Identity management

From Wikipedia, the free encyclopedia - View original article

 
Jump to: navigation, search

In computing, identity management (IdM) describes the management of individual principals, their authentication, authorization,[1] and privileges within or across system and enterprise boundaries[2] with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.[3]

The terms "Identity Management" and "Identity and Access Management" (or IAM) are used interchangeably in the area of Identity access management, while identity management itself falls under the umbrella of IT Security.[4]

Identity-management systems, products, applications and platforms manage identifying and ancillary data about entities that include individuals, computer-related hardware and applications.

Technologies, services and terms related to identity management include Active Directory, Service Providers, Identity Providers, Web Services, Access control, Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC.[5]

IdM covers issues such as how users gain an identity, the protection of that identity and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.).

Definitions[edit]

Identity management (IdM) is the task of controlling information about users on computers. Such information includes information that authenticates the identity of a user, and information that describes information and actions they are authorized to access and/or perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. Managed entities typically include users, hardware and network resources and even applications.

Digital identity is an entity's online presence, encompassing personal identifying information (PII) and ancillary information. See OECD[6] and NIST[7] guidelines on protecting PII.[8] It can be interpreted as the codification of identity names and attributes of a physical instance in a way that facilitates processing.

Identity management functions[edit]

In the real-world context of engineering online systems, identity management can involve three basic functions:

  1. The pure identity function: Creation, management and deletion of identities without regard to access or entitlements;
  2. The user access (log-on) function: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
  3. The service function: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

Pure identity[edit]

A general model of identity can be constructed from a small set of axioms, for example that all identities in a given namespace are unique, or that such identities bear a specific relationship to corresponding entities in the real world. Such an axiomatic model expresses "pure identity" in the sense that the model is not constrained by a specific application context.

In general, an entity (real or virtual) can have multiple identities and each identity can encompass multiple attributes, some of which are unique within a given name space. The diagram below illustrates the conceptual relationship between identities and entities, as well as between identities and their attributes.

Identity conceptual view

In most theoretical and all practical models of digital identity, a given identity object consists of a finite set of properties (attribute values). These properties record information about the object, either for purposes external to the model or to operate the model, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.

The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model expresses such semantics internally, it is not a pure model.

Contrast this situation with properties that might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored, maintained and retrieved, without special treatment by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.

Identity management, then, can be defined as a set of operations on a given identity model, or more generally as a set of capabilities with reference to it.

In practice, identity management often expands to express how model contents is to be provisioned and reconciled among multiple identity models.

User access[edit]

User access enables users to assume a specific digital identity across applications, which enables access controls to be assigned and evaluated against this identity. The use of a single identity for a given user across multiple systems eases tasks for administrators and users. It simplifies access monitoring and verification and allows the organization to minimize excessive privileges granted to one user. User access can be tracked from initiation to termination of user access.

When organizations deploy an identity management process or system, their motivation is normally not primarily to manage a set of identities, but rather to grant appropriate access rights to those entities via their identities. In other words, access management is normally the motivation for identity management and the two sets of processes are consequently closely related.

Services[edit]

Organizations continue to add services for both internal users and by customers. Many such services require identity management to properly provide these services. Increasingly, identity management has been partitioned from application functions so that a single identity can serve many or even all of an organization's activities.

For internal use identity management is evolving to control access to all digital assets, including devices, network equipment, servers, portals, content, applications and/or products.

Services often require access to extensive information about a user, including address books, preferences, entitlements and contact information. Since much of this information is subject to privacy and/or confidentiality requirements, controlling access to it is vital.

System capabilities[edit]

In addition to creation, deletion, modification of user identity data either assisted or self-service, Identity Management is tasked with controlling ancillary entity data for use by applications, such as contact information or location.

Privacy[edit]

Putting personal information onto computer networks necessarily raises privacy concerns. Absent proper protections, the data may be used to implement a surveillance society.(Taylor, Lips & Organ 2009)

Social web and online social networking services make heavy use of identity management. Helping users decide how to manage access to their personal information has become an issue of broad concern.(Gross, Acquisti & Heinz 2008)(Taylor 2008)

Identity theft[edit]

Identity theft happens when thieves gain access to identity information such as the PIN that grants access to a bank account.

Research[edit]

Research related to the management of identity covers disciplines such as technology, social sciences, humanities and the law.(Halperin & Backhouse 2009)

European research[edit]

Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started.

The PICOS Project investigates and develops a state-of-the-art platform for providing trust, privacy and identity management in mobile communities.

PrimeLife develops concepts and technologies to help individuals to protect autonomy and retain control over personal information, irrespective of activities.

SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.

Ongoing projects[edit]

Ongoing projects include Future of Identity in the Information Society (FIDIS), GUIDE and PRIME.

Publications[edit]

Academic journals that publish articles related to identity management include:

Less specialized journals publish on the topic and for instance have special issues on Identity such as:

Standardization[edit]

ISO (and more specifically ISO/IEC JTC1, SC27 IT Security techniques WG5 Identity Access Management and Privacy techniques) is conducting some standardization work for identity management (ISO 2009), such as the elaboration of a framework for identity management, including the definition of identity-related terms. The published standards and current work items includes the following:

Organization implications[edit]

In each organization there is normally a role or department that is responsible for managing the schema of digital identities of their staff and their own objects, which are represented by object identities or object identifiers (OID).[10]

See also[edit]

References[edit]

  1. ^ Ioana Bazavan Justus (18 June 2010). "Identity Management Series – Role- and Rule-Basing Part 1: Introduction". THE SECURITY CATALYST helping people effectively communicate value. Michael Santarcangelo. Retrieved 23 May 2012. 
  2. ^ John K. Waters (1994–2012). "The ABCs of Identity Management". CSO. IDG Enterprise. Retrieved 23 May 2012. 
  3. ^ "Identity Management in an enterprise setting". 
  4. ^ Staff (2012). "Identity and access management products". ComputerWeekly.com. TechTarget. Retrieved 23 May 2012. 
  5. ^ Staff (2012). "Windows Identity Foundation Simplifies User Access for Developers". Microsoft.NET. Microsoft. Retrieved 23 May 2012. 
  6. ^ Functional requirements for privacy enhancing systems Fred Carter, OECD Workshop on Digital Identity Management, Trondheim, Norway, 9 May 2007 (PPT presentation)
  7. ^ Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, January 2009
  8. ^ PII (Personally Identifiable Information), The Center For Democracy & Technology, September 14, 2007
  9. ^ "Working Groups | Identity Commons". Idcommons.org. Retrieved 2013-01-12. 
  10. ^ Object Id's (OID'S), PostgreSQL: Introduction and Concepts, in Bruce Momjian, November 21, 1999

External links[edit]