Network Identity refers to a software solution that incorporates a set of network-concentric business processes and the supporting technology infrastructure to manage both the life cycle of identities and the relationship between these identities and business applications and information. The concept of network identity goes beyond simple user authentication or authorization for accessing applications and resources. It also entails the management aspects of the life cycle of identities and the implementation of business processes to support it. It is a useful distinction in the context of security breach issues and critical security flaws discussed in Chapter 1. Federated Identity refers to the use of identity information between companies and applications or across different security infrastructures over a network. Management of these identities is inter-company and inter-dependent. Federated identity extends the use of network identity within a company or enterprise to multiple business entities or security infrastructures. This includes complicated processes and implementations of how identities are registered, revoked, and terminated with an identity provider. Federated identity is obviously subject to more security risks and integration challenges than network identity. Single sign-on across companies is an example of federated identity functionality. It enables a user to access remote applications and resources by authenticating only once. After that single sign-on, a user's identity authentication is shared among different authentication security infrastructures. Identity management denotes the process of managing network identity and federated identity and provides the following functions:
OASIS [OASIS], as an industry effort, publishes a list of security standards supporting identity management. These standards include the following:
In addition, Liberty Alliance (http://www.projectliberty.org) is a consortium of more than 150 companies, nonprofit organizations, and government organizations worldwide that has developed open standards and specifications for enabling federated network identity architectures. These standards and specifications address key business requirements in terms of providing a single point of access to multiple resources. They also address enabling the integration and interoperability of legacy software products with an existing security infrastructure and other proprietary solutions. This chapter focuses on SAML, Liberty, and XACML, while Chapter 13, "Secure Service Provisioning," will cover SPML in more detail. The Importance of Identity ManagementIdentity management is becoming more important to application security, because security threats and identity fraud are becoming more common and complex, which makes it harder to prevent the related vulnerabilities. Having a robust identity management solution can lower administrative costs (via automated security service provisioning), enhance user productivity (via a streamlined user authentication process), and deliver strong and consistent security for end-to-end business applications (using a central, standards-based authentication point and shared credential management). In addition, it can foster new revenue opportunities through enhanced partnership opportunities. |