Management's Holy Grail: Integrating Identity and Access Control

Six modules in Computer Associates' new eTrust Identity and Access Management Suite, used in any combination, provide an integrated solution to managing identities, from provisioning to enforcement.

As identity management rollouts proliferate and companies increasingly turn to Web Services, security managers face a growing concern: managing it all.

To help ease identity management administration across disparate enterprises, Computer Associates (CA) announced what it terms “an integrated identity and access management suite.” The eTrust Identity and Access Management Suite consists of six modules, which companies can use in any combination, and will cover everything from identity provisioning to enforcement to auditing.

“One of the biggest problems we've heard out there is a lack of integration between the components for managing identity throughout the organization,” says Bilhar Mann, CA’s vice president of eTrust product management.

The initial module, eTrust Admin (for identity lifecycle management), is already available. It also handles provisioning across platforms and applications.

Expect the other five modules for CA World in May 2004, says Mann. They will address, in turn, access control to Windows, Unix, and Linux-based servers, files, and applications; auditing; an identity repository; single sign-on; and Web-based access control.

While a number of tools already exist for provisioning, enforcement, and auditing, Burton Group analyst Phil Schacter says any move towards identity management consolidation is welcome. “Today’s information-enabled organization is characterized by a growing number of touch points for employees, customers, and partners.” Given the proliferation, “integration is absolutely essential to the successful management of identities—and by extension, streamlined, secure [Web] services.”

CA’s Mann says companies are being driven toward consolidated identity management in order to contain costs, to meet such regulations as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, and to share access control with Web services partners.

The CA suite uses Service Provisioning Markup Language (SPML) to exchange provisioning requests across organizational boundaries. Specifically, SPML is “an XML-based expression syntax for the query and exchange of user, account and resource provisioning requests,” says the Organization for the Advancement of Structured Information Standards (OASIS), which manages the standard. SPML defines the messages, not the security of the channel they travel over: authenticating the requester and protecting the exchange is left to the underlying binding, such as SOAP with WS-Security or TLS.
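As an added illustration of what such an exchange looks like (example code written for this page, not code from the article or from CA’s product), the Python below has a requesting authority build an SPML addRequest and a provisioning service provider parse it, check it against local policy and answer with an addResponse. Element and attribute names follow the OASIS SPML 2.0 core schema (namespace urn:oasis:names:tc:SPML:2:0); the target name “hr-directory”, the principal names, the required attribute set and the sample request are all constructed for this example, and the plain child elements under <data> stand in for whatever profile-specific payload a real deployment would carry. The point a practitioner should take from it: because SPML describes the message and not the caller, the provider decides authorization on the principal the transport authenticated, never on anything inside the XML.

```python
"""Toy SPML 2.0-style provisioning exchange (constructed example).

A requesting authority (RA) builds an <addRequest>; the provisioning
service provider (PSP) parses it, checks it against local policy and
answers with an <addResponse>.  Element and attribute names follow the
OASIS SPML 2.0 core schema.  The target "hr-directory", the principals,
the attribute names and the sample request are made up for this example.
"""
import uuid
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
ET.register_namespace("spml", SPML_NS)


def spml(tag):
    """Clark-notation name for an element in the SPML core namespace."""
    return f"{{{SPML_NS}}}{tag}"


def build_add_request(target_id, attrs, request_id=None):
    """RA side: serialise an addRequest.  The payload under <data> is
    profile-specific in SPML; plain child elements are used here (assumption)."""
    req = ET.Element(spml("addRequest"), {
        "requestID": request_id or uuid.uuid4().hex,
        "executionMode": "synchronous",
        "targetID": target_id,
    })
    data = ET.SubElement(req, spml("data"))
    for name, value in attrs.items():
        ET.SubElement(data, name).text = value
    return ET.tostring(req, encoding="unicode")


class ProvisioningProvider:
    """PSP side.  SPML carries no authentication of its own: who sent the
    request is established by the transport (TLS client certificate,
    WS-Security token), so the caller passes that principal in."""

    def __init__(self, acl, required_attrs):
        self.acl = acl                      # principal -> set of targetIDs it may provision to
        self.required_attrs = set(required_attrs)
        self.store = {}                     # psoID -> attributes of the created object

    def handle(self, xml_text, requester):
        # Stdlib parser for the example; production code should parse untrusted
        # XML with defusedxml (or equivalent) to block entity-expansion attacks.
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return self._response("failure", "malformedRequest", None)

        request_id = root.get("requestID")
        if root.tag != spml("addRequest"):
            return self._response("failure", "unsupportedOperation", request_id)

        target = root.get("targetID")
        # Authorisation keys off the transport-authenticated principal, never
        # off anything the request body claims about itself.
        if target not in self.acl.get(requester, set()):
            return self._response("failure", "noSuchIdentifier", request_id)

        data = root.find(spml("data"))
        attrs = {child.tag: (child.text or "") for child in data} if data is not None else {}
        if not self.required_attrs.issubset(attrs):
            return self._response("failure", "malformedRequest", request_id)

        pso_id = f"{target}:{uuid.uuid4().hex[:8]}"
        self.store[pso_id] = attrs
        return self._response("success", None, request_id, pso_id=pso_id, target=target)

    @staticmethod
    def _response(status, error, request_id, pso_id=None, target=None):
        resp = ET.Element(spml("addResponse"), {"status": status})
        if request_id is not None:
            resp.set("requestID", request_id)   # echoed so the RA can correlate
        if error:
            resp.set("error", error)
        if pso_id:
            pso = ET.SubElement(resp, spml("pso"))
            ET.SubElement(pso, spml("psoID"), {"ID": pso_id, "targetID": target})
        return ET.tostring(resp, encoding="unicode")


def parse_add_response(xml_text):
    """RA side: extract status, error, requestID and the new psoID from an addResponse."""
    root = ET.fromstring(xml_text)
    pso_id = root.find(f"{spml('pso')}/{spml('psoID')}")
    return {
        "status": root.get("status"),
        "error": root.get("error"),
        "request_id": root.get("requestID"),
        "pso_id": pso_id.get("ID") if pso_id is not None else None,
    }


if __name__ == "__main__":
    psp = ProvisioningProvider(acl={"hr-system": {"hr-directory"}}, required_attrs={"uid", "mail"})
    req = build_add_request("hr-directory", {"uid": "jdoe", "mail": "jdoe@example.test"}, "req-1")
    print(parse_add_response(psp.handle(req, requester="hr-system")))
    # The identical request from a principal not allowed to provision to that target is refused.
    print(parse_add_response(psp.handle(req, requester="partner-portal")))
```

The same addRequest succeeds for the HR system and is refused for the partner portal, even though the XML is byte-for-byte identical; that is the separation between the provisioning syntax and the trust decision that a real integration has to preserve.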

In addition, Mann says the suite complies with the Security Assertion Markup Language (SAML) and Liberty Alliance standards. Both define how authentication and authorization assertions about a user are exchanged between organizations, so that a federated identity established in one organization can be trusted by its partners.

As more companies move toward Web services, they must get identity management right—or else. “If you don't have identity management, Web services won't hold up,” notes Mann. “The biggest problem with Web services right now is a lack of security, and we all talk about security in abstract terms. But if Web services doesn't have enough security, you're exposing business processes.”

He notes that CA, IBM, Microsoft, and BEA are “all coming together to define core Web Services security standards, because … we all want to have Web services be successful.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.