Identity correlation is, in information systems, a process that reconciles and validates the proper ownership of disparate user account login IDs (user names) that reside on systems and applications throughout an organization and can permanently link ownership of those user account login IDs to particular individuals by assigning a unique identifier (also called primary or common keys) to all validated account login IDs.[1]
The process of identity correlation validates that individuals only have account login IDs for the appropriate systems and applications a user should have access to according to the organization's business policies, access control policies, and various application requirements.
In the context of identity correlation, a unique identifier is one that is guaranteed to be unique among those used for a group and for a specific purpose. There are three main types, each corresponding to a different generation strategy:
For identity correlation, a unique identifier is typically a serial or random number. In this context, a unique identifier is typically represented as an additional attribute in the directory associated with each particular data source. However, adding an attribute to each system-specific directory may affect application or specific business requirements, depending on the requirements of the organization. Under these circumstances, unique identifiers may not be an acceptable addition.
Identity Correlation involves several factors:
Many organizations must find a method to comply with audits that require them to link disparate application user identities with the actual people who are associated with those user identities.
Some individuals may have a fairly common first and/or last name, which makes it difficult to link the right individual to the appropriate account login ID, especially when those account login IDs are not linked to enough specific identity data to remain unique.
A typical construct of the login ID, for example, can be the 1st character of givenname + next 7 of a erial number, with incremental uniqueness. This would produce login IDs like jsmith12, jsmith 13, jsmith14, etc. for users John Smith, James Smith, and Jack Smith, respectively.
Conversely, one individual might undergo a name change either formally or informally, which can cause new account login IDs that the individual appropriates to appear drastically different in nomenclature from the account login IDs that the individual acquired prior to any change.
For example, a woman could get married and decide to use her new surname professionally. If her name was originally Mary Jones but she is now Mary Smith, she could call HR and ask them to update her contact information and email address with her new surname. This request would update her Microsoft Exchange login ID to mary. smith to reflect that surname change, but it might not actually update her information or login credentials in any other system she has access to. In this example, she could still be mjones in Active Directory and mj5678 in RACF.
Identity correlation should link the appropriate system account login IDs to individuals who might be indistinguishable, as well as to those who appear to be drastically different from a system-by-system standpoint. Still, it should be associated with the same individual.
Inconsistencies in identity data typically develop over time in organizations as applications are added, removed, or changed and as individuals attain or retain an ever-changing stream of access rights as they matriculate into and out of the organization.
Application user login IDs do not always have a consistent syntax across different applications or systems. Many user login IDs are not specific enough to directly correlate back to one particular individual within an organization.
User data inconsistencies can also occur due to manual input errors, non-standard nomenclature, or name changes that might not be identically updated across all systems.
The identity correlation process should consider these inconsistencies to link up identity data that might seem unrelated upon initial investigation.
Organizations can expand and consolidate through mergers and acquisitions, which increases the complexity of business processes, policies, and procedures.
As an outcome of these events, users are subject to moving to different parts of the organization, attaining a new position within the organization, or matriculating out of the organization altogether. At the same time, each new application that is added has the potential to produce a new, completely unique user ID.
Some identities may become redundant, others may violate application-specific or more widespread departmental policies, others could be related to non-human or system account IDs, and still others may no longer be applicable to a particular user environment.
Projects that span different parts of the organization or focus on more than one application become difficult to implement because user identities are often not properly organized or recognized as defunct due to business process changes.
An identity correlation process must identify all orphan or defunct account identities that no longer belong to such drastic shifts in an organization's infrastructure.
Under such regulations as Sarbanes-Oxley and Gramm-Leach-Bliley Act, it is required for organizations to ensure the integrity of each user across all systems and account for all access a user has to various back-end systems and applications in an organization.
If implemented correctly, identity correlation will expose compliance issues. Auditors frequently ask organizations to account for who has access to what resources. For companies that have not already fully implemented an enterprise identity management solution, identity correlation and validation are required to adequately attest to the true state of an organization's user base.
This validation process typically requires interaction with individuals within an organization who are familiar with the organization's user base from an enterprise-wide perspective and those who are responsible and knowledgeable of each individual system and/or application-specific user base.
In addition, much of the validation process might ultimately involve direct communication with the individual in question to confirm particular identity data that is associated with that specific individual.
In response to various compliance pressures, organizations can introduce unique identifiers for their entire user base to validate that each user belongs in each specific system or application in which he/she has login capabilities.
To effectuate such a policy, various individuals familiar with the organization's entire user base and each system-specific user base must be responsible for validating that certain identities should be linked together and other identities should be disassociated from each other.
Once the validation process is complete, a unique identifier can be assigned to that individual and his or her associated system-specific account login IDs.
As mentioned above, in many organizations, users may sign into different systems and applications using different login IDs. There are many reasons to link these into 'enterprise-wide' user profiles.
There are a number of basic strategies to perform this correlation, or "ID Mapping:"
Often, any process that requires an in-depth look into identity data brings up a concern for privacy and disclosure issues. Part of the identity correlation process infers that each particular data source will need to be compared against an authoritative data source to ensure consistency and validity against relevant corporate policies and access controls.
Any such comparison that involves exposure of enterprise-wide, authoritative, HR-related identity data will require various non-disclosure agreements either internally or externally, depending on how an organization decides to undergo an identity correlation exercise.
Because authoritative data is frequently highly confidential and restricted, such concerns may bar the way from performing an identity correlation activity thoroughly and sufficiently.
Most organizations experience difficulties understanding the inconsistencies and complexities within their identity data across all their data sources. Typically, the process can not be completed accurately or sufficiently by manually comparing two lists of identity data or executing simple scripts to find matches between two different data sets. Even if an organization can dedicate full-time individuals to such an effort, the methodologies usually do not expose an adequate enough percentage of defunct identities, validate an adequate enough percentage of matched identities, or identify system (non-person) account IDs to pass the typical requirements of an identity-related audit.
Manual efforts to accomplish identity correlation require a great deal of time and people effort and do not guarantee that the effort will be completed successfully or in a compliant fashion.
Because of this, automated identity correlation solutions have recently entered the marketplace to provide more effortless ways of handling identity correlation exercises.
Typical automated identity correlation solution functionality includes the following characteristics:
Identity correlation solutions can be implemented under three distinct delivery models. These delivery methodologies are designed to offer a solution that is flexible enough to correspond to various budget and staffing requirements and meet both short and/or long-term project goals and initiatives.
Software Purchase – This is the classic Software Purchase model where an organization purchases a software license and runs the software within its own hardware infrastructure.
Identity Correlation as a Service (ICAS) – ICAS is a subscription-based service where a client connects to a secure infrastructure to load and run correlation activities. This offering provides full functionality offered by the identity correlation solution without owning and maintaining hardware and related support staff.
Turn-Key Identity Correlation – A Turn-key methodology requires a client to contract with and provide data to a solutions vendor to perform the required identity correlation activities. Once completed, the solutions vendor will return correlated data, identify mismatches, and provide data integrity reports.
Validation activities will still require some direct feedback from individuals within the organization who understand the state of the organizational user base from an enterprise-wide viewpoint and those within the organization who are familiar with each system-specific user base. In addition, some validation activities might require direct feedback from individuals within the user base itself.
A Turn-Key solution can be performed as a single one-time activity, monthly, quarterly, or even as part of an organization's annual validation activities. Additional services are available, such as:
Related or associated topics that fall under the category of identity correlation may include:
Compliance Regulations / Audits
Management of identities
Access control
Directory services
Other categories