Identity correlation

In information systems, identity correlation is a process that reconciles and validates the proper ownership of the disparate user account login IDs (user names) that reside on systems and applications throughout an organization, and that can permanently link ownership of those account login IDs to particular individuals by assigning a unique identifier (also called a primary or common key) to every validated account. [1]

The process of identity correlation also validates that each individual holds account login IDs only on the systems and applications that person should have access to according to the organization's business policies, access control policies and the requirements of the individual applications.

A unique identifier, in the context of identity correlation, is any identifier which is guaranteed to be unique among all identifiers used for a group of individuals and for a specific purpose. There are three main types of unique identifiers, each corresponding to a different generation strategy:

  • Serial numbers, assigned incrementally
  • Random numbers, selected from a number space much larger than the number of objects to be identified. Such identifiers are not guaranteed unique, but the probability of a collision is small enough that they are treated as "unique" for many practical purposes
  • Names or codes allocated by choice, kept unique by a central registry (the EPC Information Services of the EPCglobal Network is one example of such a registry)

For the purposes of identity correlation, a unique identifier is typically a serial number or a random number. It is usually represented as an additional attribute, stored alongside each account, in the directory or data source that holds that account. However, an organization's own requirements may prohibit adding such an attribute to a particular data source; under these circumstances the unique identifier can only be maintained in the consolidated data set that the correlation effort itself produces.

Basic Requirements of Identity Correlation

Identity Correlation involves several factors:

1. Linking Disparate Account IDs Across Multiple Systems or Applications

Many organizations must find a method to comply with audits that require them to link disparate application user identities with the actual people associated with those identities.

Some individuals may have a fairly common first and / or last name, which makes it difficult to link to the right person.

A typical login ID construct, for example, is the first character of the given name followed by up to seven characters of the surname (givenname + sn), with a numeric suffix appended to keep the ID unique. This produces login IDs like jsmith12, jsmith13 and jsmith14 for the users John Smith, James Smith and Jack Smith, respectively, and nothing in the ID itself says which is which.

Conversely, a person's name may change while the login IDs derived from the old name do not.

For example, a woman may get married and decide to use her new surname professionally. If her name was originally Mary Jones but she is now Mary Smith, she could call HR and ask to have her contact information and email address updated with her new surname. HR might update her record and her mailbox on the Microsoft Exchange server, but that change does not propagate to every other system: she could still be mjones in Active Directory and mj5678 in RACF.

Identity correlation must still be able to recognize that all of these account IDs belong to the same individual.

For more details on this topic, please see: The Second Wave: Linking Identities to Contexts

2. Discovering Intentional and Unintentional Inconsistencies in Identity Data

Inconsistencies in identity data typically develop over time as applications are added, removed or changed, and as individuals attain or retain an ever-changing stream of access rights while they move into, through and out of the organization.

Application user login IDs do not always follow a consistent syntax across different applications or systems, so a single user may hold several differently formed IDs.

User data inconsistencies can also occur due to simple manual input errors, non-standard nomenclature, or name changes that might not be identically updated across all systems.

The identity correlation process should detect these inconsistencies as early as possible rather than treat every difference as a different person.

3. Identifying Orphan or Defunct Account Login IDs

Organizations expand and consolidate through mergers and acquisitions, which increases the complexity of their business processes, policies and procedures.

As an outcome of these events, users move to different parts of the organization, take on new positions, or leave the organization altogether. At the same time, each new application has the potential to produce a new user ID.

Some identities become redundant, others violate application-specific or wider departmental policies, and others turn out to be non-human or system IDs.

Projects that span different parts of the organization, or that cover more than one application, become difficult to implement because account IDs are not always properly organized or recognized as defunct after a change in the business process.

An identity correlation process must identify all orphan or defunct account identities that have survived such shifts in the organization's infrastructure and that no longer belong to anyone.

4. Validating Individuals to their Appropriate Account IDs

Under regulations such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, organizations are required to ensure the integrity of each user's account identities across all systems.

If implemented properly, identity correlation will expose compliance issues, which is why auditors frequently ask for it. For companies that have not yet fully implemented an enterprise identity management solution, identity correlation and validation is required to adequately attest to the true state of the organization's user base.

This validation process typically requires interaction with individuals within the organization whose knowledge and experience cover the user base and the systems involved. In addition, much of the validation may ultimately involve direct communication with the individual in question to confirm the particular identity data associated with that person.

5. Assigning a single primary or common key for each system or application

In response to various compliance pressures, organizations have the option of introducing unique identifiers for their entire user base in order to validate that each user belongs in each specific system or application in which he or she has login capabilities.

In order to carry out such a policy, each account ID must first be validated as belonging to the individual concerned.

Once the validation process is complete, a unique identifier can be assigned to the individual and linked to each of that individual's validated account IDs.

Approaches to Linking Disparate Account IDs

As mentioned above, in many organizations users sign into different systems and applications using different IDs. There are many reasons to link these into "enterprise-wide user profiles".

There are a number of basic strategies for performing this correlation, or "ID mapping":

  • Assume that account IDs are the same:
    • In this case, mapping is trivial.
    • This is rarely true in practice.
  • Import mapping data from an existing system:
    • If an organization has already implemented a robust mapping process, this data is already available and can be imported into any new identity management system.
  • Exact matching on attribute values:
    • Find one identity attribute, or a combination of attributes, that is populated on both systems.
    • Connect IDs on the two systems by finding users whose attribute values are identical.
  • Approximate matching on attribute values:
    • The same as above, but instead of requiring attributes or expressions to match exactly, tolerate some differences.
    • This allows for misspelled, inconsistently capitalized and otherwise slightly different names and similar identity values.
    • The risk here is that IDs belonging to different people may be matched by this process.
  • Self-service login ID reconciliation:
    • Ask users to state which IDs, on which systems, they own.
    • Users can make mistakes or lie, so it is important to validate user input, for example by asking users to also provide the passwords for the claimed IDs and checking those passwords against the target systems.
    • A variant is to collect IDs and passwords in general and test them against every system, rather than asking users which system each ID is for.
  • Hire a consultant and/or do it manually:
    • This still leaves open the question of where the data comes from, perhaps by interviewing every user in question.
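The exact and approximate matching strategies above, together with the orphan and defunct account detection described under "Identifying Orphan or Defunct Account Login IDs", can be run as one pass over extracts from the target systems and the authoritative HR list. The following is an added example, not code from the original page or from any product it describes. The system labels ("AD", "RACF"), the attribute names, every record, and the similarity threshold and ambiguity margin are assumptions constructed for illustration; the sample data reproduces the three J. Smiths and the Mary Jones / Mary Smith name change from the text.

```python
# Added example, not code from the original page: one identity-correlation pass
# over constructed data. System labels ('AD', 'RACF'), attribute names, record
# contents and both thresholds are assumptions made for illustration.
from difflib import SequenceMatcher
import unicodedata

THRESHOLD = 0.75  # assumed: minimum similarity for an approximate match
MARGIN = 0.05     # assumed: runners-up this close to the best score make it ambiguous

# Constructed authoritative HR list; employee_id is HR's own primary key.
HR = [
    {"employee_id": "E100", "given": "John",  "sn": "Smith", "former_sn": "",      "status": "active",     "email": "john.smith@example.com"},
    {"employee_id": "E101", "given": "James", "sn": "Smith", "former_sn": "",      "status": "active",     "email": "james.smith@example.com"},
    {"employee_id": "E102", "given": "Jack",  "sn": "Smith", "former_sn": "",      "status": "terminated", "email": "jack.smith@example.com"},
    {"employee_id": "E103", "given": "Mary",  "sn": "Smith", "former_sn": "Jones", "status": "active",     "email": "mary.smith@example.com"},
]

# Constructed account extracts from two target systems.
ACCOUNTS = [
    {"system": "AD",   "login": "jsmith12", "given": "John",  "sn": "Smith", "email": "john.smith@example.com"},
    {"system": "AD",   "login": "jsmith13", "given": "James", "sn": "Smith", "email": "james.smith@example.com"},
    {"system": "AD",   "login": "jsmith14", "given": "Jack",  "sn": "Smith", "email": "jack.smith@example.com"},
    {"system": "AD",   "login": "mjones",   "given": "Mary",  "sn": "Jones", "email": "mary.smith@example.com"},  # mailbox renamed, sn attribute not
    {"system": "RACF", "login": "JSMITH",   "given": "J.",    "sn": "SMITH", "email": ""},  # which of the three J. Smiths?
    {"system": "RACF", "login": "MJ5678",   "given": "Mary",  "sn": "Jonse", "email": ""},  # old surname, misspelled
    {"system": "RACF", "login": "BATCH01",  "given": "",      "sn": "",      "email": ""},  # no owner attributes at all
]


def normalize(value):
    """Lower-case, strip accents and keep only letters and single spaces."""
    text = unicodedata.normalize("NFKD", value or "")
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return " ".join("".join(c for c in text if c.isalpha() or c == " ").split())


def name_keys(person):
    """Normalized 'given surname' keys for the current and any former surname."""
    keys = [normalize(person["given"] + " " + person["sn"])]
    if person.get("former_sn"):
        keys.append(normalize(person["given"] + " " + person["former_sn"]))
    return keys


def correlate(account, hr=HR):
    """Link one account to HR: exact match on e-mail, then on normalized name,
    then approximate name match; report ambiguity instead of guessing."""
    link = {"system": account["system"], "login": account["login"]}
    email = (account.get("email") or "").lower()
    hits = [p["employee_id"] for p in hr if email and p["email"].lower() == email]
    if len(hits) == 1:
        return dict(link, method="exact-email", candidates=hits)
    key = normalize(account["given"] + " " + account["sn"])
    hits = [p["employee_id"] for p in hr if key and key in name_keys(p)]
    if len(hits) == 1:
        return dict(link, method="exact-name", candidates=hits)
    scored = []
    for p in hr:
        best = max(SequenceMatcher(None, key, k).ratio() for k in name_keys(p)) if key else 0.0
        if best >= THRESHOLD:
            scored.append((best, p["employee_id"]))
    scored.sort(reverse=True)
    if not scored:
        return dict(link, method="unmatched", candidates=[])
    close = [eid for score, eid in scored if scored[0][0] - score <= MARGIN]
    if len(close) > 1:
        return dict(link, method="ambiguous", candidates=close)
    return dict(link, method="approximate", candidates=close)


def classify_links(accounts=ACCOUNTS, hr=HR):
    """Correlate every account and tag each link with the finding an identity
    audit cares about: ok, defunct (owner has left), orphan, or needs validation."""
    status = {p["employee_id"]: p["status"] for p in hr}
    results = []
    for acct in accounts:
        link = correlate(acct, hr)
        if link["method"] in ("exact-email", "exact-name", "approximate"):
            link["finding"] = "ok" if status[link["candidates"][0]] == "active" else "defunct"
        elif link["method"] == "ambiguous":
            link["finding"] = "needs validation"
        else:
            link["finding"] = "orphan"
        results.append(link)
    return results


def assign_common_keys(results):
    """Assign one serial common key per validated individual and stamp it on
    every login linked to that person; unresolved links get no key."""
    keys = {}
    for link in results:
        if link["finding"] in ("ok", "defunct"):
            owner = link["candidates"][0]
            link["common_key"] = keys.setdefault(owner, "CK-%06d" % (len(keys) + 1))
    return keys


if __name__ == "__main__":
    links = classify_links()
    assign_common_keys(links)
    for l in links:
        print(l["system"], l["login"], l["method"], l["finding"], l.get("common_key", "-"), l["candidates"])
```

Three outcomes are worth noticing. The AD account mjones links to Mary Smith through her updated e-mail address even though its surname attribute is stale, and RACF MJ5678 links to her only because HR still records her former surname; without that attribute it would have been reported as an orphan. RACF JSMITH is deliberately not linked: three HR records score within the margin, so it is handed to manual or self-service validation rather than assigned to the wrong Smith. Jack Smith's account is linked but reported as defunct because HR lists him as terminated, which is the orphan-and-defunct check of the earlier section.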

Common Barriers to Performing Identity Correlation

1. Privacy Concerns

Often, any process that requires an in-depth look at identity data raises concerns about privacy and disclosure. Part of the identity correlation process is a comparison of data sources that is used to determine the quality of the data, and that comparison necessarily exposes identity attributes.

Any such comparison that involves exposure of the enterprise-wide, authoritative, HR-related identity data will require non-disclosure agreements, either internally or with an external party performing the work.

2. Extensive Time and Effort Requirements

Most organizations have difficulty understanding the inconsistencies and complexities that lie within their identity data across all of their data sources. Typically, the process cannot be completed accurately or sufficiently by a manual comparison of two lists of identity data, or even by running simple scripts to find matches between two data sets. Such efforts usually do not provide a sufficient level of verification of account IDs to pass the typical requirements of an identity-related audit.


Manual efforts to accomplish identity correlation require a great deal of time and effort, and do not guarantee that the effort will be completed successfully or in a compliant fashion.

Because of this, automated identity correlation solutions have entered the marketplace to provide more efficient ways of handling correlation and validation exercises.

Typical automated identity correlation solution functionality includes the following characteristics:

  • Analysis and comparison of identities within multiple data sources
  • Flexible match criteria definitions and assignments for any combination of data elements between any two data sources
  • Easy connectivity, either directly or indirectly, to all permissible sources of data
  • Out-of-the-box reports and/or summaries of data match results
  • Ability to manually override matched or unmatched data combinations
  • Ability to view data at a fine-grained level
  • Assignment of unique identifiers to pre-approved or manually validated matched data
  • Import and export of data sources and match results
  • Ability to customize data mapping techniques to refine data matches
  • Role-based access controls within the solution to regulate who may see and change identity data
  • Ability to validate identity data with the end-users themselves
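The self-service reconciliation strategy described under "Approaches to Linking Disparate Account IDs", and the end-user validation capability listed above, both depend on the same control: a claim of ownership is accepted only after the user proves it with the claimed account's password. The following is an added example, not code from the original page or from any product it describes. The credential stores, logins, passwords and lockout limit are constructed for illustration; a real deployment would call each target system's own authentication interface instead of a local store.

```python
# Added example, not code from the original page: self-service login ID
# reconciliation. A user claims the IDs they own on each system and each claim
# is accepted only if the password they supply checks out against that system.
# Stores, users, passwords and the lockout limit are constructed assumptions.
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed PBKDF2 work factor for the toy credential stores
MAX_FAILURES = 3      # assumed policy: stop verifying after this many bad passwords


def _credential_store(passwords):
    """Build a toy store of login -> (salt, PBKDF2-SHA256 hash)."""
    store = {}
    for login, password in passwords.items():
        salt = os.urandom(16)
        store[login] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))
    return store


# Constructed credential stores for the two systems named in the article.
SYSTEMS = {
    "AD":   _credential_store({"jsmith12": "correct horse", "mjones": "battery staple"}),
    "RACF": _credential_store({"JSMITH": "not marys", "MJ5678": "staple battery"}),
}


def verify(system, login, password):
    """Check a claimed password against one system's store. Unknown logins are
    still hashed against a dummy entry so response time does not reveal which
    IDs exist, and digests are compared in constant time."""
    store = SYSTEMS[system]
    salt, expected = store.get(login, (bytes(16), bytes(32)))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return login in store and hmac.compare_digest(candidate, expected)


def reconcile_claims(employee_id, claims, verify_fn=verify):
    """claims: (system, login, password) triples the user says are theirs.
    Returns (accepted links, rejected claims). Verification stops after
    MAX_FAILURES so the form cannot be used as a password-guessing oracle."""
    accepted, rejected, failures = [], [], 0
    for system, login, password in claims:
        if failures >= MAX_FAILURES:
            rejected.append((system, login, "locked"))
        elif verify_fn(system, login, password):
            accepted.append({"employee_id": employee_id, "system": system, "login": login})
        else:
            failures += 1
            rejected.append((system, login, "password check failed"))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = reconcile_claims("E103", [
        ("AD", "mjones", "battery staple"),
        ("RACF", "MJ5678", "staple battery"),
        ("RACF", "JSMITH", "guess"),          # not her account: rejected
    ])
    print(ok, bad)
```

The accepted list is exactly the material an identity correlation tool needs: a validated (person, system, login) triple per claim, ready to receive the person's common key. The rejected list goes to manual review rather than being silently dropped, since a rejected claim may be a typo, a forgotten password, or an attempt to claim someone else's account.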

Three Methods of Identity Correlation Project Delivery

Identity correlation solutions can be implemented under three distinct delivery models, which are intended to give a solution flexible enough to meet a variety of organizational needs.

Software Purchase – This is the classic model in which the organization buys and runs the software itself.

  • Training is available and recommended
  • Installation Services are optional

Identity Correlation as a Service (ICAS) – ICAS is a service-based delivery of the correlation activities. It provides the full functionality of the identity correlation solution without the organization owning and maintaining the hardware or the related support staff.

Turn-Key Identity Correlation – A turn-key engagement requires the client to contract with a vendor and provide its identity data to the vendor's solution. Once the work is complete, the vendor returns the correlated data, identifies mismatches, and provides data integrity reports.

Validation activities will still require some direct feedback from individuals within the organization who understand the state of the user base from an enterprise-wide viewpoint. In addition, some validation activities may require direct feedback from individuals within the user base itself.

A turn-key engagement can be performed as a one-time exercise, or monthly, quarterly, or as part of an organization's annual validation activities. Additional services are available, such as:

  • Email Campaigns to help resolve data discrepancies
  • Consolidated or merged list generation

See Also: Related Topics

Related topics which fall under the category of identity correlation include:

Compliance Regulations / Audits

  • Sarbanes-Oxley Act (SOX)
  • Gramm-Leach-Bliley Act
  • Health Insurance Portability and Accountability Act
  • Information Technology Audit

Management of identities

  • Identity Management
  • Unique identifier (Common Key)
  • Identity
  • User Name
  • User ID
  • Provisioning
  • Metadirectory

Access control

  • Access control
  • Single Sign On (SSO)
  • Web Access Management

Directory services

  • Directory service
  • Lightweight Directory Access Protocol (LDAP)
  • metadata
  • Virtual directory

Other categories

  • Role-based access control (RBAC)
  • Federation of user access rights on web applications across otherwise untrusted networks


  1. Harris, Shon. CISSP Certification All-In-One Exam Guide, 4th ed. McGraw-Hill Osborne Media, November 9, 2007.
