The Rewards and Pitfalls Of Identity Management

Companies that diligently use standard data management products and techniques might assume that all their corporate information is safe. However, that is not the case. Some kinds of information need special care and attention – for example financial information, or, even more so, information related to personal identities.

Identity fraud is a growing problem. Organized crime often uses identity theft to raise money to fund operations such as people trafficking and drug smuggling. Gartner Research estimates that "phishing" attacks alone cost U.S. banks and credit card companies $1.2 billion last year. According to Computer Associates’ security guru Mick Coady, identity theft is much easier than most people think; personal information can be relatively easily obtained for about $500-1,000 per record.

Increasingly, governments recognize the problem of identity fraud, and legislation is being put in place that regulates who can see what information. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley (GLB) Act mandate privacy of personal information in the healthcare and financial spheres. In Europe, the European Data Protection Directive restricts access to personal information. Other countries such as Canada and Australia have similar laws.

Unfortunately, having the legislation in place is only the first step. To make the legislation have any impact, organizations need effective, reliable identity management.

Well-implemented identity management systems not only help with regulatory compliance and preventing fraud; they can also increase operational efficiency, tighten security and improve customer experience. For example, identity provisioning systems, which speed up the process of allocating access permissions to business systems and information, can dramatically reduce the time that it takes to make a new employee productive. In addition, they can eliminate the problem of ex-employees having continued access to systems because no one has thought to remove those permissions. Identity-based access control with simplified sign-on can ensure that the right people - and only the right people - have speedy access to the right systems and information. Identity management also plays a critical role in enabling personalized user interfaces, which provide a better user experience and subsequently result in attracting and retaining customers. Amazon leads the way, but is followed by many other web retailers and customer-facing organizations.

If it’s so great, why doesn’t everybody implement it? Here comes the challenge - implementing effective, interoperable identity management can be very tricky.

First of all, each enterprise has its own individual identity management requirements. Based on its specific needs, it must have a solution for a combination of different functions. The most common functions include control of access to information, privacy management, human resources, customer relations management, supply chain management, "white pages" directory, web services, and custom corporate applications. There are many good identity management products as well as third-party services that perform different identity-related functions, such as identity storage, provisioning, single sign-on, identification through smart cards or biometrics, information synchronization, federation, and policy management. However, most solutions on the market are point solutions, which are not easy to match to a set of requirements within a coherent architecture, and which often do not interoperate. There is no overall, off-the-shelf solution.

Matching solutions to requirements and ensuring interoperability requires standards. However, identity management products and standards are still emerging, and the picture can be confusing. There has been rapid progress in Web Services Specifications for identity management, and in the Liberty Alliance project, although these two approaches are often seen as being in competition. There are several XML-based identity-related standards, including the Directory Services Markup Language (DSML), the Service Provisioning Markup Language (SPML), the Extensible Access Control Markup Language (XACML), and the Security Assertion Markup Language (SAML). The Public Key Infrastructure (PKI) bandwagon might look to have stalled. However, PKI has the potential to be an important identity management technology, and its supporters may yet get their wagon back into gear. In addition, there are some unstandardized technologies that can provide effective point solutions – for example, password synchronization.

The common problem that adds to the challenge is that the identity information itself, which is available in organizations’ directories and databases, is often fragmented, and can be of poor quality. A large corporation may have many stores of identity information (many thousands, if PC and PDA address lists are included) that often contain records for the same people, although sometimes with different additional information. People's personal circumstances, and their roles within the organization, change frequently; information stores are not always updated; and errors accumulate. So how do you find your way through this fog, and figure out how to make identity management effective for your organization?

The Liberty Alliance Project and the Web Services Specifications initiative are working on different approaches to identity federation, and are developing standards profiles for sign-on and attribute retrieval. The Organization for the Advancement of Structured Information Standards (OASIS) develops XML-based standards for packaging and secure transport of identity information, including SAML and the other markup languages mentioned earlier. ISO/IEC JTC 1 SC 37 (a formal international standards body) is defining standards, including data formats and APIs, for biometric technologies. Work on PKI is being done in the PKIX group of the Internet Engineering Task Force (IETF). Most of these bodies publish information about their standards and encourage participation in their work.

Industry consortia such as the Network Applications Consortium (NAC), EEMA - the independent European association for e-business, and The Open Group provide a way of getting involved at a less technical level. Through participation in group activities and networking with people who are deploying solutions and designing products, they help their members understand what value the technologies offer to enterprises and how they can be deployed, and give them the option to influence the direction that the industry is taking.

Identity management is a new discipline; it can be confusing, and hard to understand. But there are some good sources of information, and opportunities for involvement in the development of identity management standards and practice. The rewards for getting on top of this technology are improved efficiency, security and customer satisfaction, easier compliance with regulation, and protection against fraud. Giving identity information special treatment is not easy, but the reward will make the effort worthwhile.

For more information, please contact Dr. Chris Harding at

About the Author

Dr. Chris Harding leads the SOA Working Group at The Open Group - an open forum of customers and suppliers of IT products and services. In addition, he is a Director of UDEF Forum, and manages The Open Group's work on semantic interoperability. He has been with The Open Group for over ten years.

Dr. Harding began his career in communications software research and development. He then spent nine years as a consultant, specializing in voice and data communications, before moving to his current role.

Recognizing the importance of giving enterprises quality information at the point of use, Dr. Harding sees information interoperability as the next major challenge, and frequently speaks or writes on this topic. He is a regular contributor to ebizQ.

Dr. Harding has a PhD in mathematical logic, and is a member of the British Computer Society (BCS) and of the Institute of Electrical and Electronics Engineers (IEEE).

About Open Group

The Open Group is a vendor-neutral and technology-neutral consortium, whose vision of Boundaryless Information Flow will enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia and other standard bodies. Its role is to capture, understand and address current and emerging requirements, establish policies and share best practices; to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies; to offer a comprehensive set of services to enhance the operational efficiency of consortia; and to operate the industry’s premier certification service. Further information on The Open Group can be found at