Guidelines for Identity Management Implementation
Computerworld
Last month, we talked about an approach to identity management that would produce not only secure, consistent access to appropriate information, but business advantage as well. However, technology isn't perfect, and applications don't yet integrate easily in a standardized, secure fashion. So the most important task in implementing identity management is to map the interactions that more or less correspond to the interfaces among applications.
Instead of building additional layers of functionality and complexity, one should strive to define a strategic architecture for applications and infrastructure. This presents opportunities to simplify infrastructure, reducing long-term costs. It also greatly simplifies application integration and Web services projects. To that end, we've found the following guidelines helpful for customers designing and implementing an architecture for identity management -- regardless of operating system.
Architecture Guidelines
The overarching goal for identity management is to create a single, unambiguous identity for every security principal. This identity should be one that can be processed by a directory's native security system. Identifiers that make sense for humans but not for computers -- such as Social Security numbers or employee IDs -- must be translated to a security identifier (such as a SID or UID), which adds complexity and risk. Avoid such translation where possible.
Store this unambiguous identity in a single directory that includes a flexible security mechanism. Directory synchronization and Lightweight Directory Access Protocol directories don't incorporate security mechanisms.
Don't try to make one identity/security integration tool fit all applications or scenarios. Use the best available option to integrate each application with the identity/security information and ensure secure, seamless operation with the shared infrastructure. Link each application's identity information with the common directory. Link authentication and authorization frameworks for direct resource access, through access control lists or role-based access control.
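As an added illustration of the two guidelines above (constructed example code, not from the article or any vendor), the model below keeps one immutable directory-native UID per principal, has an application store only that UID and delegate role-based authorization to the directory, and shows why a lookup keyed on a reissuable human-readable employee ID is ambiguous. The `Directory`, `PayrollApp` and the sample employee IDs are all assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    uid: int            # directory-native security identifier, never reused
    employee_id: str    # human-readable ID; HR systems may reissue these
    roles: frozenset    # RBAC roles held by this single identity

class Directory:
    """The single directory holding one unambiguous identity per principal."""
    def __init__(self):
        self._principals = {}          # uid -> Principal
        self._next_uid = 1000          # constructed: simple monotonic allocator

    def create(self, employee_id, roles):
        uid, self._next_uid = self._next_uid, self._next_uid + 1
        self._principals[uid] = Principal(uid, employee_id, frozenset(roles))
        return self._principals[uid]

    def disable(self, uid):
        # Leaver: keep the UID reserved (no reuse) but strip every role.
        p = self._principals[uid]
        self._principals[uid] = Principal(uid, p.employee_id, frozenset())

    def by_uid(self, uid):
        return self._principals[uid]   # exactly one match, or KeyError

    def by_employee_id(self, employee_id):
        # The translation step the guideline warns about: 0..n matches.
        return [p for p in self._principals.values() if p.employee_id == employee_id]

class PayrollApp:
    """Application linked to the directory by UID; it holds no identity of its own."""
    def __init__(self, directory, acl):
        self._dir = directory
        self._acl = acl                # resource -> set of roles permitted

    def authorize(self, uid, resource):
        held = self._dir.by_uid(uid).roles
        return bool(held & self._acl.get(resource, set()))

def demo():
    d = Directory()
    alice = d.create("E100", {"payroll-admin"})
    d.disable(alice.uid)               # Alice leaves; HR later reissues E100
    bob = d.create("E100", {"staff"})
    app = PayrollApp(d, {"/payroll/run": {"payroll-admin"}})
    return {
        "matches_for_E100": len(d.by_employee_id("E100")),   # ambiguous: 2
        "alice_runs_payroll": app.authorize(alice.uid, "/payroll/run"),
        "bob_runs_payroll": app.authorize(bob.uid, "/payroll/run"),
    }
```

Keying the application on the UID means the disabled leaver and the new holder of E100 are authorized independently, which an employee-ID keyed lookup could not guarantee.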
Build a prioritized list of available integration technologies, based on the interfaces supported by your applications to be integrated. For example, for mainframe applications, find an application to integrate the directory with mainframe security systems such as RACF, ACF2 or Top Secret.
Don't overlook any existing interface or capability supported by a given application. Many common off-the-shelf applications, such as those from SAP AG and PeopleSoft Inc., support varying levels of integration with an external directory. Traditional single sign-on products and public-key infrastructure frameworks require you to reverse-engineer an application's security system. Using existing functionality is much simpler and leads to better security.
For applications that don't integrate with a common identity/security infrastructure, consider more generic security integration approaches. In these cases, a single sign-on product, Web services wrappers