1. Introduction

During the last half of the decade, the economy has been going through a cyclic process: businesses have been encouraged to cut spending, leading to layoffs of all sizes; mergers and acquisitions of great proportions have been occurring; and employee dissatisfaction has at times led to corporate negligence, espionage and identity fraud. Corporations have learned that to succeed in this type of environment they must be versatile, lean and economically diligent. This often does not sit well with their employees, since it frequently means going through lay-off procedures. Another major initiative in curbing spending has been to develop and further enhance business practices.
All the concepts just described have one common theme: managing identities, and securely and effectively provisioning and de-provisioning them, to resources inside and outside your organisation. This may sound easy, but new technologies bring the hurdles of developing and incorporating business practices, privacy policies and corporate goals, because the technologies are often immature and may have raised visibility with management, especially given the great cost of purchasing and implementing them. It is therefore worth discussing where the technology has gone and how standards such as the Service Provisioning Mark-up Language (SPML) are being developed to ensure the longevity of the technologies a company has invested in. Investments have been great enough that companies are determined to ensure the technologies improve the efficiency of their organisations, but provisioning is a difficult tool to implement both from a business-process point of view and from a deployment point of view.
Throughout this paper I will discuss the concept of identities, define provisioning and explain how SPML can make a difference, especially as businesses mature. Understanding what identities are, how provisioning came about and why technologies like SPML are important is essential to making provisioning deployments successful. I will start by defining what an identity is and why identities need to be managed, then move into the technology of provisioning, provide a business scenario, and explain why SPML is such an important technology among the many XML standards.
1.1. What are identities?

User identities are the pieces of information that identify you and your associations: at work, at home, with your friends, on the phone, on the Internet, everywhere. In the scope of this paper, identities are at the core of your business. To allow users to utilise and benefit from the many applications and services offered today, organisations of all types assign identifiers, or unique codes, to individuals in order to represent their uniqueness to the organisation and to map them easily to applications and services. Individuals may take on multiple roles throughout their time with an employer, using these identifiers as their digital identities as they move through the organisational structure. The identifiers may change form as they are adapted from business to business or from supplier to manufacturer, but their uniqueness maps back to the original identifier. Identities are required for all users, including employees, business partners and customers. As online operations become the standard of today's business model, identity is also becoming a key asset at all levels of business operations.
User provisioning with SPML

Gavenraj Sodhi, Computer Associates, Irvine, California, 92694, USA

Information Security Technical Report, Vol. 9, No. 1. 1363-4127/04, 2004 Elsevier Ltd

Gavenraj Sodhi is Product Manager, eTrust, at Computer Associates International, Inc. (CA). In this role he is responsible for defining and evangelising the product and marketing strategy for the eTrust Admin product line and contributes to the overall Identity and Access Management security solution strategy within CA's eTrust brand unit. He is co-founder and current secretary of the Provisioning Services Technical Committee (PSTC), creators of the Service Provisioning Mark-up Language (SPML) standard, chairs the Mobile & Directory Challenge, and serves on a number of industry consortia groups including the Identity Management Steering Committee within The Open Group. Gavenraj holds a degree in Chemical Engineering from Illinois Institute of Technology and a Masters in Business Administration from the University of Phoenix. Previously he served in a variety of positions in the provisioning and identity and access management space for a number of years at Business Layers (Netegrity) and Access360 (IBM).
1.2. The management of identities for provisioning

Multiple, parallel approaches to managing identities have often appeared even within a single company. However, identities cannot be securely and cost-effectively managed in silos. A consistent, efficient and secure method is needed to manage identities both internally and externally. Managing identities and identifiers across this complex landscape is now a core organisational survival skill, requiring consistent, cost-effective administration and enforcement of access privileges with end-to-end auditing of all identity-related activity.
The proliferation of identities has also increased the need to manage access to business assets. An organisation's success depends on the integrity, confidentiality and privacy of its information and processes, together with the ability to audit governance, compliance and use. Because today's business systems are all too accessible, organisations need fine-grained, policy-based protection for their mission-critical data and services.
2. Business and technology trends

Organisations want to leverage the 24/7 availability of the Web to provide their customers with access to information. In many cases this also includes the ability to place orders, track shipments and delivery dates, ask questions and contact customer service representatives. However, we are also living in a time concerned with identity theft and the security of personal data as well as financial and other confidential business data. Additional concerns are posed by super users, who can gain unrestricted access to virtually all of your files and commands regardless of their permissions, and by ghost users, where some access points are not revoked after an employee leaves a company. Today, organisations need to provide auditable proof that only appropriate access is granted to critical data.
2.1. Dimensions of identity and access management

Organisations need to manage relationships with multiple and distinct populations of identities. These may include employees, customers and business partners. Every type of population requires identity and access management, but each has its own unique requirements:
- Employee populations need a traditional, inward-facing security management solution that focuses on users' access to physical resources and IT systems and protects internal systems. In addition, it must reduce costs and improve auditing while supporting tens or hundreds of thousands of users. Key to its success is the integration of the solution itself, as well as its integration with business processes.

- Customer populations need an outward-facing security management solution that enables provisioning of secure Web access to customer services. From the business perspective its focus is on customer acquisition and enabling new customer services; from the customer's perspective its focus is on ease of use and the confidentiality of personal data and transactions. Additionally, this solution must scale to support tens of millions of customers.

- Business-oriented identity and access management, also known as B2B (business to business), is focused on cross-organisational transactions. It depends upon legal frameworks that allow transactions to occur securely between independent entities. It supplies a secure Web services infrastructure to address the issues associated with cross-company authorization and provides implementations of applicable standards, including Universal Description, Discovery and Integration (UDDI), Security Assertion Mark-up Language (SAML), Service Provisioning Mark-up Language (SPML) and Public Key Infrastructure (PKI).
3. What is provisioning and how is it becoming the centre stage of identity management?

Provisioning is defined as the automation of the business-oriented workflow that delivers systems, resources, services and devices to employees, partners, contractors, suppliers and temporary workers. Provisioning of user objects, monitoring of all activities, reporting of all transactions and de-provisioning of user objects is a fundamental concept of user lifecycle management and of how your business operates day to day.
Employees, contractors, temporary workers, partners and suppliers are all granted access to a wide range of corporate assets, from office building access to access to computer systems, files, directories, databases, mail systems and financial systems. In addition, they may be assigned laptops, calling cards and corporate credit cards. Provisioning is no longer limited to IT practices. Organisations need to manage the digital identity across the entire organisation, provisioning all IT systems, Web services, devices and entrance badges and securing access to files, directories and databases, while monitoring all of these activities with an end-to-end audit. Where provisioning differs from standard manual business practices is that when employees, contractors, temporary workers, partners and suppliers are terminated, access rights to all systems, devices, files, etc. are terminated as well. In effect, this reduces the probability of any former employee, contractor or other affiliate illegally using corporate assets.

[Figure: Typical enterprise provisioning architecture]
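As an added example that is not part of the original article or of any CA product, the following Python script reconciles a managed resource's account export against the HR feed to surface the two risks named in Section 2: ghost users (accounts whose owner has left but whose access was never revoked) and privileged super-user accounts that map to no accountable person. The HR feed, the account export and their CSV column layout are constructed for this example.

```python
"""Reconcile a managed resource's account export against the HR feed.
Added for this article; the data and CSV layout are constructed."""
import csv
from datetime import date
from io import StringIO

# Constructed HR feed: the authoritative list of people and their status.
HR_FEED = """\
employee_id,name,status,termination_date
1001,Joe Newguy,active,
1002,Ann Leaver,terminated,2004-02-13
1003,Bob Contractor,active,
"""

# Constructed account export from one managed resource (say, the finance
# system). owner_id links an account back to HR when it was provisioned
# through the system; it is blank for accounts created outside it.
ACCOUNT_EXPORT = """\
account,owner_id,privileged,last_login
jnewguy,1001,no,2004-03-01
aleaver,1002,no,2004-03-02
sapadmin,,yes,2004-02-28
bcontract,1003,no,2004-01-15
root_svc,1002,yes,2004-03-03
"""


def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(hr_rows, account_rows):
    """Classify every account on the resource:
       ok                  owner is an active person in HR
       ghost               owner has left; access was never revoked
       orphan              owner unknown to HR (created outside provisioning)
       unowned-privileged  super-user account with no accountable person"""
    people = {row["employee_id"]: row for row in hr_rows}
    findings = {}
    for acct in account_rows:
        owner = people.get(acct["owner_id"])
        if owner is None:
            kind = "unowned-privileged" if acct["privileged"] == "yes" else "orphan"
        elif owner["status"] != "active":
            kind = "ghost"
        else:
            kind = "ok"
        findings[acct["account"]] = kind
    return findings


def ghosts_used_after_termination(hr_rows, account_rows):
    """The auditable failure: ghost accounts that logged in after the owner's
    termination date. These are the ones an auditor will ask about first."""
    people = {row["employee_id"]: row for row in hr_rows}
    used = []
    for acct in account_rows:
        owner = people.get(acct["owner_id"])
        if owner is not None and owner["status"] == "terminated":
            left = date.fromisoformat(owner["termination_date"])
            if date.fromisoformat(acct["last_login"]) > left:
                used.append(acct["account"])
    return used


if __name__ == "__main__":
    hr, accounts = load(HR_FEED), load(ACCOUNT_EXPORT)
    for account, kind in reconcile(hr, accounts).items():
        print(f"{account:12} {kind}")
    print("used after termination:", ghosts_used_after_termination(hr, accounts))
```

Running the reconciliation over every managed resource on a schedule, and comparing its findings against the provisioning system's own audit trail, is what turns "only appropriate access is granted" from a policy statement into the auditable proof the section asks for. An account that the provisioning system never created (no owner link) is worth as much scrutiny as a ghost: it was created by a super user outside the workflow.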
The idea of provisioning evolved in the late 1990s, out of the slowly developing economic troubles and corporate America's need to become leaner and more efficient. Provisioning started out, as is often the case, as a purely manual process within an organisation: a new employee joined, moved from one position to another, left, or was terminated. The employee's manager would generally fill out an employee form or request and provide it to Human Resources, kicking off a number of tasks (all manual and heavily paper-driven), from purchasing a computer for that employee to allocating accounts for that user and/or assigning physical security devices to them. These provisioning activities took days or even weeks to complete: inefficiency at its best. Provisioning encapsulates the art of applying workflow and business automation, derived from how businesses operate deep in their business logic, at the individual business unit level and at grand scale, and how they operate with their partners and suppliers.
Thanks to the Internet, business relationships have become virtually worldwide, conceived through the generation of the computer. Business is no longer confined within one's enterprise; relationships are now being mapped across domains in federated models, exiting the closed corporate boundaries. With this come new challenges and an even greater importance for open standards.
[Figure: Example of a provisioning process: provisioning workflow for a new user joining the company on his first day at work]
A feed process, or some form of identity processing system, notifies the provisioning system of identity changes, which may then trigger provisioning actions against managed resources. The trigger picks up identity updates from an identity repository such as an X.500 or LDAP directory.
The provisioning workflow figure shows a new user, Joe Newguy, being added to the organisation in the role of VP of Finance (also his title in this case) and receiving a number of subset roles, which translate into business logic based on those roles. From these subset roles, workflow is generated and processed, and approval requests are sent out.
The provisioning system translates these business requests into business and IT activities for resources and services. For example, the new user will need a laptop with a number of office tools, an email account, access to the financial system, a telephone extension with a speakerphone, and business cards. Once approvals are received, updates are made to the respective systems on which Joe Newguy will perform his job function.
In the process of obtaining these approvals, certain manual activities may need to take place, including buying the laptop, installing the software on it, and setting up the user accounts and database access. In parallel, the telephone must be installed and set up on the provisioned desk, and the business cards need to be ordered. A robust notification and escalation mechanism needs to be in place for the provisioning activities that remain manual, such as buying the laptop and ordering business cards.
The provisioned user, Joe Newguy, must be maintained over his lifecycle as an employee of the company, so that on the day Joe leaves, the system is able to remove him from every system immediately.
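The join, move and leave steps described above, as an added example that is not code from the article or from eTrust Admin: a minimal provisioning engine in Python that resolves an identity's roles into the accounts it should hold on each managed resource, diffs that against what was last provisioned, and emits one SPML-style request per affected resource. The role model, resource names and HR event format are constructed for the example; the request shape (addRequest, modifyRequest and deleteRequest carrying an identifier and DSML attributes) follows SPML 1.0 as the author of this example recalls it and is an assumption to verify against the OASIS specification.

```python
"""Minimal provisioning engine: HR lifecycle events in, SPML-style requests out.
Added for this article; not eTrust Admin or any other product's code."""
from xml.etree import ElementTree as ET

# SPML 1.0 / DSMLv2 namespaces as recalled by the example's author (assumption:
# verify element names and identifier types against the OASIS schema).
SPML_NS = "urn:oasis:names:tc:SPML:1:0"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("dsml", DSML_NS)

# Constructed role model: role -> (managed resource, attribute, value).
# Every active identity carries the implicit "employee" role; business roles
# layer entitlements on top, and several roles may touch the same resource.
ROLE_ENTITLEMENTS = {
    "employee":   [("ad", "memberOf", "Domain Users"),
                   ("exchange", "mailboxType", "standard"),
                   ("badge", "zone", "lobby")],
    "finance":    [("ad", "memberOf", "FIN-Users"),
                   ("sap-fi", "profile", "FI_READ")],
    "vp-finance": [("sap-fi", "profile", "FI_APPROVE"),
                   ("badge", "zone", "exec-floor")],
}


def desired_state(roles):
    """Resolve a role set into {resource: {attribute: set(values)}}."""
    state = {}
    for role in ["employee", *roles]:
        for resource, attr, value in ROLE_ENTITLEMENTS[role]:
            state.setdefault(resource, {}).setdefault(attr, set()).add(value)
    return state


def plan(current, desired):
    """Diff provisioned state against entitled state. A resource the roles no
    longer justify is deleted outright; on a leave event that is every one of
    them, which is what closes the ghost-user gap."""
    ops = []
    for resource in sorted(set(current) | set(desired)):
        if resource not in current:
            ops.append(("add", resource, desired[resource]))
        elif resource not in desired:
            ops.append(("delete", resource, {}))
        elif current[resource] != desired[resource]:
            ops.append(("modify", resource, desired[resource]))
    return ops


def to_spml(op, identity, resource, attrs):
    """Render one operation as an SPML 1.0-style request document."""
    req = ET.Element(f"{{{SPML_NS}}}{op}Request")
    ident = ET.SubElement(req, f"{{{SPML_NS}}}identifier",
                          type=f"{SPML_NS}#UserIDAndOrDomainName")
    ET.SubElement(ident, f"{{{SPML_NS}}}id").text = f"{identity}@{resource}"
    if op == "delete":                       # the identifier alone is enough
        return ET.tostring(req, encoding="unicode")
    if op == "add":
        holder = ET.SubElement(req, f"{{{SPML_NS}}}attributes")
        tag, extra = f"{{{DSML_NS}}}attr", {}
    else:                                    # modify: replace whole attribute
        holder = ET.SubElement(req, f"{{{SPML_NS}}}modifications")
        tag, extra = f"{{{DSML_NS}}}modification", {"operation": "replace"}
    for name, values in sorted(attrs.items()):
        elem = ET.SubElement(holder, tag, name=name, **extra)
        for value in sorted(values):
            ET.SubElement(elem, f"{{{DSML_NS}}}value").text = value
    return ET.tostring(req, encoding="unicode")


class ProvisioningEngine:
    """Remembers what each identity was last provisioned with and turns an HR
    feed event (join / move / leave) into the requests needed to converge."""

    def __init__(self):
        self.state = {}    # identity -> {resource: {attribute: set(values)}}
        self.audit = []    # (identity, op, resource): the end-to-end audit trail

    def handle(self, event):
        identity = event["id"]
        current = self.state.get(identity, {})
        # join and move both converge on the target role set; leave entitles
        # the identity to nothing, so every account it holds is removed.
        desired = {} if event["type"] == "leave" else desired_state(event["roles"])
        requests = []
        for op, resource, attrs in plan(current, desired):
            requests.append(to_spml(op, identity, resource, attrs))
            self.audit.append((identity, op, resource))
        if desired:
            self.state[identity] = desired
        else:
            self.state.pop(identity, None)
        return requests


if __name__ == "__main__":
    engine = ProvisioningEngine()
    for ev in ({"type": "join", "id": "jnewguy", "roles": ["finance", "vp-finance"]},
               {"type": "move", "id": "jnewguy", "roles": ["finance"]},
               {"type": "leave", "id": "jnewguy"}):
        for request in engine.handle(ev):
            print(ev["type"], request)
```

The design point is that the engine never processes "revoke X" instructions; it only ever converges on the state the current roles justify. A move from VP of Finance to a plain finance role therefore drops the FI_APPROVE profile and the executive-floor badge zone without anyone having to remember they were granted, and a leave event produces a delete for every resource, which is the property the text relies on when it says Joe can be removed immediately. The manual steps (laptop, business cards) would be modelled as workflow tasks rather than SPML requests and are left out here.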
3.1. Provisioning parties involved

Many groups have an interest in the provisioning and de-provisioning of users in an organisation. Different groups have different needs that must be met by a provisioning solution.
Groups that would be directly involved with a provisioning solution:
- Line of business managers: how comprehensive and modular is the solution? Does it address all of my critical needs? How easy is it to use? Can I integrate it within my existing infrastructure?

- Senior executives: what is the timeline for deployment and implementation? Can it keep up with the business as it changes? Is it going to make the company operate more efficiently and effectively, while providing new business opportunities and allowing us to save money?

- Network administrators: is the provisioning solution reliable, scalable and secure? Is the system easily configurable and manageable? Does it track changes, keep audit logs, and provide the ability to build reports? Is there support for developing custom connectors to our existing systems? Does it support open standards for plug-and-play integration?
3.2. Provisioning and security

Provisioning and security management go hand in hand. Communication between the provisioning server(s) and the managed endpoints (target systems) must be secured and encrypted, and so must the fundamental business process for which workflow is being dynamically generated, since that workflow exists to support the security policies and business practices of the organisation on whose behalf users are being provisioned.