Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Future Directions in Identity Lifecycle Management: Identity Crossing the Firewall (20070710)
Late last month I presented at the Burton Group Catalyst conference in the "future of identity" segment on the topic "Your Identity Session: Future Directions in Identity Lifecycle Management". The slides of the talk can be found on the Informed Control resources page in PDF.
1. Identity information crosses the firewall

[Image: Some of the people in Geo. Washington's boat]
Unlike the "idealized state" mentioned in the Introduction, there are numerous points of interconnect where components of the 'enterprise' identity management system may now or in the future be interacting with systems outside of the enterprise, including interfaces with
- self-service: e.g., for retirees
- web browsers: e.g., employees using external collaborative tools, or searching the organization using LinkedIn.
- applications: e.g., VPNs, vendor/integrator support backdoors
- provisioning, access control and federation: e.g., for outsourced or contract environments, as well as in partner federations
Possible future

Besides benefits to the enterprise, some of these interaction projects can bring direct benefit to the end user. The earliest examples included
- the user can synchronize their address books with their PDA/phone,
- the user can perform (limited) self-service post-employment (e.g., to update their mailing address for retiree benefits), and
- the user has an improved experience at partner web sites.
The latter is beneficial as more business projects are moved off-site; however, there is a risk to the organization should one or more users choose on their own to move a project off-site (e.g., to a hosted application).
One of the control implications of introduced dependencies on third-party services and networks is the potential impact on confidentiality, integrity and availability. The identity data may have increased exposure to data loss (when outside the firewall) or corruption (should a bad update be received). An area of primary concern is the difficulty in applying detective controls, since there is typically no common method for exchanging retained audit event data or for reconstructing activities that span multiple organizations or occur entirely outside of an enterprise's firewall.
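One defensive response to the detective-control gap just described is to normalize whatever audit records each side does retain into a common schema before attempting to reconstruct an activity that crossed the firewall. The Python below is an added example, not code from the original post or from the Burton Group talk. It works on two constructed sources: a syslog-like enterprise directory audit log and a federation partner's JSON-lines export. The `dirsrv` log shape, the partner's `ts_ms`/`nameid`/`event` keys, the timestamps, the user `jsmith` and the convention that the partner's NameID local part equals the enterprise uid are all assumptions made for the illustration.

```python
"""Normalize audit events from two organizations into one per-subject timeline.

Constructed example: the log formats, field names and values below are
assumptions for illustration, not any product's real audit format.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditEvent:
    when: datetime      # normalized to UTC so events from both sides sort together
    org: str            # organization that recorded the event
    subject: str        # identity the event concerns, normalized to lowercase uid
    action: str         # common action vocabulary shared by both sources
    detail: str         # attribute name, application, or result, depending on action


# --- Source 1: enterprise directory audit log (constructed, syslog-like) ---
ENTERPRISE_LOG = """\
2007-07-10T14:02:11-05:00 dirsrv MOD uid=jsmith attr=mail result=success
2007-07-10T14:05:40-05:00 dirsrv BIND uid=jsmith result=success
2007-07-10T16:30:02-05:00 dirsrv MOD uid=jsmith attr=employeeStatus result=success
"""

_ENT_RE = re.compile(
    r"^(?P<ts>\S+) dirsrv (?P<op>[A-Z]+) uid=(?P<uid>\S+)"
    r"(?: attr=(?P<attr>\S+))? result=(?P<res>\S+)$"
)
_ENT_ACTIONS = {"MOD": "attribute_change", "BIND": "authenticate"}


def parse_enterprise(text: str) -> list[AuditEvent]:
    events = []
    for line in text.splitlines():
        m = _ENT_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess at its meaning
        when = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append(AuditEvent(
            when=when, org="enterprise", subject=m["uid"].lower(),
            action=_ENT_ACTIONS.get(m["op"], m["op"].lower()),
            detail=m["attr"] or f"result={m['res']}",
        ))
    return events


# --- Source 2: federation partner's export (constructed JSON lines) ---
PARTNER_EXPORT = """\
{"ts_ms": 1184094360000, "nameid": "JSMITH@example.com", "event": "sso_login", "app": "hosted-crm"}
{"ts_ms": 1184098200000, "nameid": "JSMITH@example.com", "event": "attr_push", "attrs": ["mail", "title"]}
"""
_PARTNER_ACTIONS = {"sso_login": "authenticate", "attr_push": "attribute_sync"}


def parse_partner(text: str) -> list[AuditEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.fromtimestamp(rec["ts_ms"] / 1000, tz=timezone.utc)
        # Assumed mapping convention: the NameID local part is the enterprise uid.
        subject = rec["nameid"].split("@", 1)[0].lower()
        detail = ",".join(rec.get("attrs", [])) or rec.get("app", "")
        events.append(AuditEvent(when, "partner", subject,
                                 _PARTNER_ACTIONS.get(rec["event"], rec["event"]), detail))
    return events


def timeline(subject: str) -> list[AuditEvent]:
    """Merge both sources into one chronologically ordered view of a subject."""
    events = parse_enterprise(ENTERPRISE_LOG) + parse_partner(PARTNER_EXPORT)
    return sorted((e for e in events if e.subject == subject), key=lambda e: e.when)


def link_logins(events: list[AuditEvent], window: timedelta = timedelta(minutes=5)):
    """Pair each partner-side authentication with the latest enterprise
    authentication that preceded it within `window`; None when nothing local
    explains the partner login (worth a closer look)."""
    local = [e for e in events if e.org == "enterprise" and e.action == "authenticate"]
    pairs = []
    for p in events:
        if p.org != "partner" or p.action != "authenticate":
            continue
        prior = [e for e in local if timedelta(0) <= p.when - e.when <= window]
        pairs.append((p.when, max(prior, key=lambda e: e.when).when if prior else None))
    return pairs


def changes_after_last_sync(events: list[AuditEvent]) -> list[str]:
    """Attributes changed in the enterprise after the partner last received a
    sync, i.e. data the partner may now hold in a stale (integrity-relevant) state."""
    pushes = [e.when for e in events if e.org == "partner" and e.action == "attribute_sync"]
    last = max(pushes) if pushes else None
    return [e.detail for e in events
            if e.org == "enterprise" and e.action == "attribute_change"
            and (last is None or e.when > last)]


if __name__ == "__main__":
    for e in timeline("jsmith"):
        print(e.when.isoformat(), e.org, e.action, e.detail)
    print("login pairs:", link_logins(timeline("jsmith")))
    print("changed since last sync:", changes_after_last_sync(timeline("jsmith")))
```

The value of the merged view is only as good as the inputs: the example assumes the partner is willing to hand over an export at all, that both sides' clocks are trustworthy enough for a five-minute pairing window, and that the identifier mapping is known. Where any of these is absent, which the post notes is the usual case, the reconstruction simply cannot be done, and that gap is itself the finding to record.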
When representations of identities are synchronized with other representations outside of the firewall, such as in a federation scenario, this can in some cases lead to an increased volume of attributes needing to be stored in the enterprise's own repository. Furthermore, this can cause changes to the lifecycle model: additional events might be necessary.
Another aspect of externalizing identity information is that it might increase the success rate of certain kinds of social engineering attacks if the organization's internal connection structure is visible through a service such as LinkedIn.