Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require
stronger security, to protect sensitive business processes. Regulations
such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection
Directive 2002/58/EC require stronger security, to protect the
privacy of investors, patients, consumers and citizens, respectively.
Security in every multi-user application depends on authentication, authorization and audit infrastructure (AAA). In turn, this infrastructure depends on complete, current and accurate data about users. In particular, dormant and orphan accounts must be reliably deactivated, and privilege creep must be addressed.
Identity management systems enable reliable maintenance of data about users and their security rights. In turn, this supports reliable AAA and therefore regulatory compliance.
Corporations and non-profit organizations, such as Universities or Government agencies, are increasingly subject to regulations that have an impact on IT governance. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive business processes. Regulations such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection Directive 2002/58/EC require stronger security, to protect the privacy of investors, patients, consumers and citizens, respectively.
The common theme in all of these regulations is that IT security is crucial, to protect both corporate governance and privacy. Since every multi-user computer system depends on authentication, access controls and audit logs (AAA) for its security, it follows that the regulatory environment mandates an effective AAA infrastructure.
AAA is not new: one form of AAA or another has been embedded into every multi-user application since early mainframes in the 1960s. The weakness in most systems is not their ability to authenticate users, control their access rights and audit their actions, but rather in the fact that these run-time decisions depend on accurate and reliable user data. As the number of users in a typical enterprise IT environment has grown, and as the number of systems and applications has multiplied, it has become increasingly difficult to maintain accurate and reliable data about very user on every system.
Identity management systems are intended to overcome this problem, by automating user administration processes, so that data about users, how they are authenticated, and what rights they have can be maintained more efficiently and reliably.
This document outlines a variety of problems that can arise with user profile data, the impact of those problems on the efficacy of an enterprise AAA infrastructure, and the solutions that an identity management system can bring to bear to eliminate those problems.
The remainder of this document is organized as follows:
Describes the elements of an identity management system that may be deployed in an enterprise network.
Describes user authentication processes, how they can fail, and what identity management systems can do to eliminate these failures.
Describes access authorization processes, how they depend on user profile data, and what identity management systems can do to ensure that user profile data is accurate and reliable.
Describes access audit processes, their limitations and how those limitations can be overcome using an identity management system.
A summary of the concepts presented earlier.
This document focuses primarily on identity management inside the enterprise, managing internal users -- employees, contractors, vendors, etc. Internal users are qualitatively different than external users, in that they are relatively few (thousands, not millions), and complex (having tens of login accounts and user objects each, many of which may be inaccurate, uncorrelated or obsolete).
Without an identity management system, users are managed by separate administrators, using separate software tools, and often separate business processes, on each system. This is illustrated in Figure [link].
An identity management system is used to externalize the administration of user objects, replacing processes that are implemented within each system and application with new processes that apply uniformly to all users, on all systems. This simpler process is illustrated in Figure [link].
As illustrated in Figure (_label_fig:idm-processes), an identity management system connects to multiple, existing systems where user objects are stored, and manages them cohesively. It does this as the end-product of one or more business processes, which drive changes to user definitions.
Identity management systems may implement any of the following business processes:
Breaking processes down further, enterprise identity management systems may expose some subset of the following functions:
Identity management systems are closely related to access management systems, which may consolidate or strengthen user authentication processes (i.e., single, strong sign-on) and may enforce authorization policies at run-time. These include:
Users typically sign into systems and directories by typing a personal login ID and password. In most organizations, if a user forgets his password, or inadvertently mistypes it often enough to trigger an intruder lockout, the user may call the help desk, identify himself, and request a new password.
This process can create multiple security vulnerabilities, exposing sensitive systems and data to access by unauthorized users:
All of the above problems can be addressed by an effective identity management system:
Strong authentication products also works to eliminate weak passwords, typically requiring that users submit multiple authentication factors.
Vulnerabilities in a typical password-based authentication infrastructure can be eliminated using a combination of:
Most systems control user access to data by first authenticating users (see previous section), and then checking each attempted user action against a privilege model.
Users gain access to sensitive systems and data first by having a login account on the system in question, and secondarily by having specific privileges on that system. Users may be granted privileges directly, or in relation to specific resources (e.g., folders, shares, printers, screens, menus, etc.). Users may acquire privileges by virtue of membership in a security group, which itself has been assigned privileges.
Most large systems rely heavily on user groups to manage privileges, since assigning fine-grained rights individually to many users is too onerous. As a result, the rights a user has across multiple systems in an organization can usually be expressed as a function of which accounts the user has, and what security groups the user belongs to on each system.
The authorization infrastructure in most systems and applications is technically effective, but relies on data about user rights, which may be inaccurate:
Accounts may be active, but have no known owner, which eliminates the possibility of making users accountable for their actions.
Users may belong to groups which grant them no-longer-needed privileges. This is a result of privilege accumulation, whereby users gain new rights as their responsibilities change, but where their old (and no longer needed) rights are not reliably deactivated. This compromises the security principle of least privilege.
The above problems can be addressed by an effective identity management system:
One function of any enterprise identity management system is to construct enterprise-wide user profiles, which connect user objects on multiple systems to single owners. Orphan accounts can be identified once this process is complete, as they are the accounts with no known owners.
Typically a user provisioning system will be used to first deactivate orphan accounts, and wait to see their (legitimate) owners complain. After some time, orphan accounts can be removed, reducing the security "attack surface" and possibly also software licensing costs, where they are tied to the number of user objects.
A user provisioning system can be used to identify dormant accounts, by inspecting the last-login-time attribute of each user. Dormant accounts can be eliminated in the same way as orphan accounts.
On systems where there is no record of last login time, accounts can be connected to user profiles, and if the primary login account in the profile is inactive, it may be assumed that all other accounts are likewise dormant.
By creating accounts through the user provisioning system, rather than directly using a variety of native user administration tools, organizations can enforce standards regarding login account configuration, to ensure that new users get appropriate privileges when their login IDs are created.
A privilege auditing system can be used to periodically review the rights of all users. Managers, application owners and group owners can identify and remove inappropriate privileges, that were either improperly assigned or retained beyond their relevance.
The same system can also be used to identify orphan and dormant accounts.
A user provisioning system can be used to prevent users from acquiring inappropriate privilege combinations. It can also be used to report on such combinations where they exist prior to deployment of the system, so that some or all of the offending privileges can be removed.
The combination of a user provisioning system and a privilege auditing system can be used to find and remove:
Audit logs are intended to make users accountable for their actions. Various regulations that impact IT security require logging of changes to financial data, attempts to access private information, various authorizations and digital signatures.
The degree to which common systems and applications log events of interest is variable. For example, most systems record failed login attempts and user lockouts, but not all systems record successful user logins. Financial and clinical systems log authorizations and signatures, but other systems don't. Many systems do not log user administration actions, such as the creation of new users, changes to user privileges or deactivation of user access.
In almost all cases, audit logs are internal to systems and applications. Events on different systems may be difficult or impossible to correlate, as would be required in a forensic audit to establish a pattern of activity. Beyond local storage, a challenge for event correlation is that users often have different login IDs on different systems, and so audit logs on one system cannot be readily connected to those on another.
Limited, system-specific audit logs present some security challenges to enterprises who must protect multiple, sensitive systems:
An identity management system can resolve all of these audit challenges:
A user provisioning system, combined with a privilege auditing system, can significantly improve the ability of an organization to create accountability, and to find and remove inappropriate security privileges.
Regulations increasingly demand that corporations and non-profit organizations implement sound IT security to protect privacy and ensure sound governance.
Most systems and applications already incorporate authentication, authorization, and audit (AAA) infrastructure with which to do this. Unfortunately, AAA infrastructure is vulnerable to weaknesses in security-related business processes and to improper user privilege definitions.
An identity management system, including user provisioning, password synchronization and reset and privilege audit can be used to address shortcomings in security business processes and inappropriate user privileges, which would otherwise undermine a AAA infrastructure.
These identity management features can be supplemented by strong authentication technology, single sign-on and web access management systems.