Enterprise Identity Management
Enterprise Identity Management (EIdM) is not a turn-key technology solution but a business strategy encompassing the enterprise as a whole.
By Srinivasan K, CISA, CISM, President, SKS Consulting.
History is replete with instances that stand testimony to the age-old adage “Necessity is the mother of invention”. In recent times, Internet-centric technology has proved this adage true beyond doubt. However, when one looks at how businesses have embraced and adapted Internet-centric technology, one is also left wondering whether the age-old adage makes sense any more!
With businesses eagerly embracing Internet-centric technology, a new business model, the “Virtual Enterprise”, has emerged. The line of demarcation between “internal” and “external” users has progressively blurred, since business relationships are no longer restricted by the enterprise boundary under the “Virtual Enterprise” model (fig 1). This has further resulted in a proliferation of application systems, each with multiple user profiles. It has also introduced diversity in the technology infrastructure, which in turn has compelled the CIO to explore separate access security mechanisms at each component level. The overall user access mechanism has become more complex, resulting in more operational processes and escalating costs.
User management in an e-business environment is all about “letting people in” while still managing access securely.
It is this complexity of managing user access and profiles that is compelling CIOs to establish an enterprise-level “Digital User Identity”. The emergence of Enterprise Identity Management should be seen in this context.
While it is true that the need for EIdM has emerged thanks to the Internet-centric business approach, it should be remembered that an ideal EIdM framework should cover both web-enabled user access management and internal user access management. An EIdM should facilitate effective enforcement of access policies in real time, apart from enabling dynamic registration, maintenance and de-registration of users. It should also assist in the continuous auditing of user access management, so as to identify and mitigate access risks in real time, and provide a comprehensive, centralized repository of user identities, privileges and access rights. Essentially, EIdM strives to bring together processes, technologies and policies to define and manage the digital identities used to access enterprise information resources.
While the final EIdM technology may be product dependent, a typical EIdM technology deployment (fig 2) should include the following components:
- Directory Service - to maintain a central repository of user identities
- Identity Management Service - to manage the identity details stored in the central repository
- Access Management Service - to authenticate users (including web-based users) and enforce access control over web-based transactions
- Provisioning Service - to provide centralized user administration capabilities, serving mainly to propagate user account changes and access rights across individual back-end applications
- Presentation Service - to provide a personalized interface for all user interactions with the system.
The Directory Service (fig 3) can be considered the foundation of an Enterprise Identity and Access Management infrastructure. It provides a single source of authoritative digital user identity information. This information can include security data, such as passwords and X.509 certificate mappings, as well as user profile details such as addresses, telephone numbers, office locations, titles and department names. The Lightweight Directory Access Protocol (LDAP) and LDAP directories are fast emerging as the de-facto standard for storing user identity details for most groupware, network operating systems, e-business applications and many enterprise applications.
While the primary objective of this centralized user repository is identity management, the repository can also hold information about vendors, customers and other collaborators with whom the enterprise is engaged through an Internet-centric platform. An enterprise with a mature IT team can therefore leverage the repository data for Customer Relationship Management and Supply Chain Management functions as well, in tandem with the relevant application systems.
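As an added illustration, not code from the article, the following Python models the Directory Service, Provisioning Service and continuous-audit objective described above: the directory is the single authoritative source, provisioning pushes its state to each back-end application's own account store, and the audit reconciles those stores against the directory to surface access risks (a leaver whose accounts have not yet been revoked, or an account created locally in an application and never registered in the directory). All class names, user names and roles are constructed for the example.

```python
# Constructed model of the EIdM components above (directory, provisioning, audit); all data is made up.

class Directory:
    """Single authoritative repository of user identities and roles."""
    def __init__(self):
        self.entries = {}  # uid -> {"roles": set, "active": bool}

    def register(self, uid, roles):
        self.entries[uid] = {"roles": set(roles), "active": True}

    def deregister(self, uid):
        self.entries[uid]["active"] = False  # leaver: keep the record, revoke access

    def entitled(self, uid, role):
        e = self.entries.get(uid)
        return bool(e) and e["active"] and role in e["roles"]

class BackendApp:
    """A back-end application with its own local account store."""
    def __init__(self, name, role_needed):
        self.name, self.role_needed, self.accounts = name, role_needed, set()

def provision(directory, apps):
    """Provisioning Service: push directory state to every back-end app."""
    for app in apps:
        for uid in directory.entries:
            if directory.entitled(uid, app.role_needed):
                app.accounts.add(uid)
            else:
                app.accounts.discard(uid)

def audit(directory, apps):
    """Audit: an app account with no active, entitled identity in the
    directory is an access risk (stale or locally created account)."""
    return sorted((app.name, uid) for app in apps for uid in app.accounts
                  if not directory.entitled(uid, app.role_needed))

def demo():
    """Provision two users, add a rogue local account, de-register one user,
    and return the audit findings before and after re-provisioning."""
    d = Directory()
    d.register("alice", ["finance"])
    d.register("bob", ["hr"])
    apps = [BackendApp("ledger", "finance"), BackendApp("payroll", "hr")]
    provision(d, apps)
    apps[0].accounts.add("mallory")  # created in the app, bypassing the directory
    d.deregister("bob")              # directory updated, apps not yet synced
    before = audit(d, apps)          # both the rogue and the stale account
    provision(d, apps)
    return before, audit(d, apps)    # after sync only the rogue account remains
```

Note that re-provisioning only removes accounts the directory knows about; the locally created account is caught only by the audit, which is why the article treats continuous auditing as a separate objective from provisioning.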