The old "separate nations" network paradigm - decentralised security in which multiple departments using various applications manage access as each sees fit - is now passé. Security systems are going global, as enterprises increasingly turn to identity management solutions from vendors such as IBM, Netegrity, Novell, and Oblix as a means to better align network policies and permissions with business goals, not just IT's ideas of how a system should be managed.
It had to happen. The more resources are added to a network, the harder it becomes to control. In today's strict regulatory environment, businesses are clamouring for a better way.
"The traditional model of enterprise security is parameterised around a small set of datacentres," says Chris O'Connor, director of security strategy at IBM. "It's security Swiss cheese that has bred all kinds of compliance issues and security problems."
No matter what level of chaos we let reign on our desks and file cabinets, we all know that a messy network can never be a secure one. Digital identity, beyond being a means to enable application SSO (single sign-on), has begun to emerge as a key tool for bringing order out of the chaos.
"Enterprise investments in identity management are enabling identity-centric network management," says Phil Schacter, vice president and service director of directory and security strategies at Burton Group. In particular, Schacter cites the changing nature of today's networks, including the increases in mobility and remote access, as driving forces behind the move toward identity-based systems.
Identity doesn't just define who a user is; it connects the "who" directly with the "what" - what a user's role in the organisation is, what resources and information that user needs access to, and what he or she can and can't do with that information. Identity is the big picture, the whole story that allows corporate policy and processes to be applied in a consistent and comprehensive manner across an entire enterprise.
By consolidating access and authorisation information for each user, identity solutions help keep networks current. They grant quick access to new hires, while helping to exorcise the ghost accounts of former employees before they have a chance to possess the system. They provide audit information for regulatory compliance. They protect privacy and strengthen access controls. But perhaps most importantly, identity-based network management lifts network security out of the datacentre and brings it in line with the needs of the enterprise.
Moving toward identity-based network management is a tall order, but it does not mean ripping and replacing your current software infrastructure. Instead, identity systems work with the existing infrastructure to make it more robust, more intelligent, and more likely to resist attempts at unauthorised access.
The first piece of the puzzle is to establish an identity store, where user-access information can be maintained in a central location, independent of applications. Typically this takes the form of a network directory, such as an LDAP directory, Microsoft Active Directory, or Novell eDirectory.
The problem is that many organisations already maintain several directories of network authentication information, along with various partner, supplier, and customer databases. Often these will contain both duplicate and proprietary data.
According to network architecture consultant John McNeely, the solution lies in two emerging types of directory integration tools. A metadirectory solution such as Novell Nsure Identity Manager establishes a single authoritative directory as the source of all data. Conversely, a virtual directory product such as OctetString Virtual Directory Engine only pretends to - what looks like a single data store is really pulling data from each source and presenting it as if it all came from the same place.
McNeely advises businesses to consider the "political power plays that are already at work in your enterprise" before choosing a tool to build an identity store.
"Virtual directories are excellent choices when dealing with workgroups that have ownership issues concerning their data - since a virtual directory doesn't alter data, it just points to its location," McNeely explains. "Metadirectories are ideal for situations where data accuracy across the board is critical. Everyone who has access sees the same information, period. Neither format [is] universally better than the other; it depends on a specific company's needs."
One point of entry
When you've built your identity store and deployed the tools to manage it, you can begin implementing applications that take advantage of digital identity. Perhaps the most often-cited example is SSO, which promises to eliminate the problem of users juggling multiple passwords for network and application accounts.
In an SSO-enabled environment, it is each user's identity that defines what he or she can do on the network, rather than a granular series of usernames and passwords. Therefore, users can sign in just once to claim their access privileges to all the applications and data residing on the network.
In practice, although users invariably enjoy the "magic" of SSO, it is probably one of the less significant benefits of identity-based networking. Some IT administrators fear that granting access to multiple applications with a single log-on makes it easier for attackers to compromise larger portions of the network. In some cases, SSO is simply impractical; the appropriate goal for many organisations will be reduced, rather than single, sign-on.
Yet SSO has tangible benefits beyond end-user convenience. When users are forced to maintain multiple usernames and passwords, they are much more likely to choose ineffective or easy-to-guess passwords that are more easily compromised. If assigned strong passwords by the IT department, often they will write down their log-in information and leave it in insecure areas, such as Post-It notes stuck to their monitors.
In addition, the more passwords a user is tasked to remember, the more likely the user will be to forget at least one. Multiplied by a few thousand users, the time it takes to reset each forgotten password results in significant help desk overhead. Those end-user support costs can be dramatically reduced through identity-based SSO.
Next week: Standardising on identity for a single point of management.