Conclusion
We have covered the design of an Identity and Access Management system
in considerable detail in this paper.
The core philosophy of the LIMA approach is loose coupling between the
various functional components of IAM. In most cases, the loose coupling comes
from appropriate data design, specifically a meaning-free
identifier. The other elements of loose coupling are replicated data managed according to master
data management principles, event notification and idempotent messages.
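To make the loose-coupling mechanisms concrete, the following is an added illustration (not code from the paper or from any LIMA implementation) of a master user store that keys every record by a meaning-free UUID and publishes change events, and a downstream replica that applies those events idempotently. The store classes, event fields and the sample user are all constructed for this example.

```python
import uuid
from dataclasses import dataclass

@dataclass
class Event:
    event_id: str   # unique per emitted event; lets the consumer drop redeliveries
    seq: int        # per-user version number; lets the consumer drop stale events
    user_key: str   # meaning-free identifier (UUID); never the login name or email
    attrs: dict     # full replicated record, so any single event is self-sufficient

class MasterStore:
    """Authoritative store: assigns the meaning-free key and emits change events."""
    def __init__(self):
        self.users, self.seq = {}, {}
    def _emit(self, key):
        self.seq[key] = self.seq.get(key, 0) + 1
        return Event(str(uuid.uuid4()), self.seq[key], key, dict(self.users[key]))
    def create(self, login, email):
        key = str(uuid.uuid4())          # carries no meaning; login/email may change later
        self.users[key] = {"login": login, "email": email}
        return key, self._emit(key)
    def update(self, key, **changes):
        self.users[key].update(changes)
        return self._emit(key)

class ReplicaStore:
    """Downstream application copy, keyed by the same meaning-free identifier."""
    def __init__(self):
        self.users, self.applied_seq, self.seen, self.writes = {}, {}, set(), 0
    def apply(self, ev):
        if ev.event_id in self.seen:     # exact redelivery of an event: no-op
            return False
        self.seen.add(ev.event_id)
        if ev.seq <= self.applied_seq.get(ev.user_key, 0):  # stale or out-of-order: no-op
            return False
        self.users[ev.user_key] = dict(ev.attrs)
        self.applied_seq[ev.user_key] = ev.seq
        self.writes += 1
        return True

def demo():
    """Constructed scenario: a login rename delivered out of order and twice."""
    master, replica = MasterStore(), ReplicaStore()
    key, created = master.create("jsmith", "j.smith@example.org")
    renamed = master.update(key, login="john.smith")
    for ev in (renamed, created, renamed, created):
        replica.apply(ev)
    return key, replica
```

Because the replica is keyed by the UUID rather than the login, the rename leaves every cross-reference intact, and the sequence and event-id checks mean the replica converges on the correct record however many times, and in whatever order, the messaging layer delivers the events.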
We have also provided tips to aid the design of the user data stores, user
administration functions and a simple service interface.
The LIMA approach obviates the need for expensive and complex
commercial IAM products, yet avoids reinventing the wheel (especially for
security-sensitive processes) by leveraging commodity components like CAS
and Shibboleth for access management. It also allows you to design the
bespoke parts of an IAM system based on some simple foundations and
extend it as required using technologies and tools familiar to your
organisation.
In spite of its simplicity, the LIMA approach adheres to security principles (as
set out in an earlier section), so it is not a naïve oversimplification of IAM.
We have not spelt out the many wrong turns we took in our own
implementation, but rest assured there were many. We have told you only
the successful design decisions we finally arrived at, and also the decisions
that we know we should have made, even if we didn't. So this document
contains many hundreds of thousands of dollars' worth of hard experience,
corresponding to the amount of money you will save compared to either a
proprietary commercial IAM product roll-out or a completely independent
in-house development with its inevitable missteps and suboptimal choices.
Of course, you may also discover some simplifications and optimisations of
your own, so this document is by no means the last word on IAM. In any
case, we hope our experience as documented here will illuminate your path
and make your IAM implementation even more successful than ours. (Don't
forget to have an independent security audit done of your system before
you go live!)
Good luck, and good hunting!