The essence of Identity Management as a solution is to provide a combination of processes and technologies to manage and secure access to the information and resources of an organization while also protecting the user profiles.

The Definitive Guide To Identity Management, realtimepublishers.com

Our preferred approach to Identity Management is to start with a Risk Management study, as stated in the Risk Management section. In order to conduct business with confidence, an organisation needs to establish that it can conduct business safely, and part of that trust rests on appropriate security measures and the management of user data.

Identity Management also has a restructuring effect on the organisation: when the processes in place to handle user data are analysed, many of them are usually optimised as well. Which department is going to maintain the master database of internal users? And of external contacts? Who grants and revokes access rights? Is there a validation procedure for this allocation? The consequence of this process review is to reconsider the provisioning workflow and the delegated administration model within the organisation.

Risk assessment and process (re)engineering are the two high-level tasks of Identity Management expertise. Once the organisation has identified its strategic directions, it moves on to implementation. At this stage, the organisation needs an authorisation model and an infrastructure to support it.

Role Based Access Control (RBAC, whose model is represented on the left) is the most advanced and recognised authorisation model available today. We found this book very relevant and useful in structuring the approach. More and more products available on the market claim to be RBAC compliant, and Paradigmo believes this is the road to follow. Unfortunately, there is little support for designing an enterprise access control model without the support of a product suite. If an organisation has selected an access control product, it can stick to it. However, is such a product required in small- or medium-size organisations? How can these organisations model their access control and find pragmatic ways to implement it at the infrastructure layer? Proposing such solutions is part of Paradigmo's added value.

The authorisation model is implemented by the infrastructure layer. Any organisation can fit its current infrastructure components into the diagram presented below.

The infrastructure layer includes all the user repositories within the enterprise. Repositories are synchronised with each other and are fed from authoritative sources (e.g. the human resources database, the client database). The management layer provides the provisioning, workflow and delegated administration functions that are required to keep authentication and authorisation data up to date and consistent across the authoritative sources and the infrastructure layer. The enterprise infrastructure components (namely the operating systems and the web and legacy applications) access the data maintained at the infrastructure layer through the access layer, whose crucial role is to maintain the confidentiality, integrity, availability and accountability of the enterprise information whilst providing the functions commonly referred to as the 'four As' (authentication, authorisation, access control and auditing).