Corporations and non-profit organizations, such as universities or government agencies, are increasingly subject to regulations that have an impact on IT governance. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security in order to protect sensitive business processes. Regulations such as Gramm-Leach-Bliley, HIPAA, PIPEDA and the EU Privacy Protection Directive 2002/58/EC require stronger security in order to protect the privacy of investors, patients, consumers and citizens, respectively.
The common theme in all of these regulations is that IT security is crucial to protecting both corporate governance and privacy. Since every multi-user computer system depends on authentication, access controls and audit logs (referred to here as AAA) for its security, it follows that the regulatory environment mandates an effective AAA infrastructure.
AAA is not new: one form of AAA or another has been embedded in every multi-user application since the early mainframes of the 1960s. The weakness in most systems is not their ability to authenticate users, control their access rights and audit their actions, but rather the fact that these run-time decisions depend on accurate and reliable user data: a login that still works for a departed employee, or a group membership that was never revoked, is enforced just as faithfully as a correct one. As the number of users in a typical enterprise IT environment has grown, and as the number of systems and applications has multiplied, it has become increasingly difficult to maintain accurate and reliable data about every user on every system.
Identity management systems are intended to overcome this problem, by automating user administration processes, so that data about users, how they are authenticated, and what rights they have can be maintained more efficiently and reliably.
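The data-accuracy problem described above is easiest to see in a reconciliation check: compare an authoritative source of user records with the accounts that actually exist on each system and flag the discrepancies that would turn into authentication, authorization or audit failures. The following is an added example written for this edit, not code from the original white paper or from any identity management product. The HR feed, the per-system account lists, the entitlement policy and the separation-of-duties rule are all constructed sample data, and the finding categories (orphan, terminated, missing, excess_privilege, sod_violation) are this example's own names.

```python
"""Reconcile per-system account data against an authoritative user source.

Added illustrative example: the HR feed, account lists, entitlement policy and
separation-of-duties rule below are constructed, not taken from any real
system or from the original document.
"""
from dataclasses import dataclass
from datetime import date

# Constructed authoritative record, as an HR system might export it.
HR_FEED = {
    "u1001": {"name": "A. Patel", "dept": "Finance", "status": "active", "term_date": None},
    "u1002": {"name": "B. Chen", "dept": "Engineering", "status": "active", "term_date": None},
    "u1003": {"name": "C. Okafor", "dept": "Finance", "status": "terminated", "term_date": date(2024, 3, 31)},
    "u1004": {"name": "D. Ruiz", "dept": "Finance", "status": "active", "term_date": None},
}

# Constructed per-system account lists: login -> owner in HR, group memberships, last login.
SYSTEM_ACCOUNTS = {
    "erp": {
        "apatel": {"hr_id": "u1001", "groups": {"ap_clerk", "ap_approver"}, "last_login": date(2024, 6, 1)},
        "cokafor": {"hr_id": "u1003", "groups": {"ap_clerk"}, "last_login": date(2024, 5, 20)},
        "svc_batch": {"hr_id": None, "groups": {"ap_approver"}, "last_login": date(2024, 6, 2)},
    },
    "ldap": {
        "apatel": {"hr_id": "u1001", "groups": {"finance"}, "last_login": date(2024, 6, 2)},
        "bchen": {"hr_id": "u1002", "groups": {"engineering", "domain_admins"}, "last_login": date(2024, 6, 2)},
    },
}

# Constructed policy: groups a department is entitled to on each system.
ENTITLEMENTS = {
    ("erp", "Finance"): {"ap_clerk", "ap_approver"},
    ("ldap", "Finance"): {"finance"},
    ("ldap", "Engineering"): {"engineering"},
}

# Constructed separation-of-duties rule: these groups must not coexist in one account.
SOD_CONFLICTS = [frozenset({"ap_clerk", "ap_approver"})]


@dataclass
class Finding:
    system: str
    login: str
    kind: str  # orphan | terminated | missing | excess_privilege | sod_violation
    detail: str = ""


def reconcile(hr, accounts, entitlements, sod_conflicts, today):
    """Return the discrepancies between HR data and each system's accounts."""
    findings = []
    for system, logins in accounts.items():
        seen_hr_ids = set()
        for login, acct in logins.items():
            hr_id = acct["hr_id"]
            # Account with no owner in the authoritative source: nobody is accountable for it.
            if hr_id is None or hr_id not in hr:
                findings.append(Finding(system, login, "orphan", "no owner in HR feed"))
                continue
            seen_hr_ids.add(hr_id)
            person = hr[hr_id]
            # Owner has left but the login still authenticates.
            if person["status"] != "active":
                lag = (today - person["term_date"]).days if person["term_date"] else None
                findings.append(Finding(system, login, "terminated", f"owner left {lag} days ago"))
                continue
            # Groups beyond what the owner's department is entitled to on this system.
            allowed = entitlements.get((system, person["dept"]), set())
            excess = acct["groups"] - allowed
            if excess:
                findings.append(Finding(system, login, "excess_privilege", ",".join(sorted(excess))))
            # Toxic combinations that the entitlement policy alone does not prevent.
            for combo in sod_conflicts:
                if combo <= acct["groups"]:
                    findings.append(Finding(system, login, "sod_violation", ",".join(sorted(combo))))
        # Active people entitled to this system who have no account at all.
        for hr_id, person in hr.items():
            if (person["status"] == "active" and hr_id not in seen_hr_ids
                    and (system, person["dept"]) in entitlements):
                findings.append(Finding(system, hr_id, "missing", "entitled but no account"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a compliance dashboard."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample(today=date(2024, 6, 3)):
    """Run the check over the constructed sample data with a fixed 'today'."""
    return reconcile(HR_FEED, SYSTEM_ACCOUNTS, ENTITLEMENTS, SOD_CONFLICTS, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.system:5} {f.login:10} {f.kind:17} {f.detail}")
    print(summarize(run_sample()))
```

Each finding maps directly onto one of the AAA failures the document goes on to discuss: an orphan or terminated account is an authentication problem (a credential that should no longer work), excess privilege and separation-of-duties conflicts are authorization problems, and an account with no HR owner leaves an audit trail that cannot be attributed to a person. Running this kind of check periodically, and feeding its results back into provisioning, is precisely the automation an identity management system supplies.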
This document outlines a variety of problems that can arise with user profile data, the impact of those problems on the efficacy of an enterprise AAA infrastructure, and the solutions that an identity management system can bring to bear to eliminate those problems.
The remainder of this document is organized as follows:
Describes the elements of an identity management system that may be deployed in an enterprise network.
Describes user authentication processes, how they can fail, and what identity management systems can do to eliminate these failures.
Describes access authorization processes, how they depend on user profile data, and what identity management systems can do to ensure that user profile data is accurate and reliable.
Describes access audit processes, their limitations and how those limitations can be overcome using an identity management system.
A summary of the concepts presented earlier.