SP-010: Identity Management Pattern

Diagram:

Description:

In this pattern we illustrate the core concepts of enterprise Identity Management (IdM). Until recently IdM has only been regarded as the governing and operational processes that control user provisioning for information systems. In recent years legislation by governments and regulation of vertical markets has defined a number of additional identity requirements that must be met by organisations. Enterprises must respect their customer's privacy and only collect necessary identity related data. However, even in Europe where the EU-Prime initiative pushes citizen privacy as far as possible, there are limits where privacy needs are overruled by the states fight against crime. Unfortunately it is impossible for global companies to refer to a single set of regulatory or legal privacy requirements for a unified identity management and privacy policy. Hence companies are generally best to adapt a baseline policy as required to local needs.

The function of Identity management is to provide the necessary identifier data for authentication and authorization within business applications. The term access control is today extended to “usage control”, particularly in those scenarios where data is also protected outside the business application by means of DRM technology.

 

Assumptions:

There are different needs for authentication of business partners and private customers. Mostly these needs are different because the transaction volume of a business partner tends to be much larger and hence the risk is higher. With higher risks one expects stronger security and hence the level of confidence needed for an authentication assertion increases.

 

Typical challenges:

The oldest enterprise challenge when it comes to managing identities across all business applications is the synchronisation of data between the distributed systems. In the age of “business process outsourcing” however we are faced with systems that are distributed across network and trust boundaries and hence synchronisation can present an even larger challenge. A better approach is promised via identity federation, however this requires a trust model that spans across organisations, so that the relying party is able to accept identity assertions made by a partners systems. Furthermore federation requires a unification or a translation of identity attributes at the federation boundary. Standards for federation are slowly emerging,and vendors gradually making their products compatible.

 

Another big challenge in outsourced scenarios is the control of service level agreements (SLAs) regarding the timely provisioning and de-provisioning of identities. Data-leakage of identity information is also a critical risk in every corporation.

 

Indications:

This pattern applies to companies where private customer or confidential business identity information is stored and processed.

Contra-indications:

You do not process critical data, and do not store or process private or confidential identity information.

 

Resistance against threats: TBD.

 

References:

• Eu Prime: Privacy and Identity Management for Europe
• Laws of identity (by Kim Cameron (MS))

Patterns:

• Patterns for Access Control in Distributed Systems
• Usage Control

Books (Chapters):

• Access Control Systems: Security, Identity Management and Trust Models

Related patterns:

• to be added

Classification:

• to be added : Industry sector | Threat | Infrastructure area

Release Date: 2008-Sep-29, Minor revision 2009-Sep-29

Authors: Tobias

Reviewers: Russell, Phaedrus