Page 35 - Federal Computer Week, May/June 2019

attributes, objects and context to grant or withhold resources — and to reflect changes in the system as they happen. If critical user information is locked in silos, there’s no way to build a complete picture of the user. Granular authorization becomes impossible.
Manage Globally, Act Locally
Today’s systems may need to tap multiple identity sources — Active Directory, other LDAP directories, SQL databases, and other APIs and Web Services — to get to a single user’s data. The RadiantOne federated identity and directory service (FID) uses a new approach to identity that consolidates and rationalizes disparate identity data, providing a single access point for authentication, authorization and information sharing projects.
The highly distributed environments of federal agencies require each agency to enforce security at the local level (acting locally) while delivering the identity data they own into a larger environment so it can be shared with another agency that needs it (managing globally).
Agencies must be able to quickly integrate disparate user populations and various aspects of a user’s profile across different authoritative sources — and deliver identity-as-a-service to consuming applications and other agencies. This requires a platform that can connect to existing silos of identity, understand the local data model, create a common data model, and deliver (publish) the right data in the right protocol, schema and structure. It must have the ability to rationalize data and correlate/disambiguate the user across different systems to create a 360-degree view of each user.
“Today, when you plug in your computer, you know that you will get electricity from the wall outlet in the right wattage. When you plug in your phone, you know you will get a dial tone,” Schuller said. “With identity-as-a-service, I can plug in my application and know that I will get the right data for authentication and authorization.”
A Moving Target
Identity is a moving target. Emerging rules and changing technologies will necessitate changes in authentication and authorization methods and protocols. By abstracting and federating the identity function, organizations can create a core of identity that is flexible enough to deliver in whatever form an application needs.
“In a move to the cloud, IT just needs to take the virtualized image and configure it to match what is expected by the cloud provider,” Schuller said. “You have a simple point-to-point sync that anyone can do, without lots of complex additional business logic.”
For IT leaders, this loosely coupled architecture enables new levels of agility, making it easier to build and deploy systems in response to emerging needs.
“When you virtualize and rationalize your existing identity silos, your identity consumers can go to one place instead of many places,” Schuller said. “Once you prove to application owners that they can consume identity-as-a-service, you’ve effectively freed them up to focus on the business aspects of the application. You’ve solved a problem for them.”
To learn more about a federated identity and directory service, visit www.radiantlogic.com
Moving Forward
Many government agencies are already using this approach.
• The Department of Homeland Security (DHS) has identity data scattered across multiple repositories: FEMA, TSA, US Borders and Protection Agencies, etc. To grant secure access while preserving a high level of access control, DHS set up a Trusted Identity Exchange, or TIE, based on RadiantOne. The solution provides a secure ‘one-stop-shop’ of trusted information about people who access DHS applications and data, allowing agencies to collaborate, share data, increase effectiveness and respond more quickly in emergencies.
• NIST’s National Cybersecurity Center of Excellence (NCCOE) is a public-private partnership for businesses and government agencies to address pressing cybersecurity issues. RadiantOne FID, a key component of its reference architecture for Access Rights Management (ARM) in the financial services sector, improves security, flexibility and speed in the identity infrastructure.

































































































