Identity management

from Wikipedia, the free encyclopedia

Identity management (IdM) denotes the purposeful and deliberate handling of identity, anonymity and pseudonymity. The identity card is an example of a form of identification prescribed by the state.


Networking via the Internet has raised the question of deliberate anonymity and the deliberate handling of parts of one's own identity to a new and previously unknown level of complexity. (Partial) identities are routinely acted out on the Internet. At the same time there are serious processes and questions of anonymity and identifiability on the Internet. In many respects, identity management systems can be problematic when it is unclear what happens to the data, which may inadvertently lead to further identification.

There are various forms of identity management in the real as well as the digital world. According to ISO/IEC JTC 1/SC 27/WG 5, A framework for IdM, IdM comprises:

  • the identification process of an entity (including optional authentication)
  • the information associated with the identification of an entity within a given context
  • the secure management of identities.

An entity can be anything that can be unambiguously identified as such (person, animal, device, object, group, organization, etc.). Entities can have multiple identities that are used in different contexts. According to the definition in ITU-T Recommendation X.1252 (ITU: International Telecommunication Union; ITU-T: Telecommunication Standardization Sector of the ITU), IdM is understood as the management of the attributes of an entity (e.g. customer, device or provider). In this sense, managing digital identities is not meant to validate persons (IdM-GSI).

The following topics are relevant in the context of digital identity management:

  • Scope (within an organization or across organizations, i.e. federated)
  • Identity lifecycle from creation through modification and suspension to termination or archiving
  • Media containing the data ( tokens , cards)
  • Systems in which the data is stored (directories, databases, etc.)
  • Linking roles with duties, responsibilities, privileges and access rights to resources
  • Management and protection of information (attributes) of the identity that change over time
  • Assignment and management of the various roles of identities

Identity Management Requirements

In data processing, identity management is primarily concerned with managing user data that is assigned to individual persons. A person can have several identities, whereas an identity can usually be assigned to only one person. An identity is a collection of personal attributes that individualizes the person using it.

Example: In an online role-playing game, the person Joe User establishes an identity: King Niels, cruel ruler of the Lemmings, with the attributes stupid, strong fighter and stingy. The same person Joe User has a different identity at an online shop, whose profile consists of the characteristics interested in classical music, credit card number 1234 1234 1234 1234 and has already bought 3 CDs.

Network identities belong to people and are therefore usually sensitive data, because the identity is linked to the person. If the online-shop identity in the example above were used by another person (Alice Evil), the owner (Joe User) would face the problem of orders being placed at his expense and delivered into the wrong hands.

Multiple identities or accounts are necessary both in the networked world and in everyday life, and are widely used. Examples:

  • Driver's license (with name of the owner, picture, vehicle class)
  • Customer at the bank (with account number, account balance, name and credit rating)
  • Customer card at the gas station (with customer name, customer number and point balance)
  • Frequent flyer account (with customer name, number, status and score)

One can assume a main identity for each entity, defined by the totality of all attributes assigned to it. These attributes can be known to the entity (name) or unknown, permanent (DNA) or changeable (software version, hair colour).

Misuse of identities (usually to the detriment of the actual owner) is known as identity theft .

Identities are managed primarily at the IT level, since far more accounts have to be assigned to a person there than in real life. In companies in particular, consolidating a person's various accounts (mail, operating system, ERP access, Internet access, etc.) is no small task.

Why Identity Management?

One reason for engaging in identity management is the requirement that personal data be kept consistent, constantly available and reliable. Services such as a mail system or payroll depend on this data; without it, no individualized operation would be possible.

Example: An employee has a mail account assigned only to him. For this he needs an individual e-mail address and an account with a corresponding password. This data is intended only for him and not for the general public.

Counterexample: A company presentation is the same for all employees and requires no individualization.

Many such individualized services keep their own master data for persons: the mail server has a configuration file listing all mail users, payroll has its own master database. Reconciling these and the multitude of other services with their data was a major administrative challenge: if, for example, an employee's name changed through marriage, adjustments had to be made in every system involved.

In the 1990s, the first step towards standardizing this data was the introduction of directory services. These collected personal data and made it available through a standardized protocol (see LDAP).

It was soon recognized, however, that many, but by no means all, services could be brought under such a directory. In human resources in particular, handing personal data over to such a directory proved highly sensitive. Such services kept their own data and could not be synchronized with directories.

With the advent of identity management these barriers were overcome for the first time: the personal databases retained authority over their data, but changes such as a new name were transmitted to the identity management system via synchronization mechanisms, which in turn propagated the change to all other connected systems.

Corporate identity management

The larger a company, the more identities and permissions have to be managed. So-called identity management architectures are used for this: a combination of manual, automated, organizational and technical measures to ensure appropriate authorizations within the company and thus avoid conflicts of interest. Software components that manage identities and their access rights are commonly used.

In the software context, the term identity management does not denote a precisely defined range of functions. Simple systems, for example, focus exclusively on synchronizing personal data, while more comprehensive architectures incorporate workflow processes with a hierarchical approval model by supervisors for implementing data changes.

An identity management architecture should have a provisioning module that automatically assigns individual authorizations to users based on their roles (and tasks) in the organization. The question here is how far identity management should integrate application functionality beyond the mere management of personal data (e.g. the quota on a mail server is not personal data but application information).

Identity management in a company has many interfaces to so-called access management, which for example manages access rights for portals, enables single sign-on (SSO) or administers security policies. The term identity and access management (IAM or IdAM) has since been coined in IT for the combination of identity management and access management.

The components of an identity management architecture can be diverse. The common basis is the directory service, which stores the personal data of employees that are queried most often and by most systems (name, e-mail address, telephone number, etc.); this is referred to as a metadirectory. If instead it is a dedicated directory service for the security architecture that holds only the IDs (identifiers) and a few other attributes and fetches the rest from the connected systems on demand, the system is referred to as a virtual directory. Products from various vendors are used for this: NDS, eDirectory, SAP systems, Active Directory. Data sources such as application-specific databases, e-mail systems and HR software are also accessed.

These components are divided into source and target systems, although combinations of both exist, such as e-mail systems. All of these systems hold personal data, which identity management reconciles between them. The identity management software itself acts as a broker between all these components and usually runs as a process on dedicated hardware or software (e.g. as an application within an application server). This software is known as an identity management system.

This is where provisioning comes into play: the meta/virtual directory distributes user data and rights to all connected systems (ideally every system used in the company). In this way identity management can be centralized.

Other possible functions:

  • Federated identity management, which deals with providing and using identities across company boundaries
  • Password synchronization, so that a user needs only a single password across all connected systems
  • Approval workflows for rights and roles embedded in the corporate structure (departments, management hierarchies)
  • A basis for a PKI, which can be built on an IAM system with sufficiently high data quality
  • User self-service, with which a user can recover, reset or change a password for a system. Common solutions implement this via a web front end. Good solutions can synchronize password changes directly between systems, regardless of where the user changed the password.
  • Administration and control of privileged user accounts that, owing to application design decisions, violate the applicable rules on separation of duties. These are, for example, root accounts.
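The broker, provisioning and separation-of-duties points above, together with the name-change synchronization problem described earlier, can be made concrete in a few dozen lines. The following Python sketch is an added illustration, not code from the article or from any product it names: a single authoritative identity record keyed by a stable employee ID (never by the mutable name), a role-to-entitlement table from which all rights in the connected systems are derived, a rule that rejects conflicting role combinations before anything is written, and lifecycle events (join, rename, role change, suspend, terminate) pushed to every target. The role names, target systems, entitlements and the conflict rule are assumed for the example.

```python
"""Minimal identity-management broker: roles drive entitlements, lifecycle
events are propagated to connected target systems, and conflicting roles
are rejected. Added illustration; all names and mappings are assumed."""
from dataclasses import dataclass, field

# Assumed role -> (target system, right) mapping. The organization assigns
# roles to a person; individual rights are only ever derived from roles.
ROLE_ENTITLEMENTS = {
    "employee": {("mail", "mailbox"), ("directory", "read")},
    "accounting": {("erp", "post_invoice")},
    "accounting_approval": {("erp", "approve_payment")},
    "admin": {("directory", "write")},
}

# Assumed separation-of-duties rule: nobody may both post and approve payments.
SOD_CONFLICTS = [frozenset({"accounting", "accounting_approval"})]


def has_sod_conflict(roles):
    """True if the role set contains a forbidden combination."""
    roles = set(roles)
    return any(pair <= roles for pair in SOD_CONFLICTS)


@dataclass
class Identity:
    employee_id: str               # stable join key shared by all systems
    name: str                      # mutable attribute (marriage, corrections)
    roles: set = field(default_factory=set)
    status: str = "active"         # active | suspended | terminated


class TargetSystem:
    """A connected system (mail, directory, ERP) fed by the broker."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}         # employee_id -> account record

    def apply(self, ident, rights):
        if ident.status == "terminated":
            # Deprovision: the account and every right go together.
            self.accounts.pop(ident.employee_id, None)
            return
        self.accounts[ident.employee_id] = {
            "name": ident.name,
            "rights": set(rights),
            "enabled": ident.status == "active",
        }


class IdentityBroker:
    """Holds the authoritative identity record and pushes every change to
    all targets, matched on employee_id rather than on the name."""

    def __init__(self, targets):
        self.identities = {}
        self.targets = {t.name: t for t in targets}

    def _validate_roles(self, roles):
        unknown = roles - set(ROLE_ENTITLEMENTS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        if has_sod_conflict(roles):
            raise ValueError(f"separation-of-duties conflict in {sorted(roles)}")

    def _provision(self, ident):
        # Recompute each system's rights from the roles; nothing is granted ad hoc.
        rights = {name: set() for name in self.targets}
        for role in ident.roles:
            for system, right in ROLE_ENTITLEMENTS[role]:
                rights[system].add(right)
        for name, target in self.targets.items():
            target.apply(ident, rights[name])

    def join(self, employee_id, name, roles):
        roles = set(roles)
        self._validate_roles(roles)
        ident = Identity(employee_id, name, roles)
        self.identities[employee_id] = ident
        self._provision(ident)
        return ident

    def rename(self, employee_id, new_name):
        ident = self.identities[employee_id]
        ident.name = new_name      # only the attribute changes; the key stays
        self._provision(ident)
        return ident

    def change_roles(self, employee_id, roles):
        roles = set(roles)
        self._validate_roles(roles)  # rejected before any target is touched
        ident = self.identities[employee_id]
        ident.roles = roles
        self._provision(ident)
        return ident

    def set_status(self, employee_id, status):
        ident = self.identities[employee_id]
        ident.status = status
        self._provision(ident)
        return ident


if __name__ == "__main__":
    broker = IdentityBroker([TargetSystem("mail"), TargetSystem("directory"),
                             TargetSystem("erp")])
    broker.join("1001", "Joe User", ["employee", "accounting"])
    broker.rename("1001", "Joe Married")
    broker.set_status("1001", "terminated")
    print({n: t.accounts for n, t in broker.targets.items()})
```

Two design points carry the security value: the join key across systems is the employee ID, so a name change is a plain attribute update and cannot create a second, orphaned account; and a role change is validated against the conflict rule before it is written anywhere, so a partial update can never leave a target with a forbidden combination.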

Identity management on the World Wide Web

The development of interactive technologies has generated great interest in mapping social relationships on the Internet (see also social software). In this context there are a number of efforts to develop an "identity layer" as an additional protocol layer for the Internet. The aim is to obtain adequate assurance about the identity of the online communication partner without having to exchange an unnecessarily large amount of personal data. The spectrum of initiatives ranges from the vCard microformat to services such as ClaimID, which assign a collection of websites to specific persons, to Microsoft's comprehensive architecture.

In this context, criticism has also been raised of the narrowing of the concept of identity, which in psychology and sociology means far more than the administration of discrete properties of technically implemented accounts. Bob Blakley, formerly Chief Privacy and Security Architect at IBM Tivoli Software and now with the Burton Group, sees this as a general sign of the bureaucratization of the living environment:

"The West conducted a nuanced discussion of identity for centuries, until the industrial state decided that identity was a number you were assigned by a government computer"

A concept of identity management in web applications was illustrated by Dick Hardt in his presentation "Identity Management 2.0". The aim is to change the model from "the platform knows the identity" to "I identify myself to the platform", i.e. to separate authorization from identification in space and time, analogous to non-digital identification documents.
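As an added illustration of the "I identify myself to the platform" model and of the identity-layer goal of revealing no more personal data than necessary, not code from Hardt's presentation or from any of the initiatives named above, the following Python sketch lets an issuer sign only salted digests of a user's claims, lets the user present the credential with just the claims a relying party needs, and lets the relying party verify them without contacting the issuer. The issuer key, issuer name and sample claims are constructed for the example; the HMAC, keyed with a secret assumed to be shared between issuer and relying party, stands in for the asymmetric signature a real federation (SAML, OpenID Connect, SD-JWT) would use.

```python
"""Holder-presented credential with selective disclosure: the issuer signs
only salted digests of the claims, the user decides which claims to reveal,
and the relying party verifies offline. Added illustration; the HMAC over an
assumed shared key stands in for a real issuer signature."""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed demo key"   # assumed; never ship a constant key


def _canon(obj):
    """Deterministic JSON so issuer and verifier hash identical bytes."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _claim_digest(salt, name, value):
    # The random salt stops a verifier from guessing undisclosed claims
    # (e.g. brute-forcing "over_18": true) from their digests.
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


def issue(claims, key=ISSUER_KEY):
    """Issuer side. Returns (credential, disclosures); only the user keeps
    the disclosures, and the credential itself reveals no claim values."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = [salt, value]
        digests.append(_claim_digest(salt, name, value))
    digests.sort()   # sorted so position does not leak which claim is which
    body = _canon({"iss": "example-idp", "digests": digests})
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": sig}, disclosures


def present(credential, disclosures, reveal):
    """Holder side: identify yourself to the platform with only the claims
    the platform actually needs."""
    return {"credential": credential,
            "disclosed": {name: disclosures[name] for name in reveal}}


def verify(presentation, key=ISSUER_KEY):
    """Relying-party side. Returns the verified claims, or None if the
    signature fails or any disclosed claim was not signed by the issuer."""
    cred = presentation["credential"]
    expected = hmac.new(key, cred["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    signed = set(json.loads(cred["body"])["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in signed:
            return None          # altered or fabricated claim
        verified[name] = value
    return verified


if __name__ == "__main__":
    cred, disc = issue({"name": "Joe User", "birth_year": 1980,
                        "over_18": True, "card": "1234 1234 1234 1234"})
    print(verify(present(cred, disc, ["over_18"])))
```

The shop in the earlier example needs to know that the customer is an adult, not the birth year, the name or anything else the issuer attested; the credential carries only digests, and the salt per claim means the relying party cannot recover an undisclosed low-entropy claim by guessing.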

Enterprise Identity and Access Management reference model

The reference model consists of seven modules which, taken by themselves, have only a descriptive role and offer no functionality of their own:

  1. Policies & workflows (policies and workflows, i.e. work processes, form the basis for a regulated work process, because they create the preconditions for starting or continuing processes at all)
  2. Repository management (repository management has the task of centrally storing and managing the information in an EIAM that can be of use to entities in a network. This enables a single digital identity per user or entity)
  3. Life cycle management (the life cycle shows the steps necessary to integrate and manage entities via digital identities in an EIAM system, up to their deletion)
  4. Access management (access management covers decisions on access based on user identities, roles and access rights)
  5. Information protection (information protection should always adequately protect a company's information against attacks)
  6. Federation (federation enables the secure exchange of identity or authentication information about digital identities between different entities or organizations, based on a previously established trust relationship)
  7. Compliance & audit (compliance, i.e. conformity with regulations and the law, promotes the stability of a company's infrastructure; compliance serves to ensure adherence to the rules, while an audit verifies it)

EU research projects

As part of the 6th Research Framework Programme (FP6, 2002 to 2007), the European Union started a research project on identity management in 2004, PRIME (Privacy and Identity Management for Europe), funding it with 10 million euros to clarify open questions and technologies that also comply with data protection law. In Germany, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD) is the contact for the project, in which well-known people from research and industry collaborate. The Internet standardization consortium W3C is also involved as a subcontractor of the ULD.

Another EU FP6 research project also started in 2004: FIDIS (Future of Identity in the Information Society). In this project an expert forum is to be set up as a "Network of Excellence", which currently consists of 24 partners operating in Europe. The University of Frankfurt leads the German participation.

In the run-up to the two projects, the European Commission commissioned the study "Identity Management Systems (IMS): Identification and Comparison Study".

With the start of the 7th Research Framework Programme (2007 to 2013), further projects on identity management began. PICOS investigates and develops a contemporary platform for identity management in mobile communities. PrimeLife develops technologies that enable individuals, in view of the growing risks of the information society, to protect their autonomy and retain control over their personal data regardless of their activities. SWIFT uses identity technologies as the key to integrating service and transport infrastructures and aims to extend identity management into the network infrastructure.

Literature

  • Sebastian Rieger: Uniform authentication in heterogeneous IT structures for a secure e-science environment . 1st edition. Cuvillier, Göttingen 2007, ISBN 3-86727-329-4 (dissertation).
  • Norbert Pohlmann: Cyber Security: The textbook for concepts, principles, mechanisms, architectures and properties of cyber security systems in digitization. Springer Vieweg, September 2019, ISBN 978-3-658-25397-4, pp. 213-240.

Individual evidence

  • ITU-T Recommendation X.1252: Baseline identity management terms and definitions. Retrieved February 22, 2011.
  • Norbert Pohlmann: Cyber Security: The textbook for concepts, principles, mechanisms, architectures and properties of cyber security systems in digitization. Springer Vieweg, 2019, ISBN 3-658-25397-5, pp. 213-240.
  • Sixth Framework Programme. Retrieved February 22, 2011.
  • Geographical location of the company. Retrieved February 22, 2011.
  • Seventh Framework Programme (FP7). Retrieved February 22, 2011.