Critical Path
This article appears in eGov monitor Weekly

29 July 2002

Identity management - Readying Government for e-business

By Jamie Cowper, Critical Path

As the internet becomes an important tool enabling Government to reach new and wider audiences of business partners, suppliers, consumers and subscribers, e-business - loosely defined as the conduct of business on the Internet - is the focal point of eGovernment strategy. Issues such as 'how can we improve the security of web-based commerce?' and 'how can payment methods be made more secure?' are currently hampering the growth of trade over the internet and could ultimately devalue projections for future growth within this highly volatile trading environment. To address these issues it is imperative that an institution establishes a robust infrastructure before embarking on e-business programmes.

Becoming an e-business requires that organizations transform from regional/departmental organizations into truly global organizations. As such, departments must expand their reach onto extranets and public networks without compromising the security, integrity and accuracy of the data published for the needs of e-business. Identity management is the vehicle for offering secure access and transactions over the Internet. It is imperative that any organization wanting to do business online knows that it is trading with a bona fide customer. Authenticating individuals is paramount before a transaction can be completed, and identity management is central to this process.

A primary challenge for moving Government on-line is managing new, increasingly complex relationships between users and shared resources. In order to conduct business securely and effectively, it is critical that users be identified based on their individual profiles. Directories are the core infrastructure for user identity management, which grants inside and outside parties access to the digital assets required to conduct business today. Service providers and enterprises are realizing that directories provide the foundation for electronic commerce and communications, making them an instrumental part of e-business infrastructure. Today, directories are being deployed as the foundation for security and identity management services with user profile information being maintained and managed by the directory and meta directory.

In the Internet economy directories play an ever-increasing role in facilitating secure and easy access to eBusiness services. Directories have been available since the late 1980s but traditionally have only been deployed within a corporate intranet, addressing white/yellow pages requirements, or within messaging infrastructures to synchronise email. Since directories have always been deployed predominantly to manage user profile information, their natural evolution has been into the identity management area, where the user information can be used for authentication, authorisation and access control purposes. With security being recognised as one of the major blockers to eBusiness growth, Government organisations are making major investments in building security infrastructures with directories at the core of identity verification.

The implication of this natural evolution for directories is that they no longer just need to manage internal files within an organization's intranet; they now need to manage user profiles for customers, subscribers, suppliers and partners. This takes directory deployment to a different scale, from managing thousands of users to managing millions, if not tens of millions, of users.

Directory services are becoming a ubiquitous component of network computing environments and are playing a critical role in the preparation and execution of e-business. Directory services based on open standards are a simple, cost effective way to organize, store and secure data, enabling organizations to expand the reach of their businesses onto the Internet in a secure and efficient manner.

Unfortunately, many data repositories provide unique and proprietary ways of accessing user data, identifying users and describing information about those users. Directory services must overcome the continued proliferation of single users with multiple identities stored in numerous locations. The relationship between a user's various identities - which may be stored in an SQL-enabled database, an LDAP-enabled email messaging system, or an LDAP directory - may be tenuous or non-existent. As a result, user identities are stored, administered and secured redundantly and locally, often precluding organizations from deploying a comprehensive and global identity management policy. In addition, directory services must make the administration of data more efficient and less redundant, and organizations must ensure that the information they deploy to service their e-business needs is accurate and up to date.

The imperative sounds simple: reduce the costs of identifying, integrating and securing data and of administering users - in effect, readying the organization for e-business - while increasing revenues. But the imperative presents some special challenges. Research conducted a few years ago found that a typical Fortune 1000 company ran nearly 180 different databases or directories! Today, that number has grown to thousands as organizations' needs become more complex, responsibilities expand, and the number and type of users serviced continue to grow. So, how do organizations administer data if it is scattered across the entire IT organization, stored in dozens, potentially hundreds of thousands of repositories?

Consider how organizations identify, or fail to identify, users. User identities are commonly stored in directories, subscriber databases or in applications and network services that have their own embedded data stores. Every user may be uniquely identified in each repository. If users change jobs or subscription services, will personal information, such as a telephone number or a billing record number, be updated in one repository but remain unknown elsewhere? A single data management system must be deployed that can govern the administration of all of the users in all of the repositories; this is the role of the Meta directory. While the demands of internal, departmental identity management often strain the capabilities of many organizations, the increased scale, distribution and security needs of e-business threaten to break them. E-business requires that organizations form loosely coupled infrastructures capable of securely sharing sensitive data.

With the explosion of personal and client-server computing and emergence of the "global information society", the amount of data distributed across networks is continually growing. As much of this information can be sensitive or business critical, it is becoming essential that access to it be permitted only to suitably authenticated parties and in a confidential manner. In order to confidently share data externally, organizations need to develop coherent, global identity management policies that can be implemented as an internally governing technology. There is a requirement for IT systems that build upon the infrastructure to provide secure information access and exchange. A vital aspect of the system is that users of the system - either people or applications - must be suitably authenticated. Once these policies are in place, organizations can efficiently, securely and consistently deploy systems and data that serve partners, suppliers, consumers and subscribers, immeasurably helping them reap the benefits of online electronic business.

A global identity management solution allows a Government department to build a better, more complete infrastructure and deploy global security and e-business solutions. The directory is a powerful tool that is essential to service the complex, ever-changing identity management demands of e-business - whether preparing a new initiative, or expanding existing capabilities.

Managing an e-business infrastructure will become increasingly important as Government increasingly manages its trading partner relationships online. Controlling access to specific data becomes critical. Security services are key building blocks of e-business infrastructures, often including public key infrastructure (PKI) and directory based certificate management.

The directory is one of the most valuable assets in the organization. Here is the approach to Identity Management from Critical Path, a major supplier of Directory solutions.

Critical Path's model for identity management deployment consists of four layers of functionality, with Layers 2 and 3 providing the Meta Directory and Enterprise Directory services.

Layer 1: This layer represents the existing directories and user data repositories within the target organization. This is the layer in which the fragments of user identity are held and into which the Meta Directory server (at Layer 2) reaches in order to build the integrated identity.

Layer 2: This layer is where the Meta Directory Server (join engine) operates. In this architecture the Meta server is responsible for:

a) Connecting to the Layer 1 systems through one of the range of supported connectors, or through bespoke connectors built with the meta directory connector toolkit. The connection style is typically non-intrusive and uses open protocols (LDAP), proprietary interfaces (e.g. the Notes API) or generic database service interfaces (ODBC) as required. For many of the more commonly occurring Layer 1 systems there is out-of-the-box integration capability with a specific directory or data source; here the exact knowledge of internal schema definitions and their mappings is built into the standard product.

b) Synchronising common (or duplicate) data held in any of the connected systems. Defining "attribute flows" between the connected systems is a Meta directory management function.

c) Joining data, as defined in a deployment and originating from the Layer 1 systems, into the defined joined form, sometimes referred to as the Meta View, to form the Single Managed Identity. This joined view is used internally within the Join Engine as part of the synchronisation process in b) above.

d) Publishing the Joined View or Meta View into the single managed Enterprise Directory. Within the Critical Path architecture there is a clear separation between the Meta Directory functions a) to c), which are about data management and joining, and the separate function of publication as enterprise directory data, which enables business applications to exploit the managed, constructed identity.
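The stale-telephone-number problem raised earlier and the Layer 2 functions a) to d) above, worked through in code. This is an added example, not Critical Path's product code: it models two hypothetical Layer 1 sources (an HR database reached through an ODBC-style SQL interface, represented by an in-memory sqlite3 table, and an LDAP mail directory, represented by a list of entry dicts), joins them on a shared employee number, applies attribute flows that name one authoritative source per attribute, pushes the authoritative value back to the system that holds a stale copy, and publishes the resulting Meta View as enterprise directory entries. All names, DNs and sample records are constructed.

```python
"""Toy meta directory join engine (added example; not Critical Path's code)."""
import sqlite3
from typing import Callable

# --- Layer 1: constructed sample data --------------------------------------
HR_ROWS = [  # constructed HR/billing system; authoritative for names, phone, cost centre
    ("10042", "Ada", "Lovelace", "+44 20 7946 0001", "CC-17"),
    ("10077", "Alan", "Turing", "+44 20 7946 0002", "CC-42"),
]
MAIL_ENTRIES = [  # constructed LDAP mail directory; authoritative for the mail address
    {"dn": "uid=alovelace,ou=people,dc=mail,dc=example", "employeeNumber": "10042",
     "mail": "ada.lovelace@example.gov.uk", "telephoneNumber": "+44 20 7946 9999"},  # stale phone
    {"dn": "uid=aturing,ou=people,dc=mail,dc=example", "employeeNumber": "10077",
     "mail": "alan.turing@example.gov.uk", "telephoneNumber": "+44 20 7946 0002"},
    {"dn": "uid=svc-print,ou=people,dc=mail,dc=example", "employeeNumber": None,
     "mail": "print@example.gov.uk", "telephoneNumber": None},  # no HR record: cannot be joined
]

# --- Layer 2 a): connectors normalise each source into attribute/value records
def hr_connector() -> list[dict]:
    """ODBC-style connector: query the HR table and map its columns to attribute names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (empno TEXT, fname TEXT, sname TEXT, phone TEXT, cc TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?,?,?,?,?)", HR_ROWS)
    rows = conn.execute("SELECT empno, fname, sname, phone, cc FROM staff").fetchall()
    conn.close()
    return [{"employeeNumber": r[0], "givenName": r[1], "sn": r[2],
             "telephoneNumber": r[3], "costCentre": r[4]} for r in rows]

def mail_connector() -> list[dict]:
    """LDAP-style connector: entries already arrive as attribute/value maps."""
    return [dict(e) for e in MAIL_ENTRIES]

SOURCES: dict[str, Callable[[], list[dict]]] = {"hr": hr_connector, "mail": mail_connector}

# Attribute flows: for each attribute of the Meta View, the source that is authoritative.
ATTRIBUTE_FLOWS = {"givenName": "hr", "sn": "hr", "telephoneNumber": "hr",
                   "costCentre": "hr", "mail": "mail"}

# --- Layer 2 c): join the fragments into one managed identity per person ----
def build_meta_view(join_key: str = "employeeNumber") -> tuple[dict, list]:
    """Return (meta_view, orphans).

    meta_view maps join key -> joined attributes. orphans lists records without
    a join key and keys missing from some source; a deployment would report
    those to an administrator rather than silently publish a partial identity.
    """
    indexed, orphans = {}, []
    for name, connector in SOURCES.items():
        indexed[name] = {}
        for rec in connector():
            key = rec.get(join_key)
            if key is None:
                orphans.append((name, rec))
            else:
                indexed[name][key] = rec
    meta_view = {}
    for key in sorted(set().union(*(d.keys() for d in indexed.values()))):
        present = {n: d[key] for n, d in indexed.items() if key in d}
        if len(present) < len(SOURCES):
            orphans.append(("unjoined", key))
            continue
        joined = {join_key: key}
        for attr, src in ATTRIBUTE_FLOWS.items():
            joined[attr] = present[src].get(attr)  # the authoritative source wins
        meta_view[key] = joined
    return meta_view, orphans

# --- Layer 2 b): synchronise the non-authoritative copy from the Meta View --
def synchronise(meta_view: dict) -> list[dict]:
    """Flow the authoritative telephone number into the mail directory; return the corrections made."""
    changes = []
    for entry in MAIL_ENTRIES:
        joined = meta_view.get(entry.get("employeeNumber"))
        if joined and entry["telephoneNumber"] != joined["telephoneNumber"]:
            changes.append({"dn": entry["dn"], "attr": "telephoneNumber",
                            "old": entry["telephoneNumber"], "new": joined["telephoneNumber"]})
            entry["telephoneNumber"] = joined["telephoneNumber"]
    return changes

# --- Layer 2 d): publish the Meta View into the enterprise directory ---------
def publish(meta_view: dict, base: str = "ou=people,dc=gov,dc=example") -> dict:
    """Return enterprise directory entries keyed by DN (constructed naming scheme)."""
    return {f"employeeNumber={key},{base}": dict(attrs) for key, attrs in meta_view.items()}

if __name__ == "__main__":
    view, orphans = build_meta_view()
    for change in synchronise(view):
        print("sync:", change)
    for dn, attrs in publish(view).items():
        print(dn, attrs)
    print("not joined:", orphans)
```

The design choice worth noting is that the join engine never guesses: an entry with no join key, or a key that exists in only one source, is reported as an orphan instead of being published, because a half-built identity in the enterprise directory is what later lets access be granted on the wrong person's attributes.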

Layer 3: This is the Enterprise Directory layer. The functions of Layer 2 are about construction and maintenance of the Managed Identity within the enterprise directory. The enterprise directory provides the user- and application-facing services needed for concurrency of access, replication, secure access (access control), filtering and distribution.

Within this architecture the Enterprise Directory is distinct from the Meta Directory. This gives independence and separation of function and allows the Critical Path Meta Directory server the ability to work with Enterprise Directories from a variety of vendors - although it works at its optimum when coupled with the Critical Path Directory Server.

Layer 4: This is the directory-enabled layer of identity management. It is where the applications and services that exploit the directory service are based. Authentication services, authorisation services, Single Sign On, eProvisioning, Personal Portal (B2E) and white and yellow pages directory applications are examples of directory-enabled applications operating at this level.
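The Layer 3 access-control and filtering function and the Layer 4 authorisation service, shown together as an added example that is not Critical Path's code. It assumes a hypothetical enterprise directory holding entries as a dict keyed by DN, a deny-by-default access-control list whose rules grant read access to named attributes for "anyone", for the entry's own subject ("self"), or for members of a group, and a directory-enabled application that decides authorisation from group membership read through the same directory. All DNs, groups and attribute values are constructed.

```python
"""Access-controlled directory reads and group-based authorisation (added example)."""
from dataclasses import dataclass

PEOPLE = "ou=people,dc=gov,dc=example"
HR_ADMINS = "cn=hr-admins,ou=groups,dc=gov,dc=example"
TAX_PORTAL = "cn=tax-portal-users,ou=groups,dc=gov,dc=example"

# Constructed sample: entries as published into the enterprise directory.
DIRECTORY = {
    f"employeeNumber=10042,{PEOPLE}": {
        "cn": "Ada Lovelace", "mail": "ada.lovelace@example.gov.uk",
        "telephoneNumber": "+44 20 7946 0001", "costCentre": "CC-17",
        "memberOf": [HR_ADMINS]},
    f"employeeNumber=10077,{PEOPLE}": {
        "cn": "Alan Turing", "mail": "alan.turing@example.gov.uk",
        "telephoneNumber": "+44 20 7946 0002", "costCentre": "CC-42",
        "memberOf": [TAX_PORTAL]},
}

@dataclass(frozen=True)
class Rule:
    subject: str               # "anyone", "self", or a group DN the requester must belong to
    attributes: frozenset      # attributes this rule allows the subject to read

# Deny by default: an attribute is readable only if at least one rule grants it.
ACL = [
    Rule("anyone", frozenset({"cn", "mail"})),                                  # white pages view
    Rule("self", frozenset({"telephoneNumber", "memberOf"})),                    # a user sees own details
    Rule(HR_ADMINS, frozenset({"telephoneNumber", "costCentre", "memberOf"})),   # HR application view
]

def rule_applies(rule: Rule, requester_dn, target_dn: str, directory: dict) -> bool:
    """Decide whether a rule's subject matches this requester for this target entry."""
    if rule.subject == "anyone":
        return True
    if rule.subject == "self":
        return requester_dn is not None and requester_dn == target_dn
    # Group rules: membership is itself read from the directory, so an unknown
    # (unauthenticated or unpublished) requester belongs to no group.
    requester = directory.get(requester_dn, {}) if requester_dn else {}
    return rule.subject in requester.get("memberOf", [])

def read_entry(requester_dn, target_dn: str, directory: dict = DIRECTORY, acl=ACL):
    """Layer 3 filtered read: return only the attributes requester_dn may see, or None if no entry."""
    entry = directory.get(target_dn)
    if entry is None:
        return None
    allowed = set()
    for rule in acl:
        if rule_applies(rule, requester_dn, target_dn, directory):
            allowed |= rule.attributes
    return {attr: value for attr, value in entry.items() if attr in allowed}

def authorise(requester_dn, required_group: str, directory: dict = DIRECTORY) -> bool:
    """Layer 4 authorisation decision for a directory-enabled application."""
    entry = directory.get(requester_dn) if requester_dn else None
    return entry is not None and required_group in entry.get("memberOf", [])

if __name__ == "__main__":
    ada, alan = f"employeeNumber=10042,{PEOPLE}", f"employeeNumber=10077,{PEOPLE}"
    print("anonymous reads Ada:", read_entry(None, ada))
    print("Alan reads Ada:     ", read_entry(alan, ada))
    print("Ada reads Alan:     ", read_entry(ada, alan))
    print("Alan may use tax portal:", authorise(alan, TAX_PORTAL))
    print("Ada may use tax portal: ", authorise(ada, TAX_PORTAL))
```

Because the authorisation decision reads group membership from the same managed directory that the meta directory publishes into, a change made once in an authoritative Layer 1 source (for example removing someone from a group) takes effect for every directory-enabled application, which is the point of holding a single managed identity rather than per-application user lists.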

Digital recognition systems will ultimately influence many areas of modern living and no more so than the way that we do business over the Internet. Identity Management is instrumental for a successful and secure online trading environment.

Critical Path has deployed Identity Management Solutions in Government including within the Inland Revenue, Department for Work and Pensions and the Prison Service.

Jamie Cowper (Jamie.cowper@cp.net) is the Marketing Manager for Critical Path in the UK, formerly with ISOCOR in a marketing role. Critical Path delivers software and services that maximize the value of Internet communications. The company provides messaging and collaboration solutions - from wireless, secure and unified messaging to basic email and personal information management - as well as identity management solutions that simplify user profile management and strengthen information security.
