Users wary of ID management complexity

Network executives say they understand the benefits of building infrastructure to centralize the management of users and access privileges but worry it will be a slow and painful process, especially when it comes to including business partners.

Identity and access management were the main topics at last week’s conference held by The Burton Group Corp., which was a hotbed of activity among vendors eager to show their support for emerging standards such as the Security Assertion Markup Language (SAML).

Network executives at the annual conference said having a standardized identity and access management infrastructure promises many rewards. These include better overall security; fewer user accounts to manage; better control over who is on a network and what they are doing; centralized management of account creation and deletion; and ultimately the ability to work, or federate, with similar infrastructures on partner networks.

They said having such an infrastructure is key if electronic commerce and Web services are ever to scale. And in fact, Web-based and newly developed applications plug fairly easily into such an infrastructure.

The problem is that most large companies have islands of authentication and authorization services spread across their networks and built into each application. In order to take advantage of a new identity management infrastructure, they would have to rebuild those applications to recognize and defer security to the centralized system.

“So far we have done two of about 200 applications. At least that is a step in the right direction,” said Fred Wettling, enterprise infrastructure architect for Bechtel in San Francisco and president of the Network Application Consortium, a user group.

“These are hard problems and things we see organizations struggling with,” said Patrick O’Kane, chief architect for ePresence, a directory consulting firm. “If you have an application with an authentication mechanism, you have to remove it and put it in the directory. Then you have to determine how much of the authorization system you will have to extract. And the big issue is once you do this, it has to be scalable and reliable, but you have to realize some applications will never plug into the infrastructure.”

Wettling said he’d prefer vendors not to build any security into their applications, which is the way Bechtel builds its own applications. That way Wettling can plug them into what he describes as a security service that includes identity management but also takes into account all his network systems, services and applications.

Wettling said single user identity is complicated by the fact that he also must define those identities in context.

“Is that person signing on to get e-mail, for doing administration, to do a funds transfer? And I have IDs that are not people, they are machines,” he said.

Perhaps an even larger sticking point is standardized access policy. Wettling said policies, along with definitions of roles and groups used to grant access based on an attribute a user has attached to his or her identity, need to be standardized and every application retrofitted to understand those definitions.

“We would like to define user roles in one place and share them among applications,” Wettling said. “Security needs to be a service, but applications today require us to define those roles inconsistently and in various places.”

Other large companies are facing similar issues.

“I have my digital identities stored in the directory,” said an application security specialist who asked not to be identified. He said he has nearly 200,000 users and more than a million other external accounts.

“We have a portal and Web access management software based on the corporate directory, but we don’t do authentication in the directory so we have to write custom code if we want to bring in our applications,” he said.

He has potentially tens of thousands of authentication scenarios spread across his operating systems, applications and servers.

“It’s testing all this stuff,” he said. “You have RACF, [public-key infrastructure], network custom code, vendor code. It all has to work 24-7 with 0% for failure.”

He agrees with Wettling that the biggest issue might be establishing a set of standard policies.

“But that is a business issue, not a technology issue,” said the application security specialist. “What is a policy? What is a role? How can I get an enterprise consensus on defining those things?”

While that isn’t easy, it gets even more complex when you start to involve business partners.

Technologies such as the XML-based SAML will help. Last week, the specification won backing from the Liberty Alliance and Microsoft and is now nearly a de facto standard.

“What we have learned over the past two years is that it is not trivial to create this security umbrella,” said Ed Truitt, a security specialist for a major petroleum company, which is in the pilot phase of a provisioning system that manages creation and deletion of user accounts for nearly 100,000 employees. “We’ve been working on this for two years, and now it takes us about six to eight weeks to add an application to the system.”

Once established, an identity management system creates its own security issues. With a centralized identity and access control service, an attack on that service or a failure of it can bring down every application that depends on it.

And once that system is shared among business partners, companies start to lose control of their users’ identities.

“My concern is that everyone will be so excited about this they won’t think of the policy issues and loss of control,” said Pamela Dingle, a consultant with Nulli Secundus. “People need to consider that convenience and security are on opposite ends of the spectrum.”

Bechtel’s Wettling remains optimistic, though. “Evolution will take care of a lot of these problems,” he said.