White Paper: Identity and Access Management (IAM). Gain Agility through IAM in Companies and Complex Supply Chains.
Contents at a Glance

1. Introduction
2. Scope and General Conditions
3. Tasks and Components of an Identity Management System
4. Administration and Identity Lifecycle
5. Authentication Procedures and Architectures
6. Data Storage and Enterprise Application Integration
7. Systems and Providers
Glossary: Basic Terms
List of Figures
1. Introduction

Flexible and efficient business processes set the standard for IT infrastructures in modern businesses. Today, users can access a company's resources and applications in a wide variety of ways. User identities and all their requisite attributes are the basis for authentication and authorization and hence the basis for efficient IT-supported processes. A major challenge is managing digital identities over their entire lifecycle, from creation, maintenance and use until they are deleted.

Project-specific teamwork, corporate mergers, the sale of shares in a company and other reorganization initiatives, as well as changing output and delivery relations, require flexibility and efficiency in the management of users and their access options. This is why an efficient system is required for authorizing users. Modern identity management systems also allow new business models to develop.

Supply chains in the automotive industry provide a classic example of the complexity of links in industry and administration. The value chain extends from research and development via production, marketing and sales through to service. As a result of cost pressure and globalization, the portion of the value chain handled by individual companies has shrunk sharply, while at the same time the division of labor has intensified. This is apparent not only in the automotive industry, but also in other branches. The result: research and development activities with different companies must be coordinated. In addition, close collaboration between suppliers and original equipment manufacturers (OEMs) must be ensured during product development and production planning. The value chain thus comprises many independently acting entrepreneurial units. It is only possible to achieve a competitive edge if individual systems are linked to one another and processes are coordinated. Authorization of users and the administration of the relevant digital identities, their roles and access rights are crucial in the design of these IT-supported processes.
2. Scope and General Conditions

The users of data, applications and other resources in a company can be subdivided into two groups (see Figure 1). Internal users (e.g. permanent employees, interns, freelancers) are closely connected with the company. They normally have access to multiple internal systems in the company and therefore have relatively detailed identity profiles. In addition to internal users there are external users (e.g. customers, suppliers, contract partners), and these make managing identities extremely difficult. In general, the number of external users by far exceeds the number of internal users. Normally external users only have access to a highly restricted number of systems, which they use on a temporary basis, i.e. in connection with specific assignments or projects.

Figure 1: Identity Management Problem (internal users: administrators, employees; external users: partners, customers; resources: directory, database, mainframes, operating systems, enterprise package applications, custom applications, non-digital assets)

The number of different groups involved in business processes or projects in a large company is constantly increasing. Process-related IT components are linked beyond the limits of individual ERP, CRM or other purchasing, logistics and management systems. Real-time access to sensitive IT resources, information and applications is now more essential than ever. Enterprise resource planning (ERP) for the support of manufacture and production necessitates a synchronization of the movement of materials and goods along the entire value chain. This requires the efficient exchange of information and resources between all involved (suppliers, manufacturers, customers, etc.). Customer relationship management (CRM) systems are used by a considerable number of employees in the marketing, sales, customer service and finance departments. Applications in the field of human resources (HR) enable employees to manage their own pension plans, and different roles and rights need to be assigned for this. With e-business systems, customers and partners need to be able to view specific information about products, order products and track the delivery status. In all cases, managing the different entities' access to the various applications is complex. A further problem is that software systems need to be linked to other applications in order to enable cross-company identity and access management.
Comprehensive and sophisticated models for the efficient management of user rights must form the basis for the implementation of project-related collaboration and, in particular, for ever-changing forms of economic organization (restructuring, acquisitions and mergers). In this context the following questions arise:

Who has received which access authorization, when, and for which data or application? And who has assigned the access rights?
How do we arrange the cross-organizational regulation of access rights in companies?
How do we proceed from the decision on the assignment of identities and rights (corporate and departmental responsibility) to their storage in the IT system?
What legal and other general conditions (compliance) must be met?
What options does an effective identity and access management (IAM) system offer for linking business processes efficiently with one another?
What types of problem can be anticipated with the introduction and use of these kinds of systems?

These questions increasingly concern business partners and customers alike, who need to be factored into the definition and distribution of the relevant access and role concepts. When outlining the driving factors for the implementation of an efficient identity management system, regulations (compliance), variety of users, flexibility and optimization of administration processes, as well as the protection of company data in particular, must be mentioned:

Regulations: Within the scope of risk management or due to legal regulations (keyword: compliance), the aspects of auditability and replicability (e.g. which user had access to which system) are becoming increasingly significant to companies. Regulations such as Basle II and the European Data Protection Directive require the seamless documentation of transactions in companies. The protection of the different types of data requires a strict process-driven access management system for IT applications. As a result, access activities must be documented and testable.

User diversity: Now more than ever, a company's IT systems are used by a wide range of different users. Access levels therefore vary from individual to group access requirements through to time-limited access.

Flexibility: The relationship of users to the company is constantly changing, and so, too, are access privileges. Employees are promoted, assigned to a new department or leave the company. New business relationships with partners are established or terminated, etc. In this dynamic environment identities need to be managed on a continuous basis. As the number of customers increases, due to mergers, acquisitions and restructurings, the scalability of access to IT resources becomes more important.

Protection of corporate data: As systems, conditions and data become increasingly linked, IT managers are finding it more and more difficult to ensure that access rights are properly maintained. The variety of ways in which systems can be accessed means that user identities, as well as the associated attributes and access data, must be managed efficiently. Comprehensive and sophisticated auditing is therefore required when efficiently managing user rights.
Identity and access management (IAM) enables users to work effectively towards achieving business goals. Although access control mechanisms are protective per se, the primary objective is to provide employees, customers and partners with easy and flexible access to IT resources. IAM enhances agility and productivity and is more than an IT project. Companies therefore need to be able to clearly recognize the right tools required to achieve these business goals quickly, securely and cost-effectively. According to consistent analysts' reports, IAM is one of the most important security issues, and one which extends far beyond the scope of IT design.
3. Tasks and Components of an Identity Management System

Identity and access management (IAM) covers two sub-areas: the management of digital identities (identity management) and access management. Identity management refers to the capability of managing digital identities (of persons or machines) in heterogeneous IT environments. Access management (synonyms: permission management, rights management) is the ability to manage (policy administration) and implement (policy enforcement) access control to IT systems by means of security policies. IAM systems are essential for providing a large number of users with access to a wide range of applications, if necessary in different roles and contexts and from different departments. Solutions include components for managing digital identities, including the roles and access rights of all users for applications and systems, as well as components for monitoring and logging the interaction of networked applications.

To achieve the business goals, various IT objectives must be fulfilled, and the IAM system must in turn realize further fundamental IT objectives. The IAM functions must therefore support the IT objectives in such a way that the business objectives can be achieved. Identity and access management (IAM) thus involves all levels in networks and systems, ranging from applications, information and data through to the processes in a company and beyond (see Figure 2).

Figure 2: Corporate Architecture (levels: processes; information and data; applications; systems; networks)

IAM products are a critical part of the overall IT infrastructure. IAM functions can be subdivided into the administrative level, real-time enforcement and directory services (see Figure 3). They are described in more detail below.

Figure 3: IAM Levels (administration; real-time enforcement; directories)
Administrative level
Access control mechanisms for the respective resources are managed at this level. The management (policy administration) and implementation (policy enforcement) of security guidelines established corporate-wide are guaranteed. Rights are assigned to or withdrawn from users within the framework of the security guideline on the basis of the underlying information about the different entities. An identity lifecycle management system must guarantee that the creation, activation and deletion of digital identities take place without delay. The provision of user self-service functions can lead to big savings on administration costs. The user, for example, is offered the option to reset or redefine a forgotten password using alternative mechanisms (shared secrets or biometric traits).

Real-time enforcement
Real-time enforcement guarantees that entities get access to the resources intended for them, and so the set of rules for access authorization established at the administrative level is enforced. Access is checked (authorization) on the basis of the secure login (authentication) before the resource is made available for use. Following a one-off authentication procedure, an authorized user can access other computers and services using single sign-on (SSO) mechanisms. The SSO mechanism thus performs the task of securely identifying (authenticating) the user with respect to all systems. Generally, applications verify the authorizations themselves.

Directory level
The identity directories form a basic component of the IT infrastructure. They contain all information about the entities and the associated identities. In general, a company has numerous separate directories and databases for user accounts. The reason for the large number of directories is that the various applications and platforms each use a separate directory service or a special database for user administration. Very often central directories based on LDAP are used to manage the identities at a single point. The outlay for the administration of directories and databases can be reduced by automating the replication or synchronization of the identities and associated data. Synchronization of this kind can be done in a meta directory or a virtual directory, for example, where the data from different directories and databases are centralized in abstract form, providing a better overview.

Logging, monitoring and safeguarding of evidence are fixed components of IAM. The functions of an IAM system also include the recording of security-related events (logging or auditing) as well as the monitoring and analysis of these events. This makes it possible to identify weak points and to guarantee essential requirements for accounting, which are also important for audits and auditors. Users' security-critical actions that need to be logged include failed login attempts, for instance. Furthermore, it may be necessary to log access activities. This, of course, applies particularly to administrative activities in identity management itself.
The log data of different resources have to be collected and processed so that a specific analysis can be carried out. This type of documentation is fundamental to compliance with current regulatory requirements. Furthermore, it is desirable that these functions support security information and event management (SIEM). Unfortunately, IAM and SIEM are too seldom connected with one another.

The directory level is also shown in the diagram in Figure 4. In contrast to Figure 3, this shows the functions that are connected to IAM.

Figure 4: IAM Functionalities
Services: authentication services (SSO, SLOff, token, PKI, biometry); authorization services (access control, policy definition / enforcement); federation services (identity administration, authentication, SSO)
Infrastructure: identity administration (delegated and central management of user IDs); credential management (password management, token handling); user provisioning (management of users, groups, roles, attributes); accounting (logging, auditing)
Directory: directories / databases (storage of identities, roles, attributes); virtual directory / meta directory (unified access, synchronization, replication)

The central level contains the generation and assignment of identities, authentication traits (credentials) as well as groups, roles and other attributes. These tasks are not merely administrative in nature; rather, they establish the basis for access to the IT resources (real-time enforcement). Services are required for this which identify users securely (authentication), verify access rights and provide access to IT resources (authorization). In order to be able to take advantage of the wide range of IT resources, users should only have to log on once at most (authentication in terms of single sign-on). A further objective is to expand the applicability of identities so that they are accepted outside the limits of domains or companies in particular. Different solutions are available for this so-called federation; they are dealt with below.
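The logging and monitoring requirements described above (failed login attempts, access activities, administrative actions in identity management, and warnings derived from the collected log data) as an added example that is not part of the white paper: a small Python analysis over constructed audit lines of the kind an IAM system would hand to a SIEM. The log layout, user names and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real product). The layout
# "<timestamp> <actor> <action> <target> <result>" is an assumption for
# this example; real IAM products each have their own log format.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice LOGIN hr-portal FAIL
2024-03-01T08:00:09Z alice LOGIN hr-portal FAIL
2024-03-01T08:00:15Z alice LOGIN hr-portal FAIL
2024-03-01T08:00:21Z alice LOGIN hr-portal FAIL
2024-03-01T08:00:30Z alice LOGIN hr-portal FAIL
2024-03-01T08:05:00Z bob LOGIN crm SUCCESS
2024-03-01T08:06:00Z bob ACCESS crm/customers SUCCESS
2024-03-01T09:00:00Z admin1 REVOKE carol SUCCESS
2024-03-01T09:10:00Z carol LOGIN erp SUCCESS
2024-03-01T10:00:00Z admin1 GRANT_ROLE dave:payroll-admin SUCCESS
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log lines into event dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, actor, action, target, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "target": target, "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Actors with at least `threshold` failed logins inside any period of length `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            fails[e["actor"]].append(e["ts"])
    alerts = []
    for actor, times in fails.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(actor)
                break
    return alerts


def logins_after_revocation(events):
    """Successful logins by an identity after an administrator revoked it.

    A hit means a revocation decided at the administrative level was not
    enforced in real time on that target system."""
    revoked_at = {}
    hits = []
    for e in events:
        if e["action"] == "REVOKE" and e["result"] == "SUCCESS":
            revoked_at[e["target"]] = e["ts"]
        elif e["action"] == "LOGIN" and e["result"] == "SUCCESS":
            if e["actor"] in revoked_at and e["ts"] > revoked_at[e["actor"]]:
                hits.append((e["actor"], e["target"]))
    return hits


def admin_actions(events):
    """Administrative identity-management actions, which must always be logged."""
    return [(e["actor"], e["action"], e["target"])
            for e in events if e["action"] in ("REVOKE", "GRANT_ROLE")]
```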
4. Administration and Identity Lifecycle

System security may be compromised as a direct result of errors in identity management, which therefore constitute a high risk. Accounts that can be assigned to persons who have not been reliably identified are particularly risky. Identity lifecycle management comprises the processes and technologies for creating, temporarily revoking, modifying and deleting digital identities. The efficient management of the identity lifecycle is an essential component of identity management. Figure 5 illustrates the lifecycle of digital identities. Collaboration between decision-makers and IT administrators must be precisely defined in the process if the former cannot assign identities, roles and rights themselves. Furthermore, it needs to be established whether, and how, the authorization of users and the exercise of assigned authorizations can be transferred (delegation).

Figure 5: Identity Lifecycle (creation; modification; revocation; reactivation; deletion / deprovisioning)

Creation
The digital identity is defined at the beginning of the lifecycle; the user is identified and registered for this purpose. The type of identification and registration is determined by the purpose and the degree of connection that should be associated with the digital identity. In many companies the assignment of rights and roles is a complex process that can involve quite a number of verification functions. Consequently, it is crucial to define, model and communicate these processes within the company. The handling of specific queries regarding rights, roles, access, etc. must be uniquely defined. The performance of specific tasks requires a set of rights. Roles are predefined authorization profiles which are assigned to users in a second step, and role-based access control mechanisms have a range of advantages. They enable flexibility and significantly accelerate the creation of an account, for new members of staff for instance. The use of roles ultimately leads to cost savings, a gain in time, better compliance with policies and regulations, as well as transparency (accountability). Roles must be clearly defined as well as documented, requiring an approach that is strongly process- or organization-oriented, something which is not adequately developed in some companies. The complexity of IT and applications also makes it very difficult to define roles.
Subsequently, the digital identity is created in the system (e.g. it is incorporated into the user directory, and the account is created in the application). However, the digital identity remains inactive until it is actually assigned to the user (provisioning), so the user cannot use the resources yet. For the time being he is given his user ID (user name), and his credentials are defined. Passwords, personal authentication media (tokens such as chip cards, for instance) or biometrics can be used for authentication purposes. Users are then granted access to the IT systems on the basis of attributes included in their digital identity. The various users will not be able to use the different systems in the company's heterogeneous IT environment until these rights have finally been assigned by an identity management system.

Modification
During the lifecycle of the digital identity, the attributes will generally need to be changed. The circumstances under which these changes are required must be defined (when relocating or moving to a new department, for instance). Very often, authorizations within the systems need to be changed when an employee is promoted or when the customer status changes, for example.

Revocation
In the event of loss of the identity and the suspicion that it is being misused, a procedure is required to block access (revocation). Leave of absence or a temporary transfer can also necessitate this kind of block. All actions and procedures must be logged and preferably stored centrally. Using the log data, the system can automatically generate warning messages, for instance. This makes it possible to ascertain more rapidly whether the system is being misused or attacked in any way. In certain cases it also makes sense to reactivate the digital identity (after credentials have been changed or exchanged, or after the user has returned to his original job).

Deletion / Deprovisioning
The digital identity must be deleted when the business relationship between the provider and the user terminates (if the contract is terminated, or if the user leaves the company). Rights are withdrawn from the user (deletion / deprovisioning).

Identity lifecycle management is inextricably linked with corporate processes. The creation, temporary revocation, modification and deletion of digital identities are closely associated with the processes in the company's human resources department. But not all decisions are made there. External users are generally not supported by the human resources department, and many user attributes, particularly specific rights for internal users, are defined with respect to the organization, process or project. Ultimately, these two levels must also be dovetailed with IT administration. IAM design is the responsibility of the IT service provider, who follows the above guidelines, while internal departments must be involved in corporate security and auditing.
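The lifecycle of Figure 5 (creation, provisioning, modification, revocation, reactivation, deletion) with role-based rights and a central audit trail, as an added example that is not part of the white paper or any product: a Python state machine in which only an active identity has effective permissions, every transition and access check is logged, and a deleted identity can never be reactivated. The role catalogue, permission names and actor names are assumptions made for this example.

```python
from datetime import datetime, timezone
from enum import Enum


class State(Enum):
    CREATED = "created"    # exists in the directory, not yet provisioned
    ACTIVE = "active"      # provisioned; credentials and rights usable
    REVOKED = "revoked"    # temporarily blocked (loss, misuse, leave of absence)
    DELETED = "deleted"    # deprovisioned; rights withdrawn


# Allowed transitions, mirroring the lifecycle in Figure 5
TRANSITIONS = {
    State.CREATED: {State.ACTIVE, State.DELETED},
    State.ACTIVE: {State.REVOKED, State.DELETED},
    State.REVOKED: {State.ACTIVE, State.DELETED},   # reactivation or deletion
    State.DELETED: set(),
}

# Constructed role catalogue (an assumption for this example): role -> permissions
ROLES = {
    "employee": {"intranet:read", "hr-self-service:use"},
    "sales": {"crm:read", "crm:write"},
    "payroll-admin": {"hr:read", "hr:write"},
}


class DigitalIdentity:
    def __init__(self, user_id, audit):
        self.user_id = user_id
        self.state = State.CREATED
        self.roles = set()
        self.audit = audit          # shared, append-only list of audit records
        self._log("create", "identity created, not yet provisioned")

    def _log(self, action, detail, actor="system"):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append((ts, actor, self.user_id, action, detail))

    def _transition(self, new_state, actor, action):
        if new_state not in TRANSITIONS[self.state]:
            self._log(action, f"rejected: {self.state.value} -> {new_state.value}", actor)
            raise ValueError(f"{self.user_id}: illegal transition "
                             f"{self.state.value} -> {new_state.value}")
        self._log(action, f"{self.state.value} -> {new_state.value}", actor)
        self.state = new_state

    @staticmethod
    def _check_roles(roles):
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")

    def provision(self, actor, roles):
        """Second step of creation: assign the identity and its roles to the user."""
        self._check_roles(roles)
        self.roles = set(roles)
        self._transition(State.ACTIVE, actor, "provision")

    def modify_roles(self, actor, add=(), remove=()):
        """Modification, e.g. on promotion or transfer to another department."""
        if self.state is State.DELETED:
            raise ValueError("cannot modify a deleted identity")
        self._check_roles(add)
        self.roles = (self.roles | set(add)) - set(remove)
        self._log("modify", f"roles now {sorted(self.roles)}", actor)

    def revoke(self, actor, reason):
        self._transition(State.REVOKED, actor, f"revoke ({reason})")

    def reactivate(self, actor):
        self._transition(State.ACTIVE, actor, "reactivate")

    def deprovision(self, actor):
        """Deletion: withdraw all rights; the identity can never be reactivated."""
        self.roles = set()
        self._transition(State.DELETED, actor, "deprovision")

    def allowed_next_states(self):
        return TRANSITIONS[self.state]

    def permissions(self):
        """Effective rights: only an ACTIVE identity has any, derived from its roles."""
        if self.state is not State.ACTIVE:
            return set()
        return set().union(*(ROLES[r] for r in self.roles))

    def may(self, permission):
        """Real-time enforcement check; every decision is written to the audit trail."""
        granted = permission in self.permissions()
        self._log("access-check", f"{permission}: {'granted' if granted else 'denied'}",
                  actor=self.user_id)
        return granted
```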
If hardware tokens such as chip cards, for instance, are used as authentication media, applications can be developed that go beyond the scope of mere access to IT resources. It is possible to integrate applications such as those for recording attendance or payroll. In addition, chip cards can also function as company ID cards. They are then used to control entrance (electronically) to buildings and offices. Accordingly, the token management system must be linked with the IT systems and processes of the facility management system and security services as a branch of IAM. Only a few service providers are in a position to integrate this physical world in the identity and access management (IAM) system and to provide complete solutions.
5. Authentication Procedures and Architectures

The user is identified and registered when the digital identity is created. Furthermore, one or more credentials are defined with which the user can authenticate himself to one or more systems (i.e. verify his claimed identity). These credentials can have different characteristics. In general, identity can be proved by possession, knowledge and/or biometric traits (see Figure 6).

Figure 6: Methods of Authentication (Knowledge, Possession, Biometrics)
Knowledge: The user knows something. He has been examined (registered) and given a password, which he is to use as proof of his identity.
Possession: The user possesses something. He has been examined (registered) and has received an object, which he is to use as proof of his identity.
Biometrics: The user is a unique individual. He has been examined (registered); during the process a personal trait was appraised and stored in the system. The user is to present this trait again as proof of his identity.

Each one of these authentication mechanisms has specific advantages and disadvantages, and there are many options for implementing them. Security can be enhanced by combining several credentials (multi-factor authentication). The use of simple passwords is no longer sufficient to fulfill current security and compliance requirements; the alternatives are often referred to as stronger, or strong, authentication. Apart from costs and the required security level, the question of the level at which an authentication service is required (application, network, physical level) is fundamental to the selection of an authentication procedure. This in turn depends on the resources to be protected. A vast range of architectures and procedures are available for authentication in distributed systems.

Because IT infrastructures in companies are generally very heterogeneous, with many legacy systems in which individual authentication methods are permanently implemented in the software, there is an increase in the use of Enterprise Single Sign-On (ESSO). ESSO allows people to log on centrally to all company applications. This saves the user the laborious task of managing passwords, leading in particular to an increase in employee productivity. Technically, the ESSO client can be seen as a negotiator between the user and the systems in the company. Mostly, a special hardware token, in the form of a stick or a chip card for instance, is used. The user authenticates himself to this device, which then logs on to the target systems with the relevant credentials.
If business processes extend beyond company limits, the nature of the security requirements changes. The implementation of identity management between different organizational units and business partners is referred to as federated identity management. This concept is based on business and technical agreements as well as arrangements between companies. Federation can be implemented as a simple forwarding through the home domain, in the form of a backlink to the home domain, by grouping services with a central identity provider, by grouping identities with central or local authentication, or by establishing a relationship of trust between security token services (STS). The growing significance of federated identity management in the IT security environment should not be underestimated by companies in the future.

With the implementation of cross-border solutions, different web applications need to communicate with one another very frequently, so the exchange of security tokens is of central importance. A security token contains information that is fundamental to security-critical actions (logging on to a web service, for instance); the security token is thus used for verification with respect to the various web applications. The aim of a web services security model is to ensure interoperability between existing authentication or security infrastructures (trust domains) by defining protocols for generic security tokens (public key certificate, password, one-time password, Kerberos ticket). The protocols allow trust models to be defined without reference to a specific enforcement in a security infrastructure. An example of a special token type which is becoming increasingly important is the so-called SAML token (Security Assertion Markup Language). SAML is an XML-based standard for the exchange of authentication and authorization data between identity providers and service providers.
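What a service provider in a federation has to check before it accepts a SAML token from a partner's identity provider, as an added example that is not part of the white paper: a Python validator for the issuer, validity window and audience of a SAML 2.0 assertion, with a constructed sample assertion (the issuer, audience, subject and attribute values are invented). Verifying the XML signature against the identity provider's certificate, which a real service provider must do before trusting any field, is outside this example's scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer, audience and subject are invented
# example values, not real identity or service providers.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1b2c3" Version="2.0"
    IssueInstant="2024-03-01T10:00:00Z">
  <saml:Issuer>https://idp.oem.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe@oem.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T09:59:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.supplier.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-03-01T09:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>supplier-engineer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The service provider's trust configuration (assumed values)
TRUSTED_ISSUERS = {"https://idp.oem.example/saml"}
OUR_ENTITY_ID = "https://portal.supplier.example/sp"


def parse_saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                       audience=OUR_ENTITY_ID, skew=timedelta(seconds=30)):
    """Check issuer trust, validity window and audience of a SAML 2.0 assertion.

    Returns a dict with "ok", "reason", "subject" and "attributes". Signature
    verification is deliberately out of scope here; a real SP verifies the
    XML signature against the IdP's certificate before trusting any field."""
    def fail(reason):
        return {"ok": False, "reason": reason, "subject": None, "attributes": {}}

    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return fail("not a SAML assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return fail(f"untrusted issuer {issuer}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return fail("missing Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return fail("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return fail("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return fail("audience mismatch")    # token was issued for a different SP
    if root.find("saml:AuthnStatement", NS) is None:
        return fail("no authentication statement")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return fail("missing subject")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"ok": True, "reason": "ok", "subject": subject, "attributes": attributes}
```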
6. Data Storage and Enterprise Application Integration

A company generally maintains different directories/databases for various services such as user management, personnel data maintenance or customer care. These structures, which have expanded over time, are a thorny problem for big companies. Today, applications not only use the resources in their own corporate network, but also the Internet or resources from project partners, for instance. These interconnections, which have been growing over the last number of years, have led to a situation where most networks now have various specialized directories, often containing redundant information, which are often very difficult to share. Directory services are one solution to these complex structures in a company. They make it possible for identities to be combined and managed at a single point using central directories.

LDAP (Lightweight Directory Access Protocol) is an application protocol which allows you to retrieve and modify data relating to individual people or an organization, for instance. Using LDAP, object-related data can be read out of a directory. The directory service specializes more in finding and reading out data than in writing new data. Each LDAP directory uses a specific data structure, which is defined by a preset schema. This LDAP schema describes the object classes with their associated attributes, such as the class "person" or the class "organization", for instance. LDAP has developed into an industry standard for authentication and for user directories, which means that compatibility between implementations from different manufacturers is guaranteed. LDAP features, in particular, fast connection setup and cleardown, a simply structured protocol and a powerful retrieval language, which enables efficient processing. This is an example of how different applications can be linked and formed into groups.
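The two LDAP concepts named above, a schema of object classes with required and optional attributes and a retrieval language for finding entries, as an added example that is not part of the white paper: a Python in-memory directory that parses constructed LDIF entries, checks them against a small subset of the standard schema (person, organizationalPerson, inetOrgPerson) and evaluates RFC 4515-style search filters. The entries and the schema subset are assumptions; a real directory server enforces its full schema itself.

```python
# Minimal schema (a constructed subset of the standard classes): class -> (superior, MUST, MAY)
SCHEMA = {
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"cn", "sn"}, {"userpassword", "telephonenumber"}),
    "organizationalperson": ("person", set(), {"ou", "title"}),
    "inetorgperson": ("organizationalperson", set(), {"uid", "mail", "employeetype"}),
}

# Constructed LDIF sample; the last entry violates the schema on purpose.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: jdoe
mail: jdoe@example.test
employeeType: employee

dn: uid=asmith,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
cn: Ann Smith
sn: Smith
uid: asmith
employeeType: contractor

dn: uid=broken,ou=people,dc=example,dc=test
objectClass: person
cn: Broken Entry
uid: broken
"""


def parse_ldif(text):
    """Parse simple LDIF (no base64, no line folding) into {dn: {attr: [values]}}; attribute names are lower-cased."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[current.pop("dn")[0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def schema_violations(entry):
    """Missing MUST attributes and attributes not permitted by the entry's object classes."""
    must, may = set(), set()
    for oc in entry.get("objectclass", []):
        cls = oc.lower()
        while cls is not None:            # walk the superior chain up to "top"
            if cls not in SCHEMA:
                return [f"unknown object class {oc}"]
            superior, m, o = SCHEMA[cls]
            must, may, cls = must | m, may | o, superior
    present = set(entry)
    return ([f"missing required attribute {a}" for a in sorted(must - present)] +
            [f"attribute {a} not allowed by object classes" for a in sorted(present - must - may)])


def _parse_filter(s, i=0):
    """Recursive-descent parser for a subset of RFC 4515 filters (&, |, !, equality, presence; no escapes)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                      # presence filter
        return bool(values)
    return value.lower() in values        # case-insensitive equality


def search(entries, base_dn, filter_str):
    """DNs under base_dn whose entries match the filter (sorted for stable output)."""
    node, _ = _parse_filter(filter_str)
    base = base_dn.lower()
    return sorted(dn for dn, entry in entries.items()
                  if dn.lower().endswith(base) and _matches(node, entry))
```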
7. Systems and Providers

The huge number of challenges presented by identity management has given rise to a wide range of products over the last few years. Since an increasing number of companies will become reliant on identity management solutions in the near future, the number of providers on this market has grown. These include traditional IT manufacturers and security providers as well as management consultants and system integrators. There is currently a huge range of solutions on the market. Most companies, however, only cover a few areas with their products, such as compliance, provisioning, access or IT management. Companies are attempting to supplement their own product suites with external solutions by intensifying their business development. Identity management is considered to be a strategic issue by manufacturers. The most well-known manufacturers of IAM products include:

Databases: IBM, Microsoft, Oracle
Directory services: Critical Path, Microsoft, Novell, Siemens, Sun Microsystems
Security products: ActivIdentity, Aladdin, Beta Systems, Bull/Evidian, Citrix, EMC/RSA, Entrust, Secure Computing, VASCO
IAM suites: BMC Software, Bull/Evidian, Computer Associates, HP, IBM (Tivoli), Microsoft, Novell, Oracle, EMC/RSA, Sun Microsystems

IAM is deeply involved in the processes of a company and makes a significant contribution to their design. When selecting a solution, not only do the products need to be evaluated, but the providers' strategies as well. Products differ from one another in respect of the cost of purchase and operation as well as their integration ability and scalability. Although systems can generally be connected via a series of standardized protocols, many suites reach their limits when connecting individually developed solutions. This often results in expensive enhancements using individual interfaces. Since the products, circumstances within the company and IAM requirements are continuously changing, it is also important to establish that future developments will be along the same lines.

Identity and access management (IAM) is far from being an isolated IT project. The functions of IAM systems must support IT objectives efficiently in order to ultimately achieve the intended business goals. IAM must be planned, designed, implemented, integrated and operated, but also lived, because identity management is deeply involved in the processes of a company and makes a significant contribution to their design. Due to the complexity of the field, support from external consultants and system integrators, both technical and in the plan-build-run phase, is often required to overarch networks, systems, applications and business processes. They have the project experience as well as the distinct advantage of being independent from the manufacturer.

T-Systems has in-depth knowledge of identity management, developed during the performance of a vast number of projects. Identity management procedures have been appraised and tested, and their practical implementation monitored from the point of view of IT security, within surveys, risk and needs analyses, IT security concepts and implementation projects. T-Systems develops and operates solutions for identity management as well as authentication services for systems and applications. Identity management has been integrated and standardized company-wide for the Deutsche Telekom Group and many other renowned customers. T-Systems designs, develops and operates federation, central authentication and single sign-on solutions.