Identity management (ID management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity. The driver licensing system is a simple example of identity management: drivers are identified by their license numbers, and user specifications (such as "cannot drive after dark") are linked to the identifying number.
In an IT network, identity management software is used to automate administrative tasks, such as resetting user passwords. Enabling users to reset their own passwords can save significant money and resources, since a large percentage of help desk calls are password-related. Password synchronization (p-synch) enables a user to access resources across systems with a single password; a more advanced version called single sign-on enables synchronization across applications as well as systems.
In an enterprise setting, identity management is used to increase security and productivity, while decreasing cost and redundant effort. Standards such as Extensible Name Service (XNS) are being developed to enable identity management both within the enterprise and beyond.
Perspectives on IdM
In the real-world context of engineering online systems, identity management can involve three perspectives:
- The pure identity paradigm: Creation, management and deletion of identities without regard to access or entitlements;
- The user access (log-on) paradigm: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
- The service paradigm: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
Pure identity paradigm
A general model of identity can be constructed from a small set of axiomatic principles, for example that all identities in a given abstract namespace are unique and distinctive, or that such identities bear a specific relationship to corresponding entities in the real world. An axiomatic model of this kind can be considered to express "pure identity" in the sense that the model is not constrained by the context in which it is applied. In general, an entity can have multiple identities, and each identity can consist of multiple attributes or identifiers, some of which are shared and some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and the entities they represent, as well as between identities and the attributes they consist of.
In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties. These properties may be used to record information about the object, either for purposes external to the model itself or so as to assist the model operationally, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.
The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model attempts to express these semantics internally, it is not a pure model.
Contrast this situation with properties which might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored and retrieved, in other words not treated specially by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.
Identity management, then, can be defined as a set of operations on a given identity model, or as a set of capabilities with reference to it. In practice, identity management is often used to express how identity information is to be provisioned and reconciled between multiple identity models.
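An added example (not from the page) that models the pure identity axioms described above in Python: identifiers are unique within a namespace, an identity is a finite set of stored properties the model does not interpret, and reconciliation between two identity models links identities that share an attribute value. The HR and directory namespaces and the `mail` attribute are constructed for the illustration.

```python
class Identity:
    """An identifier plus a finite set of properties the model stores but never interprets."""
    def __init__(self, namespace, identifier, attributes):
        self.namespace = namespace
        self.identifier = identifier      # unique within its namespace
        self.attributes = dict(attributes)

class Namespace:
    """Abstract namespace in which each identifier maps to exactly one identity."""
    def __init__(self, name):
        self.name = name
        self._ids = {}

    def create(self, identifier, **attributes):
        if identifier in self._ids:       # uniqueness axiom
            raise ValueError(f"{identifier!r} already exists in {self.name}")
        self._ids[identifier] = Identity(self.name, identifier, attributes)
        return self._ids[identifier]

    def identities(self):
        return list(self._ids.values())

def reconcile(source, target, shared_attr):
    """Link a source identity to the one target identity with the same value of
    shared_attr. Sources with no match or an ambiguous match (value shared by
    several targets) go to `unmatched` instead of being linked."""
    index = {}
    for ident in target.identities():
        value = ident.attributes.get(shared_attr)
        if value is not None:
            index.setdefault(value, []).append(ident.identifier)
    matches, unmatched = {}, []
    for ident in source.identities():
        hits = index.get(ident.attributes.get(shared_attr), [])
        if len(hits) == 1:
            matches[ident.identifier] = hits[0]
        else:
            unmatched.append(ident.identifier)
    return matches, unmatched

def demo():
    # Constructed sample: an HR namespace and a directory namespace (hypothetical).
    hr = Namespace("hr")
    hr.create("emp-1001", mail="ana@example.com", role="analyst")
    hr.create("emp-1002", mail="ben@example.com")
    hr.create("emp-1003", mail="cy@example.com")
    directory = Namespace("directory")
    directory.create("ana", mail="ana@example.com")
    directory.create("ben", mail="ben@example.com")
    directory.create("ben.old", mail="ben@example.com")   # ambiguous match
    return reconcile(hr, directory, "mail")
```

Note that the `role` property on `emp-1001` is carried along untouched: a pure model stores it but never evaluates it.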
User access paradigm
User access requires each user to assume a unique "digital identity" across applications and networked infrastructures, which enables access controls to be assigned and evaluated against this identity. Technically, the use of a unique identity across all systems eases the monitoring and verification of potential unauthorized access, and allows the organization to keep tabs on excessive privileges granted to any individual within the company. From the user lifecycle perspective, user access can be tracked from new hire through suspension to termination of the employee.
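As an added illustration (not part of the original text), the following Python sketches the user access paradigm: one `uid` per person, lifecycle transitions from hire through suspension to termination, access evaluated against that identity, and two checks an administrator would run across all systems: privileges beyond a job baseline, and entitlements still held by suspended or terminated identities. The job baseline, system names and users are constructed.

```python
TRANSITIONS = {                 # user lifecycle: new hire -> active -> suspended/terminated
    "hired": {"active"},
    "active": {"suspended", "terminated"},
    "suspended": {"active", "terminated"},
    "terminated": set(),
}

class User:
    def __init__(self, uid, job):
        self.uid = uid              # the one digital identity every system refers to
        self.job = job
        self.state = "hired"
        self.entitlements = {}      # system -> set of roles granted there

    def transition(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.uid}: {self.state} -> {new_state} is not allowed")
        self.state = new_state

    def grant(self, system, role):
        self.entitlements.setdefault(system, set()).add(role)

def can_access(user, system, role):
    """Access control evaluated against the identity: only active users holding the role."""
    return user.state == "active" and role in user.entitlements.get(system, set())

def excessive_privileges(users, baseline):
    """Roles held beyond the job baseline, per system: {uid: {system: extra roles}}."""
    report = {}
    for u in users:
        expected = baseline.get(u.job, {})
        for system, roles in u.entitlements.items():
            extra = roles - expected.get(system, set())
            if extra:
                report.setdefault(u.uid, {})[system] = extra
    return report

def lingering_access(users):
    """Suspended or terminated identities that still hold entitlements anywhere."""
    return sorted(u.uid for u in users if u.state in {"suspended", "terminated"} and u.entitlements)

def demo():
    # Constructed sample (hypothetical job baseline and two users).
    baseline = {"analyst": {"crm": {"read"}, "mail": {"user"}}}
    ana = User("u1001", "analyst"); ana.transition("active")
    for system, role in [("crm", "read"), ("crm", "admin"), ("mail", "user")]:
        ana.grant(system, role)
    ben = User("u1002", "analyst"); ben.transition("active"); ben.grant("crm", "read")
    ben.transition("terminated")    # account left provisioned after termination
    users = [ana, ben]
    return excessive_privileges(users, baseline), lingering_access(users), can_access(ben, "crm", "read")
```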
Service paradigm
In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user's credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.
Today, many organizations face a major clean-up of their systems if they are to bring identity coherence into their sphere of influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand, cheaply, securely and with a single view of each customer.
Thanks in large part to the rise of the cloud, identity-management software has become faster and further-reaching than ever before—an IT administrator can approve a worker’s access to a particular set of cloud applications from halfway around the world, in a matter of seconds, while setting tighter controls for a new set of mobile devices on their network.
However, despite the boost from the cloud, many of the old issues associated with identity management continue to collectively plague IT.
In recent weeks, Intel and SailPoint have both made forays into delivering identity management services via the cloud, where they join players such as Okta, IBM and CA Technologies. That comes just as players such as VMware extend identity-management technologies developed for on-premise use to cloud applications.
According to Girish Juneja, Intel's director of application security and identity products, Intel Cloud SSO (an identity-and-access platform accessible via Salesforce's Force.com) allows IT organizations to provision, synchronize and de-provision access to thousands of cloud applications. It relies on a two-factor authentication model. Juneja added that Intel included a comprehensive set of reporting and auditing tools for the platform, intended to meet compliance requirements.
Making a similar recent identity management move into the cloud is SailPoint, a longtime provider of on-premise data governance tools, which has just launched SailPoint AccessIQ, a cloud service that provides identity management that can be integrated with the company's existing on-premise offerings.
Others are extending their technologies to the cloud. For example, just coming out of beta is version 1.5 of Horizon Application Manager, based on technology that VMware gained when it acquired TriCipher in 2010. Horizon Application Manager is a virtual appliance that IT organizations can deploy in their data centers to manage access to specific cloud applications and services.
Despite all this progress, a more unified approach to identity management eludes most organizations.
In the meantime, the tools for managing identity both inside and outside the enterprise are becoming increasingly sophisticated. Rather than forbidding users from using certain devices or accessing specific services, IT leaders these days are being asked to find ways to allow the organization to take advantage of these technologies with the minimum amount of risk possible. That means organizations will rely more than ever on identity-management technologies—making it easier to determine who should have access to what, when and where. But that doesn’t mean an end to issues associated with determining who’s really who.