Managing IAM middleware


There are a lot of different jobs in IT.

My first few positions were in software development. Then networking and infrastructure, and a bit later on, alongside security teams. When I was introduced to IAM in 2003 (then called ‘authentication and authorization’) it was so new there wasn’t a nice, tidy category for it. A few years later, I noticed Oracle had put IAM in a ‘middleware’ bucket so I guess that’s how we’ll refer to it — even if Wikipedia describes middleware a bit differently.

Implementing IAM middleware isn’t an overly natural thing to do. It isn’t the same as the standard application development, server rack upgrade or firewall install. So it can be useful to consider IAM projects and operations in comparison to these three common IT activities:

  • Software Development — Like application development, IAM has to consider user requirements including usability, attributes and business rules for data. BUT developing a single system is far easier than implementing IAM. There are more system integration points — it is middleware — making it technically more difficult. For a project manager, IAM also has more project teams to coordinate. For example, I’m currently working on a provisioning initiative that has five technical delivery teams and spans two large organizations.
  • Infrastructure — IAM typically (if not always) involves a directory, and directories, notably Microsoft AD implementations, are paired with operating systems. Infrastructure changes to these operating systems impact IAM and vice-versa. The big difference between IAM and infrastructure projects is that IAM middleware requires tailored configurations and/or custom software components. In a large organization, standard infrastructure (or infrastructure services) can meet their needs. IAM is not so standardized as the management of identity is more closely tied to business needs and strategy. Assuming
  • Information Security — Protecting privacy and access to information is part of both the IAM and security worlds, and IAM is often described as a sub-set of information security. But IAM is about letting people in and the remainder of info sec is about stopping access… Implementing IAM requires an understanding of these two different views in order to create solutions that meet compliance requirements while still meeting user needs for access.

Managing IAM middleware well is the goal and understanding the differences between IAM and traditional IT practice areas is key to successful projects.




Old job, new job

It has been a while since I’ve had a new ‘primary’ contract so I thought a post on the old and new is in order.

Since 2007, I’ve been the IAM Program Manager for the Alberta Government department of Innovation and Advanced Education. We assembled a development team to build a new IAM solution for the department’s growing online services. Web applications for post-secondary students were the main priority but business partner access to online services and SharePoint sites was also required.

The solution was built on top of Active Directory Federation Services (AD FS) and was developed in .Net. The services developed include self-service registration, authentication, authorization, identity proofing, access administration and reporting. We call it the Secure Identity and Access Management System, or SIAMS for short.

Today, that IAM solution has 650,000 identities, processes over 100,000 logins per month and supports 35 business applications. It supports a host of self-service features like password reset via SMS, and can deliver up to LoA 2 identity proofing.

I’m proud of the team that put the system together and very appreciative of the support I received from Innovation and Advanced Education’s management over the years. Code Technology will remain on the job with Dallas Gawryluk taking over the reins in an expanded project management role.

My new position is as a Systems Integration Project Manager with Alberta Health Services. The IAM solution on this project is quite different, and the job I’m being asked to do is already both interesting and challenging.  Working with multiple teams, I am hired to plan and deliver an implementation of an enterprise IAM solution for clinical users and access administrators.

New faces, new issues — and after seven years, a slightly different commute to work. I’m looking forward to the next year!


Canadian Access Federation: A model that works

The largest and arguably most successful identity federation in the world is the network used by higher education institutions.  Academics, faculty and their partners have enjoyed the benefits of single sign-on, secure wireless access and identity sharing since 2003.  Interest has recently spiked in consumer login and citizen identity federation, so it is worth looking at how academia has tackled Federated ID.

There are national identity federations currently operating in over 30 countries, involving thousands of post-secondary institutions.  In the UK Access Management Federation alone there are over 900 members and approximately 250 service providers. In the US, the InCommon federation boasts over 5,000,000 users.

In each of these federations, schools and service providers trust each other via a central body (hub), based on rules that are formally established for participation.

Higher education federations are focused on ‘circles of trust’.  A circle of trust is a collection of organizations that, typically, operate in the same business sphere and have common traits and ambitions.  For example, the Canadian Access Federation (CAF) is made up of over 50 Canadian universities and colleges, plus a growing number of cloud service providers that are involved with student services.  The CAF circle doesn’t include banks, insurance companies or telcos, or for that matter, social media operators.

Higher education federations work because of these well-defined circles of trust.  Participants can release and consume identity information, including a privacy-enhancing, opaque and unique identifier, because the relying parties (schools and cloud service providers) trust the identity providers (schools).  And, most importantly, the users of the federation – the students, faculty, administrators and alumni – are comfortable trusting all the parties in the federation.

The identity information available in the CAF includes name, email address, institution, and ‘scoped affiliation’ (aka role, such as student, faculty, staff, etc.).  This relatively rich claim-set allows a relying party to make access decisions, at least at a coarse-grained level of authorization.

(Note that some relying parties will still want to have enrolment processes in place to handle access to specific applications or data.  These sites will need to perform additional verification steps to authorize access to services.)

The CAF standard claim-set of identity attributes is based on the eduPerson Object Class.  This specification allows many sites and web applications to provide automatic access without further ‘interrogation’ of the user.  As examples:

  • The eduPersonOrgDN claim represents the institution or organization of a researcher.  It can be used by the RP to give a researcher access to a collaboration folder specific to that institution, plus a common collaboration folder that all researchers can use.
  • The eduPersonPrincipalName claim can be used by the RP as a key to link a faculty member to a specific record, or to a set of permissions within a web application.  This in turn allows for automated provisioning to take place, with the other identity attributes used to populate the user profile maintained by the RP.
  • The eduPersonScopedAffiliation attribute – let’s say it is set to ‘alum’ – can act as a general coarse-grained entitlement, used to tailor a portal to the specific needs of alumni.  For example, the portal could offer alumni special offers or encourage donations.
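The three claim uses above, worked through as an added example that is not code from the post or from the CAF: a relying-party helper that takes the released eduPerson attributes and derives the coarse-grained decisions (collaboration folders from eduPersonOrgDN, a profile key from eduPersonPrincipalName, a portal view from the scoped affiliation). The issuer URL, scope and folder paths are constructed, and the scope check (only honouring a scoped value whose scope matches the asserting IdP) is an added hardening step the post does not spell out.

```python
# Added example (not from the original post). Attribute names are the real
# eduPerson names; issuer, scope and folder values are constructed.
from dataclasses import dataclass, field

# Constructed: the scope each trusted IdP is registered to assert in federation
# metadata. Scoped values are only honoured when the scope matches the issuer.
TRUSTED_IDP_SCOPES = {
    "https://idp.example-u.ca/idp": "example-u.ca",
}

@dataclass
class Decision:
    allowed: bool
    folders: list = field(default_factory=list)
    profile_key: str = ""        # RP-side record key derived from eduPersonPrincipalName
    portal_view: str = "default"
    reasons: list = field(default_factory=list)

def _scoped_ok(value, expected_scope):
    """Accept 'value@scope' only when scope equals the IdP's registered scope."""
    if "@" not in value:
        return False
    _, scope = value.rsplit("@", 1)
    return scope.lower() == expected_scope.lower()

def authorize(issuer, attrs):
    """Coarse-grained RP decision from the attributes released by one IdP."""
    d = Decision(allowed=False)
    scope = TRUSTED_IDP_SCOPES.get(issuer)
    if scope is None:
        d.reasons.append("issuer not in federation metadata")
        return d
    eppn = attrs.get("eduPersonPrincipalName", "")
    if not _scoped_ok(eppn, scope):
        d.reasons.append("eduPersonPrincipalName missing or scope mismatch")
        return d
    d.profile_key = eppn.lower()
    affs = [a for a in attrs.get("eduPersonScopedAffiliation", []) if _scoped_ok(a, scope)]
    roles = {a.split("@", 1)[0].lower() for a in affs}
    if not roles:
        d.reasons.append("no affiliation asserted by the home IdP")
        return d
    d.allowed = True
    org_dn = attrs.get("eduPersonOrgDN")   # institution-specific folder plus the common one
    d.folders = ["/collab/common"] + ([f"/collab/{org_dn}"] if org_dn else [])
    if "alum" in roles:
        d.portal_view = "alumni"
    elif roles & {"faculty", "staff"}:
        d.portal_view = "staff"
    elif "student" in roles:
        d.portal_view = "student"
    return d
```

As the post notes, this only gets a user through the front door; application-specific enrolment and verification still sit behind it.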

It is within this relatively rich framework of trusted identity claims that higher-ed federations have a distinct advantage over social media-based identity networks. Social media identities are fine for low-value transactions (personal blogs, commenting on news articles, etc.), but are nowhere near strong enough for academic and business transactions.  Only within a trusted federation, where the rules of participation are clear and binding, can identity information be appropriately shared.

The CAF and its international counterparts allow for new connections and new services to be established based on trust and collaborative service delivery.  It is a proven model that aspiring identity federations can learn from when planning the next generation of access networks.


IAM for the smaller enterprise

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths followed: do nothing or do it poorly.  When done poorly, shoddy IAM implementations can result in poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and supports are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing and there are a number of offerings that suit the smaller organization.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion have a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and service levels are beyond what most companies could hope to provide on their own.  There still remains integration work — applications need to be ‘plumbed’ to inter-operate with the cloud solutions — but all the heavy-lifting of designing and configuring a solution is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead-times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcomed development.


Service Management and identity

Identity & Access Management (IAM) systems need to be reliable, perform well and have adequate end-user support.  When assessing Service Management needs for an IAM environment, a number of factors need to be considered.

Wikipedia defines IT Service Management as ‘a discipline for managing information technology (IT) systems, philosophically centered on the customer’s perspective of IT’s contribution to the business.’  Service Management for an IAM system needs to consider both the business area and end-user needs – and these may differ depending on perceptions, actual usage patterns and functions of the IAM system.

To this last point, IAM offers a wide range of functionality: authentication (login), authorization, account creation, provisioning, administration, reporting, etc.  The service management profile for these functions can vary; for example, login and authorization services need to be highly available and well supported, while functions like reporting are less critical.  Assessing service management for IAM, therefore, needs to look at each functional area of the system.

Data centre service management has swung wildly in the past 30 years, from centrally controlled and highly available mainframe environments to more lax client-server setups of the late 80s and early 90s.  Today’s expectation for the quality of enterprise data centre services has returned to a more strict standard.  Business sponsors and users expect the equipment, network and services to be highly available, with scheduled outages and evergreen plans (for future expansion).

Help desk services need to be assessed to ensure IAM services are properly supported.  Help desk support can range from the basic email, ‘best-effort’ model to full 24/7 phone and remote take-over support.  Understanding end-user requirements is critical to striking a balance between help desk costs and a quality support model.

I’ve had a number of clients identify 24/7 support for their infrastructure and help desks – and then balk when the cost of such a service is realized.  The justification for the blanket support is that if the application is promoted as being online, it needs to always be available.  Many clients want to respond to help requests when they occur.  However, in my public sector experience anyway, these systems (and the IAM providing protection) are often used for non-critical purposes.  Registering for a program, accessing document stores, even retrieving information needed for business purposes – these types of transactions are rarely critical in nature and tend not to deserve ’round the clock support.

In the private sector, the decision to provide this type of support is strictly a financial one.  The cost of supporting users versus the revenue gained (and the long-term benefit to the brand) can be calculated to justify extended support hours.

IAM systems that support medical systems are perhaps the one type of system that will always require extended support hours, highly available systems and responsive end-to-end architectures.  This is particularly true for systems that support health workers (physicians and nurses) and their access to patient and reference information.  Failing to implement an appropriately high level of service management for the IAM systems used in healthcare can be disastrous.

It will be interesting to see what the new breed of patient-oriented portals choose to provide in the way of redundancy, performance and support services.  These emerging systems are geared to providing patients access to their own health information – data that they can use for education, self-diagnosis or treatment – but it isn’t clear that the portals will need to be highly available.  If they do, the sponsors will need to dig deep to fund their operations.

Service management is key to a sustainable identity management solution and a proper assessment of technology, people and processes is an important part of any IAM review.


Related: Kuppinger Cole have an article on ITIL vs IT Service Management that is worth a read.