With the security benefits and administrative efficiencies of user identity management coming into focus for IT leaders, some experts say those same benefits can be extended to routers, switches, applications, Web services and devices by creating a common interoperable identity model for other nodes on a network.
The thinking is that the two together - the identities of users and things - complete an infrastructure capable of policy-based management and security for the distributed computing environment of the future.
Experts say the goal is to have one place to administer and apply security and management controls, based on a set of policies or permissions that can be applied via identity.
"It's a single point for administering policies, a single infrastructure for enforcing policies and a single infrastructure for storing policies that are applicable to anything that can be named or identified," says James Kobielus, an independent consultant and analyst. "It's about management efficiencies, tighter security and more consistent security across your entire infrastructure."
Users say it's high time the user identity concept was expanded.
"Metadirectories, virtual directories, provisioning systems, access management systems, the Security Assertion Markup Language and a slew of other technologies have been focused on people. Now it's time to address other identities: networks, devices, applications, services and other IT objects that must be managed and secured," says Fred Wettling, chairman of the Network Applications Consortium (NAC), a user group with interoperability at the top of its agenda.
Wettling, who also is the infrastructure architect at engineering, construction and project management firm Bechtel, says his interest is pure selfishness. "I want to make my life easier," he says.
It appears others do, too, including standards bodies and major IT organizations such as Boeing, Lockheed Martin, Chevron/Texaco, GlaxoSmithKline and other high-profile NAC members.
Last month, NAC, the Open Group and the Distributed Management Task Force (DMTF) got together to begin creating a framework that describes a common identifier for things.
Another group is working on the same issue. The Extensible Resource Identifier (XRI) Technical Committee at the Organization for the Advancement of Structured Information Standards (OASIS) has been developing a common identifier for network resources that can be shared across corporate boundaries.
"This identifier thing, it's just like a hitching post," says Marty Schleiff, associate technical fellow and cyberidentity specialist at Boeing. "It is someplace to bring other pieces of information together, to aggregate them. That aggregation then constitutes an identity from the perspective of whatever uses that information such as a device or an application."
Today, there are many identifiers, such as URLs, media access control addresses, IP addresses, digital certificates, secure chips in PCs, phone numbers and Universal Product Code symbols that work in well-defined contexts.
The DMTF also has protocols such as the Common Information Model and the Systems Management Architecture for Server Hardware that use this identity concept in a particular context.
Experts say what's missing is a common framework that would make it possible to share identifiers across systems, applications and company boundaries.
"The goal is interoperability," Bechtel's Wettling says.
He says a simple example is how USB technology works today. A user plugs in a mouse that reveals its identity to the PC, which recognizes it and knows what it can do.
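The "hitching post" idea from Schleiff and the identifier list above can be sketched in code: one canonical record aggregates the context-bound identifiers a device presents (MAC, IP, USB vendor/product ID, certificate fingerprint), and policy is then expressed against that identity rather than against any single address. The example below is added here and is not code from the article or from NAC, DMTF or OASIS; the `urn:example:device:` scheme, the assurance scale, the sample devices and the policy table are all constructed for illustration. It also adds the check a practitioner would want that the article does not spell out: an identifier that is merely asserted (an IP or MAC) resolves the identity but should not by itself unlock high-impact actions.

```python
from dataclasses import dataclass, field

# Assurance of each identifier context (constructed scale for this example):
# asserted, easily copied identifiers score low; a certificate the device
# proves possession of scores high.
ASSURANCE = {"ip": 1, "mac": 1, "usb": 1, "cert-sha256": 3}

# Policy keyed by identity role: action -> minimum assurance of the
# identifier that was used to resolve the identity (constructed sample).
POLICY = {
    "core-switch": {"snmp-read": 1, "ssh-admin": 3},
    "printer": {"ipp-print": 1},
}


@dataclass
class DeviceIdentity:
    """Canonical record: the 'hitching post' aggregating context-bound identifiers."""
    canonical_id: str                                   # hypothetical cross-boundary id
    identifiers: dict = field(default_factory=dict)     # context -> value
    roles: set = field(default_factory=set)


class IdentityRegistry:
    def __init__(self):
        self._by_id = {}    # canonical_id -> DeviceIdentity
        self._index = {}    # (context, normalized value) -> canonical_id

    def register(self, ident):
        # Refuse ambiguous bindings: one identifier must never resolve to two identities.
        for ctx, val in ident.identifiers.items():
            owner = self._index.get((ctx, val.lower()))
            if owner is not None and owner != ident.canonical_id:
                raise ValueError(f"{ctx}={val} is already bound to {owner}")
        self._by_id[ident.canonical_id] = ident
        for ctx, val in ident.identifiers.items():
            self._index[(ctx, val.lower())] = ident.canonical_id

    def resolve(self, context, value):
        """Map any context-specific identifier back to the canonical identity."""
        cid = self._index.get((context, value.lower()))
        return self._by_id.get(cid) if cid is not None else None


def authorize(registry, context, value, action):
    """Decide an action from identity roles, gated by how the identity was proven."""
    ident = registry.resolve(context, value)
    if ident is None:
        return False
    level = ASSURANCE.get(context, 0)
    for role in ident.roles:
        required = POLICY.get(role, {}).get(action)
        if required is not None and level >= required:
            return True
    return False


def build_sample_registry():
    """Constructed sample devices; values are illustrative, not real assets."""
    reg = IdentityRegistry()
    reg.register(DeviceIdentity(
        "urn:example:device:sw-01",
        {"mac": "00:11:22:33:44:55", "ip": "10.0.0.2",
         "cert-sha256": "DEADBEEF" * 8},
        {"core-switch"}))
    reg.register(DeviceIdentity(
        "urn:example:device:prn-07",
        {"mac": "00:11:22:33:44:66", "usb": "vid:03f0 pid:1234"},
        {"printer"}))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(authorize(reg, "ip", "10.0.0.2", "snmp-read"))                # True
    print(authorize(reg, "ip", "10.0.0.2", "ssh-admin"))                # False: IP alone is too weak
    print(authorize(reg, "cert-sha256", "deadbeef" * 8, "ssh-admin"))  # True
```

The registry normalizes identifier values so the same certificate fingerprint or USB ID resolves regardless of case, and it rejects a second identity claiming an identifier already bound elsewhere, which is the kind of conflict a shared, cross-boundary identifier framework has to detect rather than silently overwrite.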