2018/03/22 12:11:56

Identity and Access Management systems (IdM, IAM)

This overview summarizes the opinions of vendor representatives and corporate users on the purpose and current state of the tools responsible for managing user identities in the corporate information environment and controlling access to its network, computing and information resources (identity management, or IdM, tools).


Definitions

Identity Management (IdM) solutions are intended to centralize and automate the management of user accounts and access rights to enterprise information systems, and to raise the level of control over the use of IT infrastructure. Integrating such solutions with the corporate HR system makes it possible to automate the access-management business processes that run when an employee is hired, transferred to another position, goes on leave, or is dismissed.


An Identity and Access Management (IdM, IAM) system is the solution that acts as the core integrating all of an organization's data about an employee: not only full name and a unique identifier, but also when they were hired, which position they hold, which rights they have and, accordingly, which systems they may access. Those systems can be very different, from Active Directory, where the employee's account lives, to the systems needed for their daily work. Access to all information systems is controlled through IdM. Without such a system, functions are often duplicated: an employee joining the company has to file several requests for access to different information systems, and the administrator creates several accounts. This costs both time and labor. Moreover, access rights may not be created for about a week, a period during which the organization suffers losses because the employee cannot perform their job duties. As for password protection, an employee without an Access Management solution has to remember a separate password for logging in to each of these systems, which carries security risks. A person cannot remember all of those passwords, so they start writing them down, perhaps on a piece of paper under the keyboard or on a note stuck to the monitor, which is a potential threat to the organization's information security.

The complexity of the tasks assigned to these tools led to the creation of specialized systems: Identity and Access Management (IAM; identity and access management systems, or SUID, the abbreviation used in the rest of this overview). They appeared on the market as standalone products only a few years ago, although every information resource had its own identity and access control facilities before specialized SUID emerged. This applies first of all to resources such as operating systems, DBMS, and complex application software of the ERP, CRM and SCM class.[1]

The market for identity management solutions is growing faster than the IT market as a whole worldwide, as is the market for information security (IS) tools in general. According to the forecast of the analyst group IDC, by 2010 the worldwide turnover of SUID-based solutions will exceed 5 billion dollars. According to IDC research, in 2005, 23% of total IS spending worldwide was allocated to purchasing identity management software.

2018: HID Global: trends in identification technologies

HID Global notes five main trends of 2018 that will significantly affect how organizations use trusted identifiers.

Move to the cloud

  • Ease of deployment, flexibility, a choice of connectivity options and performance advantages all drive the active adoption of cloud solutions. Cloud access-control platforms with an API and an SDK will stimulate the spread of new software solutions that expand organizations' options for maximizing return on investment. Cloud-based card issuance will also advance the industry thanks to its simplicity, security and optimized cost structure: governments of various countries are increasingly setting themselves the task of supplementing physical citizen IDs with cloud-based mobile IDs.
  • Cloud authentication and credential management will further the integration of mobile devices, tokens, cards and workstations. Digital certificates in the IoT ecosystem will rely on trusted cloud services for issuing and managing certificates for thousands of devices.

Connected devices and environments are focused on protecting the IoT

  • Digital certificates will become a principal component of trust in the IoT ecosystem. Unique digital identifiers will begin to be issued for printers and encoders, mobile phones, tablets, video cameras and building automation systems, and a broader spectrum of such objects will appear, such as network-enabled cars and medical devices.
  • Support for NFC reading in Apple iOS 11 will promote IoT-based applications such as brand protection, loyalty programs and other use cases, which will further increase the need for security in the IoT ecosystem.

A turning point in mobile access: the technology reaches the mass market

  • 2017 was the year of mobile access, and active adoption of this technology will continue in 2018. The maturity of mobile solutions and their integration with other systems, combined with the capabilities of mobile devices that improve user convenience, raise operational efficiency and provide a higher level of security, will lead to accelerated growth and widespread adoption of mobile access.
  • Card emulation, the NFC mode most desired for managing mobile access, is supported only for Apple Pay; Bluetooth therefore remains the communication standard for cross-platform mobile access. Nevertheless, organizations will invest in readers and other infrastructure that supports both NFC and BLE in order to be ready for the future.

Convergence of physical and digital security

  • The concept of physical identity and access management (PIAM) will lead to the convergence of physical and digital security on a single identifier, treating identity as paramount. Government, finance, energy and other regulated markets will be the first to use solutions for secure access to buildings, e-mail, websites and VPN.
  • New converged identity models are emerging that use cloud authentication and mobile devices: for example, verifying that a person is present at a certain location, mobile identifiers that verify citizens' physical IDs, and smart cards used to authenticate users to corporate resources.

Data analytics will drive risk management through predictive models and open up new opportunities

  • Devices, access control systems, IoT applications and other cloud-connected solutions provide reliable data for advanced analytics. Analyzing this data can be used to optimize working solutions and to provide more convenient access for end users.
  • Predictive analytics and biometrics will play a crucial role in the safety of people, meeting employees' expectations for high-quality, personalized services in the workplace. Analytics will also help reduce downtime at the enterprise, stimulate industrial automation and improve regulatory compliance through condition monitoring of production based on real-time location solutions.

Features of the IT infrastructure of a large enterprise

  • Many categories of system users: employees, contractors, clients
  • End-to-end business processes pass through several information systems
  • Users work in different IT systems and perform different functions in them
  • Each information system has its own access-rights settings and authentication procedure

Goals of access rights management

  • Reducing the risks associated with unauthorized or untimely granting or revocation of user access rights
  • Reducing the cost of managing access rights
  • Making rights-management processes more efficient: fast granting of temporary permissions, minimal downtime while rights are set up, etc.


The main tasks of SUID and its place in the overall security management structure

Separating identity management into a standalone system reflects users' need to consolidate identity-management functions under one "umbrella"; admittedly, specialists estimate the size of this umbrella differently.

Use of standards and regulations when building SUID

When building any system it is reasonable to use standards, since they distill the best national and international experience. Following technology standards is reasonable; following regulatory rules and legal acts is mandatory. Therefore both the developers of such systems and their users should know the rules that govern their area of activity.

SUID is no exception in this respect. All the experts polled while preparing this overview unanimously agreed that these systems should rely on standards, and only open ones. The general standards on IT governance and the organization of information security, such as COBIT, ISO 17799:2005 (BS 7799) and ISO 27001:2005, are named as the main ones. To these the experts add requirements aimed at combating abuses in business that have been developed from the practice of recent years: HIPAA (Health Insurance Portability and Accountability Act), SOX 2002 (the Sarbanes-Oxley Act, which defines requirements for internal control and audit systems to prevent fraud), BASEL II (risk management in financial institutions) and the Bank of Russia standard STO BR IBBS for organizations of the Russian banking system.

Among technology standards, experts believe, SUID developers should first of all adhere to the following:

  • general information security standards: XKMS, PKI, XML-SIG, XML-ENC, SSL/TLS, PKCS, S/MIME, LDAP, Kerberos, X.509, etc.;
  • standards for exchanging user identity data: SAML, WS-Fed, XACML, SPML, etc.;
  • integration standards: WSDL, WSRP, JSR-115, JCP, SOAP, etc.;
  • Web services standards: WS-Security, WS-Fed, WS-Policy, WS-Trust, etc.;
  • directory service standards: X.500, DSML, LDAP, JDBC, etc.

Before implementing SUID

Most modern enterprises are very immature with regard to information security: corporate users are at the very first, basic level of the four-level classification adopted by this company. It is therefore worth recalling the main actions that specialists recommend taking before implementing SUID.

Before starting such a project, a company should survey the resources to which access is going to be managed; classify these resources by purpose; describe the business tasks of specific employees and divisions; formalize the approval procedure and access-provisioning technology actually in use; and develop a role model for access to resources and the corresponding processes for approving and granting it. Only after that can specific technologies be "tried on" against the existing and newly developed processes and models. These may well include elements of the inherited IT infrastructure, for example address directories or other databases that contain user profiles.

Functional structure of SUID

Experts identify the following basic functions that should be implemented within SUID:

  • unified management of accounts in different systems (with the possibility of delegating part of the rights to the company's structural divisions), allowing automated enforcement of the organization's security policy for controlling access (including mobile access) to different information resources, applications and services;
  • support for modern authentication methods (including multi-factor and biometric ones) with the possibility of single sign-on;
  • management of the user's lifecycle in the enterprise's systems from the moment the employee is hired until dismissal;
  • automatic synchronization of user accounts across all connected systems (first of all the HR systems) according to corporate policies and rules;
  • flexible and clear tools for defining the policies and rules governing data flows from SUID to the connected systems and back;
  • a user-friendly end-user interface providing access to the corporate address directory and self-service facilities for password recovery, for submitting requests for access to required resources and for tracking their progress;
  • tools for design, deployment, configuration, administration and monitoring of system operation;
  • logging and substantive audit facilities;
  • integration with external monitoring, security audit and support systems;
  • scalability.

Processes and stages of building access rights systems

  • Hiring, transfer, dismissal
  • Going on leave or parental leave, returning from leave or parental leave
  • Change of job duties
  • Changes in IT infrastructure
  • User involvement in security incidents
  • Connecting or disconnecting external users
  • Audit and recertification of rights [2]
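The lifecycle events above (hiring, transfer, leave, dismissal, audit of orphan accounts) are what an IdM synchronization job has to turn into concrete provisioning actions. The following is an added example, not code from the original page or from any IdM product: it reconciles a constructed HR feed against the accounts currently present in target systems, using an assumed position-to-role model, and emits the joiner/mover/leaver actions a connector would then execute.

```python
"""Joiner/mover/leaver reconciliation between an HR feed and target systems.
All employees, systems, roles and entitlements below are constructed sample
data; the role model is an assumption, not taken from any real product."""
from dataclasses import dataclass


@dataclass
class HrRecord:
    emp_id: str
    status: str      # "active", "leave" or "terminated"
    position: str


# Assumed role model: position -> roles, role -> {system: {entitlements}}
ROLES_BY_POSITION = {
    "sales_manager": {"crm_user", "base_employee"},
    "accountant":    {"erp_finance", "base_employee"},
}
ROLE_ENTITLEMENTS = {
    "base_employee": {"ad":  {"domain_users", "vpn"}},
    "crm_user":      {"crm": {"view_order", "edit_order"}},
    "erp_finance":   {"erp": {"post_journal"}},
}


def desired_state(records):
    """emp_id -> {system: {entitlements}} for everyone who should keep access.
    Terminated employees get nothing; employees on leave keep their rights but
    their accounts are suspended (see reconcile)."""
    want = {}
    for r in records:
        if r.status == "terminated":
            continue
        ents = {}
        for role in ROLES_BY_POSITION.get(r.position, set()):
            for system, perms in ROLE_ENTITLEMENTS[role].items():
                ents.setdefault(system, set()).update(perms)
        want[r.emp_id] = ents
    return want


def reconcile(records, current):
    """current: {system: {emp_id: {"enabled": bool, "perms": set}}}.
    Returns sorted (system, emp_id, action, detail) tuples. Accounts with no
    HR record are never silently fixed: they are flagged for recertification."""
    want = desired_state(records)
    status = {r.emp_id: r.status for r in records}
    actions = []
    systems = set(current) | {s for ents in want.values() for s in ents}
    for system in systems:
        have = current.get(system, {})
        for emp_id in have:                       # leavers and orphans
            if emp_id not in status:
                actions.append((system, emp_id, "REVIEW", "orphan account: no HR record"))
            elif status[emp_id] == "terminated":
                actions.append((system, emp_id, "DISABLE", "leaver"))
        for emp_id, ents in want.items():         # joiners and movers
            perms, acct = ents.get(system), have.get(emp_id)
            if perms is None:
                if acct is not None:
                    actions.append((system, emp_id, "DELETE_ACCOUNT", "mover: no longer entitled"))
                continue
            if acct is None:                      # create in the right state at once
                actions.append((system, emp_id, "CREATE", f"{status[emp_id]}:{','.join(sorted(perms))}"))
                continue
            for p in sorted(perms - acct["perms"]):
                actions.append((system, emp_id, "GRANT", p))
            for p in sorted(acct["perms"] - perms):
                actions.append((system, emp_id, "REVOKE", p))
            should_enable = status[emp_id] == "active"
            if acct["enabled"] != should_enable:
                actions.append((system, emp_id, "ENABLE" if should_enable else "SUSPEND", status[emp_id]))
    return sorted(actions)


# Constructed sample: e001 moved from accountant to sales, e002 is on leave,
# e003 was dismissed, e004 was just hired, x999 exists only in AD.
SAMPLE_HR = [HrRecord("e001", "active", "sales_manager"), HrRecord("e002", "leave", "accountant"),
             HrRecord("e003", "terminated", "accountant"), HrRecord("e004", "active", "sales_manager")]
_AD = {"enabled": True, "perms": {"domain_users", "vpn"}}
_ERP = {"enabled": True, "perms": {"post_journal"}}
SAMPLE_CURRENT = {
    "ad":  {"e001": dict(_AD), "e002": dict(_AD), "e003": dict(_AD),
            "x999": {"enabled": True, "perms": {"domain_users"}}},
    "erp": {"e001": dict(_ERP), "e002": dict(_ERP), "e003": dict(_ERP)},
}

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_CURRENT):
        print(*action)
```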

Stages of building an access control system

Access authorization system

Problems of an access authorization system

Role model (RBAC)

  • Formalization of access objects
  • Obtaining the list of access subjects
  • Audit of current access rights
  • Identification of business roles
  • Determination of the basic permission set for each role
  • Formalization of access roles, creation of access matrices
  • Building the access rights management process
  • Process regulation (development of documents)

Growing pains of RBAC [3]

  • In its pure form the model is insufficiently flexible, since it does not take into account:
    • the context of user actions
    • user attributes
    • the parameters of the environment in which users work

  • Job duties require creating unique roles for a large number of users
  • It is difficult to keep access rights current through organizational changes


RBAC: variations and development

  • "Classical" RBAC: static privileges
    • Role Manager = "View orders" + "Change orders"
    • if (user.hasPrivilege('view_order')) …
    • Shortcoming: does not support partitioning by object attributes

  • Dynamic check of object attributes

    • Role "Manager of branch 123" = "View orders of branch 123" + "Change orders of branch 123"
    • if (user.hasPrivilege('view_order_' + order.branch)) …
    • Shortcoming: leads to "role explosion", a separate role for each attribute value

  • Dynamic check of subject attributes

    • Role "Branch manager" = "View orders of own branch" + "Change orders of own branch"
    • if (user.hasPrivilege('view_order') && user.branch == order.branch) …

  • Logical continuation: ABAC (Attribute-Based Access Control)


Centralization of management: Identity Manager

  • Reduces all role-management options to a uniform model
  • Centrally manages rights in the enterprise's IT systems
  • Implements business scenarios: hiring, dismissal, leave, etc.

Identity Manager "bottlenecks"

  • Works within the RBAC model
  • Does not take business object attributes into account
  • Is limited to the roles that exist in the IT system

Attribute-based access model (ABAC)

  • Access rights are defined by logical rules expressed in terms of business attributes
  • Subjects (users), resources (objects), actions and the environment have attributes
  • The model is standardized in XACML 3.0 (the first version dates from 2003)
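The three RBAC variants from the slides above and their ABAC continuation, evaluated side by side against the same question: may this user view or change this order? This is an added example written for this page, not code from the cited presentation or from any product; the users, orders, branch numbers and rules are constructed, and the ABAC part follows the XACML 3.0 idea of rules over subject, resource, action and environment attributes combined with deny-overrides.

```python
"""RBAC variants and an ABAC rule evaluator for the order/branch example.
All users, orders, branches and rules are constructed sample data."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: set
    branch: str


@dataclass
class Order:
    order_id: int
    branch: str
    status: str


# 1. "Classical" RBAC: static privileges; the order itself is never consulted.
STATIC_ROLES = {"manager": {"view_order", "edit_order"}}


def has_privilege(user, privilege, roles=STATIC_ROLES):
    return any(privilege in roles.get(r, set()) for r in user.roles)


def classic_rbac_can_view(user, order):
    return has_privilege(user, "view_order")      # branch is ignored


# 2. Role per attribute value: "manager_123" -> "view_order_123". Correct,
#    but needs one role per branch per action: the "role explosion".
def per_branch_roles(branches, actions=("view_order", "edit_order")):
    return {f"manager_{b}": {f"{a}_{b}" for a in actions} for b in branches}


def per_branch_rbac_can_view(user, order, branches):
    return has_privilege(user, f"view_order_{order.branch}", per_branch_roles(branches))


# 3. Subject-attribute check: one generic role plus an attribute comparison.
def subject_attr_can_view(user, order):
    return has_privilege(user, "view_order") and user.branch == order.branch


# 4. ABAC in the XACML 3.0 spirit: each rule is an effect plus a predicate over
#    (subject, resource, action, environment); deny-overrides combining.
RULES = [
    ("Deny",   lambda s, r, a, e: a == "edit_order" and r.status == "archived"),
    ("Permit", lambda s, r, a, e: a in ("view_order", "edit_order")
                                  and "manager" in s.roles and s.branch == r.branch),
    ("Permit", lambda s, r, a, e: a == "view_order" and "auditor" in s.roles
                                  and 9 <= e["hour"] < 18),      # environment attribute
]


def abac_decide(subject, resource, action, environment, rules=RULES):
    """Any matching Deny wins; otherwise Permit if any Permit rule matches;
    otherwise NotApplicable, which the enforcement point must treat as a refusal."""
    effects = {eff for eff, pred in rules if pred(subject, resource, action, environment)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


# Constructed sample subjects and resources
ALICE = User("alice", {"manager"}, "123")
BOB = User("bob", {"manager"}, "456")
IVAN = User("ivan", {"auditor"}, "999")
ORDER = Order(1, "123", "open")
ARCHIVED = Order(2, "123", "archived")

if __name__ == "__main__":
    print("classic RBAC lets bob view a branch-123 order:", classic_rbac_can_view(BOB, ORDER))
    print("roles needed for 50 branches:", len(per_branch_roles(range(50))))
    print("subject-attribute check for bob:", subject_attr_can_view(BOB, ORDER))
    print("ABAC, ivan views at 10:00:", abac_decide(IVAN, ORDER, "view_order", {"hour": 10}))
    print("ABAC, alice edits archived:", abac_decide(ALICE, ARCHIVED, "edit_order", {"hour": 10}))
```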

ABAC: access organization scheme

Approaches to access control (standard and hybrid)

IDM / IAM

Results

  • It must be possible to quickly check who has access to what (and who had access as of a given date in the past)
  • Determining the basic set of access rights and building a role model requires many hours of interaction with business divisions
  • A register of resource owners is absolutely necessary
  • IDM and other automation tools are a means, not an end in themselves
  • The ultimate goal: greater efficiency and reduced risk associated with excessive access

Identity management functions in OS, DBMS and application systems

As noted above, corporate information resources have their own mechanisms for identifying users and granting them access rights at the level of the OS, DBMS or application. Experts note that the identity management facilities built into modern information resources are coming closer and closer in capability to the specialized systems, and that procedures and functions are borrowed between them.

Some specialists are favorably impressed by recent access-control achievements in products such as SAP NetWeaver, Oracle Application Server and e-Business Suite. Others note that although ERP vendors have advanced much further in identity management than operating system developers, their problem is that ERP solutions are quite often built as separate data silos and therefore do not integrate properly with corporate identity management policies: an ERP is responsible for identifying and authorizing users only for its own modules.

Directions of SUID development

In the experts' opinion, given SUID requirements such as scalability, hierarchy and support for a geographically distributed structure, the most suitable architecture for these systems today is a three-tier one with three basic components: the identity data store, the server implementing the identity management business logic (workflow), and the console for centralized identity management.

The line between personal and work accounts is blurring

Although you are unlikely to be able to log in to the corporate VPN with your Facebook account (at least for now), six out of ten IT executives surveyed (63%) believe that the authentication methods used in the consumer world can also be used for secure access to corporate applications. Moreover, roughly the same number of respondents say their security teams have some difficulty giving users a login method as intuitive as the one used by those services, and slightly more than half of respondents (52%) believe that within three years employees will use the same accounts both for access to corporate online resources and for access to their personal data in public online services. [4]

Such a turn may seem somewhat unexpected, especially given the huge number of consumer websites offering free OTP applications, delivery of one-time passwords by SMS and even the more advanced push-authentication technology. The "Remember me on this device" option, the simplest form of contextual authentication, in which the second factor is required only when logging in from an unknown browser-and-device pair, is familiar to all of us, and most IT executives (63%) regard it as the future of two-factor authentication.

Offer employees new tools for mobile work? Perhaps...

The good news is that only 35% of organizations completely prohibit access to work resources from mobile devices (smartphones and tablets), and the majority (56%) permit such access, albeit with some restrictions. This may mean that the CIOs who restrict access from mobile devices are not sufficiently confident in the access control methods in use to let employees use mobile devices more actively. At the same time, the same executives intend to expand the scope of two-factor authentication on mobile devices considerably over the next two years (from 37% today to 56% in two years). It remains to be seen whether this gain in security will contribute to the development of mobile technologies in the corporate environment. In any case, innovations built on Bluetooth Smart, biometrics and push technologies can promote wider adoption of two-factor authentication.

Although the vast majority of the IT executives surveyed acknowledge obstacles to expanding the use of mobile technologies in their organizations, the nature of these difficulties varies widely, from security concerns (50%), additional IT management load (48%) and increased costs (43%) to other difficulties, including the desire to keep IT transparent (30%) and the need to comply with regulatory requirements.

Cloud: explosive growth, single sign-on (SSO) and access control

The explosive growth in the number of cloud applications in the corporate environment explains the desire to solve, once and for all, the so-called "password fatigue" problem: users tire of passwords when they have to keep 10-25 login-and-password pairs in memory for their daily work. From this point of view, almost half of the respondents' organizations (49%) plan to implement a single sign-on (SSO) solution for cloud applications, and roughly the same number of respondents (47%) agreed that such a need is maturing in their organizations.

Today password vaulting is the most widespread method of controlling access to cloud applications, used in the organizations of 53% of respondents. Other methods in use include IDaaS (28%), cloud SSO solutions (28%) and on-premises IAM solutions (23%).

Practically all the IT executives surveyed (95%) regard single sign-on to cloud applications as a tool that increases the mobility and productivity of employees in the organization.

SUID market situation in Russia

Demand for SUID in Russia has only recently started to grow, and Russian companies spend only 2% of their information security budget on identity management. According to experts, this is largely because implementing identity management technologies requires the company to have a package of normative and methodological documents that strictly formalize the process of granting users access to information resources. Owing to the lack of comprehensive documentation in the field of information security, many Russian enterprises are not yet ready to implement SUID.

As a factor restraining the spread of these products, experts cite the high price, from 60 to 100 dollars per user, and the fact that these solutions sit at the junction of the IT department's and the security division's functions (which complicates the adoption and implementation of organizational and administrative identity management measures). So far only a few SUID have been implemented in Russia. However, it can be assumed that a breakthrough in this direction will occur in the near future. Large and interesting projects providing for step-by-step deployment of identity management over one to two years are being launched right now.

Today SUID in Russia are of interest to large enterprises and organizations with a developed IT infrastructure, such as large telecom operators, banks, insurance companies, industrial holdings, oil and gas corporations and state structures. Estimating the annual purchasing volume of the Russian SUID market for the next several years, our experts give a wide range, from five to several tens of millions of dollars. At the same time they believe that over the next three to five years the number of potential customers will be about one hundred companies, with a project cost from 1 million dollars.

IDM/IAM systems and projects

Notes

  1. Identity and Access Management
  2. From the presentation by Andrey Alyabyev, Chief Specialist of the Information Security Department, Globex Bank, at the TAdviser Security Day 2016 conference
  3. Vyacheslav Viktorovich Muravlev, Solutions Architect, CUSTIS group, "The hybrid approach to access rights management: when standard IDM is not enough", CNews FORUM 2016
  4. The annual Gemalto Authentication and Identity Management Index 2017 reports on the latest trends and problems related to the convergence of personal and work accounts, the use of mobile technologies in the work environment and access control. In the survey, conducted by the independent research firm Vanson Bourne, 1,150 IT executives worldwide were interviewed to find out their opinions on various aspects of account protection and on the strong authentication policies already in use or planned for future implementation.