Digital Identity and Access Management: Technologies and Frameworks

Digital Identity and Access Management: Technologies and Frameworks

Raj Sharman (State University of New York, USA), Sanjukta Das Smith (State University of New York-Buffalo, USA) and Manish Gupta (State University of New York at Buffalo, USA)
Indexed In: SCOPUS
Release Date: December, 2011|Copyright: © 2012 |Pages: 498
ISBN13: 9781613504987|ISBN10: 1613504985|EISBN13: 9781613504994|DOI: 10.4018/978-1-61350-498-7

Description

Digital identity and access management (DIAM) systems are essential to security frameworks for their ability to rapidly and consistently confirm identities and to control individuals’ access to resources and services. However, administering digital identities and system access rights can be challenging even under stable conditions.

Digital Identity and Access Management: Technologies and Frameworks explores important and emerging advancements in DIAM systems. The book helps researchers and practitioners in digital identity management to generate innovative answers to an assortment of problems, as system managers are faced with major organizational, economic and market changes and are also expected to increase reach and ease of access to users across cyberspace while guaranteeing the reliability and privacy of highly sensitive data.

Topics Covered

The many academic areas covered in this publication include, but are not limited to:

  • Access Management
  • Authentication Systems
  • Business Process Frameworks
  • Digital Credentials
  • Digital Identity and Access Management (DIAM)
  • Digital privacy
  • Identity Management
  • Identity Management Systems
  • Information Security
  • Service Oriented Architectures
  • System Access Rights

Reviews and Testimonials

The book is intended to serve a key audience of professionals, students, researchers, and educators operating in the swiftly developing discipline of digital identity management. Practitioners and managers functioning in the information technology or information security fields across all sectors of business would greatly advance their awareness and knowledge of myriad issues surrounding identity and access management.

– Raj Sharman, State University of New York, USA; Sanjukta Das Smith, State University of New York-Buffalo, USA; and Manish Gupta, State University of New York at Buffalo, USA

Table of Contents and List of Contributors

Search this Book:
Reset

Preface

Digital identity and access management (DIAM) systems are widely believed to be one of the principal components of any good security framework for business processes, most of which are largely deployed online. Such systems assist with access control, specifically making sure that the right to use particular resources is approved provided that it is appropriately sanctioned. Their ability to rapidly and consistently confirm identities of individuals attempting to access specific services, and to tally that against their rights to do so, is a necessity from a business standpoint, in addition to being, in many cases, a basic regulatory condition that must be met. This book presents a collection of articles on a set of very significant and opportune issues in different fundamental and practical subjects connected to DIAM systems. The book aims to offer great academic value and inputs to the subject of information technology. The main purpose of this book is to activate a community-wide consciousness about the important and up-and-coming advancements in DIAM systems, and accordingly emphasize the vast promise of DIAM research to essentially transform and generate ground-breaking answers to an assortment of problems in the DIAM area.

Primary Challenges of DIAM

Identity management systems control an individual’s access to resources and services by managing his/her credentials by setting up, preserving, and in due course obliterating such identity, once its purpose has been served. Even though such systems are tightly incorporated with access control systems, their major purpose is to aid system managers and end users in carrying out maintenance procedures, such as managing access credentials (user roles, access rights), designating rights, and reviewing such rights on a routine basis, across different functional units, throughout the entire lifecycle of such credentials. Administering digital identities and system access rights can be challenging even under stable conditions. This is because DIAM systems affect practically all end-users and several business processes in addition to software applications and hardware infrastructure of an organization. Identity management is frequently perceived as largely a technical solution and consequently, a problem with such perception is that it may encourage a rather dedicated concentration on the technical plan and execution thereof, perhaps at the exclusion of softer organizational constraints. This can potentially result in solutions that fall short of the organizational expectations.    

There are several added complexities that make for a number of interesting challenges in this discipline. Nowadays, organizational structures can alter fairly fast due to economic expansion and contractions. This, taken in conjunction with the reality of shifting technological dependencies, create still more hurdles for successful DIAM system deployment. With the increasing utilization of the cyberspace as a business platform, identity management is developing further and influencing our approach towards characterizing and stipulating identities online. Knowing the rewards of offering more services online and also the loss of market share that can result if such services are not made available in an effective manner for increasingly mobile consumers, it is not surprising that most firms are aggressively expanding their online presence. For certain sectors however, such as the financial or health and human services sectors, with the steadily increasing dependence on the Internet to carry out business, it means an increased pressure to guarantee the reliability and privacy of highly sensitive data.

The persistent employment of digital identities in the Internet these days has also directed greater attention towards the subject of identity management. Several interesting questions arise surrounding the issues of security, privacy, and system availability, in addition to the role of governance authorities for digital credentials. State-run identity projects in different countries which consolidate unique identification of their populace have also garnered some attention. Such governance programs present many apparent payoffs with regards to public administration and also several issues and roadblocks for effective implementations. There is also a tremendous amount of heterogeneity amongst users along several dimensions, which further exacerbates these challenges and generates more interesting research questions. Some users, while being highly conversant in browsing or shopping online, often show a naiveté when it comes to the frequently unregulated utilization of personally identifiable data that they supply on various websites. In spite of the fact that these websites candidly state their privacy procedures, generally, consumers either do not fully comprehend of the implications of such policies or simply choose to disregard them. Further, as IT becomes more pervasive in our daily lives, private and business affairs often unavoidably blend in. For any individual, it becomes vital to effectively manage private and business lives and accounts thereof, publicly available data, actions, and personas.

Along with the issues surrounding DIAM in the context of major organizational, economic, and market changes, there are several other facets of social and technical elements such as the challenges of separating personal and business identities, denial of service resilience of authentication systems, security issues surrounding service oriented architectures, and role based access control issues that the book covers in detail. The book offers readers an outstanding collection of related expert commentaries on the technology, processes, management, governance, research, and practices surrounding DIAM. This book has 16 innovative research contributions presented as chapters. We concisely delineate these contributions in the subsequent section.

Overview of Chapters in the Book

When enduring challenging financial crises, change happens in the form of insolvencies, resource curtailment, and comparable damaging events. Positive change inducing events can such as mergers and acquisitions can cause just as much upheavals. Regardless of the nature of the change, it is often essential for organizations to break apart, unite, halt, or otherwise adjust business units and their processes, in addition to the foundational computer and network systems. As a result, steps for identifying, validating, and approving rights to use system functions and data come under great pressure to react fast to organizational and system changes and withstand the effects of such changes with ideally negligible consequences on the general business operations. In Chapter1, “IAM Risks During Organizational Change and Other Forms of Major Upheaval,” Dr. Warren Axelrod of the Delta Risk L.L.C., U.S.A., appraises the different phases in the identity and access management (IAM) lifecycle specifically from the viewpoint of businesses experiencing considerable change from mergers and acquisitions, business expansions and contractions, and internal structural and technological changes. The effect on IAM of events initiated externally, for example natural disasters (earthquakes, deadly storms, volcanic eruptions, etc.) and manmade calamities (terrorist bombings, major oil spills, etc.) is also studied. The author tackles the problem of how one might get ready for and take action against such events by managing and controlling identification and authorization under dynamic, difficult-to-control circumstances.

Chapter 2, “From Domain-Based Identity Management Systems to Open Identity Management Models,” focuses on the contradiction that open identity management models have been devised expressly to deal with the open nature of the Internet and yet conventional methods even now used to control these networks. The authors Ivonne Thomas and Dr. Christoph Meinel of the Hasso-Plattner Institute, Germany, find that one of the major causes for this is the difficulty of setting up trust relationships between independent parties, a dilemma which is intrinsic to open environments with numerous trust domains. In open environments members frequently are not acquainted enough with each other, yet they need an existing trust relationship to carry out vital transactions. Governments, business groups, and the academic world have tackled this subject by offering improved assurance guidelines for identity management. The result is a number of identity assurance frameworks that classify and group particular security factors into levels of trust or levels of assurance (LoA). These methodologies are explained, contrasted, and reviewed with reference to their role towards assuring dependable identity management across the Internet. Deficiencies of these approaches are provided and trust levels for attributes are suggested as possible areas for further research.

Chapter 3, “Effective Guidelines for Facilitating Construction of Successful, Advanced, User-Centric IAM Frameworks,” suggests an effective method of approaching, planning, and putting into practice a practical, standards-based, centralized, and united IAM system, with which a trust relationship amongst the involved entities is set up in a protected and interoperable manner, allowing end-users to effortlessly get electronic and/or mobile (e/m) access to sophisticated business services, and Service Providers (SPs) to effectively improve their infrastructures by implementing it in their systems in a straightforward manner. The authors, Dr. Athanasios Karantjias and Dr. Nineta Polemi of the University of Piraeus, Greece, also share their collective knowledge in building IAM frameworks, delineating the key insights concerning the critical success factors for the integration of large-scale, user-centric, and federated IAM frameworks. It essentially presents a realistic guideline, intended for use by IAM practitioners, and has two prime target audiences, i.e. enterprises and their executing associates that search for help on planning IAM aware projects and enterprises and their cohorts that are now operationalizing IAM projects and who wish to ensure the efficacy of their tactic and consequent development.

The goal of Chapter 4, “Feasibility and Sustainability Model for Identity Management,” is to identify the drivers and inhibitors for implementing a universal identity management system across different businesses for public administration, specifically national identity projects in different nations around the world that handle unique identification of citizens. The authors, Prof. Rajanish Dass and Sujoy Pal of Indian Institute of Management, Ahmedabad, India, propose a model for assessing the viability and sustainability of such a system. Different issues influencing successful implementation of the system and the likely effect of these aspects are also revealed. The recommended model would let public institutes and policy makers establish the critical factors for the implementation of comprehensive identity management systems.

Chapter 5, “User-Centric Identity Management Architecture Using Credential Holding Identity Agents,” offers an identity management architecture that tries to resolve some of the security, privacy, and system availability problems associated with existing user-centric identity management systems. The system designed by the authors, Daisuke Mashima, David Bauer, Dr. Mustaque Ahmed, and Dr. Douglas Blough of Georgia Institute of Technology, U.S.A., depends on user-controlled identity agents. Identity agents achieve fine-grained influence over online identity disclosure by means of a minimal-disclosure identity credential plan and in addition advance users’ consciousness about their credential usage through an identity-usage monitoring scheme that comprises of an instantaneous risk scoring instrument. A proof-of-concept implementation is demonstrated and assessed with regards to security, user-centricity, and performance.

The purpose of Chapter 6, “Coming of Age or just off the Boat: A Review of Contemporary Identity Management System,” is to put forward architecture and applications that will facilitate in setting up and examining the framework that Identity Management (IdM) systems abide by. The authors, Dr. Raj Sharman, Ryan Kendrick, and Dr. Manish Gupta of the State University of New York at Buffalo, U.S.A., describe the function of IdM systems nowadays, while investigating the difficulties that occur during implementation, management, and integration of the systems.  The concluding part of this chapter scrutinizes eighteen commercial off-the-shelf IdM software solutions. The authors supply concise discussions on each of the solutions to emphasize dissimilarities and advantages. The deliberations in this chapter can support system managers and security professionals in their accurate perception of the present setting of IdM Solutions and Technologies. Their study can considerably ease such parties’ decision making and risk management.

In Chapter 7, “Separating Private and Business Identities,” the authors, Gábor György Gulyás, Róbert Schulcz, and Dr. Sándor Imre of Budapest University of Technology and Economics, Hungary, evaluate different aspects of employee privacy, and examine in depth two subjects of particular significance from the perspective of the disconnect between private and business records and personas: web and social network privacy. They discuss threats and solutions concerning these topics as well, and moreover, in addition to reviewing the pertinent literature, they enumerate existing Privacy Enhancing Technologies appropriate for each theme. Furthermore, they provide a concise assessment of additional ways of workplace surveillance, giving some glimpses of the world of smart phones, where the growth of new privacy-protecting technologies is predicted as these devices are getting proficient in assuming the tasks of personal computers.

Chapter 8, “Identity and Access Management Architectures with a Focus on User Initiative,” puts forward the notion of Identity and Access Management Architectures encompassing a policy-oriented management system that facilitates the employment of user identity-related information. This policy-oriented management system persuades users to take the lead in supplying their own identity-related data and supports an understanding of the handling of such data by different entities. This architecture is intended to let users set up user policies for identity-related data security, just as entities have rules regarding their plan for using the data. The authors, Takao Kojima and Yukio Itakura of the Institute of Information Security, Japan, have created a Privacy Policy Matching Engine as a part of the Identity and Access Management Architecture. This engine permits the matching of a user’s intent to make his/her identity-related data available with an entity’s own guiding principles regarding privacy. Additionally, it automatically studies the guidelines with a spotlight on the categories and treatment techniques for identity-related data.

An Enterprise Architect who is endeavouring to produce an Identity Management (IdM) design may discover that the modern perception of an IdM enterprise framework relies to a greater extent upon a specific vendor’s implementation as opposed to a clearly defined model. Even though nearly all major vendors offer complete IdM systems, Chapter 9, “Starting the Revolution: Implementing an Identity Management Architecture,” contends that an enterprise should build its own Identity Management Architecture (IdMA) before trying any IdM implementation. It starts with a discussion on the growth of the Reference IdMA. In addition, it discusses the subject of integrating existing enterprise workflows and processes and other particular requirements of an enterprise into an IdMA. The author, Dr. Peter White of the Charles Sturt University, Australia, suggests the assimilation of existing information security controls into the IdMA by employing chokepoints to check on identified security hotspots. Privacy concerns regarding personal data along with the issues surrounding the defense of corporate data and assets are discussed, and it is shown how these matters may be adopted and incorporated in the Reference IdMA. Lastly, there is a discussion of how to incorporate federation with other enterprises as part of the enterprise’s IdMA.    

Single Sign-On (SSO) protocols form the keystone of Identity and Access Management systems as they allow companies to set up a federated environment in which users sign in once and gain the right to use services provided by diverse organizations. The OASIS Security Assertion Markup Language (SAML) 2.0 Web Browser SSO Profile (SAML SSO) is the emerging standard in this environment: it describes an XML-based format for programming security assertions in addition to numerous procedures and requirements that stipulate how assertions should be switched in a broad swath of applications and/or usage settings. This is accomplished to the smallest extent essential to assuring the interoperability amongst various implementations. As a result, SAML SSO includes several configuration options extending from optional fields in messages, usage of SSL 3.0 or TLS 1.0 channels (SSL channels) at the transport layer, application of encryption and/or digital signature on certain vulnerable message elements that require instantiation consistent with the conditions established by the circumstances of the application and the security systems on hand. The security recommendations that are accessible throughout the extensive SAML stipulations are helpful in evading the most common security pitfalls but are of little assistance in ensuring their absence in specific instances of the protocol. Leveraging an earlier work where a critical security defect in the SAML-based SSO for Google Apps was exposed, in Chapter 10, “Automatic Security Analysis of SAML-based Single Sign-On Protocols,” the authors, Drs. Alessandro Armando and Roberto Carbone of Fondazione Bruno Kessler, Italy, and Dr. Luca Compagna and Giancarlo Pellegrino of SAP Research Sophia-Antipolis, France, demonstrate that model inspection methods for security protocols can assist the development and analysis of SSO solutions, thereby aiding the designer in spotting severe security defects early in the development life-cycle and granting guarantees on the security of the solutions identified.

Cryptographic authentication systems provide improved security for interacting parties. However, they nevertheless have a susceptible spot corresponding to their vulnerability to denial of service (DoS) attacks. Chapter 11, “Denial of Service Resilience of Authentication Systems,” concentrates on two vital facets connected to the security of authentication systems and their fight against intense DoS attacks, signified by attack detection and attack prevention. Towards that end, the authors, Valer Bocan and Mihai Fagadar-Cosma of Alcatel-Lucent, Romania, undertake a thorough examination of the techniques utilized to assess the attack state of an authentication system and the countermeasures that can be arranged to avert or deter a DoS attack.

Chapter 23, “Identity Management Systems,” presents a summary of the concept of identity and of identity management. The author, Dr. Waleed Alrodhan of Imam Muhammed Ibn Saud University, Saudi Arabia, explains a theoretical identity management model in addition to numerous practical models. He also addresses many related issues including Single Sign-On, Level of Assurance, identity source discovery, security policies, proof-of-rightful-possession, and the exercise of pseudonyms and temporary IDs.

Security is one of the main issues confronting the development of a Service-Oriented Architecture (SOA). This is because both the service consumer and service provider is accountable for SOA security. This is an overarching item of interest, since it influences every advertisement, discovery and interaction of services and applications in an SOA ecosystem. In particular, SOA security usually necessitates authentication, privacy, auditing, and authorization. Currently, numerous solutions have been put into practice, for example Web Services Security Standards, together with WS-Security and WS-SecurityPolicy. However, those standards are inadequate for the promising new generations of Web 2.0 applications. In Chapter 13, “Developing Proactive Security Dimensions for SOA,” the authors, Dr. Hany El Yamany of the Suez Canal University, Egypt and David S. Allison and Dr. Miriam A. M. Capretz of the University of Western Ontario, Canada, portray an Intelligent SOA Security (ISOAS) framework and present four of its services: Authentication and Security Service (NSS), the Authorization Service (AS), the Privacy Service (PS), and the Service of Quality of Security Service (SQoSS). A case study is also provided to observe the performance of the described security services in a market SOA setting.

Chapter 14, “RBAC with Generic Rights, Delegation, Revocation, and Constraints,” puts forward R+DRC, an addition to the Role-based Access Control (RBAC) model. R+DRC permit the characterization of constraints, for instance, to implement various procedures for separation of duties, and the right of superseding a constraint. The model describes delegations and two types of revocations. The authors, Dr. Jacques Wainer, Fabio Negrello and Igor Ribeiro de Assis of the Instituto de Computação da UNICAMP, Brazil, discuss the model within the context of modeling access control for a hospital. Algorithms are provided for the more complex actions.

Few technological adoptions can measure up to the latest tendency of the general public to make greater use of Internet banking services. Based on the cost advantages and payoffs it tenders, it is broadly advertized as a win-win strategy for both banks and customers. Nevertheless, with the increase in E-banking services and dependence on a public network – the Internet – to carry out their trade, it has been difficult for banks to guarantee integrity and privacy of extremely sensitive data. Chapter 15, “Who is Guarding the Doors: Review of Authentication in E-Banking,” portrays a summary of concerns and challenges pertaining to authentication in the online banking sphere with an examination of a few of the enhanced tactics. The authors, Pradeep Kumar KB of SRM University, India, Dr. Manish Gupta of M&T Bank, USA, and Dr. H. R. Rao of the State University of New York, Buffalo, USA, evaluate various authentication schemes and discuss resulting issues. The chapter is of particular value to executives and professionals wishing to familiarize themselves with the present authentication landscape.

Chapter 16, “Privacy in Identity & Access Management systems,” studies the tactics for assuring privacy in open identity and access management (I&AM) systems as used by several existing systems. The chapter commences by cataloging key prerequisites for privacy and discusses how three systems that are being increasingly deployed in the Internet (specifically SAML 2.0, CardSpace, and eID) deliver on these must-haves. Next, the authors, Dr. Andreas Pashalidis of the Katholieke Universiteit Leuven, Belgium and Dr. Chris J. Mitchell of Royal Holloway, University of London, UK, discuss the results of some of the latest European research projects in the field of privacy for I&AM systems. Lastly, the methodology applied to deal with the identified privacy requirements by current projects is explained at a high level. In general, the purpose of this chapter is to give the reader with an outline of the assortment of topics and methods related to privacy in the I&AM framework.

The majority of web-based identity management systems nowadays comply with one of the following practical identity management models: the isolated, Information Card-based or Federated identity management models. In Chapter 17, “Identity Management,” the author, Dr. Waleed Alrodhan of Imam Muhammed Ibn Saud University, Saudi Arabia, gives a synopsis of five of the most extensively discussed web-based identity management systems: Microsoft CardSpace, the Higgins project, the Liberty Alliance project, the Shibboleth project, and OpenID. He also studies some security limitations common to all these systems and also discusses the feasibility of identity management systems, and reflects on how their practicality can be improved by developing robust integration and delegation schemes. Moreover the chapter offers a general idea of the Project Concordia integration framework, and the Shibboleth and OAuth delegation frameworks, in addition to examining the associated literature.

In recent years, quite a few big IT-suppliers such as Oracle, IBM, Sun Microsystems, Novell, and CA have launched Identity and Access Management (IAM) systems so as to help businesses manage their identification and access authentication processes. Even though the reality is that an increasing number of organizations are preparing to implement IAM tools, attempts to choose and implement the appropriate solutions are sometimes less than successful. Chapter 18, “Selecting and implementing Identity and Access Management technologies: The IAM Services Assessment Model,” explores how organizations can be helped during the selection and implementation process for IAM services. Owing to the mounting number of applications that are being employed in organizations, stringent policies and evolving relationships between organizations, a novel method for login- and password management, security, and compliance is required. While IAM services generally claim to facilitate this new approach, the authors, Peter Haag and Dr. Marco Spruit of Utrecht University, The Netherlands, show the IAM Services Assessment Model which supplies a helpful and functional tool to assist organizations in the selection and implementation of IAM services.

The book is intended to serve a key audience of professionals, students, researchers, and educators operating in the swiftly developing discipline of digital identity management. Practitioners and managers functioning in the information technology or information security fields across all sectors of business would greatly advance their awareness and knowledge of myriad issues surrounding identity and access management.

Author(s)/Editor(s) Biography

Raj Sharman is an associate professor in the Management Science and Systems Department at SUNY Buffalo, NY. He received his B. Tech and M. Tech degree from IIT Bombay (India) and his M.S degree in Industrial Engineering and PhD in Computer Science from Louisiana State University. His research streams include information assurance, extreme events, and improving performance on the Web. His papers have been published in a number of national and international journals. He is also the recipient of several grants from the university as well as external agencies. He serves as an associate editor for the Journal of Information Systems Security.
Sanjukta Das Smith is an Assistant Professor of Management Science and Systems at the State University of New York at Buffalo, New York, USA. She has published in the Information Systems Research, INFORMS Journal on Computing, Journal of Management Information Systems, ACM Transactions in Management Information Systems, and the Journal of Organizational Computing and Electronic Commerce. She is a graduate of the University of Connecticut, Clarkson University, and Calcutta University.
Manish Gupta is an Information Security Professional in a Northeast based bank in US. He was an Adjunct Instructor/Professor (2007) at State University of New York at Buffalo, USA. He received his PhD in Management Science and Systems and an MBA in Information Systems and Finance from State University of New York, Buffalo, NY, USA in 2011 and 2003, respectively. He received his Bachelor’s degree in Mechanical Engineering from Institute of Engineering and Technology, Lucknow, India in 1998. He has more than twelve years of experience in information systems, security policies, and technologies. He has published 4 books in the area of information security, ethics, and assurance. He has published more than 50 research articles in leading journals, conference proceedings, and books including DSS, ACM Transactions, IEEE, and JOEUC. He serves in editorial boards of several international journals including Journal of Electronic Banking and International Journal of Liability and Scientific Enquiry (IJLSE), and has served in program committees of several international conferences. He holds several professional designations including CISSP, CISA, CISM, ISSPCS, CIW Security Analyst, and PMP. He is a member of Sigma Xi, Beta Gamma Sigma, ISACA, and ISC2. He received prestigious 2008 ISC2 information security scholarship (awarded on to only 7 researchers around the world) from ISC2 and also received PhD Student Achievement Award from SUNY Buffalo.

Indices