Q&A: Moving to Web Services Identity Management

Architecting fine-grained access to Web Services for many users at multiple organizations is difficult to implement or audit using identity management software. We discuss alternatives.

How do you manage identities for Web Services?

As many organizations complete their internal identity-management programs, they begin applying the technology to managing external identities, especially for Web Services projects.

Unfortunately, giving individual users from many organizations fine-grained access to Web Services isn’t easy to implement or audit using identity-management software. To discuss other options, Security Strategies spoke with Adarbad Master, chief technology officer; and Nigel Simmons, vice president of products, for Bethesda, Md.-based Epok, which sells a server-based software control layer for managing identities between multiple organizations.

Where are companies today in their identity management rollouts?

Master: An identity management rollout is basically the creation and administration of an identity … and a lot of companies are at the tail end of that, and are wondering what an identity can do now.

Are Web Services the next step for many organizations?

Yes, and the major use of Web Services inside companies has been the creation of portals … to expose their data mostly to employees. Now, however, they’re moving to expose data to partners, and [perhaps] customers. But while identity management was a way to capture the user lifecycle inside an organization, [its use] has migrated to capturing what I’ll call foreign users—and, really, identity management wasn’t designed to do that.

Why can’t identity management software accommodate foreign users?

Simmons: I’ll offer two examples why. In the first, a large financial institution recently … finished its identity rollout, and said, "I have identity management in place, now let me begin to service my customers [with it]."

Incidentally it’s pretty advanced; it uses about 70 roles. So [the company] began to tackle partners and customers … and [eventually] exceeded 100,000 roles in its role-based system … [which is] a nightmare to manage.

The second example involves [about 30] independent organizations that make use of single sign-on to a site. Well, here’s the problem: when new partners join, the site doesn’t know how to provision [the partners’] new users. … They don’t know whether that person at the partner is an administrator, or user, or a user with potential administrator privileges. So … [how do I] map that user onto existing roles?

Is this problem endemic to large-scale attempts to implement external identity management?

Master: There is a problem in scale. If it was one organization talking to another, with 10 or 15 people on a side, it wouldn’t be a problem. But we’re talking to organizations in the throes of outsourcing things in the tens of thousands. For example, Merrill Lynch is projecting having 100,000 brokers, many not in this country. It’s a question of how you manage fine-grained access for these folks, and the problem with an identity management system is that you’re trying to manage everything in-band.

Simmons: With Web Services, the problem doesn’t get easier; it gets worse. And this is going to be the Web Services Achilles heel, if it has one. … Imagine the poor character in the IT organization who has to program the XML firewall to deal with all [of those roles]. Where does all that information come from? That’s also where security holes begin to open up, because although the firewall is great at what it does, deriving information that is accurate and timely and which knows the changing business relationships with customers, that’s difficult.

How do organizations begin addressing identity problems in large-scale Web Services rollouts?

Master: We always talk about control and policy, but policy has become a code word for access policy … and capturing everything needed is not possible in today’s identity systems. … What it needs is a “you manage access control, and I’ll tell you what the policies are” approach. That control functionality is completely missing.

Simmons: And the key to doing that is the relationships that exist between organizations. … Compliance also plays into this in a huge way, because while may have started to tackle compliance internally, solving it externally is a large issue unless you can group tasks and identities between organizations, and create communities of interest.

What do you mean by communities of interest?

Master: The concept is that you can have a virtual organization that spans interests. S The Joint Strike Fighter project, for example, [which isn't an Epok customer]S [defines] country, company, organization, set of people in that organization S and the policies are likewise nested all the way down. S So the access one person has in the community is unique S and then the problem is just identifying what this person has access to.

Simmons: As [another general] example, organizations like the World Bank have a team concept-a bunch of people will actually get together to run a conference or talk about world hunger, and these are very dynamic and cross-functional systems, and this is where identity management needs to progress to. It's still got a lot of holes in it.

How does Epok tackle this problem?

Epok’s Trusted Data Exchange Server can classify materials between two sites. So, if you [analyze] two organizations, you can [define relationships between them] in software. You could also imagine a virtual group being expressed in the same way.

Does this work with internal identity management systems?

This is complementing all the investment folks have done in their identity management infrastructures. In no way are we trying to duplicate user identities in two areas. … We’re trying to bridge those users and relate them.

As an analogy, take telecommunications providers. Back in early ’80s, telephones used to [send] control tones along the telephone pole [wires] … whistling away as the call was connected. Then the telephone companies, in their infinite wisdom, pulled the control layer out into a separate layer, which led to caller-ID, and call-back capabilities … and that control layer was able to propel the phone companies forward into offering other services, like wireless services, and better data services. We think a similar control layer needs to happen on the Internet. …

Master: Think of it as a network of connected identity. … [With that network,] it’s what the organization asserts about the person accessing the service that’s important, it’s not the identity itself that’s important.

Related Articles:

Identity Management: Untangling Meta and Virtual Directories

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.