Centralise identity management and stop reinventing the IT wheel
A key problem confronting many organisations today is IT service duplication.
When IT services are created in specific ways, to meet specific needs, they often involve underlying features or functionalities that could conceivably be utilised for alternate purposes as well. But unless these services are specifically designed with that possibility in mind, such cross-contextual utilisation cannot take place. Organisational resources must, therefore, be dedicated to recreating them over and over again.
For this reason, service-oriented architecture (SOA) has become an attractive alternative to domain-specific solutions. Through SOA, the organisation is empowered to focus on what matters: not the technology per se, but the service it provides. Once key services have been created and implemented, they can be delivered to any application that requires them, across domains, technologies and business contexts, thus maximising the business value they generate while also simplifying and consolidating the overall infrastructure.
In this light, identity management, the process of managing a wide range of user identities and their access to IT services, represents a particularly compelling opportunity for organisations interested in SOA. Consider the general problem of authenticating and validating users; this is a situation that comes up again and again, and solutions addressing it have, in the past, tended to focus on specific technologies or services.
A more cost-effective, simplified approach as suggested by SOA would allow the organisation to implement identity management once, as an underlying service designed to drive other services, then leverage it in as many ways as the organisation needs. This approach not only decreases the resources required for the service, but also helps to secure the organisation through federated control and management.
Furthermore, it renders the IT infrastructure more flexible and scalable. Changes made to the federated identity management system will instantly be delivered to all of its invoking applications, thus spurring a faster realisation of emerging business strategies.
For instance, consider cloud computing as a means of implementing software as a service (SaaS) or Web 2.0-style social networking; these are business strategies likely to benefit enormously from scalable, federated identity management because in both cases scalable, secure user validation on a mass scale is a crucial part of the strategy. And in the area of compliance, too, key wins are created by simplifying the work the organisation must do in order to ensure that compliance is achieved, both with internal security protocols and external government regulations.
Centralise identity management with IBM Tivoli Federated Identity Manager 6.2
All of these benefits come with IBM Tivoli Federated Identity Manager 6.2 (TFIM), a centralised tool for managing authentication and validation requests across Java, .NET and mainframe environments. TFIM is designed to deliver on IBM’s service management framework of Visibility (seeing the business), Control (controlling the business) and Automation (industrialising the business, wherever that makes best business sense).
How does it accomplish this? Visibility is achieved through application integration across heterogeneous environments: organisations can easily manage user identities despite the fact that they apply in many different contexts. Control is achieved by minimising compliance exposure; when one tool is responsible for identity management, it is relatively simple to modify it as required to ensure regulation compliance. And Automation represents perhaps the most straightforward demonstration of TFIM’s many benefits. Business and user collaboration is enhanced, made more secure and accelerated because TFIM automatically does much of the work required to verify that the right people get the right access to the right services and data.
TFIM improves access visibility for the Enterprise Service Bus
One particularly elegant way to deploy TFIM within an organisation lies in coupling it with an Enterprise Service Bus (ESB), essentially a flexible infrastructure used to integrate different applications and services. ESBs connect isolated domains by routing messages between services, converting transport protocols and handling business events in order to orchestrate a big-picture business outcome.
Here, TFIM plays a vital role. User identities are decoupled from the requesting application; the ESB simply invokes TFIM to validate them whenever necessary. This means that applications using the ESB need not be coded with validation or authentication per se, yet they are nevertheless secure. Business risk is reduced, application creation cycles are faster and compliance is simplified because all changes to security are outsourced to TFIM and thus centralised and easy to audit. As users access services via the ESB, that access is rendered more visible via TFIM, helping organisations achieve and demonstrate compliance.
Secure services outside company walls
Alternatively, consider TFIM as a means of extending key IT services beyond organisational walls to business partners or clients. While such a strategy can deliver new revenue by pairing services with customer needs and interests, once again, maximising security is absolutely essential if the strategy really is to deliver business value.
And in this context as well, TFIM delivers. Organisations with an IBM System z mainframe, for example, can deploy TFIM for z/OS to secure Web services via centralised z/OS security. Included support for multiple security tokens, including SAML assertions, RACF PassTickets, X.509 certificates and Kerberos tickets, allows the organisation to securely map identity pools, connecting Web service transaction access to actual user identities and thus enhancing end-user accountability and transparency. And in massively parallel, cloud-computing infrastructures designed to support Web 2.0 initiatives, which involve enormous pools of external users constantly logging in to leverage IT services, TFIM’s many authentication management features deliver similar business value.
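The ESB pattern described under "TFIM improves access visibility for the Enterprise Service Bus" and the token-mapping support described just above both reduce to one mechanism: an inbound partner token is validated, mapped to an internal identity, and replaced by a token the backend trusts, with the bus doing the calling. The following is an added example, not IBM or TFIM code; it models that chain in plain Python with a constructed token format standing in for SAML assertions, constructed issuer names and keys, and a constructed identity-mapping table, so that the only thing the backend ever verifies is one internal issuer.

```python
"""Added example, not IBM or TFIM code: a toy three-step trust chain
(validate -> map -> issue) invoked by a message gateway in the ESB role, so
the backend never handles partner tokens. Issuer names, keys, the token
format and the mapping table are all constructed for this demonstration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: MAC keys shared with trusted external issuers, keyed by issuer name.
ISSUER_KEYS = {"partner-a": b"partner-a-secret", "partner-b": b"partner-b-secret"}
# Constructed: identity pool mapping (issuer, external subject) -> internal user id.
IDENTITY_MAP = {
    ("partner-a", "alice@partner-a.example"): "ALICE01",
    ("partner-b", "svc-orders"): "SVCORD",
}
INTERNAL_KEY = b"internal-issuer-secret"  # constructed: the one key the backend trusts


class TrustError(Exception):
    """Raised by any chain module that refuses the request."""


def _sign(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _encode(claims: dict, key: bytes) -> str:
    """Constructed token format (stand-in for a SAML assertion): base64(json).hmac-hex."""
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body, key)


def _decode(token: str):
    """Split a token into (raw body, claims dict, signature); TrustError if malformed."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
        claims = json.loads(body)
    except (ValueError, TypeError):
        raise TrustError("malformed token")
    if not isinstance(claims, dict):
        raise TrustError("malformed token")
    return body, claims, sig


def make_partner_token(issuer, subject, key, ttl=300, now=None):
    """Mint a constructed inbound token the way a partner issuer would."""
    now = time.time() if now is None else now
    return _encode({"iss": issuer, "sub": subject, "exp": now + ttl}, key)


# --- trust chain modules ------------------------------------------------------
def validate(token, now=None):
    """Module 1: issuer must be known, signature must verify, token must be unexpired."""
    now = time.time() if now is None else now
    body, claims, sig = _decode(token)
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        raise TrustError("unknown issuer")
    if not hmac.compare_digest(_sign(body, key), sig):  # constant-time comparison
        raise TrustError("bad signature")
    if claims.get("exp", 0) < now:
        raise TrustError("token expired")
    return claims


def map_identity(claims):
    """Module 2: map the external subject to an internal user; unmapped subjects are refused."""
    try:
        return IDENTITY_MAP[(claims["iss"], claims["sub"])]
    except KeyError:
        raise TrustError("no mapping for subject")


def issue_internal(user_id, now=None):
    """Module 3: issue a short-lived token in the single format the backend accepts."""
    now = time.time() if now is None else now
    return _encode({"iss": "trust-service", "sub": user_id, "exp": now + 60}, INTERNAL_KEY)


def run_trust_chain(token, now=None):
    return issue_internal(map_identity(validate(token, now)), now)


# --- ESB / gateway role -------------------------------------------------------
def gateway_route(message, now=None):
    """The bus strips the partner token, runs the chain and forwards only the internal
    token; each rejection carries its reason so it can be logged and audited centrally."""
    try:
        internal = run_trust_chain(message["token"], now)
    except TrustError as err:
        return {"status": "rejected", "reason": str(err)}
    return backend_service({"body": message["body"], "internal_token": internal}, now)


def backend_service(request, now=None):
    """The application checks only the internal issuer's key and expiry; it knows
    nothing about partner token formats, partner keys or identity mappings."""
    now = time.time() if now is None else now
    body, claims, sig = _decode(request["internal_token"])
    if not hmac.compare_digest(_sign(body, INTERNAL_KEY), sig) or claims.get("exp", 0) < now:
        return {"status": "rejected", "reason": "internal token invalid"}
    return {"status": "ok", "user": claims["sub"], "echo": request["body"]}
```

The point of the split is where change lands: adding a partner, rotating a partner key or re-mapping a subject touches only the chain's tables, and every refusal (unknown issuer, bad signature, expiry, missing mapping) is produced and recorded in one place rather than in each application.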
TFIM now also supports OpenID, an emerging protocol for single sign-on (SSO) that allows users of Web applications to log on only once, even when services or applications span multiple systems. This new support not only simplifies the experience for the end-user, but also enhances security for both the end-user and the organisation. External identity providers chosen by the user can now be leveraged via OpenID to facilitate trusted communications across different Web sites or applications; in a typical scenario, the identity provider and application provider are not even aware of each other until an SSO transaction is requested.
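The scenario above, in which the identity provider and the application first meet when an SSO transaction is requested, is what the OpenID association and assertion exchange is for. The following is an added example, not IBM or TFIM code, that models both sides of an OpenID 2.0-style exchange in Python: the relying party (the Web application) associates with the user's provider on demand, receives a signed positive assertion, and accepts it only after checking the return URL, the association, the signature and a replay nonce. Field names follow the OpenID 2.0 message format; HTTP redirects, discovery and the Diffie-Hellman step of association are reduced to direct calls, and every URL, user name and password is constructed for the demonstration.

```python
"""Added example, not IBM or TFIM code: a minimal model of an OpenID 2.0-style
single sign-on exchange between a relying party (RP) and an OpenID provider (OP)
chosen by the user, with no prior relationship between the two. Transport,
discovery and Diffie-Hellman key agreement are simplified away; all identifiers
are constructed."""
import base64
import hashlib
import hmac
import os
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields an RP must see covered by the signature before trusting an assertion.
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def sign_fields(fields, mac_key):
    """OpenID key-value signing: 'key:value\\n' per listed field, HMAC-SHA256, base64."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


class IdentityProvider:
    """The OP the user trusts with their password; the RP never sees that password."""

    def __init__(self, endpoint, users):
        self.endpoint = endpoint
        self.users = users          # constructed: username -> (password, identity URL)
        self.assocs = {}            # assoc_handle -> MAC key

    def associate(self):
        """Mint a handle and MAC key the RP will verify assertions with. Real OpenID
        wraps the key with Diffie-Hellman; here assume the request travelled over TLS."""
        handle = secrets.token_hex(8)
        self.assocs[handle] = os.urandom(32)
        return {"assoc_handle": handle, "mac_key": self.assocs[handle]}

    def checkid_setup(self, request, username, password):
        """The user logs in at the OP once; a positive assertion is signed with the
        association key and bound to the RP's return_to URL and a fresh nonce."""
        rec = self.users.get(username)
        key = self.assocs.get(request.get("openid.assoc_handle"))
        if (rec is None or key is None or not hmac.compare_digest(rec[0], password)
                or rec[1] != request.get("openid.identity")):
            return {"openid.ns": OPENID_NS, "openid.mode": "cancel"}
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4)
        fields = {"ns": OPENID_NS, "mode": "id_res", "op_endpoint": self.endpoint,
                  "claimed_id": request["openid.claimed_id"], "identity": request["openid.identity"],
                  "return_to": request["openid.return_to"], "response_nonce": nonce,
                  "assoc_handle": request["openid.assoc_handle"], "signed": SIGNED}
        fields["sig"] = sign_fields(fields, key)
        return {"openid." + k: v for k, v in fields.items()}


class RelyingParty:
    """The Web application; it learns the user's OP only from the claimed identifier."""

    def __init__(self, return_to):
        self.return_to = return_to
        self.assocs = {}            # (op_endpoint, assoc_handle) -> MAC key
        self.seen_nonces = set()    # replay protection for positive assertions

    def begin(self, op, claimed_id):
        """After discovery has yielded the OP endpoint: associate, then build the
        checkid_setup request the user's browser would be redirected with."""
        a = op.associate()
        self.assocs[(op.endpoint, a["assoc_handle"])] = a["mac_key"]
        return {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
                "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
                "openid.return_to": self.return_to, "openid.assoc_handle": a["assoc_handle"]}

    def complete(self, response):
        """Verify a returned assertion; None means 'do not log the user in'."""
        if response.get("openid.mode") != "id_res":
            return None                                  # cancelled, or not an assertion
        if response.get("openid.return_to") != self.return_to:
            return None                                  # assertion meant for another site
        key = self.assocs.get((response.get("openid.op_endpoint"), response.get("openid.assoc_handle")))
        if key is None:
            return None                                  # unknown association or OP
        fields = {k[len("openid."):]: v for k, v in response.items()}
        if fields.get("signed") != SIGNED:
            return None                                  # required fields not all signed
        if not hmac.compare_digest(sign_fields(fields, key), response.get("openid.sig", "")):
            return None                                  # tampered or forged
        nonce = response["openid.response_nonce"]
        if nonce in self.seen_nonces:
            return None                                  # replayed assertion
        self.seen_nonces.add(nonce)
        return response["openid.claimed_id"]
```

Two checks in `complete` carry most of the security weight: the `return_to` comparison stops an assertion issued for one site being presented to another, and the nonce set stops a captured assertion being presented twice. Both are the relying party's responsibility, not the provider's, which is why a centralised SSO component that performs them once on behalf of every application is worth having.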
What’s more, because TFIM supports options such as Microsoft Windows CardSpace and the Higgins Trust Framework, it becomes possible to eliminate the need to log in with passwords at all. Instead, users have a “self-issued card,” which is then leveraged by TFIM as a means of brokering connections between service providers and the designated application.
Innovations simplify management and compliance
Other new features of TFIM 6.2 include:
- Improved ease of administration via a new command line interface to create scripts or execute common TFIM management tasks. These include TFIM domain management, key management, TFIM’s alias service, point-of-contact management, TFIM reporting commands, SAM 2.0 user administration, new configuration activation and others. All configurations required to perform SSO can now be handled using the command line interface.
- A trust chain editor. This improved editor now simplifies and accelerates end-to-end identity propagation across heterogeneous application environments with the help of a chain-mapping wizard.
- Integrated compliance reporting with Tivoli Security Information and Event Manager (TSIEM). TSIEM can now access and report on TFIM user/admin activities, comparing them to security policies and sending alerts to designated staff when appropriate. TFIM can also generate action reports, should they be required during an audit.
TFIM 6.2 thus serves as a powerful tool to enhance security, drive compliance initiatives, realise SOA goals and lock down new services created to meet customer demand, all through an optimised, federated approach that will elegantly scale in proportion to the organisation’s needs.
Learn more
- IBM Tivoli Federated Identity Manager
- IBM Tivoli Security Information and Event Manager
- Security and management for SOA environments