Business and technical motivation for identity management


Mike Small Computer Associates, Ditton Park, Datchet, SL3 9LL Mike is Director of eTrust strategy at Computer Associates International, Inc. (CA). In this role he is responsible for defining and communicating the technical strategy for CA’s eTrust product line within Europe. Mike developed CA’s identity and access management strategy and, prior to his current position, he was responsible for its implementation. Mike joined CA in 1995 from ICL where he was the leader and architect for a number of software development projects ranging from system software to artificial intelligence. Mike is a Chartered Engineer, a Fellow of the British Computer Society and a Member of the Institution of Electronic Engineers.

1. Introduction

With security concerns subsequent to 9/11, identity has become a hot topic. In January this year the US government introduced the requirement for certain categories of visitors to the US to submit to being fingerprinted and photographed on entry. This is indicative of the importance of identity in helping to manage risk and to provide protection against crime. But how effective will this be?

Organizations are evolving to become more accessible to customers, partners, vendors, suppliers and employees. However, controls in which what you can do is based on who you are remain fundamental to managing risk. The title 'Identity Management' has developed over time to describe the processes and technologies involved in implementing these controls. In fact 'Identity and Access Management' is a more appropriate title, since it is essential to control access based on the management of identity.

Since information systems were not originally structured to manage access by this wide range of different users, many organisations have taken a piecemeal approach to identity and access management. This piecemeal approach has resulted in costs that are higher than necessary while at the same time poorly implementing the controls. The increasing amount of personal or sensitive data held in information systems has led governments and regulatory bodies to respond with directives relating to the privacy and confidentiality of data. So organisations find themselves squeezed between cost control and regulatory compliance. How can this conflict be resolved?

A number of technologies are relevant to managing identity and access. These include: strong authentication technologies; directory services; password synchronisation; single sign-on; web access control; and provisioning. The technology landscape is also evolving, with the advent of web services that are intended to enable interoperability among distributed systems and services built and deployed by different vendors or organizations. How will these new technologies impact on this problem?

1363-4127/04/© 2004, Elsevier Ltd

2. What is identity?

Knowing with whom you are dealing is fundamental to the way we do business today. Being able to recognise other people is something that, as humans, we take for granted. The evolutionary benefit of being able to distinguish family from outsider and friend from foe is obvious, hence the human brain is very adept at identifying people. However, recognising who is accessing an information system is far from easy. It can even be difficult to be certain that it is a person, and not another machine, that is making the access. To deal with this problem, individuals are assigned credentials that can be processed by the information systems and thus provide them with ways to prove who they are. This process of proving identity is called authentication. There are three basic approaches, based on 'what you know', 'what you have' and 'what you are'. A personal identification number or PIN is an example of 'what you know', as is a user name and password. A credit card, a smart card, a driving licence or a passport are examples of 'what you have'. Biometric data, such as fingerprints, palm prints, hand geometry, facial features, and characteristics of the eye such as the iris, are examples of 'what you are'. In many cases authentication of identity is achieved by a combination of these factors, such as a card and PIN. This is known as multi-factor authentication.

However, proving identity by means of credentials leads to the problem of identity theft. The credentials can and do get lost and stolen. User names, passwords and PINs get written down; cards get lost and misused. Credentials can be intercepted during transmission or storage, or obtained by social engineering. The recent 'phishing' attacks are an example: in these the attackers send emails purporting to have come from a bank, asking the recipient to connect to a web site that apparently belongs to the bank, where they are asked to confirm their identity credentials. Therefore steps need to be taken to protect against these contingencies.

This form of identity is only as trustworthy as the process that assigns the credentials. If the credentials are only to be used within an organisation it may be sufficient for them to be issued internally, for example on the basis of a person being on the payroll. If however the credentials are to be used across organisational boundaries a stronger approach may be needed. One approach is for organisations to require that a trusted third party issues the credentials, just as for a passport or driving licence. On the downside, this is expensive, and another approach that is gaining favour is for organisations to agree to accept the electronic identity of people as established by their partners' information systems. When external credentials are accepted, legal issues also arise: for instance, where will liability rest if an identity has been used fraudulently? In practice these legal issues can be more costly to resolve than the technology ones.

3. What can I do?

Establishing identity is important but it cannot stand alone: in addition you need to be able to control what the identified person is allowed to do and keep track of what they have actually done. As an example of this, the perpetrators of the 9/11 attacks all had valid identity credentials. It was the insufficient access controls that allowed them to board the aircraft with weapons and to gain entry to the pilots' cockpit. Information systems generally provide access control and auditing facilities to satisfy these needs. Unfortunately these facilities are not consistent across the range of platforms and applications in common use. The information that a person can see, the tasks that they can perform, the times when they can perform these tasks, and from what location, are usually related to the job (or role) the person performs. Therefore it makes sense for the access controls to be specified and assigned in a way that is related to this. Recognising this, and to help to assess and compare the different approaches, the US National Institute of Standards and Technology (NIST) has developed a standard for Role Based Access Control [1]. Where identity has been determined within the system being secured, the access controls can also be implemented internally. This is generally the case for operating systems. However, if identity has been established externally, a way is needed to securely exchange security information, including the access rights. The Organization for the Advancement of Structured Information Standards (OASIS) has developed SAML (Security Assertion Markup Language) to provide this capability in a web services environment [2].

4. Why do identities need to be managed?

The key business drivers that make identity management important are financial discipline, operational risk and compliance with legal and regulatory requirements.

Information Security Technical Report. Vol. 9, No. 1

4.1. Financial discipline

The competitive business environment makes financial discipline a priority for organisations. Financial discipline is not just about saving costs but also about doing things smarter. Organisations that succeed in achieving financial discipline will be those that survive and grow by providing their products and services more efficiently and more effectively than their competitors. In relation to identity management, this means organisations knowing who their customers are, what their customers want, and making it easier for customers to obtain the products and services that they want from them. When doing business on the Internet the number of customers can be so large that manual security administration processes cannot provide the service required at a realistic cost. By automation, for example through customer self-registration, it is possible to offload the costs to the business units or the customers. The cost of getting new customers is higher than that of retaining existing ones. So technologies that recognise individuals and their preferences are important, by making it easier for customers to do business with your organisation rather than with your competitors.

Financial discipline also means managing operations more effectively, making employees more efficient and reducing administrative overheads. In a typical organisation, password and account lockout problems can represent a large proportion (often over 50%) of the help desk load. The need to individually sign on to multiple applications wastes time. The costs and delays involved in providing access for new employees can be a significant problem in industries with high staff turnover (call centres and retail are good examples).

4.2. Operational risk

Organisations survive in the face of many risks, including market risk and operational risk. Market risk includes, for example, investing in products that do not meet the needs of the customers or where competitors provide better or cheaper products. Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement. Better management of the way in which employees, partners and customers are identified and their access is controlled and audited can mitigate some of these operational risks.

Although hacker and virus attacks are well publicised, the insider remains the greatest threat to an organisation in terms of potential to cause financial loss. One of the main reasons for this is that the insider understands the organisation's systems and is hence able to spot and exploit any weaknesses. Another is that they have physical access to systems and this is often poorly managed. There have been many reported incidents by insiders; one infamous example is that of Geoffrey Osowski and Wilson Tang, former accountants at Cisco Systems Inc, who in 2001 were convicted of swindling the company of $7.8 million by using the company's computer systems to fraudulently grant themselves stock options [3].

In order to reduce the risk of identity credentials being stolen and used by people other than their rightful owner, many organisations have security policies that mandate the use of passwords which are changed frequently, for example every 30 days, and which follow complex rules. These passwords are difficult to memorise and, since users may need to access several applications, this in turn leads to users writing them down, which negates the whole point. Strong authentication technologies can potentially overcome this difficulty, but many organisations cannot afford the changes to their applications that would be needed to achieve this.

Access rights are normally set by security policy according to the role of the individual. However, as individuals move through the organisation it is often the case that new rights are added. Unfortunately, existing rights that are no longer needed are not always promptly withdrawn. This is usually because it is difficult to see what rights an individual actually has and how these relate to the security policy. Administration staff are therefore reluctant to remove rights, to avoid taking action that could make an individual unable to do their job. This access rights creep increases operational risk. Promptly disabling all the access rights of users who have left the organisation is another critical issue. Often organisations are unable to reconcile access rights with people. This makes it difficult to ensure that when a person leaves the organisation their access rights are removed. These residual rights pose a clear risk.
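The role-based model of section 3, together with the rights-creep and leaver checks described in this section, as an added example (not code from the article or from the NIST RBAC standard). The roles, permissions, the separation-of-duties pair and the users' observed rights are constructed sample data. The point of the reconciliation is that an access decision is made from role entitlement, while the audit compares that entitlement with what is actually provisioned on the target systems, so that excess rights can be revoked without guessing whether the person still needs them:

```python
"""Role-based access control with a separation-of-duties constraint and a
reconciliation check for access-rights creep and leavers.  Added example; the
policy and users below are constructed sample data, not the article's."""
from dataclasses import dataclass, field

# Role -> permissions for a small finance system (constructed sample policy).
ROLE_PERMISSIONS = {
    "accounts_clerk": {"ledger:read", "invoice:create"},
    "accounts_approver": {"ledger:read", "invoice:approve"},
    "hr_admin": {"payroll:read", "payroll:update"},
    "helpdesk": {"account:unlock", "password:reset"},
}

# Static separation of duties: nobody may hold both roles of a pair, so the
# person who raises an invoice can never be the person who approves it.
SOD_PAIRS = [("accounts_clerk", "accounts_approver")]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Rights actually present on the target systems, as an audit would find them.
    observed_rights: set = field(default_factory=set)


def entitled_rights(user):
    """Rights the policy says the user should have, derived only from roles."""
    rights = set()
    for role in user.roles:
        rights |= ROLE_PERMISSIONS.get(role, set())
    return rights


def sod_violations(roles):
    """Separation-of-duties pairs that the given role set holds in full."""
    return [pair for pair in SOD_PAIRS if set(pair) <= roles]


def assign_role(user, role):
    """Add a role, refusing it if the result would violate separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    if sod_violations(user.roles | {role}):
        raise PermissionError(f"{role!r} conflicts with the roles of {user.name}")
    user.roles.add(role)


def check_access(user, permission):
    """Access decision by role entitlement, never by what happens to be provisioned."""
    return permission in entitled_rights(user)


def reconcile(user):
    """Compare observed with entitled rights.  Returns (excess, missing):
    excess is rights creep to revoke, missing is what provisioning has not granted."""
    entitled = entitled_rights(user)
    return user.observed_rights - entitled, entitled - user.observed_rights


def leavers_report(users, current_staff):
    """Accounts whose owners are no longer on the staff list but still hold rights."""
    return {u.name: u.observed_rights
            for u in users if u.name not in current_staff and u.observed_rights}


if __name__ == "__main__":
    # Alice moved from clerk to approver; the clerk right was never withdrawn.
    alice = User("alice", {"accounts_approver"},
                 {"ledger:read", "invoice:approve", "invoice:create"})
    print("alice excess/missing:", reconcile(alice))
    try:
        assign_role(alice, "accounts_clerk")
    except PermissionError as e:
        print("refused:", e)
    # Bob has left, but his payroll account is still live.
    bob = User("bob", set(), {"payroll:update"})
    print("leavers:", leavers_report([alice, bob], current_staff={"alice"}))
```

The observed rights would in practice be collected from each target system's own security database; the reconciliation is what makes the "what rights does this person actually have" question answerable, which the text identifies as the reason administrators leave stale rights in place.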

4.3. Regulatory compliance

A further aspect concerns compliance with regulation and the law. In some sectors there is now regulation relating to the security of information and information systems. This includes, for example, the banking industry (Basel II), and in the USA the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). In the case of Basel II, this provides a relationship between the risk (including operational risks) assessed for a bank and the amount of working capital that needs to be set aside to cover that risk. Hence reducing the assessed risk releases capital, and so Basel II provides an incentive for banks to assess and reduce risk. In the case of HIPAA, health information providers are required by the law to ensure that patient information is kept confidential. Since much of the patient information is held electronically there is a clear need to authenticate and control who is able to access the data.

Over 45 countries have comprehensive national data protection laws (notable exceptions are China and the USA). In Europe the EU Directive 95/46/EC provides some of the world's toughest rules governing how companies and governments may deal with personal data. EU Directive 2002/58/EC on Privacy and Electronic Communications governs how the providers of publicly available electronic communications services must safeguard the security and confidentiality of communications on their services. Managing who is able to access what information is critical to complying with these regulations as well as to reducing risk. Improving the identity management process, including the provisioning, authentication and access control processes, can reduce costs and improve efficiency. Opening up the organisation to allow partners and customers to access information and to securely purchase products can provide competitive advantages and worthwhile improvements in efficiency.

5. Multiple identities

In an ideal world a person would have one identity that could be used to gain appropriate access depending upon the context. However, in practice this is far from the norm. Employees often have multiple sign-on credentials to access the different applications within their organisation, and consumers need different sets of credentials to access the various organisations they wish to deal with over the Internet. These multiple identities impact upon all three areas described above, by increasing costs, increasing risk and making it difficult to comply with regulations.

Information systems providers recognised the importance of being able to control access based on identity. While there are a number of standards in this area, the need for systems and applications to be able to work independently has led many to provide their own identity store and access control mechanism. As a result, a typical large organisation, like a retail bank, can have between 60 and 100 distinct and separate security systems just related to its own employees. This proliferation of identity and access control mechanisms leads to many problems. From the consumer's perspective it is necessary to have several sets of credentials, and this is inconvenient. In order to be able to perform their normal tasks, end users need to sign on individually to each of the systems and applications; this is time consuming and error prone. The main reason for help desk calls in many organisations is account lockout due to incorrect credentials. This is often exacerbated by attempts to increase security by requiring passwords to be long, cryptic and changed frequently, as previously described. This leads to users writing the passwords down on 'post-it notes' hidden under keyboards or even writing them on white boards in their office.

Each of the security systems needs to be managed individually, and this duplication of effort is costly. Many studies have shown that the time between a new employee arriving in an organisation and that employee getting access to the systems needed to be productive can be several days, and this leads to lost productivity. Management of the different identity systems may not be performed consistently, and this can lead to increased risks. There is often no way of determining how many accounts an individual has or who owns a particular account. Hence accounts are often not disabled when employees leave, thus increasing operational risk by leaving security holes. In the same way organisations recognise the need to secure access to their Internet sites, and each site may be secured in a different way. So a consumer will need a different set of credentials to access each organisation's site. This is inconvenient and error prone without really providing the consumer with increased security.

6. Return on negligence

Many organisations have chosen to ignore the issues of identity and access management. Many of the costs are hidden and it is easier to do nothing than to confront them; see [4]. In order to illustrate this we have developed the notion of 'Return on Negligence' by adapting the return on investment model described by Datamonitor [5]. The following panels set out the return on negligence that would be typical for an organisation of 8,000 employees with access to seven different applications, each with their own security system. These focus on tangible costs and are based on practical experience. Amounts are per annum where marked, in the currency unit of the source, which shows no currency symbol.

Model parameters
  Number of employees                    10,000 (5% growth, 17% turnover per annum)
  New employees per month                183

Sign On Costs

  Help Desk Costs
    Help desk calls                      1.2 calls/user/month
    Calls per month                      10,800
    Call duration                        10 mins
    Help desk staff cost                 24/hour
    Total                                518,400/annum

  Lost Productivity
    Lost productivity staff cost         20/hour
    Logins/month (15 sec each)           155
    Incorrect logins (2 min each)        23.25/month
    Need help desk (10 min each)         4.65/month
    Login cost/agent                     527/annum
    Total                                4,743,000/annum

  Total Sign On Costs                    5,261,400/annum

Provisioning Costs

  Lost Productivity
    New employees per month              183
    Waiting for access (4 days)          32 hours
    Staff cost                           20/hour
    Total Lost Productivity              1,405,440/annum

  Administration Cost
    Account changes per month            732
    Admin time taken per change          30 mins
    Administration staff cost            50/hour
    Total Administration cost            219,600/annum

  Total Provisioning Costs               1,625,040/annum
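A parameterised form of the Return on Negligence model in the panels above, as an added example (not the author's or Datamonitor's model code). The parameter values are the ones printed in the panels. Two things are assumptions made here: the help desk and sign-on totals only reproduce with 9,000 users (the panel prints 10,000 employees and the text says 8,000), and the reduction percentages are applied to the computed panel totals. On those assumptions the calculator reproduces every cost total printed above; the one figure it does not reproduce is the avoidable administration cost, which comes out as 175,680 (80% of 219,600) rather than the 449,280 printed in the source, so its avoidable total is 5,227,650 rather than 5,501,250:

```python
"""Return on Negligence calculator.  Added example; parameters are the values
printed in the article's panels.  users=9_000 is an assumption: it is the only
value that reproduces the printed help desk and sign-on totals."""
from dataclasses import dataclass


@dataclass
class Assumptions:
    employees: int = 10_000
    users: int = 9_000                       # assumed, see module docstring
    growth: float = 0.05
    turnover: float = 0.17
    calls_per_user_month: float = 1.2        # help desk calls
    call_minutes: float = 10
    helpdesk_cost_per_hour: float = 24
    staff_cost_per_hour: float = 20
    logins_per_month: int = 155
    login_seconds: float = 15
    failed_logins_per_month: float = 23.25   # 2 minutes each
    failed_login_minutes: float = 2
    helpdesk_logins_per_month: float = 4.65  # 10 minutes each
    helpdesk_login_minutes: float = 10
    wait_hours_for_access: float = 32        # 4 working days
    changes_per_new_employee: int = 4        # 732 changes / 183 new employees
    admin_minutes_per_change: float = 30
    admin_cost_per_hour: float = 50


def new_employees_per_month(a):
    """Growth plus turnover, spread over the year."""
    return round(a.employees * (a.growth + a.turnover) / 12)


def cost_panels(a):
    """Annual costs of doing nothing, rounded to whole currency units."""
    new_hires = new_employees_per_month(a)
    calls = a.calls_per_user_month * a.users
    help_desk = calls * a.call_minutes * a.helpdesk_cost_per_hour * 12 / 60
    login_minutes = (a.logins_per_month * a.login_seconds / 60
                     + a.failed_logins_per_month * a.failed_login_minutes
                     + a.helpdesk_logins_per_month * a.helpdesk_login_minutes)
    login_cost_per_user = login_minutes * a.staff_cost_per_hour * 12 / 60
    sign_on_lost = login_cost_per_user * a.users
    waiting = new_hires * a.wait_hours_for_access * a.staff_cost_per_hour * 12
    changes = new_hires * a.changes_per_new_employee
    admin = changes * a.admin_minutes_per_change * a.admin_cost_per_hour * 12 / 60
    p = {
        "new_employees_per_month": new_hires,
        "help_desk": round(help_desk),
        "login_cost_per_user": round(login_cost_per_user),
        "sign_on_lost_productivity": round(sign_on_lost),
        "provisioning_lost_productivity": round(waiting),
        "administration": round(admin),
    }
    p["total_sign_on"] = p["help_desk"] + p["sign_on_lost_productivity"]
    p["total_provisioning"] = p["provisioning_lost_productivity"] + p["administration"]
    return p


def avoidable_costs(a, sso_password=0.85, sso_login=0.75,
                    prov_wait=0.75, prov_admin=0.80):
    """Return on negligence: the share of each panel that the article's single
    sign-on and provisioning reductions would remove."""
    p = cost_panels(a)
    r = {
        "help_desk": round(p["help_desk"] * sso_password),
        "sign_on_lost_productivity": round(p["sign_on_lost_productivity"] * sso_login),
        "provisioning_lost_productivity": round(p["provisioning_lost_productivity"] * prov_wait),
        "administration": round(p["administration"] * prov_admin),
    }
    r["total"] = sum(r.values())
    return r


if __name__ == "__main__":
    a = Assumptions()
    for name, value in {**cost_panels(a), **avoidable_costs(a)}.items():
        print(f"{name:32} {value:>12,}")
```

Changing one assumption at a time (users, turnover, the wait for access) shows which of the panel totals is most sensitive, which is the question an organisation needs answered before it can decide whether the negligence is affordable.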

Return on Negligence (avoidable costs)

  Avoidable Help Desk Costs         SSO: 85% reduction in password issues                  440,640
  Avoidable Lost Productivity       SSO: 75% reduction in log-in costs                     3,557,250
                                    Provisioning: 75% reduction in waiting time            1,054,080
  Avoidable Administration Costs    Provisioning: 80% reduction in administration costs    449,280
  Total Avoidable Costs                                                                    5,501,250

7. User populations

For the purposes of describing their identity and access management requirements, users can be divided into three different categories: insiders, business partners and consumers. Insiders, which include employees and contractors working inside the organisation, represent the traditional users managed by the IT department. These users have the following characteristics and needs:

• A relatively small number of people – typically tens of thousands.
• Need to access a comparatively large number of applications.
• Access and administration is a cost overhead and the issue is cost saving rather than revenue generation.
• Identity is strongly established by human resources hiring practices.
• Authentication is performed by internal systems.
• Organisation has responsibility for compliance with laws and regulation relating to privacy of information.
• Need to ensure the separation of duties of employees.
• Improper use can be dealt with internally and can be governed by employment law.

Business partners include employees within organisations that do business

together electronically. These typically include corporate buyers and sellers, for example retail organisations placing orders on manufacturing suppliers. These users have the following characteristics and needs:

• A small number of people.
• Access to a comparatively small number of applications.
• Perform transactions with a very high total monetary value.
• Identity is established externally, either by the partner organisation or a trusted third party.
• Possibility of a large financial loss due to a fraudulent transaction.
• Hence the issue is non-repudiation of the identity of the person performing a transaction.
• Authentication may involve external third parties.
• A legal framework needs to be agreed between the organisations.

Consumers are the individual end users who wish to access corporate websites to obtain information or to purchase products. These people may be acting independently or may be employees of organisations who can access corporate services provided by another organisation. This latter group is increasing as organisations outsource services like corporate travel and pensions administration. These users have the following characteristics and needs:

• A very large number of people.
• A very large number of applications in total.
• Each consumer individually only needs to access a relatively small number of applications.
• Perform a very large number of transactions in total.
• Each transaction has a relatively small monetary value but the total value is important.
• Identity of the people is not directly known to the organisation providing the information service.
• Cost of establishing their identity is too high in relation to the value of the goods.
• Users may be invited to self-register.
• Identity established by a business partner may be accepted.
• Final transaction authorisation is based on credit card details.
• Legal framework is needed between partner organisations.
• Need to control against organised criminal attempts to defraud.
• Need to comply with regulations related to privacy of personal information and credit card details.

8. Information security management

A common approach is needed to enable organisations to manage operational risk and help to achieve compliance with security related regulations. Managing identity and access needs to fit within a complete information security management strategy. Organisations are increasingly using BS 7799 [6] or ISO 17799 [7] as the standard upon which to base information security management. BS 7799-1 was first produced in 1995 to provide a comprehensive set of controls comprising best practices in information security. This was subsequently revised in 1999, and in December 2000 Part 1 was adopted by ISO/IEC as the International Standard ISO/IEC 17799:2000. In 1998 Part 2 complemented BS 7799 Part 1, and while Part 1 gives guidance on controls, Part 2 describes an Information Security Management System to manage those controls. In 2002, BS 7799 Part 2 was drastically revised and now contains guidance on implementation and complies with the OECD guidelines on information security.


An Information Security Management System is a documented, working process that covers all activities in planning, implementation and review. This process, which is illustrated below, is based around a security policy. The process involves performing a risk assessment to identify the valuable assets and the vulnerabilities and threats related to these. Then, depending upon the organisation's approach to risk and the degree of assurance required, the processes and tools required to manage these risks are defined. Finally the way in which the application of these processes will be monitored and reviewed is specified. Measuring compliance is important; the British Standards Institution (BSI) has published a series of books [8], including one on auditing the BS 7799 controls, but the series does not describe an audit framework. The European Accreditation Organisation however does provide guidance on how to perform such audits [9]. Also the COBIT [10] audit guidelines for DS5.2 (Identification, Authentication and Access) are helpful in performing an audit of BS 7799 compliance.

9. Technology issues

9.1. Web Services

Web Services is one of the industry's hottest technologies. The promise of Web Services is to deliver a standards-based vehicle to address one of the most vexing problems facing the IT industry today: how to make heterogeneous systems talk to each other. At the business level, Web Services seeks to enable the integration of customers, employees and partners via the Internet. Much of the media coverage on Web Services has focused on using Web Services in consumer-focused solutions. However, most IT organizations intend to leverage the power of Web Services to integrate internal systems and processes, then extend these solutions to trusted business partners.

The basic concept of Web Services is quite simple, and is reflected in the following definition taken from the TechWeb encyclopaedia [11]:

• Web Service: A Web-based application that can dynamically interact with other Web applications using an XML message protocol such as SOAP.

The technological foundation of Web Services rests on:

• Platform neutral information exchange via XML
• Ubiquitous data transport using HTTP (and other protocols)
• Formal standards to define interactions

Every major platform vendor has endorsed the formal standards involved in Web Services, reflecting a unique convergence of interests in the industry. There are several key standards that work in concert to enable Web Services:

• XML – Extensible Markup Language, the universal format for structured documents and data on the Web.
• SOAP – Simple Object Access Protocol, a lightweight protocol for exchange of information in a distributed environment.
• WSDL – Web Services Description Language, the XML format describing network services.
• UDDI – Universal Description, Discovery and Integration, an industry initiative to enable businesses to quickly, easily, and dynamically find and interact with web services. [16]

Web Services have special security requirements not found in enterprise computing. Both service consumers and service providers may possess distributed identities. There could be several identities from different security domains (e.g. public: Microsoft Passport, Liberty Alliance etc.; corporate: LDAP, Windows Domain account, NIS account, Portal user account etc.). A consumer uses an identity to gain access to the service it needs. A provider and consumer may use their identities to encrypt and sign messages that they exchange. Provider and consumer may exchange identity credentials within a context of initial messages (handshake). This is used to allow further trusted interactions. The service provider's identity is optional, and it is perfectly possible to implement a business service without an identity if it always acts on behalf of a client. Not having a client's identity translates into anonymous access, which is rarely allowed for business services. WS-Security defines a carrier of identity credentials and other security-related information in interactions with a Web Service.

Distributed Policies are associated with all involved parties: consumer, provider and discovery mechanism. These policies are a distributed set of rules that define if a consumer can request a function from a provider and if a provider can respond to such a request. Each party in an interaction validates its own policies. For example, a consumer may not allow interaction with an earlier discovered bandwidth-hungry provider when the consumer is roaming.
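The credential carrier that WS-Security defines, as an added example (not code from the article or from any WS-Security toolkit): the consumer puts a UsernameToken in the SOAP header and the provider validates it. The token uses the UsernameToken Profile's PasswordDigest form, Base64(SHA-1(nonce + created + password)), so the password itself never crosses the wire; the provider recomputes the digest, rejects a Created timestamp outside its freshness window and refuses a nonce it has already seen, which is what stops a captured message being replayed. The service, user name, password and the GetBalance body are constructed for the example, and the replay cache is an in-memory set:

```python
"""WS-Security UsernameToken (PasswordDigest form), consumer and provider side.
Added example; user names, passwords and the GetBalance body are constructed."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def utc_stamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """Password_Digest = Base64(SHA-1(nonce + created + password)); the nonce
    goes in as raw bytes, not in its Base64 wire form."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()


def build_envelope(username, password, body_xml, created=None, nonce=None):
    """Consumer side: SOAP 1.1 envelope carrying a wsse:Security header."""
    nonce = nonce or os.urandom(16)
    created = created or utc_stamp(datetime.now(timezone.utc))
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64_ENCODING}).text = \
        base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class TokenValidator:
    """Provider side.  password_lookup maps user name to the password the
    provider holds: the digest form needs it in recoverable form, so this
    scheme is normally combined with transport protection (TLS)."""

    def __init__(self, password_lookup, freshness=timedelta(minutes=5)):
        self.password_lookup = password_lookup
        self.freshness = freshness
        self.seen = set()   # (username, nonce) replay cache; prune by the freshness window in practice

    def validate(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not (nonce_b64 and created):
            return False, "digest, nonce and created are all required"
        try:
            created_at = parse_utc(created)
        except ValueError:
            return False, "bad Created timestamp"
        if abs(now - created_at) > self.freshness:
            return False, "token outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if (username, nonce) in self.seen:
            return False, "replayed nonce"
        password = self.password_lookup.get(username)
        if password is None:
            return False, "unknown user"   # a production service would report this like a bad digest
        if not hmac.compare_digest(pw.text or "", password_digest(nonce, created, password)):
            return False, "bad digest"
        self.seen.add((username, nonce))
        return True, username
```

The freshness window and the nonce cache work together: the cache only has to remember nonces for as long as the window is open, and anything older is rejected on the timestamp alone. What the token does not give you is non-repudiation; for that the text's next point, signing the message with the sender's identity, is needed.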

Trust Policies are distributed policies that apply to the safety of the environment of the other party in an interaction. A consumer needs to ‘trust’ the environment of a provider and the provider needs to ‘trust’ the environment of the consumer. Security Assertion Markup Language (SAML) [2] is used to assert statements and conditions against a security authority and policies that it manages. SAML can be used in interactions between security authorities as well. Service Provisioning Markup Language (SPML) [12] can be used to interface with a security agent or a platform itself to allow control and configuration of security.
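What a relying party should check before it acts on an assertion from a partner's security authority, as an added example (not code from the article or from any SAML implementation). The assertion is a constructed SAML 2.0 example; the issuer, audience, attribute name and the required authentication context are assumptions for a purchasing scenario of the kind the business partner category describes. Verifying the XML signature over the assertion is assumed to have been done first by an XML-DSig library and is not shown; without it none of the checks below means anything:

```python
"""Relying-party checks on a SAML 2.0 assertion received from a partner IdP.
Added example; the assertion, issuer and audience below are constructed.
Signature verification (XML-DSig) must precede these checks and is not shown."""
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"

# Constructed sample: a partner's buyer, authenticated by smart card, valid
# for a five-minute window, addressed to one service provider.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0"
    ID="_a75adf55-01d7-40cc-929f-dbd8372ebdfc" IssueInstant="2004-03-01T10:00:00Z">
  <saml:Issuer>https://idp.partner.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">buyer@partner.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-03-01T09:59:00Z" NotOnOrAfter="2004-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://orders.supplier.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-03-01T09:59:30Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{SMARTCARD}</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>purchaser</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionConsumer:
    def __init__(self, audience, trusted_issuers, clock_skew=timedelta(seconds=60)):
        self.audience = audience
        # issuer -> authentication context classes strong enough for this service
        self.trusted_issuers = trusted_issuers
        self.clock_skew = clock_skew
        self.seen_ids = set()   # one-time use of assertion IDs; prune after NotOnOrAfter in practice

    def accept(self, assertion_xml, now):
        """Return (identity, reason); identity is None when the assertion is rejected."""
        a = ET.fromstring(assertion_xml)
        if a.tag != f"{{{SAML}}}Assertion" or a.get("Version") != "2.0":
            return None, "not a SAML 2.0 assertion"
        issuer = a.findtext(f"{{{SAML}}}Issuer")
        if issuer not in self.trusted_issuers:
            return None, "untrusted issuer"
        cond = a.find(f"{{{SAML}}}Conditions")
        if cond is None:
            return None, "no Conditions"
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + self.clock_skew < parse_utc(not_before):
            return None, "not yet valid"
        if not_on_or_after and now - self.clock_skew >= parse_utc(not_on_or_after):
            return None, "expired"
        if self.audience not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
            return None, "audience mismatch"
        ctx = a.findtext(f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
                         f"{{{SAML}}}AuthnContextClassRef")
        if ctx not in self.trusted_issuers[issuer]:
            return None, "authentication method too weak"
        aid = a.get("ID")
        if not aid or aid in self.seen_ids:
            return None, "replayed or unidentified assertion"
        self.seen_ids.add(aid)
        subject = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        attrs = {att.get("Name"): [v.text for v in att.findall(f"{{{SAML}}}AttributeValue")]
                 for att in a.iter(f"{{{SAML}}}Attribute")}
        return {"issuer": issuer, "subject": subject, "attributes": attrs}, "ok"


if __name__ == "__main__":
    sp = AssertionConsumer("https://orders.supplier.example/sp",
                           {"https://idp.partner.example/saml": {SMARTCARD}})
    print(sp.accept(SAMPLE_ASSERTION, parse_utc("2004-03-01T10:01:00Z")))
    print(sp.accept(SAMPLE_ASSERTION, parse_utc("2004-03-01T10:01:00Z")))   # second use is refused
```

The audience check is the one most often left out: an assertion minted for a different service provider is still a validly signed statement from a trusted issuer, and accepting it lets a compromised or malicious partner service reuse its users' assertions against yours. The authentication-context check is where the legal framework the text mentions becomes enforceable, since it is what lets the relying party insist on the authentication strength the agreement requires.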

9.2. Utility or on-demand computing

In today's economic climate, businesses are carefully examining all IT expenditures. Many firms are finding that their IT infrastructure is too inefficient and unresponsive to meet the needs of a dynamic business and is not aligned with business needs. The concept of on-demand computing is to provide IT with the tools to apply computing resources more like a utility (electricity, telephone, water, etc.). In this service-driven model, computing resources are dynamically allocated to meet demand, and systems are increasingly self-managed to maximize flexibility and ease of administration. We can define on-demand computing as the ability to manage the corporate infrastructure as an internal computing service, similar to a utility. The on-demand computing environment must be driven by formal service level definitions and include these key capabilities:

• Dynamic Provisioning, where the goal is to allocate computing resources dynamically to meet current and projected needs. This is a variable consumption model; you use only what you need. An interesting side benefit of this approach is that it also provides strong resilience in the event of failure. Resources can be re-allocated to meet needs when one node or system fails.
• Self-Managing Systems, where automation and intelligence enable the flexibility to address changing conditions and ensure administrative scalability. Any changed resources should be discovered and managed automatically based on service-level requirements.

Organizations need to manage the digital identity across entire organizations, authenticating to all corporate assets with a single credential, provisioning all IT systems, Web services, devices and entrance badges, and securing access to files, directories and databases, while monitoring all these activities. The Open Security Exchange (OSE) [17] is an organisation promoting open standards for converging physical and IT management.

Security is a critical component of any business infrastructure. In the dynamic, on-demand computing environment, where servers are dynamically reconfigured and deployed, it is even more important to ensure that security policies are properly deployed and maintained. In this environment it is critical to assure that user identities are properly provisioned and that users have convenient, secure access to their applications.

The ideal identity and access management solution is complete, integrated and open. It combines provisioning, policy enforcement and end-to-end auditing to help ensure that all aspects of the identity life cycle are securely and efficiently managed - including the impact of identity activity on access to business-critical assets. Tying together a collection of point products is expensive, includes overlapping functionality and could potentially result in security loopholes. An integrated solution reduces costs, eases deployment and administration, accommodates and correlates multiple identity directories, and helps ensure cohesive auditing of all identity and access-related activities. Openness is needed to ensure that the solution can be built upon existing infrastructure and components.

9.3. Convergence of physical and IT security

Physical access control is fundamental to security and increasingly implemented using microcomputer technology. As a consequence the problems of provisioning, authentication, monitoring, reporting and de-provisioning now include physical access as well as IT systems access. Employees and contractors need access to a wide range of corporate assets, from office buildings and secured test labs to computer systems, files, directories, databases and PCs. In addition, they may be assigned laptops, calling cards and corporate credit cards. It is also useful if a single credential can be utilized for authentication for both physical resources and cyber access. Specifications, such as ISO 7816, are trying to deliver on the promise of platform-independent smart card applications.

10. Functional requirements

The key features needed in an identity and access management solution are: role- and rule-based provisioning of employees, partners and customers; role-based access control from the mainframe to the Web; and auditing of administration, account activity and access privileges. The integrated solution should include open interfaces for integration with the existing infrastructure. No changes to existing applications or systems should be needed.


10.1. Integrated and modular

For maximum business value, the functional components of an identity and access management solution should be integrated, yet interoperable with components from other vendors or with custom-developed applications. This enables organizations to choose a fully integrated solution from a single vendor, to combine selected components from different vendors that will work together, or to phase in the pieces of a complete identity and access management solution over time. Optimally, the solutions should share a common infrastructure, data store and user interface. There should be no need to change the existing business applications and information systems.

10.2. Flexible authentication

This provides user authentication with flexible mechanisms at each authentication point where a user or administrator is authenticated, including web resources, single sign-on, self-service interfaces, and administrator and delegated administrator logins. It should provide a way to plug in password authentication, security token authentication, biometric authentication, digital certificate authentication or custom authentication methods. It should support authentication standards including PKCS 11, SAML, Liberty Alliance and Microsoft’s Cryptographic API (MS-CAPI).

10.3. Role and rule based provisioning

This automates the processes for the creation, administration and removal of access rights across all of the different security environments. The access rights should be based on the role of the person being given them. There should be integration between the provisioning system and the human resources system where possible. This is to automate the process of giving access to new members of the organisation, automate changing access rights when their function changes and automate removal of access rights when they leave. As a consequence this should ensure that it is possible to reconcile the people with access rights with the list of people in the organization. The provisioning system should provide or integrate with ordering systems so that requests for changes in access rights can be made, approved and implemented in a traceable way. This is important to provide separation of duties between the people who have the right to make changes, and the people who have the right to use the systems. This helps to reduce the potential for administrators to unilaterally give themselves the privileges necessary in order to improperly use the systems. The provisioning system should provide for delegation of administration and for limited self-administration. Delegated administration provides a way to spread the administrative workload and self-administration can help to reduce costs by allowing end users to deal directly with minor problems like account lockouts. In order to support delegated and self-administration the provisioning system needs to support administrative access controls limiting the operations that an administrator can perform and the objects that can be administered. The provisioning system should satisfy the needs for administering users outside of an organisation as well as those within it. Examples of this include banks who offer exotic trading facilities to other organisations and manufacturers who allow their distributors access to central systems. In the case where one organisation offers another organisation access to its systems, provisioning policies need to be defined at the organisational level based on the contract between the organisations. Delegated provisioning is performed by the organisations themselves within these policies and the central service provider does not know the final end users. Where users belonging to multiple organisations are being provisioned through a single infrastructure, it must be possible to ensure that each organisation can only see information belonging to itself and not that which belongs to the others.

10.4. Role based access control

This provides access control to the various systems, applications and transactions in a consistent manner based on a pre-identified role. The basic concept is that users are assigned to roles, permissions are assigned to roles, and users acquire permissions by being members of roles. User-role and permission-role assignment can be many-to-many. Thus the same user can be assigned to many roles and a single role can have many users. Similarly, for permissions, a single permission can be assigned to many roles and a single role can be assigned to many permissions. There is also a requirement for user-role review, whereby the roles assigned to a specific user can be determined as well as users assigned to a specific role. This access control should be capable of being used to control access to the whole range of information system resources from a mainframe dataset to a web service in a consistent manner. It should provide control and accountability for the use of administrative accounts (root). These accounts have virtually unlimited access to files and can bypass application access controls. It should be possible to limit the scope of individuals and to trace the identity of the person using these accounts. Note that there is a difference between Role Based Access Control and Role Based Provisioning. For a discussion on this, see [13]. The ideal solution should support both in a consistent fashion (as shown in the diagram).

10.5. Single sign-on

This is a special case of role based access control that provides the end user with the ability to authenticate once to gain access to all the systems, applications and transactions to which they are entitled. The entitlement should be based on the role of the end user. It should be possible to specify the primary authentication method independently of the authentication methods supported by the systems to which sign-on is being made. There should be no need to align the user credentials for the different systems. Nor should it be necessary for any change to be made to the systems being signed on to.
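A worked example, added here and not part of the paper or of any CA product, of the role model described in 10.4 (many-to-many user-role and permission-role assignment, with user-role review in both directions) also driving the role-based provisioning and HR reconciliation of 10.3. The HR roster, job functions, role names and permissions are constructed for illustration.

```python
"""Role-based provisioning and role-based access control on one role model.

Added example (not from the paper or any CA product). Users are assigned to
roles and permissions are assigned to roles, both many-to-many (10.4); the
same role model is fed from a constructed HR roster and used to reconcile
account holders against that roster (10.3). All names are illustrative.
"""
from collections import defaultdict

# Constructed HR feed: person -> job function (assumed data).
HR_ROSTER = {"alice": "trader", "bob": "ops", "carol": "trader"}

# Provisioning rule: job function -> roles (assumed, illustrative).
FUNCTION_ROLES = {
    "trader": {"trading_user", "staff"},
    "ops": {"sysadmin", "staff"},
}


class RoleModel:
    """Many-to-many user-role and permission-role assignment with review."""

    def __init__(self):
        self.user_roles = defaultdict(set)  # user -> set of roles
        self.role_perms = defaultdict(set)  # role -> set of permissions

    def grant_permission(self, role, perm):
        self.role_perms[role].add(perm)

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def revoke_all(self, user):
        """De-provision: drop every role the user holds."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user):
        """Users acquire permissions only through their roles."""
        roles = self.user_roles.get(user, ())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def is_permitted(self, user, perm):
        return perm in self.permissions_of(user)

    # User-role review in both directions (10.4).
    def roles_of(self, user):
        return set(self.user_roles.get(user, ()))

    def users_in(self, role):
        return {u for u, rs in self.user_roles.items() if role in rs}


def provision_from_hr(model, roster):
    """Role-based provisioning: derive roles from the HR job function."""
    for person, function in roster.items():
        for role in FUNCTION_ROLES.get(function, ()):
            model.assign(person, role)


def reconcile(model, roster):
    """Accounts that still hold roles but are no longer on the HR roster."""
    return {u for u, rs in model.user_roles.items() if rs and u not in roster}
```

Running reconcile after each HR feed surfaces leavers whose accounts were never de-provisioned, which is the reconciliation 10.3 asks for.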

10.6. Federated identity

Cross-domain federation of identities enables web applications or products from different vendors to share information about the authenticated user across the multiple parts of a business transaction, eliminating the need for the individual to re-authenticate to each application or web service. It is defined as the secure trust relationship between multiple disparate security systems that may have one or many trusted parties reviewing and accepting authentication. As an example, a hotel provider may have preferred room rates for employees of a certain organisation. As part of the federated identity flow, it is very useful for the hotel provider to be able to verify that the person requesting the hotel room rate really works for the organisation. The automated verification supported by federated identity helps to reduce administrative costs. It also provides single sign-on and single sign-off without the need to remember multiple user names and passwords.

10.7. Protection of web services

This provides a secure infrastructure to publish Web services written to the popular web application servers and enforces policies for web services directed through proxy servers. It should provide integration with a range of mechanisms to authenticate the users of these services. It should also provide protection to prevent hacking of the services or the servers on which they reside, and auditing of all or selected activity surrounding the Web services.

10.8. Auditing

It is essential that all activities and access rights can be audited, and the audit tools and information should fit within a recognised auditing methodology. Activities include those of administrators as well as users, and cover the platforms, applications and administration tools. It should be possible to link actions to the identity of the people performing the activity rather than anonymous system accounts. It should also be possible to see access rights belonging to each individual and to trace how those rights were acquired and under what authority. The collection process should be tamper-proof. For example, administrators should not be permitted to disable auditing of their activities, or to alter the log of what they did. The audit information should be transmitted across the network and stored securely. Reports on the activities for different uses should be accessible. It should be possible to raise alerts in real time when certain actions are detected (for example repeated failed access attempts).
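An added example, not from the paper or any product, of the real-time alerting 10.8 asks for: it runs over constructed audit records and raises alerts for repeated failed access attempts by one identity inside a time window, for attempts to disable or alter auditing, and for actions recorded under a shared system account that cannot be linked to a person. The record format, account names, actions and thresholds are assumptions.

```python
"""Real-time alerting over identity-linked audit records (10.8).

Added example, not from the paper or any product. The record format is
constructed: "<ISO time> <actor> <action> <target> <outcome>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records; names, targets and actions are illustrative.
SAMPLE_LOG = """\
2004-01-12T09:00:01 alice login app1 FAIL
2004-01-12T09:00:05 alice login app1 FAIL
2004-01-12T09:00:09 alice login app1 FAIL
2004-01-12T09:00:12 alice login app1 FAIL
2004-01-12T09:00:30 bob login app1 OK
2004-01-12T09:01:00 root disable_audit app1 OK
2004-01-12T09:15:00 carol login app1 FAIL
2004-01-12T09:40:00 carol login app1 FAIL
"""

FAIL_THRESHOLD = 3            # failures inside WINDOW that raise an alert
WINDOW = timedelta(minutes=1)
SHARED_ACCOUNTS = {"root", "administrator", "sa"}   # not linked to a person
AUDIT_TAMPER_ACTIONS = {"disable_audit", "delete_audit_log", "modify_audit_log"}


def parse_line(line):
    ts, actor, action, target, outcome = line.split()
    return datetime.fromisoformat(ts), actor, action, target, outcome


def detect_alerts(log_text):
    """Return alerts as (time, actor, kind) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # actor -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, outcome = parse_line(line)
        # Disabling or altering the audit trail is alerted for everyone,
        # administrators included: the collection process must be tamper-proof.
        if action in AUDIT_TAMPER_ACTIONS:
            alerts.append((ts, actor, "audit_tamper"))
        # A shared system account cannot be traced to the person using it.
        if actor in SHARED_ACCOUNTS:
            alerts.append((ts, actor, "unattributed_admin_action"))
        if outcome == "FAIL":
            q = failures[actor]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # forget failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:      # fires when the count reaches the threshold
                alerts.append((ts, actor, "repeated_failed_access"))
    return alerts


if __name__ == "__main__":
    for ts, actor, kind in detect_alerts(SAMPLE_LOG):
        print(ts.isoformat(), actor, kind)
```

In the sample, carol's two failures are 25 minutes apart and so never reach the threshold, while alice's third failure within a minute does.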

10.9. Interoperability

Organizations need an identity and access management solution that securely facilitates the flow of business across traditional barriers, both externally and internally. The establishment of identities and their relationship to the business must be easily accomplished across the wide range of technologies from different vendors. Therefore, the identity and access management solution should use standard interfaces so as to avoid unnecessary duplication of information systems infrastructure and development, and reduce the cost of integrating subsystems from different vendors. Some of the principal relevant standards are:

• LDAP (Lightweight Directory Access Protocol [5]);
• SPML (Service Provisioning Mark-up Language [12]);
• SAML (Security Assertion Mark-up Language [2]);
• XACML (Extensible Access Control Mark-up Language [15]).

10.10. Scalability

The identity and access management solution must be scalable. It must support any number of identities and access rights, and it must protect any number of systems, files, databases or Web services. It must therefore be capable of supporting a distributed architecture providing common services, such as directory, reporting or auditing, that work on the Internet scale.

11. Solution technologies

There are a number of technologies in the marketplace that form part of the solution to the identity and access management challenge. These include:

• Password Synchronisation – intercept agents detect a password change made by the user on one platform and this change is automatically propagated to other applications and platforms. This provides the user with a single password.
• Directory and Meta Directory – LDAP directories like Active Directory from Microsoft provide a single repository for user information. Meta-directory technology extends a directory by providing connectors to incorporate user data from existing external sources. In addition to connectors, the technology needs to provide mechanisms for synchronising changes. Meta-directory provides a single interface upon which administration tools can be built, but not the tools themselves.
• Strong authentication technologies – these include smart cards, certificates and biometric devices. They provide a stronger authentication of the user's identity than a simple username and password.
• Single Sign-on and Extranet Access Control – there are a number of different systems that enable the user to access multiple applications with a single set of credentials. Here we consider those technologies that intercept access attempts to applications. If the user is already authenticated, access is controlled by pre-defined policies. If not, the user is then challenged to prove his or her identity.
• Provisioning and Workflow systems – these provide automation of the processes surrounding the granting of access rights, changes to access rights and termination.

The following table provides an evaluation of these systems showing how they match up to the requirements for authentication, access control, administration and practicality. It is, therefore, evident from this that no single technology provides a complete solution. What is required is a solution that integrates these technologies based on open standards, so that existing infrastructure need not be replaced. An example of such a solution is eTrust Identity and Access Management Suite from Computer Associates [18].


| | Password Sync | Directory/Meta-Directory | Strong Authentication Technologies | Single Sign-on, Extranet Access Control | Provisioning and Workflow |
|---|---|---|---|---|---|
| Single Password | Yes | Need application changes | Needs application changes | Yes | No |
| Strong Authentication | No | Not on its own | Yes | Should provide this as a choice as the primary authentication method | Should support provisioning of these credentials |
| Single user credentials to access multiple systems | User account names must be aligned | Need application changes | Needs application changes | Yes, without change to applications | No |
| Access Control | | | | | |
| Web Single Sign-on | No | Yes | Yes | Yes | No |
| Role based | No | Yes | No | Yes | No |
| Provisioning of user access rights | No | Only provides a single interface or repository | No | No | Yes |
| Approval process for access rights | No | No | No | No | Yes |
| Integration with HR systems | No | No | No | No | Yes |
| Self Admin | Yes | No | No | No | Yes |
| Delegated Admin | No | No | No | No | Yes |

12. Conclusions

Identity is a hot topic and is important in helping to manage risk and prevent crime. Organisations are under pressure to reduce operational risk and comply with regulations while saving costs and working smarter. Identity management is key to managing these, but only if linked to access management. Individuals having multiple identities and poor provisioning practice increase costs and operational risk. Management of physical access controls is often separated from the management of information systems access control. Many organisations are doing nothing to manage identity and access, and the cost of this inaction is high. User populations are not homogeneous, and there are three distinct populations with different requirements that need to be taken into account. Identity and access management should be part of a complete information security management system. BS7799 describes such a system, providing useful guidelines to manage operational risk, and covers identity and access management. Technology issues that need to be taken into account include the expected growth of web services and utility computing. An identity and access management solution should be complete, integrated and open. The functional requirements for it include role and rule based provisioning, and role based access control, without the need to change existing infrastructure. A complete identity and access management solution involves the integration of multiple technologies, and buyers should beware of the single technology vendor. A number of standards are now gaining acceptance, making it possible to create such an integrated solution.


14. References

[1] D.F. Ferraiolo and D.R. Kuhn, Role Based Access Control, 15th National Computer Security Conference (1992). See http://csrc.nist.gov/rbac/
[2] Organisation for Structured Information Standards, SAML 1.0 Specification Set (5th November 2002). See http://www.oasis-open.org/
[3] Steven Taub, Rerouted: Former Cisco accountants sent up the river (November 28th, 2001). See http://www.cfo.com
[4] Butler Group, Identity and Access Management, September 2003.
[5] Datamonitor, Single Sign On - Enterprise access made secure and easy, July 2001. See http://www.datamonitor.com
[6] BS7799 Information security management. See http://bsi-global.com
[7] ISO17799. See http://www.iso.ch
[8] British Standards Organization. See http://www.ccure.org/serv.htm
[9] EA-7/03 European Accreditation Organization. See http://www.european-accreditation.org
[10] CobiT. See http://www.isaca.org
[11] TechWeb, The Business Technology Network. See http://www.techweb.com/encyclopedia/
[12] Organisation for Structured Information Standards, SPML 1.1 Specification Set. See http://www.oasis-open.org/
[13] Ant Allan, Identity and Access Management in the Real-Time Enterprise, Gartner, 10-12 March 2003.
[14] RFC 2251, Lightweight Directory Access Protocol (v3), IETF.
[15] Organisation for Structured Information Standards, XACML Specification Set. See http://www.oasis-open.org/
[16] Tim Bentley and Don LeClair, Leveraging Directory Technologies for Enterprise UDDI, CA, January 2002. See http://www3.ca.com/Files/WhitePapers/WP_Leveraging_Directory_Tech_Enterprise_UDDI.pdf
[17] Open Security Exchange. See http://www.opensecurityexchange.com/
[18] Computer Associates, eTrust Identity and Access Management Suite, November 2003. See http://www3.ca.com/Solutions/ProductFamily.asp?ID=4839
