This research note is restricted to the personal use of

Transcription

1 Burton IT1 Research G Identity Management Published: 9 July 2012 Analyst(s): Ian Glazer, Bob Blakley Identity management (IdM) has become a distinct aggregation of functions for the maintenance and use of digital names, credentials, and attributes for people, devices, and applications. Change and consolidation in the industry heighten the need for a logical architecture for developing and evaluating IdM solutions. This document is the root template for the Reference Architecture. It incorporates a revised template graphic to illustrate the interaction of users; objects or resources they seek to use; access gateways, authentication, and policy enforcement services; federated domains; identity administration, policy administration, and provisioning; and identity data services. *The secondary authors listed above have been included for attribution purposes only. They were the original authors of this content, but were not involved in the latest update. As they are no longer employed at Gartner, please contact the lead author if you have questions. Table of Contents Template Applicability...2 Template Map... 2 Template Diagram... 3 Template Description...4 Access Policy Enforcement... 5 User Management Templates...6 Identity Data Services Templates...6 Common Concepts and Terms... 7 Subjects... 7 Access Gateways...7 Federation... 7 Objects...8

2 Management and Audit... 8 Recommended Reading...9 Notes List of Figures Figure 1. Template Map...2 Figure 2. Template Symbols... 3 Figure 3. Identity Management... 4 Template Applicability What are the components and interfaces of an architecture for identity management? Template Map As illustrated in Figure 1, the "Identity Management" references other templates containing further details. Figure 1. Template Map Identity Management You are here. Identity Data Services Identity Policy Admin Provisioning Web Access Mgmt Identity and Access Governance Integrated Layered Directory Environment Virtual Directory Metadirectory Directory Externals Directory Internals Access Request Access Certification Data Gathering and Fulfillment Services Source: Gartner (June 2012) Page 2 of 11 Gartner, Inc. G

3 Template Diagram Figure 2 illustrates the symbols used in the template diagram. A colored square-cornered box with solid borders represents a component; components implement functionality and may contain subcomponents (which may be described in subsidiary templates). A gray box with rounded corners and a dotted border represents an interface; interfaces provide programmatic access to some or all of a component's functionality. A white box with square corners and a solid border sticking out of the surface of an interface represents a discrete unit of functionality within an interface. A gray box with arrowheads at two ends and a dotted border represents a protocol. Protocols provide remote access (over a communications link) to some or all of the functionality of a component. Figure 2. Template Symbols A colored square box with solid borders is a component. A gray round-cornered box with dotted borders is an interface. A white box on the surface of an interface is a function. A gray arrow with dotted borders is a protocol. Source: Gartner (June 2012) Figure 3 is the template diagram for identity management. Gartner, Inc. G Page 3 of 11

4 Figure 3. Identity Management Federation Authentication and reduced sign-on Access gateway Access policy enforcement Access policy mgmt. Provisioning Provisioning policy mgmt. Identity admin. and audit interface Identity audit Authentication and authorization Personalization and visualization Query and update Identity data services interface Trust mgmt. Delegated user admin. Self-service Source: Gartner (June 2012) Template Description Identity management (IdM) services enable management of subject identities and control the access of domain subjects 1 (e.g., users or services) or subjects in federated domains 1 to objects 1 (or resources) such as applications and databases. IdM services grant or deny access in keeping with policies defined by the organization that owns and controls the requested resources. These services allow access based on identity attributes including a user's identity, permissions, and role 1 information. Access management, provisioning, 1 and other IdM security components rely on identity data services (e.g., directory services) to provide information about users and their permissions. For example, an authorization system may implement the policy 1 that a user with the role or attribute "bronze dealer" can access the "bronze dealer price" field in a database. Although the authorization system knows the rules, it cannot function without the identity data that identifies who the bronze dealers are. Whereas authorization and other policy enforcement systems control user access to resources by actively allowing or prohibiting runtime access attempts, provisioning services control policy indirectly by propagating account information and access rights to diverse applications and security domains, which then use this information to locally enforce policies such as authorization. (For definitions of terms such as "subject," "object," "role," "provisioning," and "policy," see "Concepts Page 4 of 11 Gartner, Inc. G

5 and Definitions." The interaction of these components is discussed in the templates referred to throughout this root template.) The templates described in this root template break IdM down into access policy enforcement, user management, and identity data services. Each subsection contains a link to the corresponding Reference Architecture template and the template's problem statement. Access Policy Enforcement Access policy enforcement infrastructure provides authentication 1 of subjects and may provide authorization 1 and reduced sign-on through components such as the following: Firewalls perform access control on the network traffic between systems. Note that the term "firewall," as used here, refers to any device (whether it is an enterprise firewall, a router or switch, or a security appliance) that acts as an identity-enabled policy enforcement point (PEP) 1 while performing network access control. For example, firewalls may authenticate users and allow or deny access to the system on a particular port. Proxies positioned at network access points intercept communications of a certain type (e.g., Hypertext Transfer Protocol [HTTP]) between the subject and the resource, authenticate the user, and allow or deny access to the resource based on rules or policies. Agents behave like proxy components, except they are co-located on a system with the target resource. Authorization services function as policy decision points (PDPs) 1 that make authorization decisions on behalf of PEPs. Firewalls, proxies, and agents may function as PEPs that contact PDPs such as authorization services or identity data services, or PEPs may be co-located with their own PDP functionality. Before they can access resources, users coming from outside the enterprise network may pass through an access gateway (e.g., a portal) and multiple PEPs such as firewalls, proxies, and agents. To understand how an overarching authorization architecture can be abstracted from the physical environment, see "Decision Point for Selecting Authorization Mechanisms" and "Decision Point for Authentication." In addition, the back-end resources such as operating systems and applications usually have native authentication and authorization capabilities of their own. Resource-specific authentication interfaces come into play when a user logs into a resource directly rather than through a centralized access gateway or policy enforcement component. Resource-specific authorization logic is applied in addition to any centralized policy enforcement. Access policy enforcement systems usually support reduced sign-on. In such scenarios, the centralized access services either proxy the access for the user, or generate a Kerberos ticket, session cookie, or other session information that the resource can natively recognize. Gartner, Inc. G Page 5 of 11

6 For authorization purposes, centralized policy enforcement services are often applied at the front end while leaving fine-grained or custom authorization to the local resource or resource manager. In such cases, it is important that the centralized policy service's view of identity and the resource view of identity are well correlated. One way to provide such correlation is through a bridged session associated with a common user identifier. Another way to achieve identity correlation is through provisioning of accounts with consistent privileges across diverse resources. Yet another approach is to use HTTP variables to pass the user identifier name and pertinent attributes. Web access management (WAM) services are a common solution set consisting of PEPs (e.g., agents or proxies) and PDPs (e.g., authorization services) that provide centralized access policy enforcement. "Web Access Management Services" What are the components of WAM services that enable external and internal users of Web portal systems to be authenticated and/or authorized to access enterprise resources? User Management Templates To learn more about the structure of various portions of IdM architectures, click on the links for any of the following Reference Architecture templates: "Identity Administration" What are the components an organization uses to administer internal and external user identities and related policies? "Provisioning Services" What are the components an organization can use to leverage its knowledge of user identities and roles and automatically provision accounts and access rights across its resource managers and applications? Identity Data Services Templates Identity data services store and provide identity information such as names, credentials, roles, and other attributes to users, applications, user management, policy enforcement, and other services. Although directory services and other repositories are important components, additional identity data services such as synchronization, replication, and identity proxy capabilities are necessary to ensure adequate availability, accessibility, and performance. Federation and virtualization are also important for increasing the utility of identity information for diverse applications and domains. To learn more about identity data services, see the following template: "Identity Data Services" What are the components and interfaces of identity data services through which an organization can store and provide identity information to users, applications, and other services throughout the enterprise? Page 6 of 11 Gartner, Inc. G

7 Common Concepts and Terms The IdM templates all conform to a common understanding of the following basic concepts and terms that are central to Gartner's IdM Reference Architecture. Subjects Alternately known as "principals" or "users," subjects are people, application entities, and named devices whose identities are managed in an IdM environment. Subjects may access resources using Web interfaces, client/server interfaces, or other protocols. Subjects may access enterprise networks either internally, from local-area network (LAN)-based desktops, or externally, from outside the firewall. Applications and Web services modules may access other applications or Web services interface points to fulfill user requests. Virtual private network (VPN) technology is often used to create secure tunnels from employee portable devices or remote locations. Access Gateways Access gateways such as portals, terminal services, and other solutions provide a centralized or consistent presentation experience for users. Portals are an application development paradigm in which content and applications are aggregated into a single browser view. Most portals require no client software or dependencies beyond a Web or Wireless Application Protocol browser. Portals can also broker Web services requests using Web Services for Remote Portlets (WSRP). Some access gateways personalize the aggregation and presentation of these views based on user identities, preferences, and roles. Access gateways can mitigate differences among user client devices, applications, and locations by separating application presentation from application backend processing and data-storage tiers. Separate access gateways can be implemented for internal and external users, respectively, or both categories of users can access the same infrastructure, with separate permissions enforced through integrated IdM services. Increasingly, users are utilizing IdM functions through access gateways such as portals. Typically, access gateways provide some authentication and authorization features, but these are not as comprehensive, robust, or well integrated as the security services from WAM systems. However, WAM systems are often fairly well integrated with portals, and many access gateways can integrate with dedicated access management systems. Federation Organizations are increasingly implementing identity federation to support access across multiple identity domains. In federated environments, domains exchange just-in-time assertions of identity attributes or events, such as whether a given user has logged into a given site and has a particular set of permissions. Identity federation may be established across internal business units, affiliated enterprises, or public identity networks. Gartner, Inc. G Page 7 of 11

8 Objects Objects (or resources) include applications, platforms, databases, resource managers, operating systems, LANs, printers, scanners, and devices. The resources in a typical enterprise are highly fragmented, which increases the cost and difficulty of managing them. Burgeoning connectivity exacerbates an environment in which resources contain their own embedded security functions, provided in some cases by the applications themselves and in other cases by resource managers, such as the operating system. These security functions include account repositories, access control lists (ACLs), policies, auditing, and enforcement logic. In some cases, embedded security functions are necessary to address security needs that are unique to an application or system. But in other cases, the embedded security functions duplicate general-purpose security functionality and could be replaced with general-purpose security. In addition, if exposed to the external environment or serious internal threats, many security systems embedded within resources are weak and will fail. The IdM infrastructure therefore exists to provide general-purpose facilities to increase the security and manageability of resources in accordance with enterprise policies. Identity Sources and Information IdM services support creation and maintenance of identity information, including groups, roles, attributes, credentials, and entitlements. Identities are stored in IdM repositories, such as directories. Where possible, integrated directory environments aggregate composite user information from multiple sources. However, primary identity sources include human resources (HR), customer, and supplier databases. Applications and other resource managers also hold accounts, credentials, and other information for users. Thus, some of the "objects "shown in the template diagram may be used as identity sources. It is critical, however, that each source of data hold clean or correct information. Management and Audit All IdM infrastructure components require management and auditing. Consoles, servers, databases, and agent components are dedicated to fault management, performance management, configuration management, accounting management, and security management. Auditing functions include event prioritization and secure event collection, correlation, and reporting. Once only an afterthought, auditing services are receiving increased attention as customers deploy complianceoriented IdM architecture. Although all IdM products should include basic logging and reporting for auditing purposes, IdM vendors are now developing specialized auditing products. It must also be possible to correlate audit information, fault data, and other security information across the infrastructure and the objects in the resource layer. 1 "Identity and Access Governance" What are the components of a complete IAG program and technical architecture and how do these relate to the rest of the identity management infrastructure? Page 8 of 11 Gartner, Inc. G

9 Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Concepts and Definitions" "Decision Point for Selecting Authorization Mechanisms" "Decision Point for Authentication" "Web Access Management Services" "Provisioning Services" "Identity Data Services" Revision History June 2012 Revised to include updated figures and template map. Updated links and text. Added Recommended Reading section. February 2010 Updated graphics to new standard. Removed items which are context for the identity management (IdM) architecture but not actually part of it (e.g., subjects and objects). November 2005 The "identity data services" functional aggregation subsumes "directory services" and "identity mapping and referral" services. "Access gateway" replaces "portals" to allow for more generalized coverage of presentation issues. "Subjects" replaces "internal users" and "external users" to formalize terminology (similar authentication and policy enforcement mechanisms are often employed regardless of the user's starting point with respect to the perimeter). "Access policy enforcement infrastructure" replaces "access management" and "Web access management" (WAM) to reflect the increased diversity of IdM policy enforcement points (PEPs), which now include some firewalls as well as WAM agents or proxies. Gartner, Inc. G Page 9 of 11

10 "Objects" subsumes "applications, platforms, and databases." April 2003 The template was renamed "Identity Management Templates" (previously "Applications Infrastructure Templates"). The template now incorporates a revised graphic that more effectively shows the relationships of IdM components. Discussion of authentication and authorization was enhanced under the "Access Management" section. The link to the sub-template formerly called "Identity Management" was updated to the subtemplate's new name, "Identity Administration," because the term "identity management" has taken on a broader meaning. A link to an additional template for virtual directory services was added to fill out the "Identity Mapping and Referral" section, which also contains a link to metadirectory services. The "I&AM Environment" sidebar was removed and replaced with a section called "Common Concepts and Terms." Miscellaneous icons on the template graphic, such as "users" and "portals," point to this section. Notes 1 Gartner. "Concepts and Definitions." 25 April Page 10 of 11 Gartner, Inc. G

11 GARTNER HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT USA Regional Headquarters AUSTRALIA BRAZIL JAPAN UNITED KINGDOM For a complete list of worldwide locations, visit Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp. Gartner, Inc. G Page 11 of 11