This month we looked at one of the hot-button products from the 2006 landscape — identity management. For years identity management has been defined by the "triple A acronym" of:
- Authentication: confirmation that a user is truly tied to the username provided;
- Authorization: granting access to specific services based on the authentication;
- Accounting: a process for logging access and authorization.
As more best practices around Sarbanes-Oxley have been implemented at organizations, the first tenet of the AAA which needed updating was the accounting process. As organizations needed to maintain a more granular set of logs, as well as retain the logs for longer periods of time, it became necessary to create improved logging processes.
Under Homeland Security Presidential Directive 12 (HSPD-12) and, subsequently, Federal Information Processing Standard (FIPS) 201, new roles became part of identity management. These new roles were: proofing, registration, issuance and maintenance.
These standards led to NIST Special Publication 800-79. All of these new standards and terms have left the entire field of identity management in a state of rapid evolution. When I served as a moderator of a panel on identity management at several national conferences, the first question I usually had to answer was, "What exactly is identity management?"
The answers, explanations and discussion around this single question would often be heated. In most cases, identity management is comprised of several functions. These functions do not define identity management directly, but they do serve to characterize it. To paraphrase Justice Potter Stewart’s famous response when asked what he considered pornography to be: we may not know exactly what identity management is, but we’ll know it when we see it. These characteristics are:
- Provisioning: the enrollment of users to the system;
- Workflow automation: movement of data in a business process;
- Delegated administration: the use of role-based access control to grant permissions. With delegated administration, access is granted by the business process owner rather than by the IT department;
- Password synchronization: creating a process for single sign-on (SSO) or reduced sign-on (RSO), so that a single authentication can be used for access to all network resources;
- Self-service password reset: this process can often reduce the cost of account administration, but it must be done securely enough that it does not undermine the security of the account;
- Federation: a process where authentication and permissions are passed from one system to another, reducing the number of authentications needed by the user.
This list is by no means exhaustive of the functions that can be part of identity management. Vendors certainly add other processes to these core ones to improve or implement additional features. Moreover, most products in the identity management space do not implement all of these components.
For submissions to this review, we required only that the products exhibit the following characteristics: password management, user provisioning, and enterprise access management.
Additionally, each product had to be enterprise-centric. Each product we tested implemented a subset of these features. Some of these products were complex, would be required only in the largest enterprises, and would also require dedicated staff to implement and manage them. Some of the products were software-only, while others were appliance-based.
How we tested
For the software-only product distributions, we tested using Windows 2003 Advanced Server Service Pack 1 with SQL Server 2005 installed. The hardware used was an Intel Pentium 4 3.00 GHz machine with 512 MB of RAM and a 100 GB hard drive. All of the latest hotfixes were applied, and several Microsoft components were installed to facilitate the installation of the software packages.
We were especially attentive to ease of use, deployment and management. We were interested in how transparently the product does its job without being intrusive to the user. Finally, we looked at the functionality and how well it meshed with the six characteristics we described above.