Web Services and Identity Management

Two technologies go hand in hand to provide stronger authentication and more efficient enterprise processes.

Web Services technology is a collection of standards and protocols designed to

• reduce the amount of work it takes to accomplish integration (and thereby reduce cost and schedule), and

• provide flexible interfaces between systems that won't “break” when one system or the other is updated or revised.

IT departments are already using the Web services approach to integration because it has many advantages over previous approaches, and now physical security systems are beginning to use Web services to connect to other systems as well.

This is creating an interesting circular relationship between Web services and identity management systems. As companies integrate more business applications using Web services, they find that establishing identity management is a critical prerequisite. And if they decide to implement a fully integrated, central identity management system, they find that Web services is the most practical way to integrate it with their various business applications and systems.


More Integration Means More Complexity

Companies that use Web services to expand the integration of systems across the enterprise quickly realize that the integration brings with it a new layer of management requirements. First, they need to manage “who can do what” with the new business applications, which means information security needs a way to manage user identities and the privileges attached to them. Second, now that computer systems can easily talk to each other, each system needs a reliable way of verifying the identity of the system it is talking to, not just the identity of the user behind a request.

Additionally, business managers need to establish which systems can or can't have particular kinds of conversations; that is, the privileges of computer systems must be managed as well. This is where identity management systems come into the picture. An identity management system (IDMS) can be used to manage the identities and privileges of computer systems as well as people. Thus most significant deployments of Web services for corporate information systems will sooner or later result in the deployment of an IDMS.


Why an IDMS?

The implementation of an enterprise-wide identity management system is of great interest to corporate security for several reasons.

• An IDMS will close IT security gaps related to enrolling and terminating employees, such as accounts that are created by hand and never matched to a job role, or accounts and badges left active after an employee has left.

• The deployment of an IDMS is typically accompanied by a role-based access control (RBAC) scheme for the information systems. Once roles are jointly defined by human resources and business managers, and once IT security privileges are assigned to the roles, security privileges can be automatically granted upon enrollment in the IDMS. Privileges are also automatically changed when an employee's position changes, and revoked automatically upon the employee's termination.

• Physical security can leverage the defined corporate roles by defining physical access control privileges to match, aligning physical security more tightly with the organization's job roles. This doesn't require the access control system to be integrated with any other system.

• Physical security can leverage the HR enrollment of employees by integrating the physical access control system (PACS) with the IDMS, so that access control privileges are managed automatically along with IT privileges as HR enrolls, reassigns and terminates employees.

Using an IDMS as a common point of reference, physical and IT access control can be synchronized. And using role-based access control to establish privileges based upon job functions, both physical and IT access control can be policy-driven.
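What this synchronization looks like in code, as an added example that is not part of the original article: a minimal IDMS in which a role catalog, jointly owned by HR, IT security and physical security, maps each role to IT privileges and to PACS door groups. HR events (enroll, reassign, terminate) only change a principal's role; both IT and physical access are derived from the role at the moment of each check, so a reassignment drops the old role's privileges and a termination revokes everything without any per-account cleanup. Computer systems (here a hypothetical PACS connector) are principals too, as described above. All role names, privilege strings, door groups, principal names and the reconcile() check are assumptions constructed for this example.

```python
"""Role-based provisioning driven by HR lifecycle events (added example).

Privileges are never stored per person or per system; they are derived
from the assigned role at check time, so a change in the IDMS changes
both IT and physical access immediately.  Role names, privilege strings
and door groups are constructed for this example, not taken from any product.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Role:
    it_privileges: frozenset   # IT privileges, e.g. "payroll-app:post"
    door_groups: frozenset     # PACS door groups, e.g. "finance-floor"


# Role catalog: job functions agreed by HR and business managers, with IT
# security and physical security attaching privileges to each role.
ROLES = {
    "payroll-clerk":    Role(frozenset({"hr-app:read", "payroll-app:post"}),
                             frozenset({"main-lobby", "finance-floor"})),
    "network-engineer": Role(frozenset({"vpn:login", "netmgmt:admin"}),
                             frozenset({"main-lobby", "data-center"})),
    # Systems get identities and roles too: the (hypothetical) PACS
    # connector may read assignments from the IDMS and nothing else.
    "pacs-connector":   Role(frozenset({"idms-api:read-assignments"}),
                             frozenset()),
}


@dataclass
class Principal:
    kind: str                   # "person" or "system"
    role: Optional[str]         # None once terminated


@dataclass
class IDMS:
    principals: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every lifecycle event

    def enroll(self, pid, role, kind="person"):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.principals[pid] = Principal(kind, role)
        self.audit.append(("enroll", pid, role))

    def reassign(self, pid, new_role):
        if new_role not in ROLES:
            raise ValueError(f"unknown role {new_role!r}")
        old = self.principals[pid].role
        self.principals[pid].role = new_role   # old role's privileges vanish
        self.audit.append(("reassign", pid, old, new_role))

    def terminate(self, pid):
        self.principals[pid].role = None       # revokes IT and physical access
        self.audit.append(("terminate", pid))

    def effective(self, pid) -> Role:
        """Privileges derived from the current role; unknown or terminated
        principals get nothing (fail closed)."""
        p = self.principals.get(pid)
        if p is None or p.role is None:
            return Role(frozenset(), frozenset())
        return ROLES[p.role]

    def may(self, pid, privilege):          # IT access check
        return privilege in self.effective(pid).it_privileges

    def may_open(self, pid, door_group):    # physical access check
        return door_group in self.effective(pid).door_groups


def reconcile(idms, downstream_accounts):
    """Accounts (or badges) in a downstream system that the IDMS no longer
    authorizes: the enrollment/termination gap an IDMS is meant to close."""
    return sorted(a for a in downstream_accounts
                  if a not in idms.principals or idms.principals[a].role is None)


def demo():
    idms = IDMS()
    idms.enroll("alice", "payroll-clerk")
    idms.enroll("pacs-sync", "pacs-connector", kind="system")
    before = idms.may_open("alice", "finance-floor")          # True
    idms.reassign("alice", "network-engineer")
    after = (idms.may_open("alice", "finance-floor"),          # False: old role gone
             idms.may_open("alice", "data-center"))            # True: new role
    idms.terminate("alice")
    # "bob" was created directly in the application, never enrolled via HR.
    orphans = reconcile(idms, {"alice", "pacs-sync", "bob"})   # ["alice", "bob"]
    return before, after, orphans, idms.may("pacs-sync", "idms-api:read-assignments")


if __name__ == "__main__":
    print(demo())
```

The point of `effective()` computing privileges from the role on every call, rather than copying them into the account at enrollment time, is that there is nothing to clean up on reassignment or termination; `reconcile()` is the periodic check that catches accounts a downstream application or PACS still holds for people the IDMS no longer authorizes.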

Even if no identity management system is used and the physical and IT access control systems are not integrated with each other, RBAC can be used in both physical and IT systems to provide a policy-driven access control approach that aligns with the organization. Maintaining this scheme requires more human attention than with integrated systems, since each role change must be applied in each system by hand. It still strengthens security, and it keeps access decisions manageable and auditable because every privilege can be traced back to a job role.
