Identity management
From Wikipedia, the free encyclopedia
This article or section needs to be wikified to meet Wikipedia's quality standards. Please help improve this article with relevant internal links. (December 2007) |
This article does not cite any references or sources. (September 2007) Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed. |
In information systems, identity management, sometimes referred to as identity management systems, involves the management of the identity life cycle of entities (subjects or objects) during which the system:
- Establishes the identity
- Links a name (or number) with the subject or object;
- Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
- Describes the identity:
- Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
- Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
- Destroys the identity
Contents |
[edit] Identity management in the public and private domains
Identities may manage themselves or other parties may manage them. These other parties may include private parties (e.g. employers or businesses) or public parties (e.g. personal record offices and immigration services).
Identity management in the public domain has become known as National Identity Management[citation needed].
[edit] Electronic identity management
Several interpretations of identity management (IdM) have been developed in the IT industry. Computer scientists now associate the phrase, quite restrictively, with the management of user credentials and the means by which users might log on to an online system. The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life "identified" entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates carried identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online "identity" of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified items in real life (e.g. users, devices, services, etc). The design of such systems requires explicit information and identity engineering tasks.
The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the provision of informative web content such as the "white pages" of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management today.
Typical identity management functionality includes the following:
- User information self-service
- Password resetting
- Management of lost passwords
- Workflow
- Provisioning and de-provisioning of identities from resources
Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.
The term identity engineering refers to putting engineering effort into managing large numbers of interrelated items that have identifiers or names.
[edit] Three perspectives on IdM
In the real-world context of engineering online systems, identity management can involve three perspectives:
- The pure identity paradigm: Creation, management and deletion of identities without regard to access or entitlements;
- The user access (log-on) paradigm: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
- The service paradigm: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
[edit] The pure identity paradigm
Please help improve this section by expanding it. Further information might be found on the talk page or at requests for expansion. |
[edit] The user access paradigm
Identity management in the user "log-on" perspective may involve an integrated system of business processes, policies and technologies that enable organizations to facilitate and control access by their users to critical online applications and resources — while protecting confidential personal and business information from unauthorized access. It represents a category of interrelated solutions which system administrators employ towards managing user authentication, Access rights and restrictions, account profiles, passwords, and other attributes supportive of the roles/profiles of user in relation to applications and/or systems.
[edit] The service paradigm
In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.
Today, many organizations face a major clean-up in their systems if they are to bring identity coherence into their influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand — cheaply, with security and single-customer viewing facilities.
[edit] Emerging fundamental points
- IdM provides significantly greater opportunities to online businesses beyond the process of authenticating and authorizing users via cards, tokens and web access control systems.[citation needed]
- User-based IdM has started to evolve away from username/password and web-access control systems[citation needed] toward those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.
- IdM provides the focus to deal with system-wide data quality and integrity issues[citation needed] often encountered by fragmented databases and workflow processes.
- IdM embraces what the user actually gets in terms of products and services and how and when they acquire them. Therefore, IdM applies to the products and services of an organization, such as health, media, insurance, travel and government services. It is also applicable to means by which these products and services are provisioned and assigned to (or removed from) "entitled" users.
- IdM can deliver single-customer views that includes the presence and location of the customer, single products and services as well as single IT infrastructure and network views to the respective parties. Accordingly, IdM relates intrinsically to information engineering, security and privacy.
- IdM covers the machinery (system infrastructure components) that delivers such services because a system may assign the service of a user to: a particular network technology, content title, usage right, media server, mail server, soft switch, voice mailbox, product catalog set, security domain, billing system, CRM, help desk etc.
- Critical factors in IdM projects include consideration of the online services of an organization (what the users log on to) and how they are managed from an internal and customer self-care perspective.
[edit] Research
[edit] European Research
Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started. PICOS will investigate and develop a state-of-the-art platform for providing trust, privacy and identity management in mobile communities. On the backdrop of an increased risk to privacy of the citizen in the Information Society, PrimeLife will develop concepts and technologies to help individuals to protect their autonomy and retain control over personal information, irrespective of their activities. SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns, and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.
[edit] Solutions
Solutions which fall under the category of identity management may include:
Management of identities
- Provisioning/De-provisioning of accounts
- Workflow automation
- Delegated administration
- Password synchronization
- Self-service password reset
Access control
- Policy-based access control
- Enterprise/Legacy single sign-on (SSO)
- Web single sign-on (SeoS)
- Reduced sign-on
Directory services
- Identity repository (directory services for the administration of user account attributes)
- Metadata replication/Synchronization
- Directory virtualization (Virtual directory)
- e-Business scale directory systems
- Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP
Other categories
- Role-based access control (RBAC)
- Federation of user access rights on web applications across otherwise untrusted networks
- Directory-enabled networking and 802.1X EAP
Standards initiatives
- Security Assertion Markup Language (SAML)
- Liberty Alliance — A consortium promoting federated identity management
- Shibboleth (Internet2) — Identity standards targeted towards educational environments
[edit] Implementation challenges
- Getting all stakeholders to have a common view of data
- Expectation to make the IdM a data synchronization engine for application data
- Envisaging an appropriate business process leading to post-production challenges
- Lack of leadership and support from sponsors
- Overlooking change management — expecting everybody to go through the self-learning process
- Lack of definition of the post-production phase in a project plan — for a smooth transition of the system to the end-user community, it becomes critical that an organization gears up for proper support through a transition phase or stabilization phase. This may take from three to six months.
- Lack of focus on integration testing
- Lack of consistent architectural vision
- Expectations for "over-automation"
[edit] See also
- Athens Access and Identity Management
- Digital Identity
- Directory Service
- Future of Identity in the Information Society (FIDIS NoE)
- Identity-Driven Networking
- Light-Weight Identity
- Lightweight Directory Access Protocol (LDAP)
- Metadirectory and Virtual Directory
- Network Information Service (NIS)
- Single Sign-On (SSO)
- Yadis
[edit] References
at present no references
[edit] External links
- General Public Tutorial about Privacy and Identity Management
- Identity Management Overview (Computer Weekly)
- Secure Widespread Identities for Federated Telecommunications (SWIFT)
- Additional Wiki for Identity and Access Management (German)
- Federation for Identity and Cross-Credentialing Systems (FiXs)
- FIDIS Database on IMS The FIDIS IMS Database gives a non comprehensive overview and a brief description of identity management systems and tools.