Identity management

In computer science, identity management is the management of the identity life cycle of entities (subjects or objects) during which:

  • (1a) the identity is established: a name (or number) is connected to the subject or object;
  • (1b) the identity is re-established: a new or additional name (or number) is connected to the subject or object;
  • (2a) the identity is described: one or more attributes which are applicable to this particular subject or object may be assigned to the identity;
  • (2b) the identity is newly described: one or more attributes which are applicable to this particular subject or object may be changed;
  • (3) the identity is destroyed.

Identity management in public and private domain

Identities may be managed by either the entities themselves or by other parties, which may be private parties (like for example employers or shops) or public parties (like personal records offices and immigration services).


Identity management in the public domain is known as National Identity Management. Following the 9/11 attacks, attempts are being made worldwide to improve the quality of National Identity Management, in particular through the application of biometrics to identity documents. However, it is doubtful whether biometrics will stop terrorists. See: http://secure.gvib.nl/afy_info_ID_1322.htm (TIAS Business School Eindhoven, thesis on Biometrics in National Identity Management).


Identity management and ICT (IdM) or Electronic Identity Management

Identity Management (IdM) has developed several interpretations in the IT industry and is now associated with the management of a user's credentials and the way they log on to an online system. However, this view is quite narrow. The focus on identity management goes back to the development of directories such as X.500, where a namespace is used to hold named objects that represent real-life "identified" entities such as countries, organizations, applications, subscribers and devices. X.509 defined certificates that carried identity attributes as two directory names, the certificate subject and the certificate issuer. X.509 certificates and PKI systems were used to prove one's online "identity". Identity management should therefore be considered as the management of information (as held in a directory) that represents real-life identified items (users, devices, services, etc.). Engineering such systems means that explicit information and identity engineering tasks become necessary.
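The two directory names carried by a certificate are structured names, not flat strings, and identity checks that treat them as flat strings go wrong as soon as a value contains a separator. The following added example (not part of the original article) parses names written in the common comma-separated string form and compares them component by component; the sample names, the function names and the simplified exact-match comparison of values are assumptions made for illustration.

```python
import re

def _split(s, sep):
    """Split s on unescaped sep, leaving backslash escapes in place."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])          # keep the escape pair together
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts

_ESC = re.compile(r"\\([0-9A-Fa-f]{2})|\\(.)", re.S)

def _unescape(value):
    # "\2C" (hex pair, ASCII only here) and "\," both decode to ","
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), value)

def parse_dn(dn):
    """Return the DN as a list of RDNs (most specific first); each RDN is a
    frozenset of (TYPE, value) pairs so multi-valued RDNs compare unordered."""
    rdns = []
    for rdn in _split(dn, ","):
        pairs = set()
        for ava in _split(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed name component: {ava!r}")
            pairs.add((attr.strip().upper(), _unescape(value.lstrip())))
        rdns.append(frozenset(pairs))
    return rdns

def is_subordinate(dn, base):
    """True if dn lies strictly below base in the directory namespace."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def is_self_issued(subject, issuer):
    """True if a certificate's subject and issuer names are the same name."""
    return parse_dn(subject) == parse_dn(issuer)

# Constructed sample names (not from the original page).
SUBJECT = r"CN=Jane Doe,OU=Staff,O=Example\, Inc.,C=NL"
ISSUER = r"CN=Example Issuing CA,O=Example\, Inc.,C=NL"
```

A plain `SUBJECT.split(",")` yields five pieces for this four-component name, and a string suffix test would accept `O=NotExample\, Inc.,C=NL` as lying under `O=Example\, Inc.,C=NL`; comparing parsed components avoids both mistakes.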


The term Identity engineering is used where one puts engineering effort into managing large numbers of interrelated items (which have identifiers or names).


IdM - two perspectives

In the real world context of engineering online systems, Identity Management can be given two perspectives:

  • The user access (log-on) paradigm - A smart card and its associated data that a customer uses to log on to a service or services (a traditional view);
  • The service paradigm - A system that delivers personalised, role-based, online, on-demand, multimedia (content), presence-based services to users and their devices.

The user access paradigm

Identity Management in the user "log on" perspective is an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users. It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems.


The service paradigm

In the service paradigm perspective, where organisations are evolving their systems to the converged services world, the scope of identity management becomes much larger and its application more critical. The scope of identity management includes all the resources of the company that are used to deliver online services. This includes devices, network equipment, servers, portals, content, applications and products as well as a user's credentials, address books, preferences, entitlements and telephone numbers. See Service Delivery Platform and Directory service.


Today many organisations are facing a major clean-up of their systems to bring identity coherence to their world. This coherence is required in order to deliver unified services to very large numbers of users on demand, cheaply, securely and with single customer view facilities.


Emerging fundamental points of IDM

  • IDM provides a significantly greater opportunity to an online business beyond the process of authenticating and authorizing users via cards, tokens and web access control systems.
  • User-based IDM is evolving from user/password and web access control systems to those that embrace preferences, parental controls, entitlements, policy based routing, presence and loyalty schemes.
  • IDM provides the focus to deal with the system-wide data quality and integrity issues often encountered with fragmented databases and workflow processes.
  • IDM embraces what the user actually gets in terms of products and services, and how and when they get them. Therefore IDM applies to the products and services of an organization such as health, media, insurance, travel or government services, as well as how these products are provisioned and assigned to (or removed from) "entitled" users.
  • IDM can deliver a single customer view that includes their presence and location, as well as single product and services views and single IT infrastructure and network views to the respective parties. IDM is therefore intrinsically related to information engineering and to information security and privacy.
  • IDM covers the machinery (system infrastructure components) that delivers such services because a user's service could be assigned to: a particular network technology; content title; usage rights; media server; mail server; soft switch; voice mail box; product catalogue set; security domain; Billing System; CRM or Help Desk and so on.
  • Critical to IDM projects are considerations of the online services of an organisation (what the users are logging on to) and how they are managed from an internal perspective and from the customer self-care perspective.

IDM Solutions

Solutions which fall under the category of Identity Management:


Management of Identities

Access Control

Directory Services

  • Identity Repository (directory services for administration of user account attributes)
  • Meta-data Replication/Synchronization
  • Directory Virtualization (virtual directory)
  • E-business scale directory systems
  • Next generation systems - CADS and CADS SDP

Other categories

Standards Initiatives

  • Project Liberty - An industry consortium
  • Shibboleth - Identity standards targeted towards educational environments.

The Wikipedia article included on this page is licensed under the GFDL.