Identity management

Poll without page-refresh

Article on other languages:

	del.icio.us
	Digg
	Furl
	Reddit
	Rojo
	Add to OnlyWire

It has been suggested that Identity and Access Management be merged into this article or section. (Discuss)

This article or section appears to contain a large number of buzzwords.
Please help rewrite this article to make it more concrete and meaningful. (June 2008)

This article does not cite any references or sources.
Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed. (September 2007)

In information systems, identity management is the management of the identity life cycle of entities (subjects or objects). An identity management system:

Establishes the identity
1. Links a name (or number) with the subject or object;
2. Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
Describes the identity:
1. Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
2. Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
Destroys the identity

1 Identity management in the public and private domains
2 Electronic identity management
3 Three perspectives on IdM
4 Emerging fundamental points
5 Research
- 5.1 European Research
6 Solutions
7 Companies with Identity Management Solutions
8 Implementation challenges
9 See also
10 International Standards
11 External links

Identity management in the public and private domains

Identities may manage themselves or other parties may manage them. These other parties may include private parties (e.g. employers or businesses) or public parties (e.g. personal record offices and immigration services).

Identity management in the public domain has become known as National Identity Management^{[citation needed]}.

Electronic identity management

Several interpretations of identity management (IdM) have been developed in the IT industry. Computer scientists now associate the phrase, quite restrictively, with the management of user credentials and the means by which users might log on to an online system. The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life "identified" entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates carried identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online "identity" of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified in real life (e.g. users, devices, services, etc). The design of such systems requires explicit information and identity engineering tasks.

The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the provision of informative web content such as the "white pages" of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management today.

Typical identity management functionality includes the following:

User information self-service
Password resetting
Management of lost passwords
Workflow
Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.

The term identity engineering refers to putting engineering effort into managing large numbers of interrelated items that have identifiers or names.

Three perspectives on IdM

In the real-world context of engineering online systems, identity management can involve three perspectives:

The pure identity paradigm: Creation, management and deletion of identities without regard to access or entitlements;
The user access (log-on) paradigm: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
The service paradigm: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

The pure identity paradigm

Please help improve this section by expanding it. Further information might be found on the talk page or at requests for expansion. (May 2008)

The user access paradigm

Identity management in the user "log-on" perspective may involve an integrated system of business processes, policies and technologies that enable organizations to facilitate and control access by their users to critical online applications and resources — while protecting confidential personal and business information from unauthorized access. It represents a category of interrelated solutions which system administrators employ towards managing user authentication, Access rights and restrictions, account profiles, passwords, and other attributes supportive of the roles/profiles of user in relation to applications and/or systems.

The service paradigm

In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.

Today, many organizations face a major clean-up in their systems if they are to bring identity coherence into their influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand — cheaply, with security and single-customer viewing facilities.

Emerging fundamental points

IdM provides significantly greater opportunities to online businesses beyond the process of authenticating and authorizing users via cards, tokens and web access control systems.^{[citation needed]}
User-based IdM has started to evolve away from username/password and web-access control systems^{[citation needed]} toward those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.
IdM provides the focus to deal with system-wide data quality and integrity issues^{[citation needed]} often encountered by fragmented databases and workflow processes.
IdM embraces what the user actually gets in terms of products and services and how and when they acquire them. Therefore, IdM applies to the products and services of an organization, such as health, media, insurance, travel and government services. It is also applicable to means by which these products and services are provisioned and assigned to (or removed from) "entitled" users.
IdM can deliver single-customer views that includes the presence and location of the customer, single products and services as well as single IT infrastructure and network views to the respective parties. Accordingly, IdM relates intrinsically to information engineering, security and privacy.
IdM covers the machinery (system infrastructure components) that delivers such services because a system may assign the service of a user to: a particular network technology, content title, usage right, media server, mail server, soft switch, voice mailbox, product catalog set, security domain, billing system, CRM, help desk etc.
Critical factors in IdM projects include consideration of the online services of an organization (what the users log on to) and how they are managed from an internal and customer self-care perspective.

Research

European Research

Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started. PICOS will investigate and develop a state-of-the-art platform for providing trust, privacy and identity management in mobile communities. On the backdrop of an increased risk to privacy of the citizen in the Information Society, PrimeLife will develop concepts and technologies to help individuals to protect their autonomy and retain control over personal information, irrespective of their activities. SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns, and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.

Other identity related projects from older European Union funded framework programs include FIDIS (Future of Identity in the Information Society), GUIDE, or PRIME.

Solutions

Solutions which fall under the category of identity management may include:

Management of identities

Provisioning/De-provisioning of accounts
Workflow automation
Delegated administration
Password synchronization
Self-service password reset

Access control

Policy-based access control
Enterprise/Legacy single sign-on (SSO)
Web single sign-on (SeoS)
Reduced sign-on

Directory services

Identity repository (directory services for the administration of user account attributes)
Metadata replication/Synchronization
Directory virtualization (Virtual directory)
e-Business scale directory systems
Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP

Other categories

Role-based access control (RBAC)
Federation of user access rights on web applications across otherwise untrusted networks
Directory-enabled networking and 802.1X EAP

Standards initiatives

Security Assertion Markup Language (SAML)
Liberty Alliance — A consortium promoting federated identity management
Shibboleth (Internet2) — Identity standards targeted towards educational environments
Abriva — Free mobile identity management framwork

Companies with Identity Management Solutions

Implementation challenges

Getting all stakeholders to have a common view of data
Expectation to make the IdM a data synchronization engine for application data
Envisaging an appropriate business process leading to post-production challenges
Lack of leadership and support from sponsors
Overlooking change management — expecting everybody to go through the self-learning process
Lack of definition of the post-production phase in a project plan — for a smooth transition of the system to the end-user community, it becomes critical that an organization gears up for proper support through a transition phase or stabilization phase. This may take from three to six months.
Lack of focus on integration testing
Lack of consistent architectural vision
Expectations for "over-automation"