Archive for the ‘Authentication’ Category

The Five Challenges of Identification

Tuesday, May 4th, 2010

Part 2 of 6 on the subjects of authentication and authorization

By Lisa Grady, Product Manager

In my previous post, The Overlooked Step in the Authentication Process: Bring Your Security to the Next Level with Improved Identification, I discussed the importance of identification within the realm of authentication. Now let’s take a look at the challenges you face with this process:

    1. Identities are often distributed among many heterogeneous data sources. As companies expand services to constituents outside the enterprise, identity integration becomes even more difficult, with an increasing number of disparate data sources to integrate. And that’s not all that’s on the rise; as you move your identities to the web, user bases that once numbered in the low hundred thousands can rapidly increase to millions. It’s very challenging to quickly identify a high volume of users across so many sources.
    2. Each identity silo manages schema elements and data structures differently, which further complicates how information is reached. For example, “Name” can be represented as givenName in source A, FNAME in source B, and FirstName in source C.
    3. Each data source supports its own access mechanism. LDAP may be used to reach information in a directory, SQL reaches information stored in a database, and web services reach identities within an application. This makes it difficult to reach a designated source without the proper access tool.
    4. User overlap is practically guaranteed. While the identifiers for a user—such as logon name—may be different, you’re likely to find duplication across different data sources. One person may be found in several silos, each with its own definition of an identity.
    5. Most WAM applications are not equipped to handle multiple identity sources or protocols. When an application searches for a user, it typically expects to find that person within a single repository—but that’s not how today’s heterogeneous identity environments work. While some sophisticated applications may offer some sort of round-robin searching to find the correct sources, they’re not really built to handle high volumes or requests that return more than one result.

So in order to provide a reliable authentication service, you must deal with multiple data sources, different schemas, unique access mechanisms, and duplicated identities, within an environment that features increasingly disparate data sources and a growing number of users.

With the numbers of identities and data sources growing substantially more complex, integration is essential in order to properly handle authentication. The only solution for such a multifaceted infrastructure is to combine these resources into a single “logical list” (more on this in a later post) that works with your existing identity silos. This is part of what we call “Manage Globally, Act Locally”: you integrate identities to create a clean global list of all your users for the identification phase, while delegating the credential-checking aspect of authentication back to the authoritative sources.
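As an added illustration that is not part of the original post, the Python sketch below shows the “Manage Globally, Act Locally” pattern against the five challenges listed above: three constructed silos (a directory-style store, a SQLite table, and a simulated web-service application) that use different attribute names and access methods; an identification step that maps every hit onto one global schema and correlates hits by e-mail address; a fail-closed result when one login name resolves to two different people; and credential checking delegated to the silo that owns the matched record. All source names, attribute names, users, and passwords are constructed for the example, and the correlation key (e-mail), the “first source in the list is authoritative” rule, and the single static salt are assumptions made here rather than anything the post prescribes.

```python
"""Added example (not from the original post): a toy virtual identification
layer over three constructed identity silos. Identification searches every
source, maps each silo's schema onto one global schema and correlates the
hits; credential checking is then delegated to the silo that owns the
authoritative record. Names, data and rules below are all assumptions."""
import hashlib
import hmac
import sqlite3
from dataclasses import dataclass
from typing import Callable, Optional

SALT = b"constructed-salt"   # one static salt, acceptable only in a toy example


def hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def check_pw(stored: bytes, password: str) -> bool:
    return hmac.compare_digest(stored, hash_pw(password))


@dataclass
class Source:
    """One identity silo: its local attribute names mapped to the global
    schema, a search callable (login -> local records) and a local verifier."""
    name: str
    attr_map: dict                      # global attribute -> local attribute
    search: Callable[[str], list]
    verify: Callable[[dict, str], bool]

    def normalize(self, rec: dict) -> dict:
        out = {g: rec.get(loc) for g, loc in self.attr_map.items()}
        out.update(source=self.name, local=rec)
        return out


# Source A: directory-style entries (uid / givenName / mail), constructed.
LDAP_ENTRIES = [
    {"uid": "jdoe", "givenName": "Jane", "mail": "jane@example.com",
     "userPassword": hash_pw("correct horse")},
    {"uid": "bsmith", "givenName": "Bob", "mail": "bob@example.com",
     "userPassword": hash_pw("bob-pass")},
]
src_a = Source(
    "directory", {"login": "uid", "firstName": "givenName", "email": "mail"},
    lambda login: [e for e in LDAP_ENTRIES if e["uid"] == login],
    lambda rec, pw: check_pw(rec["userPassword"], pw))

# Source B: a SQL table with its own column names (LOGIN / FNAME / EMAIL).
db = sqlite3.connect(":memory:")
db.row_factory = sqlite3.Row
db.execute("CREATE TABLE users (LOGIN TEXT, FNAME TEXT, EMAIL TEXT, PWHASH BLOB)")
db.executemany("INSERT INTO users VALUES (?,?,?,?)", [
    ("jdoe", "Jane", "Jane@Example.COM", hash_pw("db-copy-of-jane")),  # same person as A
    ("asmith", "Alice", "alice@example.com", hash_pw("alice-pass")),
])
src_b = Source(
    "hr_database", {"login": "LOGIN", "firstName": "FNAME", "email": "EMAIL"},
    lambda login: [dict(r) for r in db.execute(
        "SELECT * FROM users WHERE LOGIN = ?", (login,))],
    lambda rec, pw: check_pw(rec["PWHASH"], pw))

# Source C: an application reached over a (here simulated) web service.
APP_USERS = [{"Login": "bsmith", "FirstName": "Bill", "Email": "bill@example.com",
              "Secret": hash_pw("bill-pass")}]   # a different person than A's bsmith
src_c = Source(
    "partner_app", {"login": "Login", "firstName": "FirstName", "email": "Email"},
    lambda login: [u for u in APP_USERS if u["Login"] == login],
    lambda rec, pw: check_pw(rec["Secret"], pw))

SOURCES = [src_a, src_b, src_c]   # list order = authority for credential checks


class AmbiguousIdentity(Exception):
    """The login maps to more than one distinct person; fail closed."""


def identify(login: str, sources=SOURCES) -> Optional[dict]:
    """Global identification: gather every hit, correlate by e-mail address,
    and return one logical identity or None. Hits that correlate to different
    people are an overlap conflict, not a match."""
    hits = [s.normalize(r) for s in sources for r in s.search(login)]
    people = {}
    for h in hits:
        key = (h["email"] or "").strip().lower()      # assumed correlation key
        people.setdefault(key, []).append(h)
    if not people:
        return None
    if len(people) > 1:
        raise AmbiguousIdentity(f"{login!r} resolves to {sorted(people)}")
    key, records = people.popitem()
    return {"globalId": key, "login": login, "records": records}


def authenticate(login: str, password: str, sources=SOURCES) -> Optional[dict]:
    """Identification first; then delegate the credential check to the
    highest-authority source holding a record for this identity."""
    identity = identify(login, sources)
    if identity is None:
        return None
    order = [s.name for s in sources]
    authoritative = min(identity["records"], key=lambda r: order.index(r["source"]))
    owner = next(s for s in sources if s.name == authoritative["source"])
    ok = owner.verify(authoritative["local"], password)
    return {**identity, "checkedBy": owner.name, "ok": ok}
```

Running `authenticate("jdoe", "correct horse")` finds Jane in both the directory and the HR database, correlates the two records into one identity, and checks the password against the directory only, so the stale copy in the database (`"db-copy-of-jane"`) is never accepted. `authenticate("asmith", "alice-pass")` succeeds against the HR database, the only silo that knows her, and `identify("bsmith")` raises `AmbiguousIdentity` because the directory's Bob and the partner application's Bill share a login name but are different people; refusing to guess there is the safe default for a WAM layer.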

In my next post, we’ll look at how identity and context virtualization can help you build that global list, so you can integrate your identities and authenticate more effectively across heterogeneous systems.

Are you currently battling some of the authentication challenges I discuss here? Join the conversation or send me an email at blog@radiantlogic.com.

The Overlooked Step in the Authentication Process: Bring Your Security to the Next Level with Improved Identification

Wednesday, April 21st, 2010

Part 1 of 6 on the subjects of authentication and authorization
By Lisa Grady, Product Marketing

In hopes of unraveling some of the complexities surrounding identity and access management, I’ll be writing a six-part blog series that digs into the challenges of authentication and authorization and uncovers solutions that may work for your company. To kick things off, let’s take a look at exactly how authentication works.

You Can’t Check My Credentials Until You Figure Out Who I Am

Authenticating users in today’s distributed, heterogeneous environments can be a complicated process. Put simply, authentication is the process of verifying the claimed identity of a unique user. This process is made up of two very important steps:

1. Identification
2. Credential checking

Both components are essential, yet credential checking often receives the bulk of the attention, which is a little like buying the lock before you have the door. Although it’s often overlooked, identification is the unsung hero of authentication.

Identification is the ability to locate a unique identifier for a user within a distributed system. So when a user logs into a system, say, a portal, the unique identifier for that user must first be located.

The Challenge: Heterogeneous Data Sources, Overlapping Identities

Now, if all your identities are stored in a single repository, finding that unique user is a relatively easy process. Unfortunately, this is almost never the case. Typically, you’ve got many user stores to handle all the different constituents (employees, partners, customers, suppliers) in your enterprise. These data sources come in many flavors, from LDAP to SQL, and even web services. Most companies, both large and small, find themselves managing a variety of disparate data stores, without the means to integrate them. This can be especially challenging if your company has gone through mergers or acquisitions.

So when a user enters a username, it’s no simple matter to return a unique identifier for them. The authenticating application must search through all your diverse data sources, each with its own schemas and protocols, including Microsoft Active Directory, ADAM, Oracle Databases, and many others. And what happens if one identifier is found in multiple sources? Do these multiple identities represent the same user? Or different users? How should applications handle these overlaps?

The Goal: A Unified Infrastructure

So how can you solve these identification challenges? End users want a seamless experience where they type in their username and password and get access. And IT professionals want a way to simplify the identification process, even as the identity landscape grows more complex. A unified infrastructure means a better experience for customers, partners, and employees. And an integrated environment makes it much easier to recognize and validate a user’s identity efficiently.

We’ll dive deeper into the challenges of identification in my next post, then take a look at how to unify your infrastructure (and yes, it can be done!) in the one after that. So stay tuned for more on this topic, and add us to your RSS feed, so you can follow along.

How does your organization handle user authentication across disparate data sources? Join the conversation here or contact me at blog@radiantlogic.com.