Identity Management: A Primer

Book Description

Identity Management: A Primer provides a complete and comprehensive overview of the elements required for a properly planned identity environment. In it, the authors cover the entire gamut of IDM-related matters, including directories; authentication; provisioning; role-based access control; single sign-on; governance, risk, and compliance; implementation and roadmap; public key infrastructure; electronic identity smartcards; and a wealth of other important topics. As the title indicates, this book is a primer in which the key issues of identity management are identified and appropriate strategies and preventative measures are covered in an easy-to-understand format with extensive use of real-world case study examples. Students and IT professionals alike will appreciate this resource as they seek to understand and master the complexity of identity in a virtual world.

Table of Contents

  1. Copyright
  2. About the Authors
  3. Foreword
  4. Introduction
    1. What Is Identity Management?
    2. The History: Where Has Identity Management Come From?
    3. The Current Status: What's the State of the Industry?
    4. The Future: What to Look Out For and What to Avoid
      1. What Are the Pitfalls?
      2. What Is the Future?
  5. 1. Identity
    1. 1.1. What Are the Components of a Person's Identity?
    2. 1.2. So Where Does Privacy Fit In?
      1. 1.2.1. Privacy Rules
      2. 1.2.2. Is This Where a "Trusted Third Party" Fits In?
    3. 1.3. Where Do Roles Fit Into the Concept of an Identity?
    4. 1.4. Can I Have Multiple Identities in an Identity Management Environment?
    5. 1.5. Discussion Questions
    6. 1.6. Case Study
      1. 1.6.1. Questions
  6. 2. Managing Identities and Identity Stores
    1. 2.1. Identities and User Accounts
    2. 2.2. What Is an Identity Store?
    3. 2.3. Why Multiple Stores Are a Fact of Life
      1. 2.3.1. The Options
      2. 2.3.2. Central Directory Server
      3. 2.3.3. Distributed Repositories
    4. 2.4. Strategies for Multiple-Store Environments
      1. 2.4.1. Directory Provisioning
    5. 2.5. Managing Roles
    6. 2.6. Role Modeling
    7. 2.7. Delegated Administration and Self-Service
    8. 2.8. Discussion Questions
    9. 2.9. Case Study
  7. 3. Directories
    1. 3.1. Schemas and Namespace Planning
      1. 3.1.1. Object Classes
      2. 3.1.2. X.500
      3. 3.1.3. When Is a DN an RDN?
      4. 3.1.4. Directory Namespace
      5. 3.1.5. LDAP
    2. 3.2. The Power of a DIT
    3. 3.3. Issues to Be Aware Of
    4. 3.4. Authoritative Sources
    5. 3.5. Directory and Database Design
    6. 3.6. Virtual Directory
    7. 3.7. The "M" Word
    8. 3.8. Selecting a Configuration
      1. 3.8.1. Central Directory Configurations
        1. 3.8.1.1. Logical
        2. 3.8.1.2. Physical
    9. 3.9. Discussion Questions
    10. 3.10. Case Study
  8. 4. Authentication and Access Control
    1. 4.1. Methods of Authentication
      1. 4.1.1. Identification
      2. 4.1.2. Protection
      3. 4.1.3. Combining Authentication Methods
        1. 4.1.3.1. One-factor Authentication
        2. 4.1.3.2. Two-factor Authentication
        3. 4.1.3.3. Three-factor Authentication
      4. 4.1.4. Choosing a Methodology That's Right for You
    2. 4.2. Levels of Authentication
    3. 4.3. Authentication Assurance Levels
    4. 4.4. Registration Assurance Levels
    5. 4.5. Access Control
      1. 4.5.1. Identities and Access Control
      2. 4.5.2. Single Sign-on
        1. 4.5.2.1. Enterprise SSO
        2. 4.5.2.2. Web SSO
      3. 4.5.3. Fine-grained Access Control (a.k.a. Entitlement Management)
      4. 4.5.4. XACML
    6. 4.6. Discussion Questions
    7. 4.7. Case Study
  9. 5. Provisioning
    1. 5.1. The Mark of a Robust Process
    2. 5.2. Zero-day Start
    3. 5.3. Business System Issues
    4. 5.4. Workflow
    5. 5.5. The Role of Roles
    6. 5.6. The Benefits of Roles
    7. 5.7. Automating a Provisioning System
    8. 5.8. Sequential and Parallel Authorization
    9. 5.9. Discussion Questions
    10. 5.10. Case Study
  10. 6. Role-Based Access Control
    1. 6.1. So What Is RBAC?
    2. 6.2. Why Is RBAC Important?
      1. 6.2.1. Increased Productivity and Efficiency
      2. 6.2.2. Increased Security
      3. 6.2.3. Business Visibility of Security Administration
      4. 6.2.4. Speed of Response to Business and Organizational Change
      5. 6.2.5. Management of Heterogeneous Systems
      6. 6.2.6. Scalability
      7. 6.2.7. Improved Business Processes and Value-chain Efficiency
      8. 6.2.8. Regulatory and Legal Requirements and Corporate Governance
    3. 6.3. How Should RBAC Be Implemented?
      1. 6.3.1. How Many Roles Should There Be?
      2. 6.3.2. How Do You Handle Exceptions?
    4. 6.4. Role Discovery
    5. 6.5. A Word of Caution
    6. 6.6. Discussion Questions
    7. 6.7. Case Study
  11. 7. Single Sign-on and Federated Authentication
    1. 7.1. Single Sign-on for the Enterprise
      1. 7.1.1. ESSO
      2. 7.1.2. SSO Sessions
        1. 7.1.2.1. Integrated Windows Authentication
    2. 7.2. Web SSO
      1. 7.2.1. The Use of Proxies and Agents
      2. 7.2.2. A Word About Policy Enforcement
    3. 7.3. Federated Authentication
      1. 7.3.1. The Components: ID Providers and Service Providers
      2. 7.3.2. WAYFs and Other Things
      3. 7.3.3. What Are the Pitfalls?
    4. 7.4. Discussion Questions
    5. 7.5. Case Study
  12. 8. Governance, Risk, and Compliance
    1. 8.1. HR Pattern-based Auditing
    2. 8.2. Pattern Reporting
    3. 8.3. Business Policies (IT Controls and SoD Rules)
    4. 8.4. Best Practices for System Cleansing and Auditing
    5. 8.5. Sample Graphs
    6. 8.6. Federated Authentication Auditing
    7. 8.7. Discussion Questions
    8. 8.8. Case Study
  13. 9. Implementation and Roadmap
    1. 9.1. Getting Started
      1. 9.1.1. Engage the Sponsor and Identify the Stakeholders
      2. 9.1.2. Evaluate Business Needs
      3. 9.1.3. Evaluate the Existing IT Environment
      4. 9.1.4. Perform Gap Analysis
      5. 9.1.5. List and Evaluate Possible Technical Solutions
      6. 9.1.6. Risk Analysis
      7. 9.1.7. Create a Roadmap
      8. 9.1.8. Consider an RFP Process Based on Your Findings
      9. 9.1.9. Create the Program Roadmap
    2. 9.2. Setting Out
    3. 9.3. Physical Implementation
    4. 9.4. Typical Project Structure
      1. 9.4.1. A Risk Assessment Template
    5. 9.5. Sample Roadmap
    6. 9.6. Navigating the Political Landscape
      1. 9.6.1. Involving the Stakeholders
    7. 9.7. Challenges
      1. 9.7.1. Budget, Budget, Budget
      2. 9.7.2. Skilled Resources
      3. 9.7.3. Corporate Structure and Governance Model
      4. 9.7.4. Vendor "Churn"
      5. 9.7.5. The Games Vendors Play
      6. 9.7.6. The Importance of Project Management
    8. 9.8. Discussion Questions
    9. 9.9. Case Study
  14. 10. Public Key Infrastructure
    1. 10.1. Why Do We Need PKI?
    2. 10.2. How Does PKI Work?
      1. 10.2.1. Some Terminology
    3. 10.3. How Is PKI Used?
      1. 10.3.1. Server-side PKI
      2. 10.3.2. Client-side PKI
    4. 10.4. The Components
      1. 10.4.1. Certificate Authority
      2. 10.4.2. Issuing Process
      3. 10.4.3. Revocation Process
        1. 10.4.3.1. Certificate Revocation List
        2. 10.4.3.2. OCSP Responder
      4. 10.4.4. Certificate Policy and Certificate Practice Statements
      5. 10.4.5. X.509 Certificate Usage
      6. 10.4.6. CA Hierarchy
      7. 10.4.7. Certificate Server
    5. 10.5. Key Generation
    6. 10.6. Certificate Management
    7. 10.7. Certificate Issues
    8. 10.8. Implementation Considerations
      1. 10.8.1. Certificate Production
      2. 10.8.2. Certificate Key Generation
      3. 10.8.3. Certificate Revocation
      4. 10.8.4. Token Storage
      5. 10.8.5. Storage Device Production
    9. 10.9. A Final Comment
    10. 10.10. Discussion Questions
    11. 10.11. Case Study
  15. 11. Electronic Identity Smartcards
    1. 11.1. History
      1. 11.1.1. Financial Sector
      2. 11.1.2. Mobile Phone Sector
      3. 11.1.3. Ticketing Sector
      4. 11.1.4. Identification Sector
    2. 11.2. Interoperability
    3. 11.3. Privacy
    4. 11.4. Deployment Issues
      1. 11.4.1. Card Production System Configuration
        1. 11.4.1.1. Registration System
        2. 11.4.1.2. Smartcard Management System
        3. 11.4.1.3. Hardware Security Module
        4. 11.4.1.4. Collator
        5. 11.4.1.5. Printer
      2. 11.4.2. Physical Layout
      3. 11.4.3. Data Structure
      4. 11.4.4. Card Type
      5. 11.4.5. Card Lifecycle
    5. 11.5. An Ideal Platform
    6. 11.6. Discussion Questions
    7. 11.7. Case Study
  16. A. Case Scenario
    1. A.1. Background
    2. A.2. The "As-Is" Situation
    3. A.3. The "To-Be" Requirement
    4. A.4. Constraints
    5. A.5. System Descriptions
      1. A.5.1. Student System
      2. A.5.2. Staff System
      3. A.5.3. Associates System
      4. A.5.4. Library System
      5. A.5.5. ID Card System
    6. A.6. Data Repositories
      1. A.6.1. Staff Directory
      2. A.6.2. Active Directory
      3. A.6.3. Community Database
    7. A.7. Program of Work
      1. A.7.1. Activity 1: Policy Definition and Core Directory Establishment
      2. A.7.2. Activity 2: Identity Management and Automatic Provisioning
      3. A.7.3. Activity 3: Workflow-based Provisioning
      4. A.7.4. Activity 4: Web Single Sign-On (SSO)
      5. A.7.5. Activity 5: Federated Authentication
      6. A.7.6. Activity 6: Server Account Management
      7. A.7.7. Activity 7: Role Management and Fine-grained Authorization
    8. A.8. Exercise
  17. B. Standards
    1. B.1. Directory Standards
    2. B.2. Authentication Standards
  18. C. Glossary
  19. D. Public Key Cryptography Standards
  20. E. X.509 Specification
  21. F. Key Lengths