ID management often misunderstood

Identity management is fraught with confusing terms and misunderstanding.
By Karel Rode, security consultant at Performanta Consulting.
Johannesburg, 27 May 2008

Having spent the last five years very close to the topic of identity management (IDM), I need to take a break today and pay it forward.

You see, I prefer to visit the bigger landscape of identity and access management (IAM), where we can look at a much wider area within the enterprise IT management gambit.

Still, there are many players in this field and we are fortunate in SA to have skilled integrators of various solutions that all require some tailoring to suit the different business needs.

I have often equated the discovery process with the herding of cats within the business, as the views for IT, security, "the business" and even the HR department all differ when it comes to managing the user community, as well as the entitlement of said users.

Becoming entitled

Ok, so let me first declare and define. ID management is the act of user account provisioning from a central user interface, through various levels of automation and workflow, and should include, for good measure, a strong audit trail of the various actions taken by the different actors within the system. Moreover, de-provisioning of users in a timely fashion remains a vital principle.

Entitlements are the fine-grained accesses that a user may have; or, put more precisely, when a subject accesses an object, the need to manage what the subject may or may not do with that object.

Additionally, identity and access management encompasses these two areas and strives to achieve more by providing an access control model. This is where some of these projects get into distress, as a sudden desire to define user roles and business rules can become a major dependency issue.

A user store or directory also forms part of an IAM/IDM project. This is a required component to store user attributes that will feed most of the business logic for rule- and role-based identity management. Deployment of a freestanding directory is not a difficult project, nor does it spell the end of the user identity project.

The heavy lifting that will be demanded of a directory requires a significant investment in defining the directory design. It is through this design that companies will allow a directory to act as a central repository of user attributes and entitlements.

Roles and rules


On the roles side, I can just comment that with 10 000 users, companies cannot define 10 000 roles. For that many users, a firm needs to strive for low double-digit roles, with a technology solution that will allow delegated administration and self-service capabilities to request additional accesses that may not be defined in the initial "general" user roles.

Many examples can be cited globally where extensive resources were committed to the process of role definition.

Finally, we have rules. These are the logic that drives who may access assets (what), through what motivation (why), by what process (how), from which location (where) within the organisation and at what time (when) they may have the said interaction.

I often cite an example of the financial director of a listed company storing the spreadsheets of the just-completed financial year-end on his notebook. These data sets are highly classified, though the output will eventually become public and will most probably indicate a healthy result and dividend.

Sadly, these notebooks in question rarely have good access control and often do not have these sensitive files stored in an encrypted format. Therefore, if we have defined the above rules (data classification, access control and network boundaries as well as strong user authentication within the business), these data assets should never reside on untrusted platforms.
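As an added illustration (not from the article or any product), the who/what/why/how/where/when rule model above can be encoded as a default-deny evaluator, with the financial director's notebook as a constructed input; the role names, asset names, network zones, time window and classification labels are assumptions for the example, and every decision returns a reason suitable for the audit trail the article calls for.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import time

# Constructed classification register (assumed values, not from the article).
CLASSIFICATION = {"year-end-results.xlsx": "restricted", "travel-policy.pdf": "internal"}

@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset        # who: roles resolved from the directory
    asset: str              # what
    purpose: str            # why
    action: str             # how
    location: str           # where: network zone the request comes from
    at: time                # when
    trusted_device: bool    # managed platform with encrypted storage?

@dataclass(frozen=True)
class Rule:
    role: str
    assets: frozenset
    purposes: frozenset
    actions: frozenset
    locations: frozenset
    window: tuple           # (start, end) as datetime.time

# Constructed rule set: low double-digit roles, each rule pinned to all five questions.
RULES = [
    Rule("finance-director", frozenset({"year-end-results.xlsx"}), frozenset({"reporting"}),
         frozenset({"read", "edit"}), frozenset({"corp-lan"}), (time(7), time(19))),
    Rule("staff", frozenset({"travel-policy.pdf"}), frozenset({"reference"}),
         frozenset({"read"}), frozenset({"corp-lan", "vpn", "internet"}), (time(0), time(23, 59))),
]

def decide(req: Request, rules=RULES) -> tuple[str, str]:
    """Default-deny. Returns (decision, reason); the reason is what the audit trail records."""
    # Classified data never resides on an untrusted platform, whatever the role says.
    if CLASSIFICATION.get(req.asset) == "restricted" and not req.trusted_device:
        return "deny", "restricted asset requested from untrusted device"
    failures = []
    for r in rules:
        if r.role not in req.roles:
            continue
        checks = [("what", req.asset in r.assets), ("why", req.purpose in r.purposes),
                  ("how", req.action in r.actions), ("where", req.location in r.locations),
                  ("when", r.window[0] <= req.at <= r.window[1])]
        failed = [name for name, ok in checks if not ok]
        if not failed:
            return "allow", f"matched role {r.role}"
        failures.append(f"{r.role}: failed {','.join(failed)}")
    return "deny", "no rule satisfied; " + ("; ".join(failures) or "no role matched")
```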

These mandates, though perhaps not well documented in most companies today, will gain much needed attention as soon as SA passes the Protection of Personal Information Act (now in draft in Parliament). Moreover, the Protection of Personal Information Act will also mandate breach disclosure. This will allow for the enforcement of stronger controls around personally identifiable information and will introduce better technical controls for accessing these attributes. All of these will contribute to a good business case for identity and access management.

* Karel Rode is solutions strategist at CA.