
How Secure is your Identity?

With identity thefts on the rise, organizations need the right solutions to manage them. We analyze what this trend is all about, and types of solutions that are available

Anindya Roy

Monday, September 25, 2006


Today we talk of 'collaboration' a lot. In the context of IT, the biggest challenge it raises is managing the digital presence of every user across all organizations and business units. An enterprise user today faces multiple computer interfaces to do his job: his mail account, bank account password, corporate intranet, a B2B or B2C site, or even his workstation. Everywhere, he has to be authenticated. With so many authentications, it is quite natural for an enterprise user to become careless about the whole process. This leads to mismanagement of online identity, or identity theft.

While it might sound harmless, it can lead to drastic results. For example, say your organization has given mobile users access to log in to the corporate network from anywhere in the world. You cannot check who is logging on to the network by any physical means. If such an ID gets hacked, your whole enterprise network can be compromised.

You might ask how this is possible and what role Identity Management (IDM) plays in preventing such a scenario. Suppose your organization doesn't have any kind of Identity Management implementation and users are free to choose any password they want for accessing any resource. Users will naturally be inclined to use the same password, or passwords that are very easy to remember (and guess), across all the resources. You might have secured your critical resources with state-of-the-art firewalls, IPS, antivirus, encryption, etc., but this weakest link could very well be misused by a hacker. If a user has used the same password across resources, the hacker could attack the easiest resource to acquire it. For instance, most e-mail clients and servers communicate in plain text, and a hacker could easily intercept the traffic and capture the password.

Identity theft is becoming the fastest growing crime in the world. With the increased presence of ordinary citizens on the Internet and their access to crucial resources such as online banking, transactions and purchases, simple passwords no longer provide adequate protection. Whoever is accessing your systems, be it employees on your LAN or Wi-Fi network, partners on your extranet, or customers on your e-commerce sites, needs a reliable means of authentication. Stronger forms, such as USB tokens or smart cards, may now be required to ensure the identity of users.

Challenges for enterprise
The key challenge for an enterprise is to maintain a common and managed identity for two different types of user groups, namely insiders and outsiders. Insiders are the internal employees of an organization, while outsiders are the customers or partners of an enterprise.

Out of the two, insiders are the ones who are generally hooked inside the corporate network and spend most of their working hours engaged with the enterprise. They typically access multiple internal systems of the enterprise and their identity profiles are relatively detailed. Outsiders on the other hand are those who access only a few systems of the enterprise such as CRM and e-Commerce, and access these systems occasionally. Identity profiles about outsiders are less detailed and less accurate than those of insiders.

At Crest we use 'multiple applications' with 'multiple users' having 'roaming profiles,' by deploying Identity Management SSO (Single Sign On). It helps us to integrate applications and users to increase efficiency of production. IDM also helps our organization to analyze resources utilized on various projects, for better 'project management planning' and 'cost calculation' amongst various departments such as HR, Finance and Production.
P Krishna Prasad, Head IT, Crest Animation Studio

Now, as both types of users are of different nature, the technology used to manage them is also different. Let us now see some key trends and solutions that an enterprise can use to manage users.

Trends and solutions
To achieve Identity Management, a host of technologies are brought together to meet business and technical needs. Identity Management has its own life cycle, which includes user provisioning (activation and deactivation of employee accounts), and account management. Other tasks of IDM are password management and access management, and allocation according to identity. As employees change position or address and other work/personal information, multiple systems need to be updated in multiple places. Identity management solutions offer the ability to self-serve this and synchronize and automate these tasks.

The biggest drawback with vendors in this space today is that most of them provide incomplete products: you need different products to achieve different functionalities of Identity Management. Single Sign On (SSO), which is a key component of IDM, can be achieved by proper implementation of any directory service such as MS-ADS (Microsoft's Active Directory Service). For key- or hardware-based identity management solutions, there is RSA. So the key trend we see today is the integration of the ID and access management suites of all major technology vendors, such as BMC Software, IBM, CA, RSA, Microsoft, etc., to achieve a full-fledged IDM system.

The other trend we see is the integration of access and management technologies with other technologies such as Help Desk, Service Management, Configuration Management and Monitoring, eventually leading to Business Services Management.

Our organization deals with IT and ITES (BPOs and call centers). Most of our customers implement their global development centers from our premises. In addition to iGATE specific security implementation, these customers want to implement their own security solutions for projects and processes.

Due to this, handling and deploying security processes (which include access rights permission) to folders and applications has become cumbersome. iGATE operates on heterogeneous systems due to its client requirements. Managing user accounts and associated passwords on a heterogeneous system is a cumbersome and difficult process. Due to the above challenges, iGATE is evaluating various IDM solutions.

Shiva M, Vice President, Global IT Infra Support and Purchases, iGATE

Types of IDMs
Following are a few types of Identity Management solutions that are available.

Single Sign-on: This is a mechanism with which a single action of authentication can grant a user access to all his system and network resources where he has access permissions. While doing this, you don't even need to enter multiple passwords and face multiple authentication interfaces. SSO or Single Sign-on reduces human error by reducing the number of authentications required. Some examples of Single Sign-on are Microsoft Passport and Kerberos.

Two Factor Sign in: This is a mechanism that gives a user an additional layer of protection through hardware token or card based authentication, coupled with a standard PIN or password. In the first stage, the user authenticates himself either by swiping an RF or magnetic card or by providing the system with a random number generated by a hardware device (called a token). In the second stage, the user provides a standard PIN or password to complete the authentication.
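The two stages described above, as an added example that is not part of the original article. The article does not say how the token generates its number, so this sketch substitutes the open HOTP standard (RFC 4226); the class name, look-ahead window and lockout limit are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: what the token displays for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TwoFactorAccount:
    MAX_FAILURES = 5  # assumption: lock the account after five bad attempts

    def __init__(self, secret: bytes, pin: str, salt: bytes, window: int = 3):
        self.secret, self.salt, self.window = secret, salt, window
        self.pin = pin_digest(pin, salt)
        self.counter = 0   # next token counter the server will accept
        self.failures = 0

    def authenticate(self, code: str, pin: str) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False
        # Stage 1: the code must match an unused counter in the look-ahead
        # window (the token may have been pressed without logging in).
        matched = None
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                matched = c
        # Stage 2: the PIN is checked even if stage 1 failed, so the reply
        # does not reveal which factor was wrong.
        pin_ok = hmac.compare_digest(pin_digest(pin, self.salt), self.pin)
        if matched is None or not pin_ok:
            self.failures += 1
            return False
        self.counter = matched + 1  # burn this code and all earlier ones
        self.failures = 0
        return True

# Constructed sample data: the published RFC 4226 test secret and a made-up PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_ACCOUNT = TwoFactorAccount(DEMO_SECRET, pin="4821", salt=b"constructed-salt")
```

A captured token code is useless on its own: it fails without the PIN, and it fails again once the legitimate login has advanced the counter.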

Policy based automated provisioning: It's a system for creating and managing multiple instances of a service within a shared IT infrastructure. The network administrator maintains a set of computing resources that can be allocated to different services and then to users based on policies. The users can then request to access services of a particular type, and instances of these services are then provisioned to meet their requirements.

Role based access control: Roles are defined for different job related functions, and permissions are allotted to each role. Instead of assigning policies directly to a user or group, the user or group is assigned roles, and through those role assignments gets the permissions required to perform any particular task in the network. As users and groups acquire policies through roles rather than directly, management of individual user and group rights becomes very easy: all you have to do is allocate the proper role to a given user. This simplifies the task of editing a user, changing user policies or even adding new users. This feature can be achieved by using any LDAP server. Microsoft is a vendor in this space.
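A small model of the role indirection described above, tied to the provisioning life cycle mentioned earlier (position changes and account deactivation). It is an added example, not taken from the article or from any vendor's product; the role names, permission strings and function names are constructed.

```python
from dataclasses import dataclass, field

# Constructed policy: permissions attach to roles, never to users.
ROLE_PERMISSIONS = {
    "employee": {"intranet:read", "mail:use"},
    "hr_staff": {"hr_db:read", "hr_db:write"},
    "finance_staff": {"ledger:read", "ledger:write"},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True

def permissions(user: User) -> set:
    """Effective permissions are always derived from current roles."""
    if not user.active:
        return set()  # a deactivated account resolves to nothing
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms

def is_allowed(user: User, permission: str) -> bool:
    return permission in permissions(user)

def change_position(user: User, old_role: str, new_role: str):
    """Swap one role and return (revoked, granted) for the audit trail."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"undefined role: {new_role}")
    before = permissions(user)
    user.roles.discard(old_role)
    user.roles.add(new_role)
    after = permissions(user)
    return before - after, after - before

def deprovision(user: User) -> None:
    """Leaver process: deactivate and strip roles in one step."""
    user.active = False
    user.roles.clear()

# Constructed sample user for experimenting interactively.
DEMO_USER = User("asha", {"employee", "hr_staff"})
```

Because old permissions are never stored on the user, a transfer from HR to Finance cannot leave stale HR access behind; the returned sets show exactly what was revoked and granted.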

Conclusion
Because of the huge threat posed by identity theft and the requirements of MNCs who come to India for offshoring, it has become very important for Indian IT and ITES companies to deploy Identity Management for their users and customers. This market is buzzing with new technologies and players, so do your homework properly before selecting the right solution for your enterprise.

Useful Links
RSA: http://www.rsasecurity.com/node.asp?id=1191
Microsoft: http://tinyurl.com/z98dr
Sun: http://www.sun.com/software/products/identity/index.jsp
BMC Software: http://www.bmc.com/corporate/nr2005/032305_1.html
CA: http://www3.ca.com/Press/PressRelease.aspx?CID=82552
