Welcome to the MedLibrary.org Wikipedia Supplement on Access and Identity Management -- Please Click to Return to Front Page

This article or section includes a list of references or external links, but its sources remain unclear because it has insufficient inline citations. You can improve this article by introducing more precise citations where appropriate. (December 2008)

This article or section appears to contain a large number of buzzwords. Please help rewrite this article to make it more concrete and meaningful. (June 2008)

This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed. (September 2007)

In information systems, identity management is the management of the identity life cycle of entities (subjects or objects). An identity management system:

1. Establishes the identity
   1. Links a name (or number) with the subject or object;
   2. Re-establishes the identity (i.e. links a new or additional name, or number, with the subject or object);
2. Describes the identity:
   1. Optionally assigns one or more attributes applicable to the particular subject or object to the identity;
   2. Re-describes the identity (i.e. changes one or more attributes applicable to the particular subject or object);
3. Follow identity activity:
   1. Record and/or provide access to logs of identity activity
   2. Optionally auto-analyze behaviour patterns of the identity
4. Destroys the identity

Contents 1 Identity management in the public and private domains 2 Electronic identity management 3 Three perspectives on IdM 3.1 The pure identity paradigm 3.2 The user access paradigm 3.3 The service paradigm 4 Emerging fundamental points 5 Research 5.1 European Research 6 Solutions 7 Implementation challenges 8 See also 9 External links

Identity management in the public and private domains

Identities may manage themselves or other parties may manage them. These other parties may include private parties (e.g. employers or businesses) or public parties (e.g. personal record offices and immigration services).

Identity management in the public domain has become known as National Identity Management^{citation needed}.

Electronic identity management

Several interpretations of identity management (IdM) have been developed in the IT industry. Computer scientists now^[update] associate the phrase, quite restrictively, with the management of user credentials and the means by which users might log on to an online system. The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life "identified" entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates carried identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online "identity" of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified in real life (e.g. users, devices, services, etc). The design of such systems requires explicit information and identity engineering tasks.

The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the delivery of informative web content such as the "white pages" of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management today^[update].

Typical identity management functionality includes the following:

• User information self-service
• Password resetting
• Management of lost passwords
• Workflow
• Provisioning and de-provisioning of identities from resources

Identity management also addresses the age-old 'N+1' problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.

The term identity engineering refers to putting engineering effort into managing large numbers of interrelated items that have identifiers or names.

Three perspectives on IdM

In the real-world context of engineering online systems, identity management can involve three perspectives:

1. The pure identity paradigm: Creation, management and deletion of identities without regard to access or entitlements;
2. The user access (log-on) paradigm: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
3. The service paradigm: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

The pure identity paradigm

A general model of identity can be constructed from a small set of axiomatic principles, for example that all identities in a given abstract namespace are unique and distinctive, or that such identities bear a specific relationship to corresponding entities in the real world. An axiomatic model of this kind can be considered to express "pure identity" in the sense that the model is not constrained by the context in which it is applied.

In most theoretical and all practical models of digital identity, a given identity object has a finite set of properties associated with it. These properties may be used to record information about the object, either for purposes external to the model itself or so as to assist the model operationally, for example in classification and retrieval. A "pure identity" model is strictly not concerned with the external semantics of these properties.

The most common departure from "pure identity" in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model attempts to express these semantics internally, it is not a pure model.

Contrast this situation with properties which might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored and retrieved, in other words not treated specially by the model. The absence of external semantics within the model qualifies it as a "pure identity" model.

Identity management, then, can be defined as a set of operations on a given identity model, or as a set of capabilities with reference to it. In practice, identity management is often used to express how identity information is to be provisioned and reconciled between multiple identity models.

The user access paradigm

Identity management in the user "log-on" perspective may involve an integrated system of business processes, policies and technologies that enable organizations to facilitate and control access by their users to critical online applications and resources — while protecting confidential personal and business information from unauthorized access. It represents a category of interrelated solutions which system administrators employ towards managing user authentication, Access rights and restrictions, account profiles, passwords, and other attributes supportive of the roles/profiles of user in relation to applications and/or systems.

The service paradigm

In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.

Today^[update], many organizations face a major clean-up in their systems if they are to bring identity coherence into their influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand — cheaply, with security and single-customer viewing facilities.

Emerging fundamental points

• IdM provides significantly greater opportunities to online businesses beyond the process of authenticating and authorizing users via cards, tokens and web access control systems.^{citation needed}
• User-based IdM has started to evolve away from username/password and web-access control systems^{citation needed} toward those that embrace preferences, parental controls, entitlements, policy-based routing, presence and loyalty schemes.
• IdM provides the focus to deal with system-wide data quality and integrity issues^{citation needed} often encountered by fragmented databases and workflow processes.
• IdM embraces what the user actually gets in terms of products and services and how and when they acquire them. Therefore, IdM applies to the products and services of an organization, such as health, media, insurance, travel and government services. It is also applicable to means by which these products and services are provisioned and assigned to (or removed from) "entitled" users.
• IdM can deliver single-customer views that includes the presence and location of the customer, single products and services as well as single IT infrastructure and network views to the respective parties. Accordingly, IdM relates intrinsically to information engineering, security and privacy.
• IdM covers the machinery (system infrastructure components) that delivers such services because a system may assign the service of a user to: a particular network technology, content title, usage right, media server, mail server, soft switch, voice mailbox, product catalog set, security domain, billing system, CRM, help desk etc.
• Critical factors in IdM projects include consideration of the online services of an organization (what the users log on to) and how they are managed from an internal and customer self-care perspective.

Research

European Research

Within the Seventh Research Framework Programme of the European Union from 2007 to 2013, several new projects related to Identity Management started. PICOS will investigate and develop a state-of-the-art platform for providing trust, privacy and identity management in mobile communities. On the backdrop of an increased risk to privacy of the citizen in the Information Society, PrimeLife will develop concepts and technologies to help individuals to protect their autonomy and retain control over personal information, irrespective of their activities. SWIFT focuses on extending identity functions and federation to the network while addressing usability and privacy concerns, and leverages identity technology as a key to integrate service and transport infrastructures for the benefit of users and the providers.

Other identity related projects from older European Union funded framework programs include FIDIS (Future of Identity in the Information Society), GUIDE, or PRIME.

Solutions

Solutions which fall under the category of identity management may include:

Management of identities

• Provisioning/De-provisioning of accounts
• Workflow automation
• Delegated administration
• Password synchronization
• Self-service password reset

Access control

• Policy-based access control
• Enterprise/Legacy single sign-on (SSO)
• Web single sign-on (SeoS)
• Reduced sign-on

Directory services

• Identity repository (directory services for the administration of user account attributes)
• Metadata replication/Synchronization
• Directory virtualization (Virtual directory)
• e-Business scale directory systems
• Next-generation systems - Composite Adaptive Directory Services (CADS) and CADS SDP

Other categories

• Role-based access control (RBAC)
• Federation of user access rights on web applications across otherwise untrusted networks
• Directory-enabled networking and 802.1X EAP

Standards initiatives

• Security Assertion Markup Language (SAML)
• Liberty Alliance — A consortium promoting federated identity management
• Shibboleth (Internet2) — Identity standards targeted towards educational environments
• Global Trust Center

Implementation challenges

• Getting all stakeholders to have a common view of data
• Expectation to make the IdM a data synchronization engine for application data
• Envisaging an appropriate business process leading to post-production challenges
• Lack of leadership and support from sponsors
• Overlooking change management — expecting everybody to go through the self-learning process
• Lack of definition of the post-production phase in a project plan — for a smooth transition of the system to the end-user community, it becomes critical that an organization gears up for proper support through a transition phase or stabilization phase. This may take from three to six months.
• Lack of focus on integration testing
• Lack of consistent architectural vision
• Expectations for "over-automation"
• Deploying too many IdM technologies in a short time period

See also

• Athens access and identity management
• Digital identity
• Directory service
• Future of Identity in the Information Society (FIDIS Network of Excellence)
• Identity driven networking
• Light-Weight Identity
• Lightweight Directory Access Protocol (LDAP)
• Metadirectory and Virtual directory
• Network Information Service (NIS)
• Single sign-on (SSO)
• XML Enabled Directory (XMLED)
• Yadis
• OpenID

External links

• General Public Tutorial about Privacy and Identity Management
• Identity Management Overview (Computer Weekly)
• Secure Widespread Identities for Federated Telecommunications (SWIFT)
• Federation for Identity and Cross-Credentialing Systems (FiXs)
• FIDIS Database on IMS The FIDIS IMS Database gives a non comprehensive overview and a brief description of identity management systems and tools.
• Identity management and information sharing in ISO 18876 Industrial automation systems and integration

Wikipedia content modification information:

• This page was last modified on 15 December 2008, at 15:15.

Wikipedia Authorship and Review

Wikipedia content provided here is not reviewed directly by MedLibrary.org. Wikipedia content is authored by an open community of volunteers and is not produced by or in any way affiliated with MedLibrary.org.

Wikipedia Usage Guidelines

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article on "Access and Identity Management".

The URL for this specific entry is:

• http://medlibrary.org/medwiki/Access_and_Identity_Management

All Wikipedia text is available under the terms of the GNU Free Documentation License. (See Copyrights for details). Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc.