Chapter 13. Secure Service ProvisioningDesign Strategies and Best Practices | Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management

Topics in This Chapter

Business Challenges
User Account Provisioning Architecture
Introduction to SPML
Service Provisioning Security Pattern
Best Practices and Pitfalls

Service Provisioning refers to the software services that enterprises use to centralize and manage the process of supplying users with access to corporate systems and business data. Provisioning security service for user accounts (or user account provisioning) is a variant of service provisioning that is specific to security services, for example, creation of user accounts, password reset, and synchronization of user credentials (such as passwords) across application systems. Application service provisioning is a specialized form of service provisioning that simplifies complex software installation and policies to make the application service available in advance. Service provisioning has become one of the emerging technologies and industry interests.

When a business expands its IT infrastructure to meet increasing business needs, it builds and extends many home-grown applications or commercial off-the-shelf packages. These applications or packages have their own account management and services components. For example, they may have different security policy for the password or user ID length. Some legacy applications or packages that were developed in the past may not be flexible enough to support a centralized identity management infrastructure. Thus, provisioning services across a large number of servers, applications, or packages, such as manually managing the creation of user accounts or synchronizing heterogeneous user identities is highly complex and challenging.

Cryptocard Technology [cryptocard] reports that provisioning security service for a user costs from US$68 to US$102 on average. This is based on industry surveys and research about creating a new user account or managing password changes. The unit cost includes the staff resources to create the service request, the integration effort to create a user account or reset a password across heterogeneous systems, and the operating expenses for maintaining and sustaining the underlying service provisioning architecture. In practice, service provisioning is more complex than just resetting the password or creating a new user account for a single system manually.

This chapter outlines the functionality provided by secure service provisioning and describes the technologies and standards available today. It also defines a service provisioning architecture and discusses the differentiators for security vendor products that support secure service provisioning. In this chapter, we focus on user account provisioning, which is one important component in managing user identities and security policies. Application service provisioning is not in scope of this book.