Several interpretations of identity management (IdM) have been developed in the IT industry. Computer scientists now associate the phrase, quite restrictively, with the management of user credentials and the means by which users might log on to an online system. The focus on identity management goes back to the development of directories, such as X.500, where a namespace serves to hold named objects that represent real-life “identified” entities, such as countries, organizations, applications, subscribers or devices. The X.509 ITU-T standard defined certificates carried identity attributes as two directory names: the certificate subject and the certificate issuer. X.509 certificates and PKI systems operate to prove the online “identity” of a subject. Therefore, in IT terms, one can consider identity management as the management of information (as held in a directory) that represents items identified in real life (e.g. users, devices, services, etc). The design of such systems requires explicit information and identity engineering tasks.
The evolution of identity management follows the progression of Internet technology closely. In the environment of static web pages and static portals of the early 1990s, corporations investigated the delivery of informative web content such as the “white pages” of employees. Subsequently, as the information changed (due to employee turnover, provisioning and de-provisioning), the ability to perform self-service and help-desk updates more efficiently morphed into what became known as Identity Management today.
Typical identity management functionality includes the following:
- User information self-service
- Password management
- Workflow
- Role Based Administration
- Provisioning and de-provisioning of identities from resources
- Delegated management
Identity management also addresses the age-old ‘N+1’ problem — where every new application may entail the setting up of new data stores of users. The ability to centrally manage the provisioning and de-provisioning of identities, and consolidate the proliferation of identity stores, all form part of the identity management process.
Three perspectives on IdM
In the real-world context of engineering online systems, identity management can involve three perspectives:
- The pure identity paradigm: Creation, management and deletion of identities without regard to access or entitlements;
- The user access (log-on) paradigm: For example: a smart card and its associated data used by a customer to log on to a service or services (a traditional view);
- The service paradigm: A system that delivers personalized, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.
The pure identity paradigm
A general model of identity can be constructed from a small set of axiomatic principles, for example that all identities in a given abstract namespace are unique and distinctive, or that such identities bear a specific relationship to corresponding entities in the real world. An axiomatic model of this kind can be considered to express “pure identity” in the sense that the model is not constrained by the context in which it is applied.
In most theoretical and all practical models of digital identity, a given identity object has a finite set of properties associated with it. These properties may be used to record information about the object, either for purposes external to the model itself or so as to assist the model operationally, for example in classification and retrieval. A “pure identity” model is strictly not concerned with the external semantics of these properties.
The most common departure from “pure identity” in practice occurs with properties intended to assure some aspect of identity, for example a digital signature or software token which the model may use internally to verify some aspect of the identity in satisfaction of an external purpose. To the extent that the model attempts to express these semantics internally, it is not a pure model.
Contrast this situation with properties which might be externally used for purposes of information security such as managing access or entitlement, but which are simply stored and retrieved, in other words not treated specially by the model. The absence of external semantics within the model qualifies it as a “pure identity” model.
Identity management, then, can be defined as a set of operations on a given identity model, or as a set of capabilities with reference to it. In practice, identity management is often used to express how identity information is to be provisioned and reconciled between multiple identity models.
The user access paradigm
Identity management in the user “log-on” perspective may involve an integrated system of business processes, policies and technologies that enable organizations to facilitate and control access by their users to critical online applications and resources — while protecting confidential personal and business information from unauthorized access. It represents a category of interrelated solutions which system administrators employ towards managing user authentication, Access rights and restrictions, account profiles, passwords, and other attributes supportive of the roles/profiles of user in relation to applications and/or systems.
The service paradigm
In the service paradigm perspective, where organizations evolve their systems to the world of converged services, the scope of identity management becomes much larger, and its application more critical. The scope of identity management includes all the resources of the company deployed to deliver online services. These may include devices, network equipment, servers, portals, content, applications and/or products as well as a user credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.
Today, many organizations face a major clean-up in their systems if they are to bring identity coherence into their influence. Such coherence has become a prerequisite for delivering unified services to very large numbers of users on demand — cheaply, with security and single-customer viewing facilities.