TMCnet - World's Largest Communications and Technology Community



June 2008 | Volume 11/ Number 6
Inside Networking

Identity Management and the Real-Time Virtual Enterprise

We’ve all heard about identity theft in the consumer environment, but identity management is also a key concern for enterprises.

Traditionally, every application requiring access restrictions implemented its own user authentication scheme. Password format and change rules varied by application, and loose policies defined who could be added to or removed from access lists. IT help desks were inundated by password reset requests.

The role of identity management is to provide a secure and reliable way to establish trust between communicating parties, wherever they may be and however they are connected. Identity, a central concept within identity management, can be defined as a set of claims made by a person or logical entity about itself. Logical entities can be devices, such as servers, PCs and smart phones — virtually any device connected to the network. A claim is an assertion of the truth of something, such as employee ID or username, personally identifying information, knowledge of a password, membership in a group, or a role-based capability.

Identity management integrates Authentication, Authorization, Accounting, Auditing and Administration (the 5 A’s of identity management) across user, device, network, service, application and content domains. Authentication securely establishes that a user is who he or she claims to be. Authorization grants authenticated users a specific set of network capabilities, and access to specified information and applications. Accounting allows IT to allocate costs across business units. Auditing provides reporting in order to demonstrate regulatory compliance. Finally, Administration provides the ability to manage user profiles.

There are many stakeholders in identity management, which is why the deployment of enterprise-wide identity management is considered a strategic investment by many enterprises. The CEO would see the creation of flexible business networks, communities and federations, with role-based access to services and applications (e.g. for employees, partners or contractors), as a way to achieve improved business effectiveness. The CIO would target increased IT operational effectiveness to serve users better and support business transformation. The CSO would be able to deliver better and finer-grained security across a broader user and application population. The CFO would be able to more easily audit usage and demonstrate compliance with regulations such as Sarbanes-Oxley. Application owners could use self-serve capabilities to control who has access to applications and when, even moving away from cumbersome employee lists to role-based access controls.

Enterprises need to address the needs of identity management. This can be done by rolling out endpoint security mechanisms, authenticating users, ensuring device compliance against the security policy, and providing controls to ensure access only to authorized applications.

Tony Rybczynski is Director of Strategic Enterprise Technologies at Nortel. He has over 20 years' experience in the application of packet network technology. For more information, please visit

» Internet Telephony Magazine Table of Contents
