Identity management
Identity management (IdM) describes the management of individual identities, their authentication, authorization, roles, and privileges/permissions within or across system and enterprise boundaries[1] with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks.[2]
"Identity Management" and "Access and Identity Management" (or AIM) are terms that are used interchangeably under the title of Identity management, while Identity management itself falls under the umbrella of IT Security.[3]
Identity management systems, products, applications, and platforms are commercial Identity management solutions implemented for enterprises and organizations.
Technologies, services, and terms related to Identity management include Active Directories, Service Providers, Identity Providers, Web Services, Access control, Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth, and RBAC.[4]
History
Identity management (IdM) is a term related to how humans are authenticated (identified) and authorized across computer networks. It covers issues such as how users are given an identity, the protection of that identity, and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.).
Digital identity: personally identifiable information (PII) selectively exposed over a network. See OECD[5] and NIST[6] guidelines on protecting PII[7] and the risk of identity theft.
Thus the term management is appended to "identity" to indicate that there is a technological and best-practice framework around a somewhat intractable philosophical concept. Digital identity can be interpreted as the codification of identity names and attributes of a physical instance in a way that facilitates processing. In each organization there is normally a role or department that is responsible for managing the schema of digital identities of their staff and their own objects, represented by object identities or object identifiers (OID).[8]
The SAML protocol is a prominent means used to exchange identity information between two identity domains. Other examples are listed on the Website of this project.[9]
Perspectives on IdM
In the real-world context of engineering online systems, identity management can involve three perspectives:
- The pure identity paradigm: Creation, management and deletion of identities without regard to access or entitlements;
- The user access (log-on) paradigm: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
- The service paradigm: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
Pure identity paradigm
A general model of identity can be constructed from a small set of axiomatic principles, for example that all identities in a given abstract namespace are unique and distinctive, or that such identities bear a specific relationship to corresponding entities in the real world. An axiomatic model of this kind can be considered to express "pure identity" in the sense that the model is not constrained by the context in which it is applied. In general, an entity can have multiple identities, and each identity can consist of multiple attributes or identifiers, some of which are shared and some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and the entities they represent, as well as between identities and the attributes they consist of.
In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties. These properties may be used to record information about the object, either for purposes external to the model itself or so as to assist the model operationally, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.
The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model attempts to express these semantics internally, it is not a pure model.
Contrast this situation with properties which might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored and retrieved, in other words not treated specially by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.
Identity management, then, can be defined as a set of operations on a given identity model, or as a set of capabilities with reference to it. In practice, identity management is often used to express how identity information is to be provisioned and reconciled between multiple identity models.
User access paradigm
User access requires each user to assume a unique "digital identity" across applications and networked infrastructures, which enables access controls to be assigned and evaluated against this identity. Technically, the use of a unique identity across all systems eases the monitoring and verification of potential unauthorized access, and allows the organization to keep tabs on excessive privileges granted to any individual within the company. From the user lifecycle perspective, user access can be tracked from hiring, through suspension, to termination of the employee.
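As an added illustration of the user access paradigm above, and of the provisioning and reconciliation between identity models mentioned in the pure identity section (example code, not from the article): a small routine that maps each system's accounts onto one unique identity and flags lifecycle drift such as accounts still enabled after termination or privileges the identity was never entitled to. All identities, system names and accounts are constructed sample data.

```python
"""Reconcile per-system accounts against one authoritative identity record.
Added example; every identity, system and account below is constructed."""
from dataclasses import dataclass, field

# Lifecycle states from the user access paradigm: hired, suspended, terminated.
ACTIVE, SUSPENDED, TERMINATED = "active", "suspended", "terminated"

@dataclass
class Identity:
    uid: str                                     # one identifier shared by every system
    status: str
    entitled: set = field(default_factory=set)   # systems this person should hold

@dataclass
class Account:
    system: str
    uid: str
    enabled: bool

def reconcile(identities, accounts):
    """Return (uid, system, finding) tuples describing drift between
    the identity store and what the individual systems actually hold."""
    by_uid = {i.uid: i for i in identities}
    findings, seen = [], set()
    for acct in accounts:
        seen.add((acct.uid, acct.system))
        ident = by_uid.get(acct.uid)
        if ident is None:
            findings.append((acct.uid, acct.system, "orphan account: no matching identity"))
        elif ident.status == TERMINATED and acct.enabled:
            findings.append((acct.uid, acct.system, "enabled after termination"))
        elif ident.status == SUSPENDED and acct.enabled:
            findings.append((acct.uid, acct.system, "enabled while suspended"))
        elif acct.enabled and acct.system not in ident.entitled:
            findings.append((acct.uid, acct.system, "excessive privilege: not entitled"))
    # Active people who are entitled to a system but have no account there.
    for ident in identities:
        if ident.status != ACTIVE:
            continue
        held = {s for u, s in seen if u == ident.uid}
        for system in sorted(ident.entitled - held):
            findings.append((ident.uid, system, "missing account: entitled but not provisioned"))
    return findings

def sample_findings():
    """Constructed scenario: one hire, one suspension, one leaver, one unknown."""
    identities = [Identity("u1001", ACTIVE, {"mail", "hr"}),
                  Identity("u1002", SUSPENDED, {"mail"}),
                  Identity("u1003", TERMINATED)]
    accounts = [Account("mail", "u1001", True), Account("crm", "u1001", True),
                Account("mail", "u1002", True), Account("mail", "u1003", True),
                Account("vpn", "u9999", True)]
    return reconcile(identities, accounts)
```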
Service paradigm
In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user's credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.
Today, many organizations face a major clean-up of their systems if they are to bring identity coherence within their sphere of influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand — cheaply, with security and single-customer viewing facilities.
Emerging fundamental points
- IdM provides significantly greater opportunities to online businesses beyond the process of authenticating and granting access to authorized users via cards, tokens and web access control systems.
- User-based IdM has started to evolve away from username/password and web-access control systems toward those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.
- IdM provides the focus to deal with system-wide data quality and integrity issues often encountered by fragmented databases and workflow processes.
- IdM embraces what the user actually gets in terms of products and services and how and when they acquire them. Therefore, IdM applies to the products and services of an organization, such as health, media, insurance, travel and government services. It is also applicable to means by which these products and services are provisioned and assigned to (or removed from) "entitled" users.
- IdM can deliver single-customer views that include the presence and location of the customer, single products and services as well as single IT infrastructure and network views to the respective parties. Accordingly, IdM relates intrinsically to information engineering, security and privacy.
- IdM covers the machinery (system infrastructure components) that delivers such services because a system may assign the service of a user to: a particular network technology, content title, usage right, media server, mail server, soft switch, voice mailbox, product catalog set, security domain, billing system, CRM, help desk etc.
- It is equally important for users to correctly identify and authenticate service providers as it is for service providers to identify and authenticate users. This aspect has largely been ignored during the early development of identity management, but will have to be taken seriously in the future.
- Critical factors in IdM projects include consideration of the online services of an organization (what the users log on to) and how they are managed from an internal and customer self-care perspective.
Capabilities of IdM systems include:
- User management by a help or service desk, i.e. creation, deletion and modification of user identity data by a staffed desk
- User self-service, i.e. users being able to modify their own mutable or correctable data, e.g. postal address and telephone number and, more importantly and frequently, their own credentials. Credentials are the (typically secret) piece of information that allows a user to identify himself or herself to the IdM system
- Role-based delegated user administration, for example a supervisor being able to modify certain attributes of an employee's user data. Delegation allows an IdM solution to scale, because local administrators or supervisors can perform the modifications they are permitted without involving a global administrator. The role-based aspect makes "Supervisor" a role rather than a specific person: today it might be Jane Smith who occupies the supervisor role of a local department store where Debbie Forsyth is an employee; a few months later the supervisor role might be assigned to a new person, say Joseph Peterson. At that point the only IdM change needed is removing Jane Smith from the Supervisor role and assigning Joseph Peterson that role at the local department store. Role-based access mechanisms also allow privacy controls to be implemented around user attribute data.
- Provisioning resources, e.g. the assignment of a desk or a phone to a new employee in an office
- Role-based access control, i.e. the rights to access resources secured by companion access control agents, by specifying user access roles within the IdM system
- Entitlement to resource privileges, e.g. the privilege to read and update Human Resources paperwork (files and folders on a shared network drive) for a newly recruited Human Resources Administrator
Note that for each of the above, there could be a withdrawal action as well, as in withdrawal of privileges as the opposite of assignment of privileges.
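The capabilities above, worked through as an added example (not code from the article): a minimal role-based IdM model with scoped role assignment, self-service on one's own attributes, delegated administration by a supervisor, and withdrawal as the inverse of assignment. The department-store scenario uses the names from the text; the store identifiers, role names and permission strings are constructed.

```python
"""Scoped RBAC with delegated administration and withdrawal.
Added example; roles, permissions and scopes are constructed sample data."""

# Permissions granted by each role. A role is always held within a scope
# (here a store), so the same role elsewhere grants nothing in this scope.
ROLE_PERMISSIONS = {
    "employee": {"read:own_profile", "update:own_phone", "update:own_address"},
    "supervisor": {"read:own_profile", "update:own_phone", "update:own_address",
                   "update:employee_phone", "update:employee_address"},
    "hr_admin": {"read:hr_files", "update:hr_files"},
}

class IdM:
    def __init__(self):
        self.assignments = {}   # user -> {(role, scope), ...}

    def assign(self, user, role, scope):
        self.assignments.setdefault(user, set()).add((role, scope))

    def withdraw(self, user, role, scope):
        """Withdrawal is the opposite of assignment: drop one role in one scope."""
        self.assignments.get(user, set()).discard((role, scope))

    def permissions(self, user, scope):
        perms = set()
        for role, s in self.assignments.get(user, ()):
            if s == scope:
                perms |= ROLE_PERMISSIONS[role]
        return perms

    def can_modify(self, actor, target, attribute, scope):
        """Self-service needs an 'own' permission; delegated administration needs
        an 'employee' permission held in the scope the target actually belongs to."""
        if actor == target:
            return f"update:own_{attribute}" in self.permissions(actor, scope)
        target_in_scope = any(s == scope for _, s in self.assignments.get(target, ()))
        return target_in_scope and f"update:employee_{attribute}" in self.permissions(actor, scope)

def department_store_scenario():
    """Jane supervises Debbie; later the supervisor role passes to Joseph."""
    idm, store = IdM(), "store-17"
    idm.assign("debbie.forsyth", "employee", store)
    idm.assign("jane.smith", "supervisor", store)
    self_service = idm.can_modify("debbie.forsyth", "debbie.forsyth", "phone", store)
    jane_before = idm.can_modify("jane.smith", "debbie.forsyth", "phone", store)
    # Only the assignment changes; no role definition or policy is touched.
    idm.withdraw("jane.smith", "supervisor", store)
    idm.assign("joseph.peterson", "supervisor", store)
    jane_after = idm.can_modify("jane.smith", "debbie.forsyth", "phone", store)
    joseph_after = idm.can_modify("joseph.peterson", "debbie.forsyth", "phone", store)
    # A supervisor of another store has no delegated rights over Debbie.
    idm.assign("outsider", "supervisor", "store-42")
    outsider = idm.can_modify("outsider", "debbie.forsyth", "phone", store)
    return self_service, jane_before, jane_after, joseph_after, outsider
```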
Issues
The management of identity raises a number of issues, such as privacy issues that may lead to the implementation of a surveillance society (Taylor, Lips & Organ 2009), or the risk of identity theft.
The advent of the social web, and in particular the rapid growth of online social networking services, for which managing their members' identities is a core element of the system, also creates a number of risks related to the disclosure of personal information (Gross, Acquisti & Heinz 2008), and in particular the loss of an individual's privacy (Taylor 2008).
Research
Research related to the management of identity covers a variety of disciplines (such as technology, social sciences, the humanities and the law (Halperin & Backhouse 2009)) and areas, and tries to investigate many different issues (technical, legal, societal, etc.).
European research
Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started. PICOS investigates and develops a state-of-the-art platform for providing trust, privacy and identity management in mobile communities. On the backdrop of an increased risk to privacy of the citizen in the Information Society, PrimeLife will develop concepts and technologies to help individuals to protect their autonomy and retain control over personal information, irrespective of their activities. SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns, and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.
Other identity related projects from older European Union funded framework programs include:
Publications
Different academic journals can be used to publish articles related to identity management such as:
Less specialized journals may also publish on the topic, for instance in a special issue on identity, such as:
- Online Information Review. See for instance the Special Issue on: Digital ID management (Volume 33, Issue 3, 2009).
Standardization
ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques) is conducting some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of different identity related terms.
Implementation challenges
- Getting all stakeholders to share a common view of the area, which requires them to come together and discuss the issues
- Expectation to make the IdM a data synchronization engine for application data
- Envisaging an appropriate business process leading to post-production challenges
- Lack of leadership and support from sponsors
- Overlooking change management — expecting everybody to go through the self-learning process
- Lack of definition of the post-production phase in a project plan — for a smooth transition of the system to the end-user community, it becomes critical that an organization gears up for proper support through a transition phase or stabilization phase. This may take from three to six months.
- Lack of focus on integration testing
- Lack of consistent architectural vision
- Expectations for "over-automation"
- Deploying too many IdM technologies in a short time period
A few of the core challenges around Identity Management solutions include: first, a failure to differentiate between identities and identifying names; second, capability constraints around the use of off-the-shelf vendor products; and third, a failure to build the natural growth trajectory of organizations into the Identity Management solution.
See also
References
- ^ "ABC’s of Identity Management". http://www.csoonline.com/article/205053/the-abcs-of-identity-management.
- ^ "Identity Management in an enterprise setting". http://searchunifiedcommunications.techtarget.com/definition/identity-management.
- ^ "Identity management as a component of IT Security". http://www.computerweekly.com/resources/Identity-and-access-management-products.
- ^ "Identity management security". http://msdn.microsoft.com/en-us/security/aa570351.
- ^ Functional requirements for privacy enhancing systems Fred Carter, OECD Workshop on Digital Identity Management, Trondheim, Norway, 09 May 2007 (PPT presentation)
- ^ Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, January 2009
- ^ PII (Personally Identifiable Information), The Center For Democracy & Technology, September 14, 2007
- ^ Object Id's (OID'S), PostgreSQL: Introduction and Concepts, in Bruce Momjian, November 21, 1999
- ^ [1],
- Gross, Ralph; Acquisti, Alessandro; Heinz, J. H. (2005). "Information revelation and privacy in online social networks". Workshop On Privacy In The Electronic Society; Proceedings of the 2005 ACM workshop on Privacy in the electronic society. pp. 71–80. doi:10.1145/1102199.1102214. http://doi.acm.org/10.1145/1102199.1102214
- Halperin, Ruth; Backhouse, James (2008). "A roadmap for research on identity in the information society". Identity in the Information Society (Springer) 1 (1): 71. 2009. doi:10.1007/s12394-008-0004-0.
- Lusoli, Wainer; Miltgen, Caroline (2009). "Young People and Emerging Digital Services. An Exploratory Survey on Motivations, Perceptions and Acceptance of Risks". JRC Scientific and Technical Reports (Sevilla: EC JRC IPTS) (EUR 23765 EN). March 2009. doi:10.2791/68925. http://ipts.jrc.ec.europa.eu/publications/pub.cfm?id=2119.
- ISO, IEC (2009). Information Technology -- Security Techniques -- A Framework for Identity Management. ISO/IEC WD 24760 (Working draft). http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51625
- Pohlman, M.B. (2008). Oracle Identity Management: Governance, Risk, and Compliance Architecture. Auerbach Publications. ISBN 978-1420072471.
- Pounder, C. N. M. (2008). "Nine principles for assessing whether privacy is protected in a surveillance society". Identity in the Information Society (Springer) 1: 1. 2009. doi:10.1007/s12394-008-0002-2.
- Taylor, John A.; Lips, Miriam; Organ, Joe (2009). "Identification practices in government: citizen surveillance and the quest for public service improvement". Identity in the Information Society (Springer) 1: 135. doi:10.1007/s12394-009-0007-5.
- Taylor, John A. (2008). "Zero Privacy". IEEE Spectrum 45 (7): 20–20. doi:10.1109/MSPEC.2008.4547499.
- Williamson, Graham; Yip, David; Sharni, Ilan; Spaulding, Kent (September 1, 2009). Identity Management: A Primer. MC Press. ISBN 978-1-58347-093-0.
External links
- General Public Tutorial about Privacy and Identity Management
- Identity Management Overview (Computer Weekly)
- Secure Widespread Identities for Federated Telecommunications (SWIFT)
- Federation for Identity and Cross-Credentialing Systems (FiXs)
- Identity management and information sharing in ISO 18876 Industrial automation systems and integration
- Identity management terminology (free, no registration required)
- Identity management with virtual credentials - a dimension to the access control industry