“Prevent identity theft—protect your Social Security number” is the headline on my Social Security statement that I receive each year around tax time. We hear about identity theft a lot these days, but as CIOs, we need to think about the issue from the point of view of the enterprise entrusted with the "identities" of our users and customers. I'll explain what is meant by identity in this context and how it must be managed to securely facilitate relationships to business applications.
What is an identity?
In the simplest terms, an identity is some method that verifies you are the person you say you are—those distinguishing attributes that only you can provide to authenticate yourself. It can be a single passcode or a set of numbers, such as a Social Security number, or a complex procedure, such as an encrypted key. The identity interacts with a process that determines what level of security you may possess and which services or activities you may participate in after completing an authentication challenge. Associated with this process is a set of global attributes that contains information about you. It might be your name, e-mail address, PIN/user password, credit card number, or Social Security number. It might be less obvious information such as how you want your home page to appear, affinity program memberships, or recent purchases. In part, it enables a positive user experience by retaining history or preferences about you.
If well guarded, the use of this information can make an e-commerce experience easy for the user. However, e-commerce is not just about the user experience—it's about the merchant or business entity's responsibilities to protect the user’s identity.
Having an identity and having a network identity are different subjects. A network identity is a construct consolidating multiple identities. An identity, as described above, is one aspect in a description of a person’s network identity. You can authenticate to one business application with a set of credentials known to that business application and get one experience. But you may need to present another identity to authenticate to another business application with a set of credentials known to the second business application. The credentials may not be the same, and the information about you may not be the same or even known. Besides the irritation of remembering another user identification and password, you may not have entered the same information (or wanted to), or the information may be used in a slightly different manner.
To describe this in another way, user account information is scattered across isolated applications, even though users are members of overlapping multiple communities of interest and commerce. The information is overlapping. With a network identity, the synergies abound: online banking with investment possibilities, credit card and utilities payments, and any number of other possibilities. With the realization that the overlapping information is consistent, the experience across different sets of business applications within a community of interest will be consistent. For instance, while doing online banking, I may be servicing my loan or working with my savings or checking account. Information affecting one set of applications would be relevant to another.
The security problem enters when your network identity needs to transcend a business entity or a number of discrete sets of applications within a business. Each set of applications requires credentials and, therefore, you, the user, may be challenged multiple times. Obviously, with a single set of applications, a simple identity will suffice. But with a wide range of business applications, you can very easily lose control; each application might enforce authentication and authorization very differently, including what and how to challenge. The decision could be based on different policies (rules) that are inconsistent between business processes (say between the online banking information passed to the mortgage application) or on islands of dissimilar information collected by each business application (say reversing two digits of a Social Security number).
For the business community, this becomes more of a problem than just an irritation. An ad hoc security implementation lays open the real probability of a security breach and the associated fines that come with it, whether it's disclosure of financial information or release of restricted information that is subject to government regulation. And then there is the (missed) opportunity cost of enhancing affinity relationships (cross-selling).
What is identity management?
I've described identity as the binding between a person (or entity) and a business process. It is a one-to-one relationship, and it has a lifecycle. The identity starts when a person initiates a relationship and gets an initial set of rights and privileges. As the relationship grows, rights may be added or subtracted, with preferences and affinity groups modified or removed.
Although I've given examples that relate to e-commerce, the concept of identity management is also of importance in controlling and tracking the use of enterprise resources by employees or other authorized agents, such as contractors and approved vendors. Intellectual property accessed and used by employees, including computer systems and network file storage, must be included in your identity management process.
For example, when a person joins a company and fills out the necessary forms for payroll, benefits, and other identification information, this normally triggers some activity within human resources, and the person gets an e-mail address. In identity management terms, the person is assigned an identity and granted rights to a mailbox that has a user identification and password assigned. The person is assigned a computer, and added to the identity is the privilege to access the computer system and other network file shares. Once allowed to access the computer system, the person assumes other rights to peruse the intranet and, most likely, the ability to go out through the corporate firewall to the public Internet. The person may be allowed into certain restricted intranet sites, again with another user identification and password. A transfer to a new position or a promotion brings a different set of privileges. Throughout the person's career, the process of addition, subtraction, and modification continues, until the person leaves or retires. Each data source or workflow action adds information to the person's identity.
At each point in time, the rights granted allow some measure of access to business applications and services. When and how the rights are assigned, and to what business applications and services, is the process of identity management. On the other side of identity management are the applications and services that must define rules for access. Like any other software, the identity, too, has a lifecycle. As additional services are added and extraneous or outmoded ones are pruned, its rules of access must be managed closely to prevent security and information breaches.
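The joiner/transfer/leaver lifecycle described above, as an added example that is not part of the original article: a small model in which rights are recomputed from current roles on each event, with a check that flags rights a transfer left behind. The role names and application names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: each role maps to the applications it justifies.
ROLE_ENTITLEMENTS = {
    "employee": {"mailbox", "workstation", "intranet", "internet-egress"},
    "payroll-clerk": {"payroll-app"},
    "finance-analyst": {"finance-reports"},
}

@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    grants: set = field(default_factory=set)  # rights actually provisioned
    active: bool = True

def expected_grants(ident):
    """Rights the current roles justify; nothing once the relationship ends."""
    if not ident.active:
        return set()
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in ident.roles))

def stale_grants(ident):
    """Provisioned rights no current role justifies (what recertification should catch)."""
    return ident.grants - expected_grants(ident)

def joiner(user_id, job_role):
    ident = Identity(user_id, roles={"employee", job_role})
    ident.grants = expected_grants(ident)
    return ident

def naive_transfer(ident, old_role, new_role):
    """Common mistake: add the new role's rights but never revoke the old ones."""
    ident.roles.discard(old_role)
    ident.roles.add(new_role)
    ident.grants |= ROLE_ENTITLEMENTS[new_role]

def mover(ident, old_role, new_role):
    """Reconcile: recompute grants from the new role set so nothing accumulates."""
    ident.roles.discard(old_role)
    ident.roles.add(new_role)
    ident.grants = expected_grants(ident)

def leaver(ident):
    ident.active = False
    ident.grants = set()

def authorize(ident, resource):
    return ident.active and resource in ident.grants
```

Running `stale_grants` over every identity on a schedule is the pruning step the text calls for; a non-empty result after a transfer means the old role's access was never revoked.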
Does identity management remove operational hurdles?
You can imagine the user identity information as similar to a credit card with a computer chip of memory. By unambiguously proving your identity (authentication), you unlock information about yourself. As you access applications and services, your rights to use that information (authorization) and your preferences (attributes) provide you with services.
Identity management can make this information usable across many different applications in a standard fashion. This would eliminate redundancy of storage, while allowing security policies to be written in a consistent manner and enforced in a general way. Standardization would enforce generic interoperability, saving development time, and, through common credential formats, authentication protocols, and security policies, ensure the fidelity of the information used in operations. The standardization of identity allows you to use a common credential portable across many applications. By doing so, the complexity of the authorization process is diminished.