
Identity and Access Management: An integrated solution for an Enterprise

Nilesh Shirke
eSecurity Practice, Tech Mahindra

© Tech Mahindra Limited 2010

For enterprise investment in IAM solutions, the primary driver is shifting from compliance to information protection. Additionally, organizations are now focusing on IAM solutions to improve infrastructure security and provide a better user experience. An IAM solution primarily consists of three main components: an identity repository, identity management and access management. The rationale behind building an IAM solution in an enterprise is to achieve greater ROI at lower TCO: it optimizes new investment for direct benefits and frees up part of the operational budget for innovation.


Table of Contents

Introduction
  Increase Operating Efficiency
  Security Efficiency
  Security Effectiveness
  Business Enablement
IAM Architecture and Services
Identity and Access Management Technologies
  Directory Technologies
  Identity Management Technologies
  Access Control Technologies
Summary


Introduction

Identity and Access Management (IAM) is a set of processes and technologies for managing users' digital identities and ensuring that only authorized users have access to information resources, with access needs based on each user's business relationship with the organization.

In reality, IAM is a complex business solution that goes far beyond the IT department. It encompasses the entire enterprise, including all business units, individual locations, systems, access points, business partners, and customers. Organizations have traditionally implemented identity and access management on a per-system and per-application basis through the creation of user accounts and the administration of file permissions.

Identity and access management has since evolved into independent products which provide centralized identity and access management services across the system and application estate. These solutions are maturing in their capabilities and service offerings. We are gradually seeing the emergence of IAM as a recognizable discipline within information security that encompasses a broad range of enterprise tools and technologies within a distinct architecture supporting a set of interrelated processes.

There are many factors driving the adoption of IAM solutions in enterprises and government organizations; they can be categorized into four broad areas.

Increase Operating Efficiency

Organizations are continually hunting for measures to reduce cycle time and reduce TCO while improving SLAs.

Security Efficiency

By centralizing security policy enforcement and controlling authentication and authorization to its application infrastructure, an organization can demonstrate how security is being enforced and managed at all times.

Security Effectiveness

Organizations are also mandated to adhere to regulatory compliance by managing the enterprise's risk profile better.

Business Enablement

Streamlining business processes and structuring the technology components gives organizations greater flexibility. IAM is expected to proactively support business initiatives such as reorganizations, mergers and acquisitions, new business partnerships, and new product and system rollouts.

[Figure: Business Drivers: Operating Efficiency, Security Efficiency, Security Effectiveness, Business Enablement]


IAM Architecture and Services

An IAM solution provides secure and auditable access to systems, resources and applications. It comprises the people, processes, and technology collaborating in the solution. An IAM solution mediates between identities and resources. It centrally administers identity and policy information and supports both centralized and distributed policy decision points. Centralizing policy decisions simplifies how policy changes are propagated, as well as how the integrity of those policies is maintained. The solution comprises three core areas:

Directory services - Storing identities and their attribute data, configuration information, and policies.

Identity Provisioning and Administration Services - Providing identity lifecycle management services, such as ID provisioning/de-provisioning, password management, approval workflows, and synchronization logic.

Access Management Services - Defining and evaluating security policies related to authentication, authorization, auditing, and privacy through well-defined service interfaces.

The diagram below identifies the various components of each of the core layers.

[Figure: IAM Architecture in an Enterprise. IAM is a set of processes and technologies to manage users' digital identities and their access privileges to systems and information based on users' business relationship with the organization. Benefits to the enterprise: reduced TCO, improved risk management, regulatory compliance, increased operational efficiency, business facilitation.]


Identity and Access Management Technologies

The two major classes of IAM technology are identity management and access management, while directory technology provides the underlying infrastructure and interface for the storage of identity information.

Directory Technologies

Users' credentials and attributes are stored in directories. Directory technology provides an object-oriented, dynamically configurable repository with standards for access, security, and information management. To facilitate potentially unlimited scalability, directories organize their data hierarchically. Directories are designed for fast response times to queries, as identity information is generally queried much more often than it is updated. Some organizations prefer to leverage an existing relational database to store enterprise identities as well.

Identity Management Technologies

Identity management technologies are designed to provide centralized capabilities for managing the enterprise user identity lifecycle (creation, modification, self-service, synchronization, reporting, and revocation). They include identity administration and identity auditing. Identity administration focuses on the management of users' multiple identities, attributes and credentials across a heterogeneous environment. It also includes password management and the administration of access model constructs such as roles and resource access control information. Identity auditing tools focus primarily on identity-related event monitoring, status reporting and auditing, and enforcement of segregation of duties.

Access Control Technologies

Access control technologies are designed to provide and manage access to an application or operating system environment with a high depth of access control, adequate logging, the ability to implement dynamic access rules, and the ability to perform authentication when information is accessed. Access management tools certainly have administration capabilities, but their distinctive focus is on authorization. They enforce access control policies across heterogeneous environments and include technologies to authenticate users and provide seamless access to the organization's application estate. Federation is an approach to authenticating users across multiple sites within the organization (intranet) or across independent and disparate domains (extranet) using open standards.

A full IAM solution requires multiple products, at least one from each technology class discussed briefly in this document. Although any major IAM vendor can provide the core products, no one vendor can provide a fully integrated IAM solution. Following is a brief summary of IAM technologies and their solidity in the market.

[Figure: IAM technology solutions by class]

SSO Technology Solutions - ESSO for enterprise applications; WebSSO for web-based applications; smart-token-based SSO; federation for cross-domain SSO; OS access management.

Directory Technology Solutions - Meta directory; virtual directory.

Identity Management Solutions - Centralized user provisioning; process workflow mapping; role management; centralized password management; identity auditing and compliance capability; policy-based segregation of duties.
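As an added illustration, not code from the paper or from any Tech Mahindra product, the following Python sketches the identity-administration functions described above: a central policy decision point for role provisioning that consults a policy-based segregation-of-duties (SoD) rule set, leaver de-provisioning, and an identity-auditing report that detects conflicting roles granted outside the provisioning process. The in-memory store, the role names and the SoD pairs are constructed assumptions.

```python
# Added example (not from the paper): a toy identity-administration core with a
# central policy decision point for role provisioning, a policy-based
# segregation-of-duties (SoD) rule set, leaver de-provisioning and an audit trail.
from dataclasses import dataclass, field

@dataclass
class IdentityStore:
    """Constructed in-memory stand-in for the directory / identity repository."""
    roles: dict = field(default_factory=dict)   # user -> set of role names
    audit: list = field(default_factory=list)   # identity-related events

# Constructed SoD policy: role pairs one identity must never hold at once.
SOD_CONFLICTS = {frozenset({"vendor_create", "payment_approve"}),
                 frozenset({"developer", "prod_deployer"})}

def sod_conflict(current, new_role):
    """Return the already-held role that conflicts with new_role, else None."""
    for role in current:
        if frozenset({role, new_role}) in SOD_CONFLICTS:
            return role
    return None

def provision_role(store, actor, user, role):
    """Policy decision point: grant the role unless SoD policy forbids it.
    Every decision, allowed or denied, is written to the audit trail."""
    current = store.roles.setdefault(user, set())
    conflict = sod_conflict(current, role)
    if conflict is not None:
        store.audit.append(("DENY", actor, user, role, f"SoD conflict with {conflict}"))
        return False
    current.add(role)
    store.audit.append(("GRANT", actor, user, role, ""))
    return True

def deprovision_user(store, actor, user):
    """Leaver process: revoke every role so no orphaned access survives."""
    revoked = sorted(store.roles.pop(user, set()))
    store.audit.append(("REVOKE_ALL", actor, user, ",".join(revoked), ""))
    return revoked

def sod_report(store):
    """Identity auditing: users whose current roles violate an SoD rule, which
    catches grants made directly on a target system, bypassing provisioning."""
    return [(user, sorted(pair)) for user, held in store.roles.items()
            for pair in SOD_CONFLICTS if pair <= held]

if __name__ == "__main__":
    store = IdentityStore()
    provision_role(store, "hr_workflow", "alice", "vendor_create")
    provision_role(store, "hr_workflow", "alice", "payment_approve")  # denied
    store.roles["bob"] = {"developer", "prod_deployer"}  # out-of-band grant
    print(sod_report(store), store.audit)
```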

Summary

An identity solution designed around business policies should be able to resolve business issues with the help of neatly laid out, standardized business processes. The IAM solution also offers a thorough and dynamic data protection solution that can be implemented around the existing business processes and technologies. It delivers an adequate level of security through a simple set of customizable management interfaces.