Don't let identity management turn chaotic as your business grows

Tags: Authentication/Encryption, Deb Shinder, single sign-on, password, identity management, SMB Strategies Newsletter

Takeaway: Plan ahead to develop a strategy for keeping company accounts and passwords under control.

Digital identities -- in the form of user accounts and their associated passwords -- are the means by which network administrators implement access controls to network resources. When your network is small and users only need access to a few data sources and applications, managing those identities is relatively simple. But as the organization grows and becomes more complex, identity management can turn into identity chaos, unless you plan ahead to develop a strategy for keeping all those accounts and passwords under control.

Identity management becomes even more complicated when a single user has multiple accounts. For example, an employee might need to log onto a Windows Active Directory domain, access Novell eDirectory resources, and use custom applications that require him to provide credentials. And when companies merge, user account information from different directories and other identity stores must be combined.

Luckily, there are numerous solutions available to help you make it easier for your users to access the servers, applications and data they need, even in a network environment that spans multiple forests or multiple organizations (a federation). Let's take a look at some of your options, based on business size, network complexity and user needs.

The purpose of an identity management scheme

Identity management helps to simplify life for both users and administrators. Multiple accounts with different passwords require a lot of memorization on the parts of users. Many will be tempted to use simple (easily cracked) passwords or to write their passwords down, which poses a risk to security. A good identity management scheme can solve this problem in one of two ways:

  • Password synchronization
  • Single sign-on

Although at first glance these may appear to be the same, they work quite differently. Password synchronization refers to a means of ensuring that the user's password is the same for all accounts and applications. Password synchronization software allows a user to change his password once and have the change propagated to all of his accounts.

Single sign-on uses a "master" account and password. The user still has different passwords for different applications, but he doesn't have to enter them to access the applications. Instead, he signs on once with the "master" credentials, and the single sign-on software retrieves the necessary credentials when he needs to access a particular application and enters them automatically. The user doesn't have to remember all of those passwords (in fact, he doesn't ever have to know them; the individual application passwords can be generated for him).
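To make the difference between the two approaches concrete, here is an added example (not code from the article or from any product it mentions) that models both in a few dozen lines: a password-synchronization routine that propagates one change to every store, and a single sign-on broker whose master credential unlocks generated per-application passwords the user never sees. The store names, user names and passwords are constructed for illustration.

```python
import hashlib
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: each store hashes with PBKDF2-SHA256


class IdentityStore:
    """A constructed stand-in for one identity store (a domain, a mail server,
    an application's own user table). Each store keeps its own salted hash."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}  # username -> (salt, derived key)

    def set_password(self, user, password):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[user] = (salt, key)

    def verify(self, user, password):
        if user not in self.accounts:
            return False
        salt, key = self.accounts[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(key, candidate)


def synchronize_password(stores, user, new_password):
    """Password synchronization: the user changes the password once and the
    same value is written to every store. Returns the stores that accept it."""
    for store in stores:
        store.set_password(user, new_password)
    return [s.name for s in stores if s.verify(user, new_password)]


class SingleSignOn:
    """Single sign-on: one master credential; per-application passwords are
    generated at enrollment, held in a vault, and supplied on the user's behalf."""

    def __init__(self):
        self.master = IdentityStore("sso-master")
        self.vault = {}  # (user, app name) -> generated application password

    def enroll(self, user, master_password, apps):
        self.master.set_password(user, master_password)
        for app in apps:
            app_password = secrets.token_urlsafe(24)  # never shown to the user
            app.set_password(user, app_password)
            self.vault[(user, app.name)] = app_password

    def sign_on(self, user, master_password, app):
        if not self.master.verify(user, master_password):
            return False  # wrong master credential: nothing is released
        return app.verify(user, self.vault[(user, app.name)])
```

With synchronization every store ends up holding the same secret, so one weak store exposes them all; with single sign-on each application gets its own random password and only the master credential needs protecting.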

Identity management makes the administrator’s job easier by providing centralized provisioning (creation and maintenance) and deprovisioning (removal) of user accounts and making it easy to delegate administration over specific accounts to others. A good identity management scheme also includes self-service functionality so that users can perform some of their account management tasks (such as resetting their passwords) themselves, relieving administrators of that chore.

How identity information is stored

Identity information for a single user can be stored in many different locations and formats on the network. For example:

  • Operating system logon credentials are stored in Active Directory on Windows 2000/2003 domains.
  • Email account information is stored in a Global Address List (GAL) for Exchange servers.
  • Application credentials can be stored in LDAP-compatible directories, in SQL Server or Oracle relational databases, or in flat text files (comma-delimited, XML, etc.).

The databases in which account information is stored are called identity stores, and a primary function of an identity management scheme is integrating and synchronizing these stores. The more the stores differ from one another, the more difficult that job becomes.

Small business identity management

When the organization is small and user needs are simple, identity management can be handled manually. There may be only a couple of sets of credentials needed: the user's Windows logon account and an e-mail account, for example. Users probably won’t have much difficulty remembering just two account names and passwords, or the identity information can be synchronized manually by using the same account name for both accounts and changing the passwords on the domain account and the email server to match each time a password change is needed.

Identity management solutions for larger organizations

As the organization grows, manual identity management becomes impractical. However, with just a few accounts, administrators can write and run scripts to automate the password synchronization process. There are some disadvantages to this method, too: it requires programming skills, and scripts can present security threats if not constructed properly.

Large organizations generally use special software packages designed to consolidate information from different identity stores and provide centralized management. This can be a metadirectory program (a directory that contains information from more than one directory) or a more robust identity integration program that also provides automated account provisioning and single sign-on capabilities.

Examples of identity management software include:

The cost of identity management solutions ranges from free downloads such as Microsoft IIFP to thousands of dollars for the major commercial packages.