In our innovation issue last month, I commented that identity management can be an administrator’s nightmare. That, it turns out, is only part of the story. Another piece of the nightmare is figuring out what identity management really means in the context of product selection. We looked at products that presented themselves as identity management products and we found that many of them, good as they were in their own context, did not fit our concept of what identity management is.
The bottom line is that the immaturity of the genre has spawned many products that each address a piece of what may be loosely interpreted as identity management. For a solid definition of identity management, then, we turned to federal standards. FIPS 201, Federal Information Processing Standards Publication 201, is a federal government standard that specifies Personal Identity Verification (PIV) requirements for federal employees and contractors.
FIPS 201 says a PIV system has three sub-systems: the front-end sub-system, the card issuance and management sub-system, and the access control sub-system. The front-end sub-system includes those components that accept identity input. These could be a card system, a biometric system, or any other way of providing unique individual identities.
The card issuance sub-system is just what it sounds like, but we may extend that definition using the vernacular of the commercial world to mean provisioning. This goes beyond cards to include any identity credential. We use the term “credential” here to mean any card, biometric, password or passphrase, or PIN used to uniquely identify a subject. Finally, the access control sub-system includes all of those things that authorized users can access and the means to control that access and authorization.
If we stick to FIPS 201, then, we find that all of the products we examined fit the description in some manner. However, we set a features benchmark to include at least one component from each of the FIPS 201 subsystems. That means that we were looking for some manner of assigning unique identity credentials (the product did not need to supply the credentials), a method of provisioning, and a method of binding identities to objects to which the identified subject might require access.
We also found that many of these systems are complicated to deploy, especially when they contain many modules and can address enterprises of different sizes. Once deployed, however, they tended to fulfill their promises of providing a simplified method of managing personal IDs and the objects to which they are bound. This raises the question of who needs identity management.
We found that most vendors believe that just about any size enterprise can benefit from their products. In that regard, at least for now, we beg to differ. Identity management must address a particular challenge. That challenge may be size, special applications, high security requirements, geographic dispersion of the organization, or other needs.
That said, we likely are headed for a time when, in order to do away with static passwords, we will all want some form of identity management system. In that regard, we saw some products that are headed in that direction. These products are more than identity management products. They build identity management into an overall workflow management system.
The real benefit in these systems is that they even out the process of assigning, managing and auditing access. They are, in effect, full user management systems. Most important, perhaps, is that they are extensible.
How we evaluated systems
Because the products we saw covered a broad range of capabilities, we evaluated on two levels. First, we wanted to see if the product met our minimum benchmark of providing each of the subsystems called for by FIPS 201. Only those that did could score better than three stars in the features category, but those that did not were not limited in any other way.
Second, products that met only part of our FIPS benchmark were evaluated on those functions that they did provide. We evaluated them individually and, though they may have lacked features according to our benchmark, they may have been extremely competent in their own context. We did not, as is always the case in our review process, compare products. Each product was rated on its own merits.
Mike Stephenson contributed to this review.