Effective Guidelines for Facilitating Construction of Successful, Advanced, User-Centric IAM Frameworks


Athanasios Karantjias (University of Piraeus, Greece) and Nineta Polemi (University of Piraeus, Greece)
DOI: 10.4018/978-1-61350-498-7.ch003


Identity and Access Management (IAM) systems are considered one of the core elements of any sound security framework for electronic business processes. Their ability to quickly and reliably verify who is trying to access what service, and what they are authorized to do, is both a business enabler and a core requirement for meeting regulatory demands. However, IAM systems are difficult to implement, since they touch virtually every end-user, numerous business processes, and every IT application and infrastructure component of an enterprise; as a result, IAM implementations often fall short of expectations. This chapter proposes an effective way of approaching, designing, and implementing a constructive, user-centric, standards-based, centralized, and federated IAM system, with which a trust relationship among the involved entities is established in a secure and interoperable way, enabling end-users to easily gain electronic and/or mobile (e/m) access to advanced business services, and Service Providers (SPs) to effectively enhance their infrastructures by easily adopting it in their systems. In addition, a collective knowledge of IAM implementation best practices is presented.
Chapter Preview


Nowadays, enterprises are operating in a constantly shifting threat environment, where data breaches are all too common, identity theft is on the rise, and trust relationships are enforced in an inconsistent and hard-to-understand manner. These threats are compounded by the increasing need to support electronic business at all levels of assurance, both within the scope of the enterprise and with federal business partners (Forward Consortium, 2009).

Enterprises themselves are experiencing a growing need to exchange information securely across network boundaries and to create digital representations of identities in order to enable system-specific processes, such as provisioning of access privileges. In addition, initiatives such as electronic health care records and transparency in electronic and mobile transactions are increasing the need to strongly authenticate all end-users in order to grant access to federal systems and frameworks. Even so, the maintenance and protection of the identities themselves is often treated as secondary to the mission of the enterprise system.

The latest incarnation of a distributed computing framework is the Service-Oriented Architecture (SOA), most often implemented with Web Services, using open XML standards and focusing on reuse and loosely coupled integration. However, these objectives are often completely lost once advanced security is integrated. Until now, most SOA developments have relied on application- or system-level authentication and authorization to establish simple trusted user identity features. Static passwords remain the primary credential users employ to authenticate to enterprise systems, and by their nature a password is easily shared among multiple individuals, which greatly increases the risk to an enterprise, since the system can no longer tell which person acted under a given identity.

In general, current Identity and Access Management (IAM) solutions face the following obstacles:

  • Service Providers (SPs) have to implement multiple, different, and separate authentication and authorization mechanisms for their applications and systems. Only 13 percent of companies surveyed by the Ponemon Institute describe their company's approach to identity compliance as centralized (The Ponemon Institute, 2007), and only 10 percent of companies surveyed by Aberdeen have a single identity store, while 8 percent have more than 100 (Aberdeen Group, 2007). This is expensive and difficult for an SP to manage and administer, and it is inefficient for end-users, who have to manage multiple identities.

  • Every attempt to interconnect separate applications in order to add value and build more advanced e/m-services often means linking separate user e/m-access security processes. This is complex and difficult to achieve from a technical point of view (Karantjias & Polemi, 2009). The usual solution is to lower the level of security and privacy of these systems and applications, while end-users are still not able to easily handle their identifiers and credentials.

Increasing regulatory compliance and audit requirements are additional burdens for SPs. These oblige them to consider a higher assurance level for user identity in the e/m-provision of services, which in practice leads to the implementation of proprietary IAM mechanisms with questionable levels of usability, manageability, and scalability.

Worldwide accepted and mature standards, specifications, and protocols lay the foundation for solutions and new security models that allow trusted user identity to be digitally and effectively managed across multiple and different security domains and enterprise systems (Karp, 2006). However, SOA implementations and architectures based on these do not actually gain the benefits of a truly parameterizable e/m-environment in which existing modules can be easily merged (Farahbod, Glasser, & Vajihollahi, 2007).

Lifting the above-mentioned obstacles requires more than basic Web Service communication protocols. What is needed is an efficient and practical way to use these standards and to integrate them into a synchronous architecture that introduces automation and system support for identity management equally on the user and the SP side. On that basis, enterprises should be able to easily build end-to-end identity infrastructures supporting interoperable Web Services applications.
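The contrast the preview draws, per-SP credential stores and authentication mechanisms on one side versus a centralized, federated identity provider (IdP) whose assertions several SPs consume on the other, can be made concrete in a few lines. The following is an added example written for this page; it is not code from the chapter or its authors. The user record, SP names and key material are constructed, and an HMAC-SHA256 signature over a JSON payload stands in for the XML-signed SAML/WS-Trust tokens a standards-based deployment would use (where the IdP would sign with a private key and SPs would verify with its public key, rather than sharing per-SP secrets).

```python
"""Added example (not from the chapter): one IdP verifies passwords and issues
audience-bound, short-lived signed assertions; SPs verify the assertion and
never see a password. Names, keys and users are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: one secret per relying party, held by the IdP and that SP only.
# A symmetric key lets an SP forge assertions for itself, but not for another
# SP; a real federation would use the IdP's asymmetric signing key instead.
SP_KEYS = {
    "sp-payments": b"constructed-key-for-payments",
    "sp-records": b"constructed-key-for-records",
}

# Constructed central identity store: the only place a password digest lives.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_authenticate(user, password, audience, now=None, ttl=300):
    """Check the password centrally; on success return 'payload.signature'
    bound to a single SP (aud) and valid for ttl seconds. None on failure."""
    now = time.time() if now is None else now
    stored = _USERS.get(user)
    if stored is None or audience not in SP_KEYS:
        return None
    offered = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if not hmac.compare_digest(stored, offered):
        return None
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + ttl,
              "roles": ["customer"]}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SP_KEYS[audience], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def sp_verify(assertion, expected_audience, now=None):
    """Relying-party check: signature under this SP's key, audience match and
    expiry. Returns the claims dict, or None. No credential store needed."""
    now = time.time() if now is None else now
    try:
        p, s = assertion.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, TypeError):
        return None
    key = SP_KEYS.get(expected_audience)
    if key is None:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    token = idp_authenticate("alice", "correct horse", "sp-payments")
    print("sp-payments accepts:", sp_verify(token, "sp-payments") is not None)
    print("sp-records accepts:", sp_verify(token, "sp-records") is not None)
```

The two SPs share no password database and run no login logic of their own; everything they need is the IdP's key, an audience check (so an assertion issued for one SP cannot be replayed at another) and an expiry check. That is the property the preview describes when it asks for identity management supported "equally on the user and the SP side".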
