Identity management

Identity management (IdM) is the deliberate and targeted handling of identity, anonymity and pseudonymity. The identity card is an example of a state-prescribed form of identification.

Context

With the networking brought by the Internet, the question of anonymity and of the conscious or unconscious handling of parts of one's identity has reached a new and previously unknown level of complexity. On the Internet, (partial) identities are routinely played with. But there are also serious processes and issues around anonymity and identifiability on the Internet. Identity management systems can be problematic in many respects if it is not clear what happens to the data, which can inadvertently make further identification possible.

In the real world as in the digital one, there are various forms of identity management. According to ISO/IEC JTC 1/SC 27/WG 5 "A framework for IdM", IdM comprises:

  • The identification process of an entity (including optional authentication)
  • The information associated with the identification of an entity within a certain context
  • Secure management of identities
  • Scope (within organizations or across organizations / federated)
  • Life cycle of the identity, from creation through modification, suspension or termination to archiving
  • Media that contain the data (token, card)
  • Systems in which the data is stored (directories, databases, etc.)
  • Linking of roles with duties, responsibilities, privileges and rights to access resources
  • Management and protection of identity information (attributes) that changes over time
  • Allocation and management of the different roles of identities

Requirements for identity management

In computing, identity management deals primarily with the management of user data that is associated with individuals. A person can have multiple identities, while an identity is usually assigned to only one person. An identity is a collection of personal attributes that individualizes the person using that identity.

Example: In an online role-playing game, the person Joe User establishes an identity: King Niels, cruel ruler of the lemming people, with the attributes stupid, strong in combat and stingy. The same person Joe User has a different identity, whose profile is determined by the characteristics: interested in classical music, credit card number 1234 1234 1234 1234, and has already purchased three CDs from an online shop.

Network identities refer to individuals and are therefore usually critical data, because the identity is linked to the person. If the online-shop identity (Alice Evil) could be used by another person, the person in the example above (Joe User) would have the problem that orders placed by the wrong hands run at the expense of the identity's owner.

Multiple identities or accounts are required both in the networked world and in real life, and are widely used. Examples:

  • Driver's license (including the name of the owner, photo, vehicle class)
  • Bank customer (with account number, account balance, name and credit rating)
  • Customer card at the gas station (with customer name, customer number and points score)
  • Frequent flyer account (customer name, number, status and points score)

A main identity can be assumed for each entity; it is defined by the totality of all attributes associated with it. These attributes can be known to the entity (name) or unknown, permanent (DNA) or variable (software version, hair color).

Misuse of identities (usually to the detriment of the actual owner) is referred to as identity theft.

The management of identities occurs mainly at the IT level, since far more accounts are assigned to a person there than in real life. Especially in business, consolidating a person's various accounts (mail, operating system, ERP access, Internet access, etc.) is a significant task.

Why identity management?

One reason companies engage in identity management is the requirement to keep personal data consistent, always available and reliable. Services such as a mail system or payroll accounting rely on this data; without it, individualized operation would not be possible.

Example: An employee has a mail account that is assigned only to him. For this he needs an individual email address, a so-called account, with the appropriate password. This data is intended only for him and not for the general public.

Counter-example: A company presentation is the same for all employees and requires no customization.

Many such individualized services now have their own master data records for persons: the mail server has a configuration file listing all participating mail users, payroll accounting has its own master database. Matching this data with that of all the other services was a high administrative challenge: if, for example, an employee changed her name on marriage, adjustments had to be made in all the systems involved.

In the nineties, the first step towards harmonizing this data was the introduction of a directory service. This collected personal data and made it available, for example, via a standardized procedure (see LDAP).

It was then recognized, however, that many, but by no means all, services could be gathered under such a directory. Especially in human resources, it proved extremely critical to hand personal data over to such a directory. Such services kept their own data and could not be synchronized with directories.

With the advent of identity management, these barriers were breached for the first time: the personal databases could retain control over their data, but data changes such as a name change were now transmitted via synchronization mechanisms to all other participating systems.

Identity management in companies

The larger a company is, the more identities and permissions need to be managed. For this, so-called identity management architectures are used. These are software components that manage identities and their access rights.

The concept of identity management in the software environment has no well-defined set of functions. For example, simple systems focus exclusively on the synchronization of personal data, while more comprehensive architectures also include workflow processes that implement a hierarchical model of approval by superiors for data changes.

An identity management architecture should have a provisioning module that automatically supplies users with individual permissions based on their respective roles (and responsibilities) in the organization. Here, however, the question already arises of how far identity management, beyond the exclusive management of personal data, aims to integrate application functionality (e.g. the "quota" on a mail server is not personal data but application information).

Identity management in an enterprise has many interfaces to so-called access management, which manages access rights (for example to portals), enables single sign-on (SSO) or manages security policies. For the combination of identity management and access management, the term "Identity and Access Management" (IAM or IdAM) has therefore been coined in information technology.

An identity management architecture can have numerous components. The common base is the directory service, which stores the personal data of employees that is queried most frequently and by most systems (name, email address, phone number, etc.). This directory service can be either a metadirectory or simply a dedicated directory service for such a security architecture. Other components may be: NDS or eDirectory, SAP systems, Active Directory, application-specific databases. All these systems store personal data, which is reconciled via identity management. The actual identity management software operates as a broker between all these components and usually runs as a process on dedicated hardware/software (e.g. as an application within an application server). This software is called the metadirectory.

This also makes the functioning of provisioning clear: via the metadirectory, user data and rights are distributed to all connected systems (in the best case, all systems used in the company). Identity management can thus be centralized.
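As an added example (not code from the article), the following Python toy metadirectory derives the accounts each connected system should hold from an identity's roles and computes the provisioning actions needed to bring those systems in line; it also shows the name-change propagation and the leaver case from the lifecycle discussed above. The system names, the role model and the attribute names are assumptions.

```python
from dataclasses import dataclass

# Assumed role model: which connected systems a role entitles a person to.
ROLE_SYSTEMS = {
    "employee": {"mail", "os"},   # every employee gets mail and an OS login
    "finance": {"erp"},           # finance staff additionally get ERP access
}

@dataclass
class Identity:
    """Authoritative record held in the metadirectory (attributes assumed)."""
    uid: str
    display_name: str
    roles: set
    active: bool = True           # False once the identity is terminated

def desired_state(identity):
    """Accounts the identity should hold in each connected system."""
    if not identity.active:
        return {}                 # a leaver holds no accounts anywhere
    systems = set().union(*(ROLE_SYSTEMS.get(r, set()) for r in identity.roles))
    return {s: {"uid": identity.uid, "display_name": identity.display_name}
            for s in systems}

def reconcile(identity, connected):
    """Compare desired with actual accounts and return provisioning actions.

    connected maps system name -> {uid: attributes} as currently stored there.
    """
    wanted = desired_state(identity)
    actions = []
    for system, accounts in connected.items():
        have = accounts.get(identity.uid)
        want = wanted.get(system)
        if want is not None and have is None:
            actions.append(("create", system))     # joiner or newly granted role
        elif want is not None and have != want:
            actions.append(("update", system))     # e.g. name change after marriage
        elif want is None and have is not None:
            actions.append(("disable", system))    # leaver or role removed
    return actions

def apply_actions(identity, connected, actions):
    """Push the computed actions into the connected systems (in-memory stand-in)."""
    wanted = desired_state(identity)
    for action, system in actions:
        if action == "disable":
            del connected[system][identity.uid]
        else:
            connected[system][identity.uid] = wanted[system]
    return connected
```

A real metadirectory would replace the in-memory dictionaries with connectors to LDAP, the mail server, the ERP system and so on, but the reconcile step is the same.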

Other possible functions:

  • Federated identity management, which deals with the provision and use of identities across corporate boundaries
  • Password synchronization, so that a user needs only one password for all connected systems
  • User self-service, with which a user can recover, reset or change a password for a system. Integrated solutions achieve this via a web front-end. Good solutions can synchronize password changes between the systems directly, regardless of where the user changed the password.

Identity management on the World Wide Web

The development of interactive technologies has created great interest in mapping social relationships on the Internet (see also social software). In this context, there are a variety of efforts to develop an "identity layer" as a further protocol layer for the Internet. The objective is to obtain reasonable assurance about the identity of an online communication partner without having to disclose an unnecessary amount of personal data at the same time. The initiatives range from the vCard microformat, through services such as ClaimID that assign a collection of web pages to specific individuals, to Microsoft's more comprehensive architecture.

In this context, criticism has arisen of the narrowing of the identity concept, which in psychology and sociology means much more than the technical management of discrete properties of accounts. Bob Blakley, former Chief Privacy and Security Architect for IBM Tivoli software and now at the Burton Group, sees this as a general symbol of the bureaucratization of the life-world:

"The West conducted a nuanced discussion of identity for centuries, until the industrial state decided identity was a number you were assigned by a government computer"

Dick Hardt presented a concept of identity management in web applications pictorially in his talk "Identity Management 2.0". The aim is to change the concept from "the platform knows my identity" to "I identify myself to the platform", i.e. to separate authorization spatially and temporally, analogous to identification with non-digital identity documents.

EU research projects

As part of the 6th Framework Programme (FP6) 2002-2007, PRIME (Privacy and Identity Management for Europe), a research project on identity management, was started in 2004 and funded with 10 million euros in order to resolve outstanding issues and promote technologies in the European Union that are also required by data protection law. In Germany, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD) is the contact for the project, in which well-known persons from research and industry collaborate. The Internet standardization consortium W3C is also involved as a subcontractor of the ULD.

Another EU FP6 research project was also launched in 2004: FIDIS (Future of Identity in the Information Society). In this project, a so-called "Network of Excellence", a forum of experts, is to be established, which currently consists of 24 partners operating in Europe. It is led in Germany by the University of Frankfurt.

Ahead of the two projects, the European Commission had the study "Identity Management System (IMS): Identification and Comparison Study" prepared.

With the launch of the 7th Research Framework Programme 2007-2013, further projects on identity management were started. PICOS studied and developed a contemporary platform for identity management in mobile communities. PrimeLife developed various technologies that enable individuals, in view of the increasing risks of the information society, to protect their autonomy and retain control over their personal data regardless of their activities. SWIFT uses identity as a key technology for the integration of services and transport infrastructure, and aims to extend identity management into the network infrastructure.
