Sunday, November 27, 2011

Governing Identity Management

Traditionally, each software application is developed to maintain and manage the identity and the related permission information within it. As more and more such applications gets deployed, user provisioning and managing access control could soon be a nightmare. A well managed Identity Management function within an enterprise can alleviate the hassles around this and will also enable the enterprise to better govern the identity and resource provisioning activities.

Identity Management solution as such comprises of the following key functions in addition to being technically capable of exposing necessary automation APIs:

Account Provisioning

This is a core function within Identity Management and this is where an identity gets created.  The following are the typical activities that need to be performed under this function.
  • Adding an Identity - includes receiving a request with required data, performing necessary verification and obtaining approval from appropriate authority.
  • Modifying an Identity - involves change of certain attributes of an identity.
  • Deleting an Identity - when an identity no is no longer associated with the organization, deletion may be required. Deletion may not mean actual deletion and instead may mean de-activation.
  • Suspending / Resuming an Identity - usually when employees go on long vacation, it would be appropriate to suspend the identity and resume again when the employee comes on board.


Resource Provisioning

An Identity once created need to be provisioned to access one or more services, which could be out of a computing resource or a non computing service. For instance, computing resources could mean access to payroll application and similarly a non computing resource could mean physical access to the Data Center.

De-Provisioning

De-provisioning is an equally important function which, if not done on a timely manner could put the organization into a big risk. For instance, if an employee who has been granted access to critical systems, is not de-provisioned when he leaves the organization, he could cause potential loss to the company.

Managing Permissions and Authorization

Provisioning a resource would only mean that the resource has a need to use the target resource, but it has to be further managed by defining specific privileges like, Read, Write, Delete. Similarly, the identity may have to be granted different permissions for different sub functions that the resource may expose. While a standards based IAM solution would be extensible, the consuming application may require changes to interact with the IAM solution and make use of the authorization information that is exposed.

Governance

With a central identity management solution, it is important that the related functions are better managed, monitored and audited. This requires defining, implementing and monitoring controls around people, process and tools & technology.
  • People – The person performing the one or more of the above functions should be highly trust worthy and appropriate separation of duties and responsibilities should be put in place. For instance, the person approving the identity creation should not be the same person who creates it. The identity performing these functions should be at appropriate level which ensures accountability. 
  • Process – Policies and processes need to be defined for each of the above functions. For instance, Identity creation shall specify the source of data, the required attributes for which data need to be captured, a process or methodology to have the identity information verified and on top an approval process. It is typical that the approving authority may be different for different resource, which has to be unambiguously defined. There should also be a process specifying the monitoring and audit requirements for the above functions.
  • Tools  & Technology – Carrying out the above functions will certainly need an appropriate tool and related technology. A comprehensive enterprise tool may facilitate carrying out all the required functions in addition to offering necessary APIs for the resources that consumes the authentication services. It is important to specify how access to these tools and related infrastructure is protected and governed.

The following are the key control objectives that need to be defined with respect to each activity performed under Identity Management:

  • Identification – the security control process that creates an entity and verifies the credentials of the individual, which together form a unique identity for authentication and authorization purposes
  • Authentication – a security control process that verifies credentials to support an interaction, transaction, message, or transmission
  • Authorization – a security control process that grants permissions by verifying the authenticity of an individual’s identity and permissions to access specific categories of information or functions exposed by a resource.
  • Accountability – a security control process that records the linkage between an action and the identity of the individual or role who has invoked the action, thus providing an evidence trail for audit or non-repudiation purposes
  • Audit – a security control process that examines data records, actions taken, changes made, and identities/roles invoking actions which together provide a reconstruction of events for evidence purposes

All the control objectives above serve the requirement to provide an auditable chain of evidence.
Identity management control processes should have an input, one or more control activities, an output, feedback, management monitoring, and an overall audit appraisal activity to ensure that they are fit-for-purpose. The starting point is an individual who is enrolled into an organization and subsequently acts in a function or role in the organization. The individual may be an employee, partner, or contractor, or third party. The output is the appropriate degree of policy enforcement and individual accountability for the business activity. Within the controls, the threats and vulnerabilities constituting the business risk must be addressed and assessed. These include business, legal, and technical aspects.

Like with any systems, the following are the key non-functional requirements an Identity Management infrastructure should aim to offer.
  • Being more responsive and secure
  • Interoperability with a multitude of systems requiring identity information.
  • Support for multiple authentication mechanisms, like two factor, bio-metric, etc.
  • Interfaces and APIs for automation which could result in reduction in operational costs.

A governance framework would not be complete if it does not define the measurements that indicate the efficiency and effectiveness. The following are some of the metrics that could be considered:
  • Password Reset volume – A well managed Identity Management System is expected to considerably reduce the help desk calls on forgotten passwords. As such a measure of this activity could be a key metric to establish that there is a considerable saving in such help desk activities.
  • Number of distinct credentials per user – With Single Sign On implemented, there should be only one distinct credential per user.
  • Average time taken for each of the identity management functions could be another useful metric to establish that the investment is worth.


References:

More related reading: