Business challenges in identity and entitlement management
Several factors combine to make management of users and their security entitlements a growing challenge for many organizations:
- The number of systems and applications that users need to sign into is large and growing. Rapid adoption of SaaS applications is accelerating the growth of IDs-per-user, even where federation limits the growth of passwords.
- Regulatory requirements increase the burden of administration, audit and policy enforcement.
- Flat or shrinking IT budgets mean that organizations cannot afford to increase IT support staff in response to this workload.
This complexity is illustrated in Figure [link].
Managing Each Application in its own Silo
Complexity leads to serious business problems:
- Security and regulatory compliance:
  - The access deactivation process may be slow or unreliable, allowing users who have left the organization to retain access.
  - Access to privileged accounts, such as Administrator, root or sa, is not consistently secured, leading to weak accountability and access to critical systems retained by departed users.
  - Users accumulate security entitlements over time, ending up with the ability to commit fraud or other abuses.
  - Responding to audit queries about who has what, who requested and approved access, and whether access is consistent with policy is time consuming.
- IT support cost:
  - The IT help desk must resolve many login- and access-related calls.
  - A large number of access administration staff are needed to set up, manage and tear down user access in response to organizational changes.
- User service:
  - It is difficult for users to figure out how to request access for new or reassigned users.
  - It takes too long to authorize and provision needed access rights.
  - Users must manage too many passwords and fill in too many login prompts.
Shared infrastructure for IAM
To resolve the business problems that arise from the complexity described above in Figure (Screenshot:silo-processes), it makes sense to implement a shared infrastructure for managing identities and entitlements. This is illustrated in Figure [link].
Externalizing the Management of Identities and Entitlements
Using this approach, the links that connect every process to every system are severed, replaced with links between each process and a shared IAM system, plus links between the IAM system and each integrated application. If before there were N processes, M applications and N x M links (chaos!), now there are just N + M links -- much more manageable.
A shared infrastructure for managing identities and entitlements can take on different forms, each of which has merit and all of which can be combined.
Shared directory (LDAP)
The first approach to consolidating identity and access management is to remove the database that identifies users and what they have access to from individual applications and move that data to a shared directory. Applications are then configured to externalize user identification, authentication and authorization, to leverage the directory instead of proprietary storage.
This approach has merit, hence the popularity of the Lightweight Directory Access Protocol (LDAP). It also has limitations:
- Some systems are not compatible with LDAP, and cannot externalize identification, authentication or authorization.
- Some systems can externalize only authentication, but not identification or authorization.
- Some systems cannot connect to the corporate directory. This is especially true of software-as-a-service (SaaS) applications, which are hosted outside the corporate perimeter and cannot reach the on-premises, firewalled corporate directory.
- Some applications require complex data about users, which would be impractical to migrate to a shared infrastructure, as this could lead to a very large directory with a very complex schema.
- Identity data is sometimes confidential and does not belong in a directory whose main design function is to publish.
Because of these limitations, LDAP has helped to slow the proliferation of user databases but organizations still have multiple systems to manage.
Federated access (SAML)
Some applications, and in particular many SaaS applications, are able to externalize identification, authentication and authorization via a federated access protocol such as the Security Assertion Markup Language (SAML). The net effect is much like using a shared directory, but no direct connection from the application to a directory server is required. Instead, the user's browser accesses both the application (the service provider, SP) and the identity provider (IdP).
While there are multiple standards for how one application can federate identity data, SAML seems to be the protocol that has won out in the marketplace. WS-* is not widely adopted (really only used in the Microsoft ecosystem) and OAuth is more appropriate to consumer logins than corporate applications.
Most of the same limitations apply to SAML as to LDAP -- some applications require complex, proprietary data about users and cannot externalize it all while other applications are simply not compatible with SAML.
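Because the browser carries the assertion between IdP and SP, the SP's security rests on the checks it applies before trusting it. The following is an added example written for this page, not code from the page or from any product it describes: it performs the SP-side checks on a SAML assertion (trusted issuer, validity window, audience, recipient and request correlation) using only the standard library. It assumes the XML signature has already been verified by a proper XML-DSig library; the entity IDs, URLs, request ID and the sample assertion are constructed values.

```python
"""Service-provider-side validation of a SAML assertion (added example, not
from the page or any product). Assumes the XML signature was already checked
by an XML-DSig library; all identifiers below are constructed sample values."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP identity: what a valid assertion must name as audience and recipient.
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
TRUSTED_IDPS = {"https://idp.example.test"}

# Constructed sample assertion, shaped like what an IdP returns via the browser.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"
          InResponseTo="_req42" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """Raised when any check fails; the SP must not establish a session."""


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_iso, expected_request_id):
    """Return the asserted NameID if every SP-side check passes, else raise."""
    now = _utc(now_iso)
    root = ET.fromstring(xml_text)

    # 1. Only assertions from an IdP this SP has a trust relationship with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        raise AssertionRejected(f"untrusted issuer {issuer!r}")

    # 2. Validity window: an old assertion must not be accepted again.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before = cond.get("NotBefore")
    if not_before and now < _utc(not_before):
        raise AssertionRejected("assertion not yet valid")
    if now >= _utc(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion has expired")

    # 3. Audience: an assertion minted for another SP is not valid here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected(f"audience {audiences} does not include this SP")

    # 4. Bearer confirmation: addressed to this ACS and answering a request we made.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        raise AssertionRejected("missing SubjectConfirmationData")
    if scd.get("Recipient") != ACS_URL:
        raise AssertionRejected("Recipient is not this SP's ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise AssertionRejected("InResponseTo does not match an outstanding request")
    if now >= _utc(scd.get("NotOnOrAfter")):
        raise AssertionRejected("subject confirmation has expired")

    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def accepts(xml_text, now_iso, expected_request_id):
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_assertion(xml_text, now_iso, expected_request_id)
        return True
    except AssertionRejected:
        return False
```

The order of checks matters less than their completeness: skipping the audience check lets an assertion issued for one SP be replayed at another, and skipping `InResponseTo` lets an unsolicited assertion be injected into a session the SP never started.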
Shared management layer (IAM)
Where LDAP and SAML end, a shared identity and access management system begins. IAM systems consolidate and automate business processes to create, modify and delete identities and to grant and revoke entitlements, across multiple systems. The idea is to define processes once and apply those processes across every user community and every system and application in the organization.
Identity Manager is designed to provide a shared set of processes and infrastructure to manage identities and entitlements across every system in an organization, both on-premises and SaaS.
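To make the "define processes once, apply them across every system" idea concrete, here is an added example written for this page, not the product's own code. It models each integrated system behind one small connector interface, writes the leaver process once against that interface, and adds a reconciliation pass that surfaces the two compliance problems listed earlier: departed users who still hold access, and entitlements accumulated beyond a person's role. The HR feed, systems, accounts, logins and role model are all constructed sample data.

```python
"""Shared IAM process layer (added example, not the product's own code).
One connector interface per system; joiner/leaver and reconciliation logic is
written once against it. All data below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str                        # person id from the HR feed ("" if unmapped)
    entitlements: set = field(default_factory=set)
    enabled: bool = True


class Connector:
    """The one interface the IAM layer needs from every integrated system."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts      # login -> Account, as read from the target

    def list_accounts(self):
        return self.accounts

    def revoke(self, login, entitlement):
        self.accounts[login].entitlements.discard(entitlement)

    def disable(self, login):
        self.accounts[login].enabled = False


# Constructed authoritative HR feed (the source of truth for who is active).
HR = {
    "p100": {"name": "Alice", "status": "active", "role": "finance"},
    "p200": {"name": "Bob", "status": "terminated", "role": "sales"},
}

# Constructed role model: what each role should hold on each system.
ROLE_MODEL = {
    "finance": {"erp": {"ap_clerk"}},
    "sales": {"crm": {"pipeline_read"}},
}

# Constructed target systems and the accounts discovered on them.
SYSTEMS = [
    Connector("erp", {
        "alice": Account("p100", {"ap_clerk", "gl_post"}),
        "bob": Account("p200", {"crm_read"}),
        "svc_batch": Account("", {"gl_post"}),      # no known owner
    }),
    Connector("crm", {
        "bob.s": Account("p200", {"pipeline_edit"}),
    }),
]


def orphan_accounts(hr, systems):
    """Enabled accounts whose owner is missing from HR or no longer active:
    the 'departed users retain access' problem, found by reconciliation."""
    found = []
    for system in systems:
        for login, acct in system.list_accounts().items():
            person = hr.get(acct.owner)
            if acct.enabled and (person is None or person["status"] != "active"):
                found.append((system.name, login))
    return sorted(found)


def excess_entitlements(hr, systems, role_model):
    """Entitlements an active person holds beyond their role: accumulation over time."""
    found = []
    for system in systems:
        for login, acct in system.list_accounts().items():
            person = hr.get(acct.owner)
            if person is None or person["status"] != "active":
                continue
            allowed = role_model.get(person["role"], {}).get(system.name, set())
            for ent in sorted(acct.entitlements - allowed):
                found.append((system.name, login, ent))
    return sorted(found)


def leaver(person_id, systems):
    """Leaver process written once: strip entitlements and disable every
    account mapped to the person, on every connected system."""
    touched = []
    for system in systems:
        for login, acct in system.list_accounts().items():
            if acct.owner == person_id and acct.enabled:
                for ent in list(acct.entitlements):
                    system.revoke(login, ent)
                system.disable(login)
                touched.append((system.name, login))
    return sorted(touched)
```

Running `orphan_accounts` before and after `leaver("p200", SYSTEMS)` shows the two halves of the problem: the leaver process closes Bob's accounts on both systems in one pass, while the unmapped `svc_batch` account keeps showing up until someone assigns it an owner, which is exactly the kind of finding an audit query about "who has what" needs to produce.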