UNIT 4

IDENTITY MANAGEMENT

Identity management in an enterprise is a combination of processes and technologies to manage and
secure access to the information and resources of an organisation while also protecting user profiles,
including customer profiles. It includes the entire process of deciding who should have access to
resources, and to what resources; providing, changing and terminating such access when appropriate;
managing the process and monitoring it for compliance with internal and external policies. This
usually applies to situations where a person has to identify who he/she claims to be by means of a
verified identity, such as a passport or identity card at border control, login credentials for e-banking,
biometric identification for account access at an ATM machine, and so on.

Identity management has two principal components: management “of” the identity and management
“by” the identity. Management of the identity is the process of issuing and using digital identities
and credentials (such as usernames and passwords) for authentication. Management by the identity
combines the proven identity of the user with their authorisation, in order to grant access to resources.

Identity Management Models

Identity of an entity has its own life cycle. For example, an employee’s login account for accessing
the company network would be created, maintained, synchronised and deleted across multiple
systems or platforms. The employee’s login credentials, with proper access rights, would be granted
by a process called user provisioning. This account would be maintained and updated whenever new
privileges are assigned to this employee, perhaps due to internal transfer, promotion, demotion, and so
on. The employee’s data or passwords would be synchronised among different IT systems and
platforms. Finally, his/her login credentials can be deleted across all systems due to, say, termination
of employment or retirement. This removal of access rights is a process called user de-provisioning.
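The life cycle above, as an added example that is not part of the unit: a central directory provisions, updates, synchronises and de-provisions one login on several platforms, and a reconciliation check finds accounts left behind when a platform missed the de-provisioning step. Platform names, privileges and the "reachable" flag are constructed for the illustration.

```python
# Constructed example, not the unit's own code: the login-account life cycle
# (provision, update, synchronise, de-provision) pushed from a central
# directory to several platforms, plus a reconciliation check that finds
# accounts a platform still holds after the directory removed the user.
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: str
    privileges: set = field(default_factory=set)

class Platform:
    """One IT system with its own account store; 'reachable' simulates outages."""
    def __init__(self, name, reachable=True):
        self.name, self.reachable, self.accounts = name, reachable, {}

class IdentityManager:
    """Central directory that drives provisioning on every connected platform."""
    def __init__(self, platforms):
        self.platforms = platforms
        self.directory = {}  # user_id -> privileges in the authoritative record

    def provision(self, user_id, privileges):
        self.directory[user_id] = set(privileges)
        self.synchronise(user_id)

    def update_privileges(self, user_id, add=(), remove=()):
        # transfer/promotion: change the central record, then push it out
        self.directory[user_id] = (self.directory[user_id] | set(add)) - set(remove)
        self.synchronise(user_id)

    def synchronise(self, user_id):
        for p in self.platforms:
            if p.reachable:
                p.accounts[user_id] = Account(user_id, set(self.directory[user_id]))

    def deprovision(self, user_id):
        """Remove the user everywhere; returns names of platforms not updated."""
        self.directory.pop(user_id, None)
        failed = [p.name for p in self.platforms if not p.reachable]
        for p in self.platforms:
            if p.reachable:
                p.accounts.pop(user_id, None)
        return failed

def orphaned_accounts(manager):
    """Accounts on a platform but absent from the directory: an audit finding."""
    return sorted((p.name, uid) for p in manager.platforms
                  for uid in p.accounts if uid not in manager.directory)
```

A platform that was unreachable during de-provisioning keeps a live account for a departed employee; running `orphaned_accounts` periodically is the check that catches it.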

There are three common identity management models:

Isolated identity management

This model requires that each user possess an identifier for access to each isolated service. This
system is used a lot in online services and resources, because it is relatively simple for service
providers to manage, but it is rapidly becoming unmanageable for users. The exponential growth in
online services has led to users being overloaded with identifiers and credentials (different logins and
passwords) that they need to remember and manage. For this reason, new identity management
models are being proposed and implemented.

Federated identity management

Federated identity management simplifies the account management problem. A set of agreements and
standards is defined among a group of service providers who recognise user identifiers from one
another. A customer of one particular service provider could access all services provided by another
service provider in the group with only a single identifier. For such standardised methods of
information exchange within the group to work, implementation of a common technology standard
such as OASIS (Organisation for the Advancement of Structured Information Standards) SAML
(Security Assertion Markup Language), the open source initiative Shibboleth, and so on is
required.

Centralised identity management

In this model, the same identifier and credential are used by each service provider. This could, for
example, be implemented with a PKI, where a Certificate Authority (CA) issues certificates to
users. Each user can then use the same certificate to access different services, and all providers
authenticate the client through the same certificate before granting access to their services. Another
example could be the single sign-on (SSO) model, which requires a user to log in once and be
authenticated automatically by all other service providers. The Kerberos Authentication Server and
Microsoft .Net Passport are examples of SSO implementation. A drawback of this approach is that
should one of the trusted identity providers fail (e.g. under a DoS attack), the normal services of all
service providers may be affected.

Authentication and Authorisation

Authentication techniques make use of one or more of the following factors:

1. something you know (e.g. password),

2. something you have (e.g. a smart card),

3. something you are (e.g. fingerprint)

If two of these factors are needed for successful authentication, it is termed a “two-factor
authentication”. Two-factor authentication is generally believed to be more secure, and therefore
many high-risk systems such as Internet banking are now implementing schemes like this.

Authorisation is a process that determines whether an entity is allowed access to a given asset or
resource. Common access control models are:

1. Discretionary Access Control (DAC): in this mechanism, users own the objects under their
control, and the granting and revoking of access control privileges are left to the discretion of
individual users.

2. Mandatory Access Control (MAC): it is a means of restricting access to objects based on the
sensitivity of the information contained in the objects, along with formal authorisation of subjects to
access information of such sensitivity.

3. Role-based access control (RBAC): it is an authorisation mechanism in which access decisions
are based on the roles that individual users have as part of an organisation.
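The three models listed above as small decision functions; this is an added example, not code from the unit. Principal names, sensitivity levels and permission names are assumed, and the MAC rules use the classic Bell-LaPadula "no read up, no write down" ordering, which the unit does not name.

```python
# Constructed example, not the unit's own code: the three access control
# models as small decision functions. Names, levels and permissions are assumed.
# DAC: the object's owner holds the ACL and decides who else gets access.
class DacObject:
    def __init__(self, owner):
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, by, to, perm):
        """Only a principal holding 'grant' on this object may extend its ACL."""
        if "grant" not in self.acl.get(by, set()):
            return False
        self.acl.setdefault(to, set()).add(perm)
        return True

    def allowed(self, user, perm):
        return perm in self.acl.get(user, set())

# MAC: the system compares subject clearance with object classification;
# neither user nor owner can override. Rules follow Bell-LaPadula:
# no read up, no write down (assumed ordering of the constructed levels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allowed(clearance, classification, perm):
    subj, obj = LEVELS[clearance], LEVELS[classification]
    if perm == "read":
        return subj >= obj
    if perm == "write":
        return subj <= obj
    return False

# RBAC: permissions attach to roles; users get roles. Revoking a role on
# transfer removes every permission it carried in one step.
class Rbac:
    def __init__(self):
        self.role_perms, self.user_roles = {}, {}

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, perm):
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))
```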

Benefits of Identity Management

Apart from improvements in security, a well-implemented identity management system brings at least
two business benefits to an organisation: cost reduction and improved service levels.

With an enterprise-wide identity management system in place, an organisation does not need to
dedicate human resources to handling user ID related issues for each individual application. As a
result, fewer people are needed for ID administration activities, which could in turn reduce IT
operation costs. In addition, fewer calls to the help desk regarding user ID problems would contribute
to more cost savings.

A common user complaint in the enterprise environment is the slow response when dealing with user
ID resets, or other ID management functions. With the help of an automatic identity management
system, response times for requests relating to user IDs would be improved, resulting in an
improvement to IT service levels and better user ID management activities.
