The evolution of Identity and Access Management

Written By: Peter Cooke
Content Copyright © 2009 Bloor. All Rights Reserved.

Identity and Access Management (IAM) is having to evolve. Although it’s never been the most exciting aspect of computer usage, its importance and relevance are now affecting us all, whether we know it or not. No longer is IAM restricted to those using a corporate network; now anyone with access to the Internet wishing to do any form of business, from online banking to purchasing goods, has become involved, and its importance will only increase as more and more services are made available online. IAM is vital to the underlying security of a system. Indeed, Governance, Risk and Compliance (GRC) is the main driving factor for the majority of IAM projects. If the Internet is to be a secure and trusted way to do business, it is vital that the underlying IAM infrastructure is up to the task.

Issues facing IAM
IAM solutions need to be able to address a whole host of issues to make lives easier for both those administering and those using a system. One of the biggest problems results from the complexity of the run-time environment: typically a corporate enterprise made up of a wide variety of operating systems and applications, each being constantly updated as newer versions are released. In addition, there is a wide age range of technology to address, from mainframe-based legacy systems to the latest virtualized servers. These issues alone have caused the premature termination of a large number of IAM projects.

Fundamentally, each user will have a growing number of identities to manage, with an account set up on each system where access is needed. This leads to an increasing administrative burden to keep all of this information current, as well as having to support each platform for situations such as forgotten passwords or locked accounts. Having to remember a multitude of passwords adds to the user’s workload and often leads to security risks such as passwords being written down and never being changed.

Single sign-on (SSO) solutions have been developed to help with this issue. SSO systems enable users to log in once only and then be automatically authenticated when they attempt to access other resources. There are a number of technical solutions to this problem, each with its own advantages and disadvantages, including Kerberos, password management and password synchronisation. So many solutions exist because each is complex to implement and because no single one is supported across the full range of run-time environments.

A more general approach to the SSO issue is the federation of user identities. This concept evolved as SSO functionality needed to be enabled between two or more different organizations. By setting up a trust relationship between two companies, a user can authenticate to one domain and then access secure resources in the other without authenticating again.
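The exchange that federation rests on, as an added example that is not part of the original article: an identity provider in one domain signs an assertion once the user has logged in, and a service provider in another domain accepts that assertion only if it was signed by an issuer it already trusts, was meant for this service, and has not expired. The domain names, the shared secret and the user are constructed for illustration; real federation protocols (SAML, OpenID Connect) use the same checks with asymmetric signatures. Each entry in the trust store is one of the pairwise trust relationships the article describes.

```python
"""Minimal federated SSO assertion exchange (illustrative example, not from the
Bloor article). The IdP signs claims with a key pre-shared with the SP; the SP
verifies issuer, signature, audience and expiry before trusting the subject.
"""
import hashlib
import hmac
import json
import time

# Constructed trust relationship: the service provider holds a verification
# secret for each identity provider it has agreed to trust.
TRUST_STORE = {"idp.example-corp.test": b"constructed-shared-secret"}


def issue_assertion(idp, subject, audience, key, now=None, ttl=300):
    """IdP side: build and sign a short-lived assertion for one service provider."""
    now = time.time() if now is None else now
    claims = {"iss": idp, "sub": subject, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_assertion(token, expected_audience, now=None):
    """SP side: return (subject, "ok") if the assertion can be trusted,
    otherwise (None, reason). Each failure reason is worth logging, since a
    stream of bad signatures or wrong audiences is a sign of misuse."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")   # hex signature contains no dots
    try:
        claims = json.loads(body)
    except ValueError:
        return None, "malformed"
    key = TRUST_STORE.get(claims.get("iss"))
    if key is None:
        return None, "untrusted issuer"    # no trust relationship with this IdP
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("aud") != expected_audience:
        return None, "wrong audience"      # assertion was issued for another SP
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims["sub"], "ok"


if __name__ == "__main__":
    key = TRUST_STORE["idp.example-corp.test"]
    tok = issue_assertion("idp.example-corp.test", "alice", "crm.cloud-app.test", key)
    print(verify_assertion(tok, "crm.cloud-app.test"))   # ('alice', 'ok')
    print(verify_assertion(tok, "hr.cloud-app.test"))    # (None, 'wrong audience')
```

The audience check is the one most often forgotten: without it, an assertion issued for one cloud application can be replayed against another that trusts the same identity provider.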

Future issues: what’s coming next?
The corporate environment is now being opened up beyond the confines of the building with the growing number of cloud services. Technological progress has enabled cloud computing, driven ever faster by the huge cost savings and productivity improvements it offers. Areas such as security and infrastructure are lagging behind as common standards are yet to mature – and IAM falls into this category. Cloud applications are being developed independently, each with its own approach to IAM, typically with identities and access rights set up on a per-application basis. Each needs to be managed separately, which prevents any commonality and any easy way to provide SSO.

The standards developed for federated identities can begin to address SSO in the cloud but have restrictions; notably, the infrastructure becomes unworkable when a one-to-one trust relationship has to be set up between each organisation and each cloud provider. An evolutionary step forward is needed to make this work in the cloud in a way that is simple to manage and gives employees access to all of their internal and external resources with a single set of credentials.

Keeping identity systems updated in a timely fashion is also vital. Traditionally, it has been hard enough for organisations to maintain the identities of staff in their own systems as they join and leave the organisation. Pushing this responsibility on to a hosted service provider abstracts the process and could mean that an ex-employee continues to have access to a web-based system long after they have departed. With a single, consistent method of managing identities in the cloud, all of a user’s accounts could be terminated at a stroke.
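What "terminated at a stroke" looks like in practice, as an added example that is not from the article: a single identity hub takes the staff list from the source of truth, disables every connected application's account for each leaver in one pass, and runs a reconciliation that surfaces accounts still enabled for people who are no longer active. The application directories, usernames and audit trail are constructed stand-ins for real connectors and are hypothetical.

```python
"""Central deprovisioning with orphan-account reconciliation (illustrative
example, not from the Bloor article). Applications are modelled as simple
dictionaries; a real hub would call each provider's user-management API.
"""
from dataclasses import dataclass, field


@dataclass
class AppDirectory:
    """Stands in for one application's user store (constructed)."""
    name: str
    accounts: dict = field(default_factory=dict)  # username -> enabled?

    def disable(self, username):
        """Disable the account if it exists; report whether one was found."""
        if username in self.accounts:
            self.accounts[username] = False
            return True
        return False


class IdentityHub:
    """Single point that drives account state in every connected application."""

    def __init__(self, apps):
        self.apps = apps
        self.active = set()   # identities the HR feed currently says are staff
        self.audit = []       # (user, app, action) records for review

    def sync_hr(self, current_staff):
        """Apply the latest staff list; anyone who dropped off it is a leaver."""
        leavers = self.active - set(current_staff)
        self.active = set(current_staff)
        for user in sorted(leavers):
            self.terminate(user)
        return sorted(leavers)

    def terminate(self, user):
        """Disable the user in every application at once and record the result."""
        for app in self.apps:
            found = app.disable(user)
            self.audit.append((user, app.name, "disabled" if found else "no account"))

    def orphaned_accounts(self):
        """Enabled accounts with no active identity behind them: the lingering
        ex-employee access the text warns about, or accounts created directly
        in an application and never registered with the hub."""
        return sorted((app.name, user)
                      for app in self.apps
                      for user, enabled in app.accounts.items()
                      if enabled and user not in self.active)


if __name__ == "__main__":
    crm = AppDirectory("crm", {"alice": True, "bob": True})
    mail = AppDirectory("mail", {"alice": True, "bob": True, "carol": True})
    hub = IdentityHub([crm, mail])
    hub.sync_hr(["alice", "bob", "carol"])
    print("leavers:", hub.sync_hr(["alice", "carol"]))   # leavers: ['bob']
    mail.accounts["dave"] = True                          # created behind the hub's back
    print("orphans:", hub.orphaned_accounts())            # orphans: [('mail', 'dave')]
```

The reconciliation pass is the control that matters for hosted applications: the disable calls handle the leavers the hub knows about, but only a periodic comparison of each application's enabled accounts against the active identity list catches accounts that were never provisioned through the hub in the first place.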

IAM services can be hosted in their own right. This brings all of the associated cost saving benefits to organisations in addition to immediate compliance, reduced staffing requirements, immediate scalability and reduced rollout complexity. Not surprisingly, it is proving to be most attractive for small to medium-sized businesses (SMB) as it provides access to resources that would otherwise have been unaffordable.

Securing the cloud is vital for its success. With companies trusting their corporate data – their most important asset – to third party organisations, the holy trinity of confidentiality, integrity and availability has to be assured. The infrastructure underpinning this is IAM. Without it, system access security is non-existent.

It will be a very exciting ride with new cloud-related IAM advancements announced on an ever-increasing basis. Only time will tell which of these technologies will win and become a de facto standard, gaining the position by its popularity and uptake by the masses.