When Millions Need Access: Identity Management in an Interconnected World


Best-practice security solutions that scale to meet today’s huge numbers of users.

Learn more: http://ibm.com/security

IBM Software
Thought Leadership White Paper
February 2013

When millions need access: Identity management in an interconnected world
Best-practice security solutions that scale to meet today’s huge numbers of users
Contents

2 Introduction
3 Effective management based on self service and access control
3 Security and compliance across the full user lifecycle
4 Paths to success in the identity and access management environment
5 Use case 1: Portal-based access for large populations of users
5 Use case 2: User access to cloud-based services
7 Use case 3: Business partner access and application integration
8 IBM self-service solutions for internal and external users
11 The IBM Security portfolio of identity and access management solutions
11 IBM: Your trusted partner for leading IT security solutions
12 For more information
12 About IBM Security solutions

Introduction

With millions of transactions occurring online almost every day, business today really occurs without boundaries. Customers, business partners, vendors and other constituents all need to access your network—or your cloud—to make purchases, find information or use applications. While these new categories of users are essential for maintaining a competitive edge, your organization also needs to carefully monitor them and grant appropriate, safe access to protected resources. And there are thousands—in many cases, millions—of them.

Their interest and involvement can be good for business. But how do you manage such a number? Manual procedures for identity management—everything from granting access to assets to managing user accounts—are a classic example of processes that simply don’t scale. They can work when the number of users is small. But manual procedures can become a significant burden when numbers reach into the thousands—and impossible when the numbers stretch to millions. Just think about resetting passwords. How could you maintain a help desk big enough for a world full of customers?

As organizations transform business by opening their systems to large numbers of internal and external online users, many of whom are mobile, they are increasingly adopting automated solutions that secure sensitive data, support end-user self service and help resolve problems. For today’s instrumented, interconnected and intelligent IT operations, best practices for identity management can help ensure secure, optimized and regulatory-compliant operations.
Effective management based on self service and access control

Today’s need for effective identity management is the result of an explosive growth in connectivity. An insurance company, for example, that until recently managed access for a few thousand employees now needs to manage millions of customers and partners conducting online transactions through a sales portal. A government agency previously managing access only for its employees now needs to manage access for millions of citizens and a wide range of other agencies accessing information online. Organizations in areas such as healthcare, finance and other customer services industries rely heavily on interaction and data exchange between large numbers of partners and consumers.

The result has been a sudden and unprecedented increase in the scale and requirements of online business operations—and an increased demand on organizations’ identity management systems. Organizations now need systems that can give employees, business partners and external end users the self-service capabilities they need to quickly enroll for new services and resolve individual problems—including the ever-present issue of password resets—without having to contact the help desk. At the same time, organizations need systems that give administrators—whether IT operators, line-of-business managers or human resources professionals—control over permissions and other user-access functions.

IBM offers industry-leading solutions based on the principles of the IBM Security Framework to meet scalable identity and access management needs. These solutions deliver user administration and management, resource protection, and audit-reporting capabilities to help reduce the risks of security breaches and non-compliance.

For example, IBM® Tivoli® Federated Identity Manager provides capabilities such as business-to-consumer self-service enrollment and federated single sign-on (SSO) support that organizations can supply to their external constituents. IBM Security Identity Manager is an automated, policy-based solution that manages the lifecycle of user access across IT environments within the organization. IBM Tivoli Security Policy Manager allows organizations to centralize fine-grained security policy management to enforce access control across applications, databases, portals and business services.

Security and compliance across the full user lifecycle

An effective identity management solution meets a full range of online business needs—from pressures to stay competitive by providing greater access to more information and services, to requirements to demonstrate compliance by controlling and monitoring all user activities and their associated access privileges. The solution should include tools for restricting user access to only those IT resources appropriate to their role and/or job function, centralized user self service, simplified administration and approvals processing, periodic revalidation of user access rights, and documentation of policy controls. Add to all that the need to manage the rising costs of account provisioning and deprovisioning, recertification of access rights, help-desk calls, password resets and other administrative tasks.

As organizations grant access to different types of users, including employees, customers, business partners and suppliers, they need best-practice solutions that can support the full lifecycle of user identity, from the efficient onboarding of new users to their final off-boarding and the elimination of unidentified or “orphan” accounts.
Externally, they need a secure, easy-to-use solution that makes minimal demands on the organization’s IT staff to administer. Internally, they need to create user accounts in ways that allow new hires or employees with new roles to be productive as soon as possible. To avoid potential security exposures, they need to retire accounts and associated access privileges quickly for employees who leave the company. Additionally, internal users need secure access to externally hosted applications, including cloud-based applications and business partner applications.

Cloud environments usually support a large and diverse community of users, so managing identities across multiple cloud services is especially critical. Identity federation and capabilities for rapid onboarding must be available to coordinate authentication and authorization with the enterprise’s back-end or third-party systems. A standards-based SSO capability is required to simplify end-user logins for both internally hosted applications and the cloud, allowing end users to easily and quickly leverage cloud services.

When it comes to compliance, organizations need enterprise-wide capabilities to ensure that both internal and external access are governed by effective authentication, to monitor authorization and network traffic, and to support the system with comprehensive audit and reporting capabilities.

Regardless of the type of user, the solution should enhance security by helping to fill gaps in security measures. It should mitigate the risk of issues such as fraud, theft of intellectual property or loss of customer data. It should help reduce costs by streamlining business and IT processes that grant users access to resources.

Paths to success in the identity and access management environment

Each organization has to determine the details of ensuring effective identity management, because each organization has its own needs, goals and set of users. Leading use cases for identity and access management, however, typically fall into three categories:

  • Portal-based access for large populations of users
  • User access to cloud-based services
  • Business partner access and application integration

In each case, organizations are transforming the way they provide user access. To achieve this transformation, they typically provide self-service functions as they help ensure secure operations and support regulatory compliance.

For these scenarios—which are rapidly increasing in number and complexity as banking, retail and public sector organizations increase the value-added services in their online operations—the organization not only must address issues of security, scalability and usability, it must also manage back-end tasks for application integration. Organizations deploying service-oriented architecture (SOA) solutions need an effective policy-based approach that incorporates security management and services that can be integrated with existing SOA components.
Use case 1: Portal-based access for large populations of users

A large state health information exchange portal needs to provide 3 million consumers and several hundred payers and associated providers with access to clinical and administrative data. It also must enable secure collaboration among healthcare organizations, facilities operators and insurance companies. It needs a solution that can centrally manage user authentication to ensure that patient records remain private as it securely expands access to consumers, payers and providers. By ensuring identity management and enforced access control, the solution must support compliance with Health Insurance Portability and Accountability Act (HIPAA) security regulations and updated healthcare information exchange (HIE) requirements.

How Security Identity Manager helps

Through the use of roles, accounts and access permissions, Security Identity Manager helps automate the creation, modification and termination of user privileges throughout the entire user lifecycle. For internal enterprise users and for trusted partners or suppliers who need access to internal company resources, Security Identity Manager enables the organization to grant permission to access information and applications and then to control access as the user’s role and responsibilities change. Users are granted self-service capabilities in areas such as password reset, but the detailed workflow and processes for defining access rights based on role/job requirements and for avoiding access conflicts of interest make Security Identity Manager the most appropriate choice for effective internal identity management.

How Tivoli Federated Identity Manager helps

For business-to-business and business-to-consumer scenarios, in which organizations extend access to large numbers of external users, Tivoli Federated Identity Manager provides self-service enrollment capabilities, as well as federated SSO and centralized authentication support to enforce access control. It also validates users and eliminates the need to provide multiple IDs and passwords, reducing the workload for IT administrators. Using federated SSO and user access management techniques to help integrate this information can provide quick benefits and savings.

Tivoli Federated Identity Manager can expand collaboration with business partners who need limited access to internal resources by providing entry-level federation capabilities and by scaling to larger numbers of applications and users when necessary. The result: lower identity management costs, improved compliance and reporting, and simplified integration of services including centralized user access to software as a service.

Use case 2: User access to cloud-based services

A global financial services company with 120,000 employees, 3 million external users and operations in 50 countries implements a cloud computing architecture to standardize its IT infrastructure and services. In the process, the company consolidates several data centers into a few next-generation data centers. The hybrid cloud solution that results provides the company with an automated, virtualized infrastructure on a single platform with different servers, self-service request-driven provisioning from a service catalog, and secure access to services based on roles and business needs.
To achieve security management in its new cloud-based data centers, the organization implements Tivoli Federated Identity Manager, securing collaboration with business partners and providing SSO for external users into the hybrid cloud environment.

Similarly, an organization with 2,000 software engineers spread across 25 teams implements a developer cloud environment to give teams access to services whenever and wherever they need it. Users log in to request capabilities—including operating systems, memory, disk space, middleware and more—and gain access in minutes.

To achieve secure and dynamic access for users and to eliminate lag times in delivering that access, the organization implements Security Identity Manager. Password resets that used to take hours or days to complete now take only minutes—because users can log into a self-service portal and reset their passwords themselves. As new members join the team, they can gain rapid access to services, and as members depart, IT staff can remove their access rights to all systems with one command, rather than logging into dozens of different systems.

How Security Identity Manager helps

Giving internal users access to a cloud-based application is essentially the same as providing access to other applications. Security Identity Manager provides identity management capabilities that enable the organization to provide internal users, including privileged users, with self service and access rights to cloud-based services.

[Figure: Securing access to cloud-based applications and services. Panels: Enterprise IT organization; On-premise private cloud; Trusted partner/hybrid cloud (federated identity, security events, data entitlements); Public cloud; Dynamic infrastructure. Caption: With Tivoli Federated Identity Manager, the organization can centrally control access for large numbers of users to its cloud-based services hosted by external providers such as salesforce.com.]
How Tivoli Federated Identity Manager helps

Using cloud-based computing to provide online applications and data to a large group of users—everyone from employees in other parts of the organization to customers and business partners—requires particular attention to security. The larger the group, the more difficult it is to manage user identity. With Tivoli Federated Identity Manager, however, the organization can centrally manage and enforce access policies to on- and off-premises applications and services (including integrating with software-as-a-service and cloud-based solutions) and reduce IT administration costs while helping enterprises strengthen and automate user access rights.

Tivoli Federated Identity Manager’s SSO capabilities enable the user to go directly to cloud-based applications and information without having to manage identities within the cloud. The user’s identity is federated into the cloud transparently to the user. In a typical scenario, authentication of the user takes place outside the cloud and involves IBM Security Access Manager for Web, included within Tivoli Federated Identity Manager. Security Access Manager for Web, also available as a standalone offering, combines user access and web application protection into a highly scalable user authentication, authorization and web SSO solution. The Tivoli Federated Identity Manager package also includes IBM Tivoli Federated Identity Manager Business Gateway, which provides standalone capabilities to support federated SSO and integration into cloud and software-as-a-service offerings.

Use case 3: Business partner access and application integration

An insurance company is migrating its legacy, host-based application to a new portal-based solution and needs to provide service providers, mobile agents and clients with information on their policies and contracts. The organization also requires fine-grained, authorized access to insurance policies and contracts based on roles and additional attributes. Concern for compliance and data security issues leads the company to deploy Tivoli Federated Identity Manager and Tivoli Security Policy Manager to enable easy and secure SSO capabilities for both internal and external users, ensure an auditable record across the enterprise, and enforce data-level access control on a need-to-know basis.

[Figure: Single sign-on with centralized access management. Employees, business partners and clients reach cross-domain web applications, single-domain web applications and enterprise applications through one sign-on. Caption: Single sign-on can simplify user access to multiple applications and sources of data.]
How Tivoli Federated Identity Manager helps

Tivoli Federated Identity Manager simplifies application integration for identity management via an identity mediation service. Instead of requiring tiers of access for reaching the application, the solution validates, transforms and authenticates users one time to provide application access, whether it is to legacy mainframe-, Java- or Microsoft .NET-based applications. For enterprise users and business partners who require special access to secure information, this use of identity management provides a record as identities are mapped to access for audit and compliance use.

How Tivoli Security Policy Manager helps

Tivoli Security Policy Manager provides organizations the ability to manage and enforce fine-grained entitlement and data-level access control on a need-to-know basis. In the case of the insurance company, Tivoli Security Policy Manager allows mobile employees access to client contracts based on roles and on additional business attributes and context critical to ensuring privacy and data security.

IBM self-service solutions for internal and external users

Security Identity Manager and Tivoli Federated Identity Manager provide self-service functions for streamlined management of internal or external user access to business information and applications. The results can be dramatic—up to 80 percent reduction in provisioning time for new employee accounts, up to 40 percent reduction in identity management administrative costs and up to 35 percent reduction in password-related calls to the help desk.[1]

Security Identity Manager provides complete identity lifecycle management capabilities that support enrollment, permission and access control for the complete period in which a person is employed at a company—with management functions that also work for business partners, suppliers and other external constituents who may need trusted access to internal resources. The solution combines role management and user provisioning to deliver appropriate access rights to users. In addition, a hierarchical role structure streamlines administration and provides visibility into user access to infrastructure resources. Web self service for managing roles, accounts and passwords further simplifies administration and reduces administrative costs by enabling users to perform tasks themselves. Self-service requests can be configured to define which attributes are allowed for self service and which require approval. This is ideal for a high-volume, large-scale web environment where the exact identity of users is not known.

When users must access resources beyond their own organization, Tivoli Federated Identity Manager provides a highly scalable business-to-consumer self-service solution for enrollment, along with strong authentication, in which:

  • External users initiate enrollment and select their passwords.
  • The organization customizes challenge/response options, authentication methods and access to applications.
  • The user deletes the account when it is no longer needed.

Tivoli Federated Identity Manager provides the federated SSO and user access management techniques that are necessary for integration across organizational boundaries. The solution provides an identity trust management framework that enables an organization to know who is connecting to resources and what credentials they are using—without having to manage users individually. This is ideal for protecting assets where users are connected to critical resources from access points over the Internet or other less-secure environments.

The two solutions can be deployed independently or together. While Tivoli Federated Identity Manager manages user authentication and authorization to applications, Security Identity Manager focuses on the management of user identities and passwords in a closed-loop, workflow-based solution. Combining both products can provide access to an expanded set of applications and services. Organizations also can employ a phased implementation to gradually increase the number of users supported. This enables the organization to prove the solution’s business value with a smaller initial set of users, and then expand the number of supported users over time.

Security Identity Manager

This automated, centralized, policy-based solution utilizes roles, accounts and access permissions to manage user access throughout the entire user lifecycle. Using user self service, delegated administration, automated approvals processing, periodic revalidation of access rights, and documentation of controls, it can help increase user efficiency, reduce IT administration costs, enforce security and manage compliance. Security Identity Manager is designed to reduce cost and risk by easing the onboarding and off-boarding of users, and by reporting on user activity and ongoing access certification.

Security Identity Manager helps organizations solve major challenges of identity management: meeting internal and regulatory compliance requirements, maintaining an effective security posture and achieving a measurable return on investment.

[Figure caption: Security Identity Manager is a centralized source for identity management throughout the user lifecycle.]
Using Security Identity Manager, the organization can:

  • Simplify and reduce the cost of administration with streamlined group management and bulk user recertification
  • Reduce setup time and training with simplified policy, workflow and configuration
  • Support enhanced security and reduce help-desk costs with centralized password management
  • Correct and/or remove non-compliant access rights automatically or through periodic access recertification workflows
  • Enhance security and compliance with separation of duties
  • Define processes for workflow and provisioning using predefined templates

Separation-of-duties capabilities can strengthen security and compliance by creating, modifying or deleting policies that exclude users from membership in multiple roles that may present a business conflict. For example, a user in an accounts receivable role cannot also have an accounts payable role. This preventive approach can guard against violations occurring in the first place.

Security Identity Manager supports role-based provisioning, which grants access rights according to corporate policies and individual duties, as well as request-based user provisioning, which automatically routes a user’s requests for access to the appropriate manager for approval. The resulting flexibility helps organizations administer quick, secure user access. It enables the provisioning of new users in minutes rather than days so they can be productive as soon as possible.

Tivoli Federated Identity Manager

Tivoli Federated Identity Manager facilitates collaboration inside and outside an organization by delivering federated SSO. It provides a central, standards-based web access management system to manage and enforce user authentication, SSO and self service for business-to-business, business-to-employee and business-to-consumer deployments across the enterprise. For scenarios in which the number of consumers connecting and interacting with a company often numbers in the millions, this user-centric solution relieves the complexity and expense of provisioning and managing user accounts.

Tivoli Federated Identity Manager helps organizations establish a framework for knowing which users are connected to services and what credentials are being used to connect without having to manage individual users.

[Figure: Federation topology. Small business users reach a small business running Tivoli Federated Identity Manager Business Gateway; enterprise users at a financial enterprise and at a supplier enterprise run Tivoli Federated Identity Manager; all federate to external services such as Salesforce.com, Microsoft, Google Apps, IBM LotusLive and IBM Security Solutions. Caption: Tivoli Federated Identity Manager provides users external to the organization with easy-to-use, self-service access to services.]
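The separation-of-duties policy and the request-based provisioning workflow described under Security Identity Manager above, as an added Python example that is not part of the white paper or of any IBM product: a small identity store that rejects a role request violating a mutually exclusive roles policy before it reaches an approver, routes a permitted request to the user's manager, re-checks the policy at approval time, finds pre-existing conflicts during recertification, and revokes every entitlement at off-boarding in one operation. The users, roles, entitlement mapping and the AR-AP policy are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SodPolicy:
    """Separation-of-duties rule: no user may hold both roles at once."""
    name: str
    role_a: str
    role_b: str

    def violated_by(self, roles: set) -> bool:
        return self.role_a in roles and self.role_b in roles


@dataclass
class User:
    uid: str
    manager: str                      # approver for this user's access requests
    roles: set = field(default_factory=set)


# Hypothetical role -> entitlement mapping (constructed for this example).
ROLE_ENTITLEMENTS = {
    "accounts_receivable": {"erp.ar.post_receipt", "erp.customer.read"},
    "accounts_payable": {"erp.ap.pay_invoice", "erp.vendor.read"},
    "sales_portal_user": {"portal.login", "crm.opportunity.read"},
}


class IdentityStore:
    """Toy store with a preventive (request-time) and a detective (recertification) SoD check."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.users = {}
        self.pending = {}             # (uid, role) -> approver the request was routed to

    def add_user(self, user):
        self.users[user.uid] = user

    def sod_violations(self, roles):
        """Names of the policies a role set would violate (empty list = compliant)."""
        return [p.name for p in self.policies if p.violated_by(roles)]

    def request_role(self, uid, role):
        """Request-based provisioning: check SoD first, then route to the user's manager."""
        user = self.users[uid]
        if role not in ROLE_ENTITLEMENTS:
            return {"status": "rejected", "reason": "unknown role"}
        violations = self.sod_violations(user.roles | {role})
        if violations:                # preventive control: the conflict never reaches an approver
            return {"status": "rejected", "violations": violations}
        self.pending[(uid, role)] = user.manager
        return {"status": "pending", "approver": user.manager}

    def approve(self, uid, role, approver):
        """Only the routed approver may grant; SoD is re-evaluated because roles may have changed."""
        if self.pending.get((uid, role)) != approver:
            return False
        del self.pending[(uid, role)]
        user = self.users[uid]
        if self.sod_violations(user.roles | {role}):
            return False
        user.roles.add(role)          # role-based provisioning: entitlements follow the role
        return True

    def entitlements(self, uid):
        """Effective access rights derived from the user's current roles."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.users[uid].roles))

    def recertify(self):
        """Detective control: periodic scan for accounts that already hold conflicting roles."""
        return [(uid, name) for uid in sorted(self.users)
                for name in self.sod_violations(self.users[uid].roles)]

    def offboard(self, uid):
        """Remove the account and its pending requests in one operation; returns revoked rights."""
        revoked = self.entitlements(uid)
        del self.users[uid]
        self.pending = {k: v for k, v in self.pending.items() if k[0] != uid}
        return revoked


def build_demo_store():
    """Constructed sample data: one AR clerk, one new hire, one legacy account already in conflict."""
    store = IdentityStore([SodPolicy("AR-AP", "accounts_receivable", "accounts_payable")])
    store.add_user(User("alice", manager="carol", roles={"accounts_receivable"}))
    store.add_user(User("bob", manager="carol"))
    store.add_user(User("dave", manager="carol",
                        roles={"accounts_receivable", "accounts_payable"}))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.request_role("alice", "accounts_payable"))    # rejected: AR-AP conflict
    print(s.request_role("bob", "accounts_payable"))      # pending, routed to carol
    print(s.approve("bob", "accounts_payable", "carol"))  # True
    print(s.recertify())                                  # [('dave', 'AR-AP')]
    print(s.offboard("dave"))                             # every entitlement dave held
```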
Using Tivoli Federated Identity Manager, an organization can:

  • Provide federated SSO for secure information sharing across private, public and hybrid cloud deployments
  • Support user self care for business-to-consumer and mobile user scenarios with initial password selection, password change/reset, and the ability to customize challenge/response options for customer-specific needs
  • Manage user authentication and identification information about business partners through multiple open standards-based identity and security tokens
  • Reduce administrative costs, establish trust and facilitate compliance by managing, mapping and propagating user identities
  • Simplify integration with business partner websites to reduce security vulnerabilities
  • Allow users to share private information without needing to share user identities and passwords

Tivoli Federated Identity Manager provides automation for creating accounts, creating or modifying user profiles, and creating and changing passwords or secret questions. It is also an SOA identity service solution that provides end-to-end identity mediation and token validation across diverse applications, services and mash-ups through its Security Token Service (STS).

The IBM Security portfolio of identity and access management solutions

Security Identity Manager and Tivoli Federated Identity Manager are included within the IBM Security identity and access management portfolio, which enables organizations to control, monitor and authenticate user access to protected data and applications. These solutions balance security and usability, while also simplifying management of the complex user profiles and access needs in cloud computing environments. At the same time, they can help organizations cope with the security challenges of mobile workers and trusted insiders, who often pose the biggest threat to an organization’s information integrity and data privacy.

IBM: Your trusted partner for leading IT security solutions

The IBM Security Framework, an integrated portfolio of software, hardware and services built to deliver security intelligence, helps organizations address today’s complex security environment. The IBM Security Framework delivers a unified approach to enterprise security that manages key functions ranging from threat detection to user access, compliance, cost reduction and configuration management—and much more—all with a foundation in world-renowned research and development to help protect business-critical data, support compliance activities, and reduce the risk of today’s advanced threats.

For more information

To learn more about IBM Security solutions, contact your IBM representative or IBM Business Partner, or visit: ibm.com/security
About IBM Security solutions

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force® research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures.

IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.

Additionally, IBM Global Financing can help you acquire the software capabilities that your business needs in the most cost-effective and strategic way possible. We’ll partner with credit-qualified clients to customize a financing solution to suit your business and development goals, enable effective cash management, and improve your total cost of ownership. Fund your critical IT investment and propel your business forward with IBM Global Financing. For more information, visit: ibm.com/financing

© Copyright IBM Corporation 2013
IBM Corporation Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
February 2013

IBM, the IBM logo, ibm.com, Tivoli, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product or service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

[1] Results and savings based on IBM customer experience from installed systems.

TIW14069-USEN-01