Integrating a credential management system is hard and complicated, but is it?

Credential management typically plays a part in a wider secure infrastructure and as such must be able to work with multiple software systems such as LDAP directories and certificate authorities.

In addition to the software solutions, hardware components including smart cards, USB tokens, HSMs and smart card printers may also be required. The role of a CMS is to provide a common management interface between all the various components that are involved in creating a secure credential; it should therefore support the required technologies out-of-the-box.

Over time, security standards change and new technologies become available. It is important that a CMS is designed to cope with this change, both to support newer devices and systems and to aid the transition between them, ensuring the ongoing security of system access as technology changes are implemented.

Different organisations have different requirements for deployment infrastructures, be they on-premise, hybrid or private cloud. CMS server components should be capable of being deployed in multiple environments in a simple and scalable manner.

Multiple types of people will inevitably interact with a CMS: administrators who set security policies, IT teams who integrate the system into the existing environment, operators who perform day-to-day issuance and help desk services, and end users themselves, who may collect updates to their credentials via self-service. The interfaces deployed to these differing roles must be appropriate to the platform the individuals are using, be that a desktop PC, mobile device or kiosk interface.

CMS software integration requirements:

  • The CMS should support integration and synchronisation with standard LDAP directories as a source of user data, ideally also providing the ability to map user attributes from the directory into the CMS and provide control over which data (if any) is editable.
  • For larger organisations where an IAM (Identity and Access Management) system is used to provision user accounts and provide identity governance, the CMS must be able to integrate with it to automate the process of credential requests. Further lifecycle operations such as updates and revocation should also be made available over easy-to-integrate APIs.
  • The data passed into a CMS from an external source should be configurable, ideally using zero-code or low-code mechanisms to reduce the cost and time required for integration
  • A CMS should be capable of integrating with PKI certificate authorities (CAs), acting as a registration authority. Dependent upon the capabilities of the CA, this should support policy retrieval, certificate request, certificate retrieval, suspension and revocation
  • Where archived certificates are required (e.g. for email encryption) the CMS should be capable of either integrating with the CA's key archive store for request and retrieval or providing its own key archive capability.
  • Ideally a CMS should support integration with multiple CAs simultaneously, e.g. an internal CA for network logon and an externally trusted CA for email signing
  • Where organisations wish to migrate between CA vendors the CMS should provide mechanisms to ease the migration and provide a smooth transition
  • For organisations using software to monitor the health and availability of deployed software, the CMS should be able to integrate with such solutions using standard protocols such as SNMP (Simple Network Management Protocol), ideally supporting both pull (SNMP agent) and push (SNMP trap) mechanisms for maximum integration flexibility
  • The CMS should integrate with MDM (Mobile Device Management) systems to enable PKI credentials to be deployed to mobile devices
  • The CMS should integrate with card bureau providers who can deliver smart cards at large volumes

CMS hardware integration requirements:

  • The CMS should be technology independent, supporting a range of security devices such as smart cards and USB tokens from a variety of vendors
  • The CMS should support virtual smart card technology including client and server-based solutions
  • The CMS should support hardware security modules for securing private key material; ideally both on-premise hardware and SaaS solutions should be supported
  • The CMS should support integration with smart card printers, ideally providing the ability to graphically and electronically personalise smart cards in a single integrated process

CMS deployment requirements:

  • The CMS server components should be deployable on premise, in the cloud or in hybrid environments
  • The CMS server components should be deployable on multiple load balanced servers for scalability and fault tolerance
  • Standard operating system and database technology should be utilised by the CMS to enable ease of support
  • Different interfaces for administrators, operators and self-service users should be provided, appropriate to their role and the client being used
  • The CMS should be supplied with a full installer, but also provide the option to be installed as part of a network deployment package
  • Ideally tools to verify deployments both pre and post install should be provided to ease deployment in complex network environments

How MyID has helped governments and large organisations.

A European government organisation used MyID to help transition between RSA and PrimeKey certificate authorities when the RSA solution became end of life.

The national ID of Kuwait deployed MyID on multiple load balanced servers to achieve reliable issuance of millions of smart cards and mobile credentials to citizens.

The US TWIC program used MyID’s integration with the IDEMIA smart card personalisation bureau to deliver cards at scale to millions of port workers.

The US Department of State uses the MyID zero-footprint self-service kiosk to deploy derived PIV credentials to devices in US embassies via a simple self-service process.

MyID is a feature-rich credential management system which enables organisations to manage the digital identities of their employees throughout their employment, easily managing the lifecycle of the credentials from issuance to revocation.

Secure devices such as smart cards, USB tokens, virtual smart cards, smartphones and tablets provide organisations with a convenient form factor to securely store and use digital identities.


Trusted by Governments and Enterprises Worldwide

Where protecting systems and information really matters, you will find Intercede. Whether it's citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.