Digital identities — in the form of user accounts and their associated passwords — are the means by which network administrators implement access controls to network resources. When your network is small and users only need access to a few data sources and applications, managing those identities is relatively simple. But as the organisation grows and becomes more complex, identity management can turn into identity chaos, unless you plan ahead to develop a strategy for keeping all those accounts and passwords under control.
Identity management becomes even more complicated when a single user has multiple accounts. For example, an employee might need to log onto a Windows Active Directory domain, access Novell eDirectory resources, and use custom applications that require him to provide credentials. And when companies merge, user account information from different directories and other identity stores must be combined.
Luckily, there are numerous solutions available to help you make it easier for your users to access the servers, applications and data they need, even in a network environment that spans multiple forests or multiple organisations (a federation). Let's take a look at some of your options, based on business size, network complexity and user needs.
The purpose of an identity management scheme
Identity management helps to simplify life for both users and administrators. Multiple accounts with different passwords require a lot of memorisation on the parts of users. Many will be tempted to use simple (easily cracked) passwords or to write their passwords down, which poses a risk to security. A good identity management scheme can solve this problem in one of two ways:
- Password synchronisation
- Single sign-on
Although at first glance these may appear to be the same, they work quite differently. Password synchronisation refers to a means of ensuring that the user's password is the same for all accounts and applications. Password synchronisation software allows a user to change his password once and have the change propagated to all of his accounts.
Single sign-on uses a "master" account and password. The user still has different passwords for different applications, but he doesn't have to enter them to access the applications. Instead, he signs on once with the "master" credentials and the single sign-on software retrieves the necessary credentials when needs to access a particular application and enters them automatically. The user doesn't have to remember all of those passwords (in fact, he doesn't have to ever know them; the individual application passwords can be generated for him).
Identity management makes the administrator's job easier by providing centralised provisioning (creation and maintenance) and deprovisioning (removal) of user accounts and making it easy to delegate administration over specific accounts to others. A good identity management scheme also includes self-service functionality so that users can perform some of their account management tasks (such as resetting their passwords) themselves, relieving administrators of that chore.
How identity information is stored
Identity information for a single user can be stored in many different locations and formats on the network. For example:
- Operating system logon credentials are stored in Active Directory on Windows 2000/2003 domains.
- Email account information is stored in a Global Address List (GAL) for Exchange servers.
- Application credentials can be stored in LDAP-compatible directories, in SQL or Oracle relational databases, or in flat text files (comma delimited, XML etc.).
