Preface - IGI Global

Preface

Identity and Access Management has become one of the most challenging areas in today’s business information architecture. The importance and impact of Identity and Access Management in the Internet Age were long overlooked by IT practitioners and researchers until the recent upsurge in identity theft breaches brought them to the fore. This is due to the proliferation of distributed mobile technologies, heavy usage of social media, continuous harnessing of information analytics, and the Cloud. Business-to-Customer, Business-to-Business and Government-to-Citizen interactions have evolved into situations in which trust between user and application must be established on the spot, since it is no longer a given prerequisite. Today, businesses face new challenges in implementing contemporary Identity and Access Management solutions because it is difficult to decide when, and with what, to get started. IT personnel are facing new ways of implementing Identity and Access Management, such as Identity Governance Administration (IGA) and Identity Management as a Service (IDaaS) solutions. They need a comprehensive picture of their Identity and Access Management needs in order to correctly plan, assess and deploy the right solutions for their organisation. There is very limited literature available that highlights the challenges faced by researchers and developers in offering an Identity and Access Management solution that can meet present and future situations. The author has observed that most of the literature available at present is either narrowly focused on specific Identity and Access Management environments (Unix / Windows), or covers outdated technologies too generally. There is a lack of information that captures, as far as possible, the critical elements required by contemporary Identity and Access Management solutions and architectures.

There are a vast number of Identity and Access Management solutions and architectures available commercially and as open source. Unfortunately, IT practitioners find it difficult to get hold of the critical information they need in order to make appropriate decisions. The purpose of this book is to provide our readers with succinct answers to the following questions:

• What is Identity and Access Management, and what are the core technologies employed by different Identity and Access Management solutions and architectures?
• What is the role of Identity and Access Management in different contexts, for example public and individual safety, internal and external business processes, and the influence of new technologies?
• How can we evaluate the applicability of different Identity and Access Management architectures and solutions?
• What are the state-of-the-art Identity and Access Management architectures and solutions, and how well do they perform?
• Who are the major players and contributors in Identity and Access Management technologies and solutions?
• What are the key challenges in Identity and Access Management that have not been addressed in the existing frameworks and solutions, and what paths are available to deal with those challenges?
• What potential is there for integrating different Identity and Access Management solutions?
• What are the challenges and the progress in research on future Identity and Access Management architectures and solutions?

This book provides answers to the above questions so that readers can acquire the critical knowledge needed to select and implement an appropriate Identity and Access Management solution for their organisations. Recently, a multitude of Identity and Access Management solutions have flooded the market, such as Okta, PingIdentity, Oracle Identity Management, Microsoft Identity Integration Server, IBM Security Identity Manager, Novell Identity Manager, Hitachi ID Management Suite and Intercede MyID. These commercial systems provide application- and platform-specific identity and access control functionality. However, there is little objective third-party information available for practitioners to understand the capabilities exhibited by these commercial Identity and Access Management systems.

Therefore, one of the aims of this book is to review, assess and consolidate the research and development activities of a number of existing Identity and Access Management architectures in privately and publicly funded organisations. The author discusses the advantages, limitations, and requirements of these architectures. Apart from that, this book highlights the key challenges in Identity and Access Management that have not been addressed by these architectures and offers our readers some thoughts on how to deal with those challenges, as well as on the potential for integrating different identity management architectures and frameworks. Furthermore, this book discusses the pros and cons of some of the contemporary developments in Identity and Access Management, such as Social Login, Biometric Multi-modal Multi-factor Authentication, Federated Identity Management, and Cloud-based Identity & Access Management.

This book targets academic readers and researchers as well as practitioners who are responsible for the implementation of Identity and Access Management solutions in business and government organisations. Identity and Access Management researchers and practitioners will find this book a useful resource. The author believes this book is the first of its kind in Identity and Access Management to provide a holistic view of Identity and Access Management with regard to requirements, technologies, life cycle processes, evaluation methodologies for contemporary Identity and Access Management architectures, and an overview of present and future commercial Identity and Access Management systems. This book fills the gap, enabling Identity and Access Management practitioners to gain an objective view of the contemporary Identity and Access Management architectures and of the landscape of technologies and processes required to drive the future direction of Identity and Access Management development.

The contemporary information contained in this book will be a valuable resource for university students, Identity and Access Management practitioners and researchers. With the information contained in this book, our readers can achieve the goal of managing an organisation’s identities, credentials and attributes, and of assuring the identity of a user in an extensible manner, across the different areas of Identity and Access Management (technology, processes and functionality, e.g. administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) that are required to work collaboratively. Our readers will gain the following benefits from reading this book:

• Able to understand the concepts and technologies employed by contemporary Identity and Access Management architectures. Our readers will be able to understand the roles, significance, advantages, limitations, and requirements of different Identity and Access Management technologies and architectures.
• Able to understand the vital concept of the Identity and Access Management Life-Cycle. Our readers will understand the administration of the life cycle of digital identity entities, during which the digital representation of an identity is established, used and, once the digital identity is no longer required, disposed of.
• Able to elaborate the applications of processes and technologies in Identity and Access Management architectures through a taxonomy framework that captures and classifies the characteristics of different contemporary identity management architectures as well as compliance enforcement. Our readers can use the taxonomy framework in this book to benchmark other Identity and Access Management solutions.
• Able to evaluate the effectiveness of different Identity and Access Management architectures through business and bioinformatics applications life cycle and practices.

This book is structured in the following way:

Chapter 1, “Identity and Access Management in the Internet Age,” starts with a brief history of Identity and Access Management and then introduces our readers to some challenges to Identity and Access Management as exemplified by scenarios such as social identity, biometrics and identity mobility.

Chapter 2, “The Roles of Contemporary Identity and Access Management Standards,” sets an anchor for our readers to grasp the technologies closely related to Identity and Access Management that have been developed by different standards organisations. This chapter discusses the following generations of Identity and Access Management technologies:
◦ Security and Privacy technologies terms and definitions;
◦ First Generation: LDAP, Kerberos, RADIUS, X.509;
◦ Second Generation: Cross Domain Collaboration, SAML; and
◦ Third Generation: OpenID, OAuth.

This chapter also summarises the different views of identities, gives an overview of the state of the art of both biometric multimodal and password/token based Identity and Access Management architectures and systems, highlights the key issues and argues why these issues are important for successfully enhancing the security of digital identities in the current Information Age.

Chapter 3, “The Roles of Identity Management Life Cycle,” covers the importance of managing a person’s identity life cycle, which includes the technologies used for provisioning and password resets, the processes and policies associated with different technologies, and the important events that happen around the management of a person’s identity.

Chapter 4, “The Goals and Requirements for Contemporary Identity and Access Management Systems,” provides an assessment of the requirements for Identity and Access Management frameworks so as to give our readers some insight into the primary purposes and characteristics of Identity and Access Management solutions. The following requirements are discussed in the chapter: user empowerment on awareness and control; minimal information disclosure for constrained use; non-repudiation; support for directional identity topologies; support for a universal identity bus; provision for defining strength of identity; decoupling the identity management layer from the application layer; usability issues concerning identity selection and disclosure; a consistent experience across contexts; and scalability. Furthermore, this chapter presents a taxonomy for classifying the different Identity and Access Management frameworks. This taxonomy can be used to study and benchmark the features and functionalities of different Identity and Access Management frameworks proposed by different organisations.

Chapter 5, “A Survey of Contemporary Identity and Access Management Architectures,” provides a summary of a number of organisations which are active in Identity and Access Management research. We discuss the technological and application contributions from each organisation, their key deliverables and their active research areas. The following Identity and Access Management frameworks are covered in this book:
◦ Fast IDentity Online Alliance (FIDO);
◦ Privacy and Identity Management for Europe (PRIME);
◦ Privacy and Identity Management for Community Services (PICOS);
◦ Secure Widespread Identities for Federated Telecommunications (SWIFT);
◦ Telecommunication security & identity management (ITU-T Recommendations Y.2720, X.1250);
◦ The Open Group Identity Management Architecture (Guide G072);
◦ The OpenID Foundation Open Trust Frameworks for Open Government;
◦ The Liberty Alliance Identity Federation, Governance, and Assurance Framework;
◦ The National Institute of Standards and Technology (NIST) Ontology of Identity Credentials Framework; and
◦ BioAPI.

Chapter 6, “An Introduction to Commercial Identity and Access Management Solutions,” presents an objective third-party evaluation of a number of commercially available Identity and Access Management solutions. The author is certain that our readers will find the information helpful, as Identity and Access Management practitioners, in making Identity and Access Management related decisions with a high level of confidence. This chapter summarises the functionalities and capabilities exhibited by the following commercially available Identity and Access Management solutions:
◦ Microsoft Identity Manager and Microsoft Azure Active Directory;
◦ IBM Security Identity Manager and Cloud Identity Service;
◦ Okta;
◦ Centrify;
◦ Ping Identity;
◦ Oracle Identity and Access Management; and
◦ Salesforce.com.

Chapter 7, “The Role of Identity Theft in Identity and Access Management,” discusses how personal identities can be stolen and exploited, and proposes a Self-Learning Context Aware Identity Access and Management Framework (SCAIAM) for combating identity theft.

Chapter 8, “Challenges and Future Development in Identity and Access Management,” is the concluding chapter of this book. This chapter summarises the challenges and future development in relation to the following new technological trends: Internet of Everything (IoE), Identity Relationship Management, Transient Identities, and Autonomous Devices.

Lastly, the author would like to give credit to the following resources, which have provided the author with insights and enlightenment in accumulating useful knowledge on this Identity and Access Management research journey:



• Book Title: Identity and Access Management: Business Performance Through Connected Intelligence
  Author: Ertem Osmanoglu
  Year: 2013
  Type: Paperback and Kindle eBook
  Pages: 618
  Publisher: Elsevier
  Comment: This guide is based on Ernst & Young’s methodologies. It is written so that readers can use it as an implementation guide, providing step-by-step instructions on how to plan, assess, design, and deploy Identity and Access Management solutions in business settings. Although this book seems to lack information about the requirements and processes for evaluating the suitability of different Identity and Access Management architectures, it is a very good resource on the technologies used in Identity and Access Management.

• Book Title: Identity Management: A Primer
  Author: Graham Williamson, David Yip, Ilan Sharoni and Kent Spaulding
  Year: 2009
  Type: Paperback
  Pages: 220
  Publisher: MC Press
  Comment: This book provides good coverage of the issues and strategies for implementing Identity and Access Management best practices and solutions. It has a strong emphasis on some of the technical solutions, such as Single Sign-On (SSO) and Role-Based Access Controls (RBAC), but seems to lack a broader view of other technologies that are vital in contemporary Identity and Access Management solutions.

• Book Title: Identity & Access Management: A Systems Engineering Approach
  Author: Peter Omondi Orondo
  Year: 2014
  Type: Paperback and Kindle
  Pages: 312
  Publisher: IAM Imprints
  Comment: This book is more recent than other similar books and focuses well on the risks of identity authorisation and on the modelling of Identity and Access Management processes and financial issues.

• Book Title: Identity and Data Security for Web Development: Best Practices
  Authors: Jonathan LeBlanc and Tim Messerschmidt
  Year: 2016
  Type: Paperback and Google Book
  Pages: 204
  Comment: This book provides contemporary information on identity and data security for Web developers. Although the authors did not set out to explain the basic concepts of Identity and Access Management, they discuss in detail password encryption, hashing and salting techniques, SSO and the fundamental concepts of identity security. They also discuss OAuth 2 and OpenID implementations, and other contemporary concepts such as multi-factor authentication and other alternative methods of identification.

• Community Name: Kantara Initiative
  Comment: Kantara Initiative is a non-profit, open professional association in the fields of identity assurance, privacy, policy and information systems assessment, and real-world innovation for the digital identity transformation. Kantara Initiative provides great resources on the development of Identity Relationship Management (IRM), User Managed Access (UMA) and Identities of Things (IoT).