Security-Efficient Identity Management Using Service Provisioning (Markup Language)

Introduction

Enterprise digital identity management is a process of employing technologies and procedures to manage information about the identity of users and control access to enterprise resources. The goal of identity management is to improve productivity and security while lowering costs associated with managing users and their identities, attributes, and credentials (Penn, 2002). It is a set of processes, tools and social contracts surrounding the creation, maintenance and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications. Digital identities, profiles and their management are increasingly required to enable interactions and transactions on the Internet among people, enterprises, service providers and government institutions. (Mont, Bramhall, Gittler, Pato, & Rees, 2000) About 90 years ago, the infamous thief Willy Sutton was asked why he robbed banks. His reply: “Because that’s where the money is, stupid.” Today, information is money and there’s a lot of information out there—vulnerable in databases, exposed in transactions, and circulating on the Web—catapulting identity theft to be the fastest growing crime in the world. While recent laws and legislations (S.761, 2006)(1999/93/EC, 1999) aim at speeding up the process of adoption of digital identities by recognizing the legal validity of digital signatures both on electronic documents and electronic transactions, Internet identity thefts, and related frauds (Arnold, 2000; Coates, Adams, Dattilo, & Turner, 2000) are fast growing crimes that take advantage of poor security and privacy practices and the underestimation of the involved risks. Modern architectures have to control access not only to single, isolated systems, but to whole business-spanning federations of applications and services. This task is complicated by the diversity of today’s specifications concerning, for example, privacy, system integrity and distribution on the Web (Gaedke, Meinecke, & Nussbaumer, 2005) The challenge of resource provisioning only becomes more complex as companies reach beyond organizational boundaries to conduct business. The move towards service-oriented architectures adds yet another layer of complexity as not only users, but also pieces of applications require access to corporate systems. “Creating a standard way in which to communicate user provisioning information between enterprises will greatly improve corporate efficiency, contribute to cost reduction and increase productivity,” said Roberta Witty, Research Director of Gartner, Inc (Gartner, 2007). “The adoption of open standards such as SPML provides market assurance that customers do not need to be dependent on their user provisioning solution vendor for proprietary customization which only adds to the cost of the user provisioning implementation,” she adds (Gartner, 2007).

The chapter analyzes how SPML fits with enterprise business identity management initiatives and provides an exploratory review of SPML’s significance and shortcomings in context of enterprise information systems. The chapter also will present opportunities and challenges that SPML brings to enterprise systems in terms of security and business opportunities. The contributions of the chapter are twofold. Firstly, it presents a review of the current state of enterprise identity provisioning systems and secondly, it analyzes architecture and workings of the SPML standard which is touted to become one of the most commonly adopted standards for digital identity management. The paper is organized as follows: the first section presents introduction and background to the context of the issues involved. The second section presents key concepts and terminologies related to enterprise identity management (EIM) systems, provisioning and SPML. The third section analyzes SPML architecture and explores it components and their interaction. The fourth section discusses different business and security imperatives of SPML for enterprises. The fifth section provides an illustrated example of SPML and reflects on its functioning as it would relate to real world implementation. The final section concludes the paper with summary and discussion points.