Frank Schell

Performance Evaluation of Identity and Access Management Systems in Federated Environments

Identity and access management (IAM) systems are used to assure authorized access to services in distributed environments. The architecture of IAM systems, in particular the arrangement of the involved components, has significant impact on performance and scalability of the overall system. Furthermore, factors like robustness and even privacy that are not related to performance have to be considered. Hence, systematic engineering of IAM systems demands for criteria and metrics to differentiate architectural approaches. The rise of service-oriented architectures and cross-organizational integration efforts in federations will additionally increase the importance of appropriate IAM systems in the future. While previous work focused on qualitative evaluation criteria, we extend these criteria by metrics to gain quantitative measures. The contribution of this paper is twofold: i) We propose a system model and corresponding metrics to evaluate different IAM system architectures on a quantitative basis. ii) We present a simulation-based performance evaluation study that shows the suitability of this system model.

Towards Systematic Engineering of Service-Oriented Access Control in Federated Environments

The success of service-oriented architectures (SOAs) and the Web Service technology in fulfilling the businesss needs for inter-enterprise processes led to new challenges for security management in federated environments. Because of the predominant aspect of loose coupling in a SOA the issue of where to locate the processes of authentication and authorization, forming together the access control, a vital part of security management, has to be addressed during the design of access control systems. In the area of tension between local, service-oriented, and federated approaches for access control architectures we identify several essential dimensions, e.g. scalability and maintenance, for evaluating access control architectures. Due to the challenges of quantifying the metrics we propose a ranking system as it is widely used in risk assessment. We examine existing access control architectures and evaluate the different approaches based on our evaluation dimensions. The results of the performed evaluation will guide the design decisions of an organization fulfilling its security requirements in requirements engineering and software design. A case study illustrates how the evaluation criteria serve as a pattern to establish an organizations access control to secure Web Services.

Assessing identity and access management systems based on domain-specific performance evaluation

Identity and access management (IAM) systems are used to assure authorized access to services in distributed environments. The design decisions of IAM systems, in particular the arrangement of the involved components, have significant impact on performance, access control accuracy, and costs of the overall system. Hence, systematic engineering of IAM systems demands for criteria and metrics to differentiate architectural approaches. Therefore, we propose a system design framework for IAM that can be used to evaluate different design decisions in advance.

Föderatives und dienstorientiertes Identitätsmanagement: Konzept und Erfahrungen

ZUSAMMENFASSUNG Dieser Artikel beschreibt die Architektur eines integrierten Identitätsmanagements an einer Universität. Der beschriebene Ansatz basiert auf der Sicht der Universität als Föderation organisatorischer Einheiten und auf dem Prinzip der Dienstorientierung. Die Datenhaltung von Identitätsinformation erfolgt dezentral, wobei lediglich Abbildungsinformation, die für das “in Beziehung setzen” von Identitätsinformation zwischen den organisatorischen Einheiten notwendig ist, zentral vorgehalten wird, wenn dies vom Nutzer gewünscht wird. Der Aufbau eines solchen Systems und die technische Realisierung, welche klassische Identitätsmanagementkomponenten mit einem modernen, auf Web Services basierenden Ansatz vereint, werden anhand der Umsetzung an der Universität Karlsruhe beschrieben.