Complexity is the name of the game in today’s high-volume identity environments.
“For larger organizations and in customer-facing environments, the quantity and size of datasets are increasing along with performance expectations and data diversity,” notes Gartner analyst Kevin Kampman in his recent report, “The Role of Virtual Directory and Synchronization Services in Large-Scale Identity Deployments.”
And nowhere are these trends more evident than in the government agencies tasked with securing the nation and serving its citizens.
Like any identity-heavy enterprise with critical security and privacy demands, government entities need to manage and maintain complex heterogeneous environments with disparate identity sources and multiple applications.
Such organizations are facing the same issues around managing constituent, employee, and contractor data as any enterprise, but often in greater volumes. In fact, as Kampman also points out in his report: “national, state, agency, consumer and constituent data can easily match or exceed the data about the associate population of a major business.”
Within a federation of such data-driven agencies, volumes can grow to epic proportions. Radiant Logic CEO Michel Prompt recently shared an example: “Our virtual directory technology was used to connect users from across all the military branches, and what made that deployment interesting was the numbers the identity team was dealing with. This organization has huge amounts of data, finite limits on how much data it can move at a time, and data from different locations has to be normalized to a common perspective. The scale is immense.”
Expanding View of Identity
Everything begins with identity: the username and password that confirms that a person is who they claim to be and the attributes that fill in the picture, enabling access to resources.
But every organization – and every different type of data store – has its own authoritative naming system, and that leads to costly complexity when dealing with multiple identity stores within an organization or federating identity across multiple organizations.
Originally designed for local administration, identity and application stores now hold mission-critical data that cannot be easily consumed by the solutions that require it – and those solutions are becoming as complex as the identity infrastructures that must support them.
According to the Kampman report, “The growth of applications and services in the cloud, the emergence of identity providers, and stronger relationships between communications subscribers and vendors has placed significant emphasis on identity information.”
Because each application contains its own separate list of users, identities are locked inside these silos, divided by distinct protocols and identity representations. To perform secure authentication and authorization, applications want to look to one standards-based directory. However, with multiple user stores belonging to a myriad of applications, identities are scattered across disparate user lists – each with its own access protocols, policies, and security mechanisms.
And for the government sector, the stakes could not be higher. Defense and intelligence agencies must enable – and protect – GPS-driven information exchange that spans the globe in real time. Such organizations are not just dealing with connections from identity to identity or identity to application; they may be linking weapons system to weapons system, where each second-by-second decision has life-and-death implications.
The privacy and security demands of government at all levels make it imperative that organizations know who they’re dealing with, from the initial vetting and on-boarding process to the trust frameworks that enable the sharing of identity information across agencies. Security can mean the physical badge an employee or contractor uses to gain access to buildings, but at the root level, it’s all about the attributes that determine whether an individual can open applications or access classified resources.
These attributes need to come from authoritative sources, which may be scattered across an agency – or even held within another agency. These days, no single source is authoritative for everything, even within an organization. And as agencies scale out to large federations, every environment is becoming increasingly distributed.
Because identity is often managed across multiple agencies, trust relationships between those agencies must be established so that attributes can be gathered and asserted across agencies for authentication and authorization. Within federations, the identity provider must be able to package a diverse, distributed set of information in a way that is consumable by the relying party.
As Kampman says, “You have to think about how you’re publishing information from your environment and also consuming it from others. What does your identity storefront look like? Are you packaging your information properly to meet the authentication and authorization requirements of that particular relying party?”
Advanced Directory that Syncs, Scales, and Caches
So how can identity teams in the government sector deal with all these issues? In his report, Kampman says: “A virtual directory plus a cache is optimal for many high-performance, high-volume situations.”
With identity virtualization, the speed of the underlying source is never an issue. Virtualization creates one global LDAP list of identities from across all data stores that the client application can query. And, because it’s stored in a persistent cache, one lookup in the global list immediately returns the results, while backends are shielded from excessive queries, and even the slowest database can be reached at the speed of a directory.
Extra performance becomes especially important when enriching identity profiles by joining identity attributes from across multiple sources. As Kampman concludes in his report, “The use of a cache with a virtual directory may be required as performance expectations grow. An example of this might include aggregating profile information across dissimilar repositories or where the performance or availability of the source repositories isn’t sufficient.”
Effective joins give a complete view of each identity, which is essential not only to ensure security, but also for gathering the most information about each user.
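To make the virtual-directory-plus-cache pattern from the paragraphs above concrete, here is an added illustration (not Radiant Logic's product code): two constructed backends, an LDAP-style HR store and a SQL-style contractor table, are joined on a correlation key (assumed here to be the mail address) into one normalized entry, and a TTL cache answers repeat lookups so the backends see one query each instead of one per client request.

```python
import time

# Constructed sample backends with different native keys and attribute names.
HR_LDAP = {
    "uid=jdoe,ou=people,dc=agency,dc=example": {
        "uid": "jdoe", "mail": "jdoe@agency.example", "clearance": "secret"},
}
CONTRACTOR_SQL = [
    {"email": "jdoe@agency.example", "badge_id": "C-1234", "contract_end": "2025-12-31"},
]


class VirtualDirectory:
    """Joins attributes across stores on a correlation key and caches the joined view.
    Assumption: the HR entry's mail attribute correlates with the SQL email column."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.cache = {}                              # uid -> {"entry": ..., "ts": ...}
        self.backend_hits = {"ldap": 0, "sql": 0}    # counts queries reaching each backend

    def _ldap_lookup(self, uid):
        self.backend_hits["ldap"] += 1
        return next((e for e in HR_LDAP.values() if e["uid"] == uid), None)

    def _sql_lookup(self, email):
        self.backend_hits["sql"] += 1
        return next((r for r in CONTRACTOR_SQL if r["email"] == email), None)

    def lookup(self, uid, now=None):
        """Return the joined, normalized entry for uid; serve from cache while fresh."""
        now = time.time() if now is None else now
        hit = self.cache.get(uid)
        if hit and now - hit["ts"] < self.ttl:
            return hit["entry"]                      # backends are shielded from this call
        base = self._ldap_lookup(uid)
        if base is None:
            return None                              # unknown identity: nothing to join
        joined = dict(base)
        extra = self._sql_lookup(base["mail"])
        if extra:
            # Normalize to the common view: drop the join key, keep enriching attributes.
            joined.update({k: v for k, v in extra.items() if k != "email"})
        self.cache[uid] = {"entry": joined, "ts": now}
        return joined


if __name__ == "__main__":
    vd = VirtualDirectory()
    print(vd.lookup("jdoe"))
    print(vd.lookup("jdoe"), vd.backend_hits)      # second call answered from cache
```

Expired cache entries are refreshed transparently on the next lookup, which is the point at which a stale attribute such as a contract end date or clearance would be re-read from the authoritative source.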
What’s Next: Federated Identity and FICAM Roadmap
Although government entities at every level are dealing with many of these challenges, the federal government is trying to deal with the fragmentation and complexity with a new government-wide initiative. The Federal Identity, Credential, and Access Management (FICAM) roadmap provides agencies with architecture and implementation guidelines to meet the identity, credential, and access management challenges they face every day.
As part of the roadmap, FICAM introduced the Authoritative Attribute Exchange Service (AAES) as the means of securely sharing authoritative identity attributes within an agency. According to the guidelines, the AAES: “…enables agencies to connect various authoritative data sources and share identity and other attributes within the shared enterprise infrastructure.” (page 219)
According to Prompt, “A federated identity system based on virtualization sits above all your diverse data stores, regardless of format or schema, and pulls them into a coherent whole. With a smart caching system and seamless joining of data from across silos, a virtualization package can augment your data sources – open source or proprietary, LDAP, AD, SQL, or otherwise – and unify them into the ideal authentication and authorization attribute server.”
With this model-driven approach, agencies can securely share credential and identity information throughout the federated infrastructure. This complete identity service aggregates and correlates identities across systems – from both ICAM agencies and their contractors – to provide a single authoritative source of digital identity, without the need for heavy customizations or hard-coded synchronizations.
“Radiant is leading the use of an identity service based on virtual directory technology in the government sector,” Prompt continues, “by creating a complete federated identity service, enabling the new Authoritative Attribute Exchange Service, so government entities can better share secured identity attributes across the infrastructure.”
Anne Garwood is a technology writer and editorial director at Radiant Logic.