What Is IDM?

Access Management, Identity Management, IDM, Security

The following entry answers the question, “What is IDM?” This acronym was once used almost exclusively by the IT community; however, the concept has been gaining a more mainstream understanding. This entry aims to educate our readers on Identity Management, demonstrate why it’s necessary, and show how businesses benefit from it. To skip to the IDM FAQ, scroll down for the link.


IDM Conceptual Overview

Broadly speaking, Identity Management (IDM) is the management of a user’s accounts across a number of applications within a network. An identity therefore consists of the accounts held by a single user on these systems: it is an abstract concept that ties together the actual accounts on each application.

In the previous illustration, the user “John Q. Public” has an account on each of the three applications, but it may not be obvious that each account belongs to the same person. One of the greatest benefits of identity management is to link these accounts together in a single identity.


In this example, the Identity Management solution stores the user “John Q. Public” and keeps track of his various accounts. IDM can modify these accounts as time goes by, and since IDM knows about each application, it can create and delete accounts on behalf of users. In the case of creating accounts for users, this process is known as provisioning. Conversely, when deleting accounts for users, it is known as deprovisioning.  These processes are done on behalf of the user by IDM itself, instead of manually by an application administrator.


The previous diagram illustrates an identity’s lifecycle. The following three stages, along with relevant considerations, are detailed:

1. Onboard. An employee joins the company. This employee will need to have all necessary accounts provisioned, whether manually by IT staff or automatically by an Identity Management solution. These accounts and their associated information will compose the user’s identity.

2. Update. A user’s information can change during their tenure with a company. These changes can be relatively benign or require many updates. For example, if a user changes physical location, this could require only updating a field on one application, but it could change the entry’s location within a directory for another application. Another example is if a user gets married and changes their last name, all their accounts may require a rename. Lastly, if a user gets promoted or changes departments, they may no longer require access to some of their applications (in which case access should be revoked) and may require access to different applications (in which case it should be provided). In summary, updates can require many changes to be made to a user’s accounts, and these changes must be done either manually by a staff person or automatically by an Identity Management solution.

3. Terminate. After a user leaves an organization, all access should be revoked. For auditing purposes, it may be necessary to keep the account around, but at the very least it should be disabled (prevented from performing any activities such as logging in). As before, this can be done either manually or automatically. Users can also be onboarded again after being terminated; for auditing purposes past and present accounts should be linked.


Historically, IT staff have undertaken these tasks manually: provisioning accounts for newly onboarded users, updating accounts when changes happen, and terminating the accounts of employees who are no longer active. This presents, at a minimum, three challenges to organizations:

1. Volume. The sheer number of changes can be massive, requiring time and resources from employees dedicated to managing identities. That volume leads directly to the next challenge.

2. Human error. With a large number of changes to make comes the increased possibility of human error. Typographical errors can result in accounts provisioned incorrectly, and staff can easily forget to create a required account, which can result in lost time and lost tempers as the problem is corrected, or to terminate an account, which can result in sabotage as former employees retain access after having left the company.

3. Cost. Both the resources spent maintaining identities and the costs of making a mistake factor into the cost of manual identity management. Furthermore, federal regulations such as SOX and HIPAA require auditing of identity-related matters and impose steep penalties for violations.


An Identity Management solution provides the following benefits which address these problems:

1. Automation. A commercial Identity Management solution can automate the phases of the identity lifecycle. IDM solutions will connect to each resource, provisioning and deprovisioning automatically as required for each user. This reduces the cost of each transaction, increasing the volume of identities that can be handled in a timely manner.

2. Centralization. Since the IDM solution can connect to each resource, accounts can be provisioned from a single location. This, combined with automation, greatly reduces the possibility of human error in identity management.

3. Auditing. Given the importance of maintaining credible records in today’s IT world, IDM solutions can audit every transaction pertaining to each phase of the identity lifecycle. Organizations can easily see whether they are in compliance with federal regulations and take corrective measures when necessary.
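As an added illustration (not code from the original post or from any of the products named in it), here is a small Python model of the onboard/update/terminate lifecycle described above with the three benefits applied: provisioning and deprovisioning are driven automatically from one central department-to-application mapping, accounts are disabled rather than deleted so records survive for audit, and every transaction is logged. The ROLE_APPS mapping and the application names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed department -> applications mapping, constructed for this example.
ROLE_APPS = {"sales": {"email", "crm"}, "finance": {"email", "erp"}}

@dataclass
class Identity:
    """One identity linking a person's accounts across applications."""
    name: str
    department: str
    accounts: dict = field(default_factory=dict)  # app -> "active"/"disabled"
    audit: list = field(default_factory=list)     # (action, target) per transaction

def active_accounts(ident: Identity) -> set:
    return {app for app, state in ident.accounts.items() if state == "active"}

def reconcile(ident: Identity) -> None:
    """Make accounts match the department: provision what is missing, disable
    what is no longer needed. Records are never deleted, so the audit trail
    and the link between past and present accounts survive."""
    wanted = ROLE_APPS[ident.department]
    for app in sorted(wanted):
        if ident.accounts.get(app) != "active":
            ident.accounts[app] = "active"
            ident.audit.append(("provision", app))
    for app in sorted(active_accounts(ident) - wanted):
        ident.accounts[app] = "disabled"
        ident.audit.append(("deprovision", app))

def onboard(name: str, department: str) -> Identity:
    ident = Identity(name, department)
    ident.audit.append(("onboard", department))
    reconcile(ident)
    return ident

def update(ident: Identity, department: str, action: str = "update") -> None:
    """A department change, or (action="onboard") re-onboarding a terminated
    user on the same identity so past and present accounts stay linked."""
    ident.audit.append((action, department))
    ident.department = department
    reconcile(ident)

def terminate(ident: Identity) -> None:
    """Revoke all access but keep every account record for auditing."""
    ident.audit.append(("terminate", ident.department))
    for app in sorted(active_accounts(ident)):
        ident.accounts[app] = "disabled"
        ident.audit.append(("deprovision", app))
```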


The above is a general overview of what Identity Management is, how it’s applicable to different industries, and the benefits of incorporating IDM solutions at an enterprise level. My hope is that we’ve helped in answering your “what is IDM?” question in a friendly and informative way. Action Identity has an arsenal of premier partners and has experience implementing such solutions as the Oracle Identity and Access Management Suite, Novell Access Manager, Novell Identity Manager, Novell Secure Login, and Passlogix SSO. 


To learn more about Identity Management solutions, visit http://www.ActionIdentity.com. If you have any questions, comments, or would like some clarification, just leave a comment below.


Looking for the IDM FAQ? Click here


Interested in learning more about IDM? Check out these other entries:

http://www.actionidentity.com/blog/post.cfm/changing-user-passwords-from-sun-identity-manager-to-novell-edirectory

http://www.actionidentity.com/blog/post.cfm/unique-delimited-text-driver-solved

http://www.actionidentity.com/blog/post.cfm/messaging-protocols-soap-vs-rest-which-one-s-better

1 response to “What Is IDM?”

  1. ademero Says:
    Good post. You’ve managed to mention some specific but simple tips for effective optimization.


Powered by Mango Blog. Design and Icons by N.Design Studio