I came across an article discussing Identity Management-as-a-Service and was reminded of an article by Eugene Schultz, Making Identity Management work in your organization. Schultz gets to the heart of the hard realities of deploying identity management in a no-hype, no-hard-sell manner. Many of the insights from this article are again relevant as organizations think about moving IDM into the cloud.
IDM Management, Technology or Service?
Schultz claims that it's critically important to achieve "a genuine understanding of the fundamental difference between identity management and identity management technology". IDM projects that begin with the premise that the organization simply needs a new identity management solution to improve its security often stall or fail. This claim applies to Identity Management-as-a-Service (IDMaaS) as well.
This story offers a good lesson for any organization that's about to launch an IDM initiative.
An organization had several minor incidents, all shown to be related to password sharing. The problem was presented to management as, "Our users have too many passwords to remember, so they often ask their colleagues to share accounts when they forget their own." The organization introduced an appliance-based IDM technology to implement single sign-on to simplify password use and thereby address the sharing problem, but it left in place a password policy that allowed short, static passwords. Password-related incidents continued, some with graver results.
The "new" problem was presented to management, who decided that the organization should revise its password policy and instructed IT to define and implement an identity policy that exceeded industry best practices. IT complied and implemented quality checks to ensure that all passwords met minimum length, complexity, rotation, and 30-day maximum lifetime criteria. Users also had to request password resets from IT in person. Users wrote passwords on Post-It notes or shared passwords to avoid the inconvenience of visiting The IT Crowd for password resets.
The lesson? Identity management requires careful planning at several levels - policy, awareness, technology, and implementation - to assure that the organization invests wisely in technology or (cloud) services.
IDM must be pervasive
Schultz asserts that an identity management effort is "good only to the degree that the resulting mechanisms and processes are pervasive..." and that it must affect "every access to every system, network, application and database - with no exceptions." I strongly agree. An organization can't enforce an identity policy that applies to staff but makes exceptions for executives, or a policy that fails to address the challenges that guests, contractors, federations, or mobility introduce. Similarly, an organization can't enforce an identity policy that is readily circumvented by staff who choose to ignore policy for convenience's sake, install a departmental database, and use its built-in user account system.
Any organization that is considering identity management must consider mobility. This requirement imposes an additional burden on IDM solutions, i.e., organizations must be able to apply them to every access, by every user, from any endpoint. To satisfy this requirement organizations must think beyond the traditional Triple-A (Authentication, Authorization, Auditing) and consider authenticity (data integrity and data origin verification) and admission control measures (verifying that an endpoint device poses no threat to an organization's information and networking assets before granting a user access via that endpoint device). For more on this Quint-A approach, read Improve your branch office security, one "A" at a time.
Does IDMaaS force an IDM "reset"?
Kim Cameron suggests that moving IDM into the cloud is a change of such a dramatic nature that it constitutes a reset. Other sources claim IDMaaS is no longer optional but foundational. I imagine that Eugene Schultz would downplay the debate over whether or not to "go cloud" and continue to emphasize the importance of developing requirements, setting criteria to assure that the identity solution scales well, is not overly complex, and is compatible with the existing IT environment. Emerging Identity Management-as-a-service solutions purport to satisfy these organizational needs. The recommendations Schultz presents in his article are as useful when assessing cloud solutions in 2012 as they were for assessing IDM solutions and technology in 2008.
Updated. The original post appeared at http://www.securityskeptic.com/arc20080801.htm#BlogID701