Enterprises are increasingly interested in new and cost-effective technologies that leverage existing IT investments and extend capabilities to reduce costs and improve security and productivity. User account and password management has long been a major expense for organizations. To improve the integration of applications hosted both inside and outside the enterprise, enterprises are turning to automated account provisioning systems to provide secure and efficient access to a wide range of systems. Provisioning and identity management are key technologies for enhancing operational efficiency and gaining improvements in productivity and security. With the tremendous growth in the number of information systems and user accounts in any enterprise, standards are necessary for solutions to interoperate and integrate with existing solutions. SPML is such a standard, and it has recently gained wide adoption among organizations. This shift can have a major impact on an enterprise's information architecture. In this chapter, we outline the concepts of identity provisioning and service provisioning, and how SPML can be leveraged to provide enterprise identity provisioning to both internal and external applications. The chapter suggests some common security and business benefits that SPML can introduce. It also presents a detailed discussion of the architecture of SPML and works through an implementation scenario to illustrate the functioning of the standard's different features and protocols.
Enterprise digital identity management is the process of employing technologies and procedures to manage information about the identity of users and to control access to enterprise resources. The goal of identity management is to improve productivity and security while lowering the costs associated with managing users and their identities, attributes, and credentials (Penn, 2002). It is a set of processes, tools and social contracts surrounding the creation, maintenance and termination of a digital identity for people or, more generally, for systems and services, to enable secure access to an expanding set of systems and applications. Digital identities, profiles and their management are increasingly required to enable interactions and transactions on the Internet among people, enterprises, service providers and government institutions (Mont, Bramhall, Gittler, Pato, & Rees, 2000). About 90 years ago, the infamous thief Willie Sutton was asked why he robbed banks. His reply: “Because that’s where the money is, stupid.” Today, information is money, and there is a lot of information out there: vulnerable in databases, exposed in transactions, and circulating on the Web. This has made identity theft the fastest-growing crime in the world. While recent laws and legislation (S.761, 2006)(1999/93/EC, 1999) aim to speed up the adoption of digital identities by recognizing the legal validity of digital signatures on both electronic documents and electronic transactions, Internet identity theft and related frauds (Arnold, 2000; Coates, Adams, Dattilo, & Turner, 2000) are fast-growing crimes that take advantage of poor security and privacy practices and the underestimation of the risks involved. Modern architectures have to control access not only to single, isolated systems, but to whole business-spanning federations of applications and services.
This task is complicated by the diversity of today’s specifications concerning, for example, privacy, system integrity and distribution on the Web (Gaedke, Meinecke, & Nussbaumer, 2005). The challenge of resource provisioning only becomes more complex as companies reach beyond organizational boundaries to conduct business. The move towards service-oriented architectures adds yet another layer of complexity, as not only users but also pieces of applications require access to corporate systems. “Creating a standard way in which to communicate user provisioning information between enterprises will greatly improve corporate efficiency, contribute to cost reduction and increase productivity,” said Roberta Witty, Research Director of Gartner, Inc. (Gartner, 2007). “The adoption of open standards such as SPML provides market assurance that customers do not need to be dependent on their user provisioning solution vendor for proprietary customization which only adds to the cost of the user provisioning implementation,” she adds (Gartner, 2007).
The chapter analyzes how SPML fits with enterprise identity management initiatives and provides an exploratory review of SPML’s significance and shortcomings in the context of enterprise information systems. The chapter also presents the opportunities and challenges that SPML brings to enterprise systems in terms of security and business opportunities. The contributions of the chapter are twofold. Firstly, it presents a review of the current state of enterprise identity provisioning systems, and secondly, it analyzes the architecture and workings of the SPML standard, which is touted to become one of the most commonly adopted standards for digital identity management. The chapter is organized as follows: the first section presents an introduction and background to the context of the issues involved. The second section presents key concepts and terminology related to enterprise identity management (EIM) systems, provisioning and SPML. The third section analyzes the SPML architecture and explores its components and their interaction. The fourth section discusses the different business and security imperatives of SPML for enterprises. The fifth section provides an illustrated example of SPML and reflects on its functioning as it would relate to a real-world implementation. The final section concludes the chapter with a summary and discussion points.
Key Terms in this Chapter
Service Provisioning Markup Language: An XML-based framework (and an OASIS standard) for managing the allocation of system resources within and between organizations, enabling more secure and dynamic integration of business processes with employees, customers, suppliers, and business partners.
Identity De-Provisioning: The process of disabling the access of users (digital identities/accounts) to information technology resources.
Security Assertion Markup Language: An XML standard for exchanging authentication and authorization data between two entities (businesses, applications or other systems), typically between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
Identity Management Systems: Enterprise systems designed and deployed to manage the digital identities of users of information technology resources and to allow secure access to those resources.
Service Provisioning: The process of allocating services to requestors based on pre-arranged policy.
Identity Provisioning: The process of creating digital identities (accounts) for users of a system and linking appropriate rights to identities.
Identity and Access Management: A set of procedures and technologies to manage information about the identity of users and control access to resources.
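As an added example (not code from the chapter, nor an artifact of the OASIS specification) of how the identity provisioning and de-provisioning operations defined above are carried by SPML messages, the following minimal Python provisioning target accepts an SPML v2 addRequest and deleteRequest and returns the matching response. Element and attribute names follow the SPML v2 core schema; the `urn:example:account` payload namespace, the `hr-app` target name and the use of `uid` as the PSO identifier are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"   # SPML v2 core namespace (OASIS standard)
ACCT = "urn:example:account"            # assumed, target-specific <data> payload namespace
def S(name): return f"{{{SPML}}}{name}" # Clark-notation tag for an SPML element

# Constructed samples: provision an account with uid "jdoe" on target "hr-app",
# then de-provision (delete) the same account.
ADD_REQUEST = f"""<spml:addRequest xmlns:spml="{SPML}" xmlns:acct="{ACCT}"
    requestID="req-1" targetID="hr-app">
  <spml:containerID ID="ou=staff"/>
  <spml:data><acct:uid>jdoe</acct:uid><acct:role>reader</acct:role></spml:data>
</spml:addRequest>"""
DELETE_REQUEST = f"""<spml:deleteRequest xmlns:spml="{SPML}" requestID="req-2">
  <spml:psoID ID="jdoe" targetID="hr-app"/>
</spml:deleteRequest>"""

def response(name, status, error=None):
    # SPML v2 responses carry status=success|failure|pending and, on failure, an error code.
    resp = ET.Element(S(name), status=status)
    if error:
        resp.set("error", error)
    return resp

class ProvisioningTarget:
    def __init__(self):
        self.accounts = {}   # psoID -> attributes of the provisioning service object (PSO)

    def handle(self, xml_text):
        # Dispatch one request; returns (status, error code, response XML as text).
        req = ET.fromstring(xml_text)
        ops = {S("addRequest"): self._add, S("deleteRequest"): self._delete}
        resp = ops[req.tag](req)           # KeyError: operation not modelled here
        return resp.get("status"), resp.get("error"), ET.tostring(resp, encoding="unicode")

    def _add(self, req):
        data = req.find(S("data"))
        attrs = {el.tag.split("}")[1]: el.text for el in data}
        pso_id = attrs["uid"]                 # assumption: this target keys PSOs by uid
        if pso_id in self.accounts:           # duplicate provisioning must not succeed
            return response("addResponse", "failure", "alreadyExists")
        self.accounts[pso_id] = attrs
        resp = response("addResponse", "success")
        pso = ET.SubElement(resp, S("pso"))   # echo the created PSO and its identifier
        ET.SubElement(pso, S("psoID"), ID=pso_id, targetID=req.get("targetID"))
        return resp

    def _delete(self, req):
        pso_id = req.find(S("psoID")).get("ID")
        if pso_id not in self.accounts:       # de-provisioning an unknown identity
            return response("deleteResponse", "failure", "noSuchIdentifier")
        del self.accounts[pso_id]
        return response("deleteResponse", "success")
```

Calling `ProvisioningTarget().handle(ADD_REQUEST)` followed by `handle(DELETE_REQUEST)` walks one account through its provisioning lifecycle; repeating either request shows the failure codes a requesting authority must be prepared to handle.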