The Evolution of Identity
By Michael Atalla
Group Product Manager, Microsoft Corporation
Over the past several years, technological innovations in communications have given people the tools to form new connections to other people, businesses, and services. And increasingly, people envision a world in which they will have instant, seamless access to the applications, information, and communities that are important to them, no matter where they are and regardless of the devices they are using to connect. As this new world of work begins to take shape, there is a growing expectation that connectivity should be transparent and pervasive—and that our digital identities should move with us automatically as we travel from place to place and switch from device to device.
Achieving this vision is no longer a question of whether the power of our devices and networks is sufficient. Instead, security has taken center stage as IT professionals work toward creating a computing environment that businesses can use to access, share, and use corporate and personal information without fear that it will be compromised, stolen, or exploited. There is a growing expectation that we will solve this problem together: not just creating connections, but creating trustworthy connections.
In this connected world, the proliferation of identities and identity systems is a significant problem and a difficult challenge. Our users struggle to remember an ever-growing number of user names and passwords as they move between systems. And we, as IT professionals, struggle to manage them. Whether a digital identity represents a user, an application, or a device, the protection and management of that digital identity is critical to make possible the scenarios that our users are demanding today and create these trustworthy connections.
The cost and effort required to effectively and securely implement and manage user communities in a corporate network can be overwhelming. Software vendors have provided a variety of solutions to IT organizations, ranging from point solutions that address a specific vertical or narrow identity problem to broad suites of products that are intended to solve all problems for all people. Regardless of what vendor or vendors you select to solve your identity management problems, you’re going to find products and solutions in five key areas of identity, and it is critical that all are paid due attention as you plan your organization’s identity and access infrastructure.
Directory Services
With the proliferation of users and devices in an organization, there is a great need for a central place to store and manage information about users, computers, and the applications they access. In addition, the central store must be able to adapt to newer organization security policies such as two-factor authentication, data encryption, and tracking for compliance purposes. Old news, isn’t it? Most IT professionals have long since adopted a directory services strategy for their organizations. And more and more of these IT professionals are revisiting their directory architectures today to ensure they have their directories in order as they seek to address broader identity management challenges and compliance challenges.
This ongoing focus on getting directories in order is critical to laying the foundation for a successful identity and access infrastructure. You cannot build a house on a sandy foundation, and as you look forward to providing richer experiences to your end users, revisiting the directory architecture is the starting point. If you’re one of the majority of customers who has come to depend on Active Directory as a primary authentication directory for users, it is time to take a critical look at the architectural choices you made five to seven years ago.
Strong Authentication
As organizations look toward providing more services to their users that cross organizational boundaries, they are increasingly realizing that traditional user name and password solutions are no longer sufficient to secure access control for business assets and sensitive data. In addition, IT professionals are well aware of the complexities that many strong authentication solutions have historically presented from a deployment, maintenance, and management perspective.
One solution that has gotten a negative reputation is digital certificates. Despite some of the previous experiences that many organizations have had with digital certificate–based authentication solutions, these are the best and most flexible of solutions for authentication across the broadest variety of scenarios for users, computers, and applications. Software vendors and hardware vendors have made enormous improvements in the technology they provide for deploying and managing digital certificate infrastructures. Certificate Services in Windows Server has come a long way itself in providing this base infrastructure since first showing its face in the Windows NT 4.0 Option Pack.
As requirements for technologies such as Internet Protocol security (IPsec) for computer authentication and smart card authentication for users come front and center for organizations, it is time to look again at the three-letter word that starts with a P and ends with I.
Federation
While directory services and strong authentication have long been in the vernacular of the IT professional, new terms like “identity federation” are coming into being because, in an increasingly interconnected world, organizations need to provide efficient and secure access to their internal systems and data for external entities such as business partners, customers, and mobile employees.
Federation is a standards-based mechanism for establishing trust between different organizational entities, such as an organization and its suppliers. Because of this established trust, organizations can collaborate more securely and efficiently, giving end users a seamless cross-company single sign-on experience across different environments.
While the technology industry has come up with numerous approaches to single sign-on in the past, one of the reasons federation is getting so much fresh attention is that its design inherently allows IT professionals to create these relationships across boundaries without creating additional user accounts for external parties and without having to manage an even more complex directory environment. In the past, many IT professionals have had to create entirely separate Active Directory forests to provide access to business partners in a manner deemed secure. Using federation, businesses can react to their imperative to connect without adding burden to the IT staffs that ensure the security of the information and assets within their network boundaries.
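The trust relationship described above, reduced to its essentials as an added example (this is illustrative code written for this page, not code from the article or from any Microsoft product): a partner's identity provider authenticates its own user and issues a signed claims assertion; the relying party accepts it only if the issuer is in its trust registry, the assertion is addressed to it, and it has not expired, then makes an access decision from the asserted group membership without ever creating a local account. The issuer and audience names, the shared secret, and the group names are constructed; a shared HMAC key stands in for the certificate-based signature a real federation deployment would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust registry held by the relying party: one entry per federated
# partner. A real deployment would hold the partner's signing certificate instead
# of a shared secret; HMAC keeps this example dependency-free.
TRUSTED_PARTNERS = {
    "idp.partner.example": b"constructed-shared-secret-for-demo",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, secret, subject, audience, groups, now, ttl=300):
    """Identity provider side: sign claims about a user it has already authenticated."""
    claims = {
        "iss": issuer,          # who vouches for the user
        "sub": subject,         # the user, in the partner's namespace
        "aud": audience,        # the relying party this assertion is meant for
        "groups": groups,       # partner-asserted entitlements
        "iat": now,
        "exp": now + ttl,       # short lifetime limits replay
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_assertion(token, expected_audience, now):
    """Relying party side: return the claims only if the assertion is trustworthy, else None."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed token, bad base64 or bad JSON
        return None
    secret = TRUSTED_PARTNERS.get(claims.get("iss"))
    if secret is None:
        return None             # no federation trust with this issuer
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None             # signature does not match: tampered or forged
    if claims.get("aud") != expected_audience:
        return None             # assertion was issued for someone else
    if claims.get("exp", 0) <= now:
        return None             # expired
    return claims


def authorize(claims, required_group):
    """Map the partner's asserted group to a local access decision; no local account is created."""
    return claims is not None and required_group in claims.get("groups", [])


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_assertion("idp.partner.example", TRUSTED_PARTNERS["idp.partner.example"],
                            "alice@partner.example", "portal.example", ["purchasing"], now)
    print(authorize(verify_assertion(token, "portal.example", now), "purchasing"))
```

The relying party's only per-partner state is the trust registry entry; every check that matters (issuer, signature, audience, expiry) happens before the claims are used, and the access decision is driven by what the partner asserted rather than by a locally maintained account.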
Information Protection
I don’t think I’m going to have to repeat the following sentence: Leaks of confidential information can result in loss of intellectual property, compromised ability to compete, unfairness in purchasing and hiring decisions, and diminished customer confidence. No IT professional wants to get an e-mail message from his or her CEO asking how the salaries and social security numbers of his or her employees ended up on a public Web site, but somebody reading this article probably has.
Electronic communications and files are ubiquitous in today’s organizations. The ease of transmitting e-mail messages and information also increases the risk of unauthorized viewing and distribution. Our strategies for protecting the digital information and assets of our organizations must evolve to address the changing landscape of threats that face us. For a truly defense-in-depth approach to this problem, it is becoming imperative that we implement solutions that protect information at the moment of creation and that carry detailed policies governing how the information may be used.
Investing time and energy into a strategy for protecting information from creation and throughout its life cycle is an important component of a comprehensive approach to identity and access. Critical considerations in this area are:
Is my information protected when it is created?
Is the protection persistent?
Can my users access this information seamlessly in the applications they use most often?
Do I have a disaster and information recovery plan?
Life Cycle Management
Now you’ve heard what I think about four major areas of infrastructure that are critical to ensuring you’ve covered your bases when it comes to identity and access. So, what’s next? IT professionals have to take responsibility for managing the policies that will govern digital identities in their organizations through their life cycles. The task of managing users, information policies, access policies, strong authentication tokens, and so forth has become far more complex. Organizations have to deal with the complexity of distributed applications and data and with internal and external regulations. In addition, they have to ensure authorization policy is defined and implemented accurately across all this. This increased complexity is beginning to demand a management solution that is automated, policy driven, and workflow based rather than the manual processes of years past.
You’ve got a big job here, and you want to ensure that you are addressing this issue in the simplest, most straightforward way you can. There are a few key things to think about when you think about life cycle management. Keep an eye on that first recommendation around getting your directories in order. The simpler and better managed your directory infrastructure, the easier your life cycle management tasks will be. Think about all the application-specific directories you have in place and make sure you are thinking about how to keep the data in those directories in sync with your primary user directory.
Think about your authentication strategy and your federation strategy and what you’re doing about information protection; look for solutions that help you bring these pieces together rather than solutions that just add layers to each individually. In order to simplify the process of life cycle management, empower users to handle the business tasks associated with their identities, and keep maximum control in the hands of the IT organization, you need a solution that integrates well with all of your existing investments. No identity life cycle management solution will meet all of your needs out of the box, so it is important to look for solutions that can be tailored to your individual needs.
However you choose to approach this problem, don’t make the mistake of thinking a suite of management products will solve all of your problems if you haven’t built your house with a solid foundation and walls across all of the other four areas I’ve discussed.
Identity is at the crux of the security challenges we face in responding to the imperative to connect users and organizations. The way you as IT professionals address the identity and access challenges of the day and in the future will determine how quickly your organizations can realize this world of pervasive, seamless connectivity to applications, information, and services. Take a measured approach to this challenge across these five key areas and you’ll find that the solutions are out there that can help you achieve your goals. And when you don’t find what you need, tell your favorite software vendors to get on track and make it happen. This one is listening.