Today we talk of 'collaboration' a lot. In the context of IT, the biggest
challenge confronting us is managing the digital presence of every user across
all organizations and business units. An enterprise user today faces multiple
computer interfaces to do his job: his mail account, bank account password,
corporate intranet, a B2B or B2C site, or even his workstation. And everywhere
he has to be authenticated. With so many authentications, it becomes quite
natural for an enterprise user to become careless about the whole process. This
leads to mismanagement of online identity, or identity theft. While it might
sound harmless, it can have drastic results. For example, say your organization
lets mobile users log in to the corporate network from anywhere in the world.
You cannot check who is logging on to the network by any physical means, so if
one such ID is hacked, your whole enterprise network can be compromised. Here
you might ask how this is possible and what role Identity Management (IDM)
plays in preventing such a scenario. Suppose your organization has no Identity
Management implementation at all and users are free to choose any password they
want for accessing any resource. Users will naturally be inclined to use the
same, or very easy to remember (and guess), passwords across all resources. You
might have secured your critical resources with state-of-the-art firewalls,
IPS, antivirus, encryption, etc., but this weakest link could very well be
misused by a hacker. If a user has used the same password everywhere, the
hacker can attack the easiest resource to acquire it. For instance, most e-mail
clients and servers communicate in plain text, and a hacker could easily
intercept and capture the password there.

Identity theft is becoming the fastest growing crime in the world. With the
increased presence of ordinary citizens on the Internet and their access to
crucial resources such as online banking, transactions and purchases, simple
passwords no longer provide adequate protection. Whoever is accessing your
systems, be it employees on your LAN or Wi-Fi network, partners on your
extranet, or customers on your e-commerce sites, they need a reliable means of
authentication. Stronger forms, such as USB tokens or smart cards, may be
required nowadays to ensure the identity of users.
Challenges for enterprise
The key challenge for an enterprise is to maintain a common and managed identity
for two different types of user groups, namely insiders and outsiders.
Insiders are the internal employees of an organization, while outsiders are the
customers or partners of an enterprise.
Of the two, insiders are the ones who are generally connected inside the
corporate network and spend most of their working hours engaged with the
enterprise. They typically access multiple internal systems of the enterprise,
and their identity profiles are relatively detailed. Outsiders, on the other
hand, access only a few systems of the enterprise, such as CRM and e-commerce,
and access these systems only occasionally. Identity profiles of outsiders are
less detailed and less accurate than those of insiders.
At Crest we use 'multiple applications' with 'multiple users' having 'roaming profiles,' by deploying Identity Management SSO (Single Sign on). It helps us to integrate applications and users to increase efficiency of production. IDM also helps our organization to analyze resources utilized on various projects, for better 'project management planning' and 'cost calculation' amongst various departments such as HR, Finance and Production.
P Krishna Prasad, Head IT, Crest Animation Studio
Now, as both types of users are of different nature, the technology used to
manage them is also different. Let us now see some key trends and solutions that
an enterprise can use to manage users.
Trends and solutions
To achieve Identity Management, a host of technologies are brought together to
meet business and technical needs. Identity Management has its own life cycle,
which includes user provisioning (activation and deactivation of employee
accounts) and account management. Other tasks of IDM are password management
and access management, with access allocated according to identity. As
employees change position, address or other work/personal information, multiple
systems need to be updated in multiple places. Identity management solutions
offer self-service for such updates and synchronize and automate these tasks.
The biggest drawback with vendors in this space today is that most of them
provide incomplete products: you need different products to achieve the
different functionalities of Identity Management. Single Sign On (SSO), which
is a key component of IDM, can be achieved by proper implementation of any
Directory Service such as MS-ADS (Microsoft's Active Directory Service). For
key- or hardware-based Identity Management solutions, RSA is the established
vendor. So the key trend we can see today is the integration of the ID and
access management suites of all major technology vendors, such as BMC Software,
IBM, CA, RSA, Microsoft, etc., to achieve a full-fledged IDM system.
The other trend we see is the integration of access management technologies
with other technologies such as Help Desk, Service Management, Configuration
Management and Monitoring, eventually leading to Business Services Management.
Our organization deals with IT and ITES (BPOs and call centers). Most of our customers implement their global development centers from our premises. In addition to iGATE specific security implementation, these customers want to implement their own security solutions for projects and processes. Due to this, handling and deploying security processes (which include
Shiva M, Vice President, Global IT Infra Support and Purchases, iGATE
Types of IDMs
Following are a few types of Identity Management solutions that are available.
Single Sign-on: This is a mechanism with which a single act of authentication
grants a user access to all the system and network resources for which he has
access permissions. The user does not need to enter multiple passwords or face
multiple authentication interfaces. SSO, or Single Sign-on, reduces human error
by reducing the number of authentications required. Some examples of Single
Sign-on are Microsoft Passport and Kerberos.
Two Factor Sign in: This is a mechanism with which a user gets an additional
layer of protection from a hardware token or card based authentication, coupled
with a standard PIN or password. In such a scenario, at the first stage the user
has to authenticate himself either by swiping an RF or magnetic card or by
providing a random number generated by a hardware device (called a token) to
the system. In the second stage, the user has to provide a standard PIN or
password to complete the authentication.
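The two-stage check just described, as an added example that is not from the article: it assumes the token's number is a counter-based one-time code computed as in RFC 4226 (HOTP), uses a constructed user record holding the token seed and a salted PIN hash, and the names `hotp`, `authenticate` and `USERS` are ours.

```python
import hashlib
import hmac
import struct

# Assumption: the token's "random number" is an HOTP code (RFC 4226),
# i.e. HMAC-SHA1(seed, counter) dynamically truncated to 6 digits.
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed user store: per-user token seed, the server's view of the
# token counter, and a salted PBKDF2 hash of the PIN (never the PIN itself).
SALT = b"constructed-salt-value"

def pin_hash(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

USERS = {
    "alice": {"seed": b"12345678901234567890", "counter": 0,
              "pin": pin_hash("4711")},
}

def authenticate(user: str, token_code: str, pin: str, window: int = 3) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Stage 1: something the user has. Accept the next `window` counter
    # values so a code generated but never submitted does not lock the
    # user out; a matched code is consumed at once so it cannot be replayed,
    # even if the PIN in stage 2 then turns out to be wrong.
    matched = None
    for c in range(rec["counter"], rec["counter"] + window):
        if hmac.compare_digest(hotp(rec["seed"], c).encode(), token_code.encode()):
            matched = c
            break
    if matched is None:
        return False
    rec["counter"] = matched + 1
    # Stage 2: something the user knows, compared in constant time.
    return hmac.compare_digest(pin_hash(pin), rec["pin"])
```

The seed above is the RFC 4226 test-vector secret, so the first codes the token would show are 755224, 287082 and 359152.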
Policy based automated provisioning: This is a system for creating and
managing multiple instances of a service within a shared IT infrastructure. The
network administrator maintains a set of computing resources that can be
allocated to different services, and then to users, based on policies. Users
can then request access to services of a particular type, and instances of
these services are provisioned to meet their requirements.
Role based access control: There are roles for the different job related
functions, and permissions are allotted according to the role. Instead of
assigning policies directly to a certain user or group, they are assigned
roles, and through those role assignments the users get the permissions
required to perform a particular task in the network. As users/groups are not
assigned policies directly but acquire them through roles, management of
individual user/group rights becomes very easy: all you have to do is allocate
the proper role to a given user.
This simplifies the task of editing a user, changing user policies or even
adding new users. This feature can be achieved by using any LDAP server.
Microsoft is a vendor in this space.
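The role indirection described above, as an added example that is not from the article: a small hierarchical RBAC resolver in Python with a constructed set of roles, permissions and users, where changing a role or a user's role assignment is all that is needed to change effective rights. The role and permission names are ours.

```python
from collections import defaultdict

# Constructed policy. Roles carry permissions; a role may inherit from
# others (hierarchical RBAC), so "finance_manager" also gets everything
# "finance_clerk" and, through it, "employee" has.
ROLE_PERMS = {
    "employee":        {"intranet:read", "mail:use"},
    "developer":       {"scm:commit", "build:run"},
    "finance_clerk":   {"ledger:read"},
    "finance_manager": {"ledger:write", "ledger:approve"},
}
ROLE_PARENTS = {
    "developer":       {"employee"},
    "finance_clerk":   {"employee"},
    "finance_manager": {"finance_clerk"},
}
# Users are assigned roles only, never individual permissions.
USER_ROLES = defaultdict(set, {
    "alice": {"developer"},
    "bob":   {"finance_clerk"},
})

def expand_roles(roles):
    """Transitive closure of a set of roles over the parent relation."""
    seen, stack = set(), list(roles)
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(ROLE_PARENTS.get(r, ()))
    return seen

def effective_permissions(user):
    perms = set()
    for role in expand_roles(USER_ROLES.get(user, set())):
        perms |= ROLE_PERMS.get(role, set())
    return perms

def is_allowed(user, permission):
    return permission in effective_permissions(user)

def assign_role(user, role):
    if role not in ROLE_PERMS and role not in ROLE_PARENTS:
        raise ValueError(f"unknown role: {role}")
    USER_ROLES[user].add(role)

def revoke_role(user, role):
    USER_ROLES[user].discard(role)

def users_with_permission(permission):
    """Audit helper: who can do this right now, through any role."""
    return sorted(u for u in USER_ROLES if is_allowed(u, permission))
```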
Conclusion
Because of the huge threat posed by identity theft and the requirements of MNCs
who come to India for offshoring, it has become very important for Indian IT
and ITES companies to deploy Identity Management for their users and customers.
This market is buzzing with new technologies and players, so do your homework
properly before selecting the right solution for your enterprise.
Useful Links
RSA: http://www.rsasecurity.com/node.asp?id=1191
Microsoft: http://tinyurl.com/z98dr
Sun: http://www.sun.com/software/products/identity/index.jsp
BMC Software: http://www.bmc.com/corporate/nr2005/032305_1.html
CA: http://www3.ca.com/Press/PressRelease.aspx?CID=82552