Better security through identity

A new breed of identity-based access systems helps tame complex networks and bring security back in line with business goals

This article has been modified from its original version. Certain quoted material has been removed because its veracity could not be confirmed.

The old “separate nations” network paradigm -- decentralized security in which multiple departments using various applications manage access as each sees fit -- is now passé. Security systems are going global, as enterprises increasingly turn to identity management solutions from vendors such as IBM, Netegrity, Novell, and Oblix as a means to better align network policies and permissions with business goals, not just IT’s ideas of how a system should be managed.

It had to happen. The more resources are added to a network, the harder it becomes to control. In today’s strict regulatory environment, businesses are clamoring for a better way.

“The traditional model of enterprise security is parameterized around a small set of datacenters,” says Chris O’Connor, director of security strategy at IBM. “It’s security Swiss cheese that has bred all kinds of compliance issues and security problems.”

No matter what level of chaos we let reign on our desks and file cabinets, we all know that a messy network can never be a secure one. Digital identity, beyond being a means to enable application SSO (single sign-on), has begun to emerge as a key tool for bringing order out of the chaos.

“Enterprise investments in identity management are enabling identity-centric network management,” says Phil Schacter, vice president and service director of directory and security strategies at Burton Group. In particular, Schacter cites the changing nature of today’s networks -- including the increases in mobility and remote access -- as driving forces behind the move toward identity-based systems.

Identity doesn’t just define who a user is; it connects the “who” directly with the “what” -- what a user’s role in the organization is, what resources and information that user needs access to, and what he or she can and can’t do with that information. Identity is the big picture, the whole story that allows corporate policy and processes to be applied in a consistent and comprehensive manner across an entire enterprise.

By consolidating access and authorization information for each user, identity solutions help keep networks current. They grant quick access to new hires, while helping to exorcise the ghost accounts of former employees before they have a chance to possess the system. They provide audit information for regulatory compliance. They protect privacy and strengthen access controls. But perhaps most importantly, identity-based network management lifts network security out of the datacenter and brings it in line with the needs of the enterprise.

Identity storehouse

Moving toward identity-based network management is a tall order, but it does not mean ripping and replacing your current software infrastructure. Instead, identity systems work with the existing infrastructure to make it more robust, more intelligent, and more likely to resist attempts at unauthorized access.

The first piece of the puzzle is to establish an identity store, where user-access information can be maintained in a central location, independent of applications. Typically this takes the form of a network directory, such as an LDAP directory, Microsoft Active Directory, or Novell eDirectory.

The problem is that many organizations already maintain several directories of network authentication information, along with various partner, supplier, and customer databases. Often these will contain both duplicate and proprietary data. The solution lies in two emerging types of directory integration tools. A metadirectory solution such as Novell Nsure Identity Manager establishes a single authoritative directory as the source of all data. Conversely, a virtual directory product such as OctetString Virtual Directory Engine only pretends to -- what looks like a single data store is really pulling data from each source and presenting it as if it all came from the same place.

Businesses should consider the political power plays that are already at work in their enterprises before choosing a tool to build an identity store. Virtual directories are excellent choices when dealing with workgroups that have ownership issues concerning their data, since a virtual directory doesn’t alter data; it just points to its location. Metadirectories are ideal for situations where data accuracy across the board is critical, since everyone who has access sees the same information. Neither format is universally better than the other; it depends on your company’s specific needs.

One point of entry

When you’ve built your identity store and deployed the tools to manage it, you can begin implementing applications that take advantage of digital identity. Perhaps the most often-cited example is SSO, which promises to eliminate the problem of users juggling multiple passwords for network and application accounts.

In an SSO-enabled environment, it is each user’s identity that defines what he or she can do on the network, rather than a granular series of usernames and passwords. Therefore, users can sign in just once to claim their access privileges to all the applications and data residing on the network.

In practice, although users invariably enjoy the “magic” of SSO, it is probably one of the less significant benefits of identity-based networking. Some IT administrators fear that granting access to multiple applications with a single log-on makes it easier for attackers to compromise larger portions of the network. In some cases, SSO is simply impractical; the appropriate goal for many organizations will be reduced -- rather than single -- sign-on.

Yet SSO has tangible benefits beyond end-user convenience. When users are forced to maintain multiple usernames and passwords, they are much more likely to choose ineffective or easy-to-guess passwords that are more easily compromised. If assigned strong passwords by the IT department, often they will write down their log-in information and leave it in insecure areas, such as Post-It notes stuck to their monitors.


In addition, the more passwords a user is tasked to remember, the more likely the user will be to forget at least one. Multiplied by a few thousand users, the time it takes to reset each forgotten password results in significant help desk overhead. Those end-user support costs can be dramatically reduced through identity-based SSO.

Now you see it ...

Even more significant than SSO, identity-based networking offers administrators a single point of access for creating and destroying network accounts. With an identity-based provisioning system such as Netegrity IdentityMinder eProvision, a new hire can be set up with e-mail, application, and network access in just a few minutes. Permissions can be assigned based on pre-established rules regarding what access rights a user group -- and each member of that group -- has in the network. Enter a few brief bits of information into the system -- essentially the new hire’s name, rank, and serial number -- and the identity management solution takes care of the rest.

Purging accounts from the system is an equally speedy procedure. It is obviously far easier to globally delete all permissions associated with a user’s identity after the user leaves the company than it is to manually purge this information from a fragmented system, taking note of every remote access server, VPN, wireless access point, and so on. Thus, the risk of leaving a disgruntled employee’s password active in some hidden corner of the network is dramatically reduced.

Mike Neuenschwander, senior analyst at Burton Group, believes that provisioning capabilities are likely to provide most enterprises a quick and visible return on their identity management investment. He adds that it’s tempting to see provisioning as the most attractive and easy-to-implement component of an identity management system.

But provisioning isn’t necessarily simple. Besides setting permissions for human users, it often involves granting access to portable devices and applications and managing other assets (see Identity's Role in SOA). Plus, many companies expand their identity management system beyond their network perimeter to include partners, suppliers, and customers.

“You can’t assume you’ll be able to run on automatic pilot,” Neuenschwander says. “You need responsible parties to set the policies, to look through the rules, make any necessary changes, and approve them. Managers, not the [identity management] system, ultimately have to be the responsible parties for approving and denying access.”

Keys to the kingdom

Standardizing on identity allows for the creation of more straightforward, role- and policy-based security controls. By defining precisely who the approved users are and what their roles and responsibilities are within and across the entire network, data is better protected from misuse.

Access control can apply to both internal and external users’ identities. External user access control can be put to work by allowing customers access to specified sections of company databases for self-service activities, checking order shipment status, adding new services with a click instead of a phone call, or paying bills, for example.

Policies can also be implemented to enforce privacy, exposing sensitive data to only those who need to see it. This is obviously important for those in fields where access to data is now regulated, such as health care and banking, but today no business can afford to be cavalier about privacy.

Another advantage of an identity-based infrastructure is that it facilitates delegated administration, in which the responsibility for managing certain roles and identities can be handed off to the departments most familiar with them, without granting those parties full administrative access to the network.


“We can delegate administration to help desks and call centers so that they’re able to do certain things with people’s identities in the directory,” says Steve Devoti, directory services manager at the Credit Union National Association (CUNA), which delivers online services for more than 10,000 credit unions serving more than 80 million consumer clients. CUNA implemented an identity management system by Oblix in September 2001.

“On the credit union side, it’s huge,” Devoti says. “The help desks can reset passwords but not delete someone’s Social Security number.”
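As an added illustration (a constructed model, not the article’s own material or any vendor’s product), the following code ties together three of the mechanisms described above: rule-based provisioning, one-step deprovisioning that purges a departed user from every connected system, and attribute-level delegated administration in which a help desk role can reset a password but not touch a Social Security number. The role rules, system names, and attribute names are assumptions chosen for the example.

```python
"""Toy central identity store (constructed example, not a real IdM API)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a delegated admin exceeds the attributes it may change."""


# Assumed role rules: which connected systems a role is provisioned into.
ROLE_RULES = {
    "teller": {"email", "core-banking"},
    "it-admin": {"email", "vpn", "wifi"},
}
# Assumed delegation policy: attributes each admin role may modify.
DELEGATION = {"helpdesk": {"password"}, "hr": {"password", "ssn", "role"}}


@dataclass
class Identity:
    name: str
    role: str
    attrs: dict = field(default_factory=dict)


class IdentityStore:
    def __init__(self):
        self.users = {}                       # the authoritative identity store
        all_systems = {s for r in ROLE_RULES.values() for s in r}
        self.systems = {s: set() for s in all_systems}   # simulated connected systems
        self.audit = []                       # central audit trail of every action

    def provision(self, actor, name, role):
        """Create the identity and push accounts to every system the role needs."""
        self.users[name] = Identity(name, role)
        for system in ROLE_RULES[role]:
            self.systems[system].add(name)
        self.audit.append((actor, "provision", name, sorted(ROLE_RULES[role])))
        return sorted(ROLE_RULES[role])

    def deprovision(self, actor, name):
        """Delete the identity and purge its account from every connected system."""
        self.users.pop(name)
        purged = sorted(s for s, accts in self.systems.items() if name in accts)
        for system in purged:
            self.systems[system].discard(name)
        self.audit.append((actor, "deprovision", name, purged))
        return purged

    def set_attr(self, actor_role, actor, name, attr, value):
        """Delegated write: allowed only if the actor's role may change this attribute."""
        if attr not in DELEGATION.get(actor_role, set()):
            self.audit.append((actor, "denied", name, attr))
            raise Forbidden(f"{actor_role} may not change {attr}")
        self.users[name].attrs[attr] = value
        self.audit.append((actor, "set", name, attr))

    def orphans(self):
        """Ghost accounts: present in some system but backed by no identity."""
        return {a for accts in self.systems.values() for a in accts if a not in self.users}
```

Running `orphans()` after a deprovisioning shows the payoff of a central store: the result is empty, whereas an account added directly to one system behind the store’s back is reported as a ghost.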

For the record

Another benefit of a network infrastructure based on a centralized identity system is the ease with which the system can automate comprehensive logging and auditing. Many experts note that without proper auditing, there’s no such thing as real security.

“Audit is just event logging, but it’s a really big issue,” says Roberta Witty, research director for information security strategies at Gartner. “You need to be able to know at a glance who signed on to the system, who signed off and when, and what access they requested.”

There’s no point in establishing security policies if there’s no way to track adherence to those policies. Users need to know that policies mean something, that they aren’t just suggestions, and that policies are enforced. Plus, depending on the business a company is in, auditing may already be required by law or may soon be.

Ken Sims, vice president of business development at Oblix, says, “The original drivers toward identity management were [competition], cost reduction, and increased security. Now we have regulatory compliance issues that are forcing people to look towards identity management as the only way to effectively be in compliance with regulations like HIPAA [Health Insurance Portability and Accountability Act] and Sarbanes-Oxley."

The advantage of identity-based security is that it unifies and correlates the various logs and audit trails generated by disparate applications and tools. Virtually all business software tools already have their own event log that records who’s doing what at the operating system and application level, but the number of logs you’d need to query in the event of a security breach, or to show what information each user had access to, when, and why, can be daunting. It’s far better to have a central repository for this information, where the data can be correlated using the proper tools.

Tailored to fit

Burton Group’s Neuenschwander and Gartner’s Witty agree that it’s important for businesses to find an identity management system that fits their unique needs, rather than altering their business practices to suit the needs of a solution.

“I had a customer call and ask me, ‘What identity management system should I buy, and can I install it over the weekend?’ ” Neuenschwander says. “Identity management is not something that you can just install, and it’s not a plug-and-play product. You need to have a strategic plan. You need to identify the problems that are not being handled well now and then come up with the specific tasks that you want to accomplish before you begin to evaluate products.”

IBM’s O’Connor agrees that no single approach will be right for every organization. A successful identity implementation, he says, will start small.

“Whatever issue you want to address -- cost cutting, security, compliance, solving workflow processes, etc. -- it’s important that you pick the problem you want to solve first and start there,” O’Connor explains. “And it’s important to understand the scope of what you’re doing. In a typical large enterprise, identity management will need to span several lines of business.”

In addition, O’Connor cautions companies not to expect an immediate return on their move to identity-based network management. As with any major IT project, arriving at the solution that best serves business goals will take time.

“You will spend several months architecting how it should work and another several months getting first areas up to speed,” O’Connor says. “You’ll first start seeing value in the system two or three months after you deploy it. It will take six months to fully realize value. So the entire cycle will take a year or longer.”

When the goal is securing and future-proofing your network, however, there’s little doubt that implementing identity will be time well spent.
