Network technologies such as the Internet have provided users and other entities with virtually unlimited access to remote systems and associated applications. This type of access has in many cases become a complex maze of processes that is often offloaded to third-party systems to manage. Application heterogeneity has increased exponentially, and rapid growth has forced enterprises to develop and deploy applications ever faster, even at the expense of integration and ease of administration. Historically, enterprises generally only had to consider these issues at an internal level. In many situations, however, these enterprises now have to grant external access to employees, supply chain partners, contractors and customers. Organizations that employ third-party service providers (application, network or otherwise) generally must manage users and access rights across both their internal systems and the systems run by the service providers.
Provisioning systems automate the task of establishing new users' rights and privileges across multiple applications. For example, these systems can augment existing security practices by enabling administrators to quickly cut off terminated employees, and, as the applicable standards evolve, provisioning systems can automate changes in employment status and responsibility across business partner networks. As another example, other types of provisioning systems can be designed to manage financial interactions between parties.
Most provisioning systems include a rules engine and workflow system; a logging and audit system; a database to support the workflow and auditing tasks; and agents that communicate with applications to add, delete, suspend or change users and privileges. Not all provisioning systems have equal spans of control, however. Most enable database and application access, but vendors often need to increase their support for provisioning devices, access to buildings and service subscriptions, as well as for automating the ordering of equipment and other supplies. Given the divergent requirements for designing and supporting such systems, often across great distances, networks and geographical boundaries, network security has become a major concern and consideration when attempting to implement and service an effective provisioning system.
An aspect of network security that is generally required by provisioning and other systems involves establishing a secure and encrypted channel of communications between remote parties and properly authenticating the parties (machines and humans) that may attempt to communicate over such channels. One such aspect involves a master entity that produces a set of security credentials for a remote entity and then attempts to deliver those credentials to the remote entity in order to establish secure communications. These types of transactions often expose the security credentials to other people or systems that have access to the provisioning process and/or are peripherally involved in it. As can be appreciated, security can be compromised if other parties or entities can access or become aware of security information belonging to other parties to a transaction. For example, there generally is no need for anyone working with or processing security credentials to be aware of the underlying nature or value of the credentials. Thus, lower security-level staff members should be able to handle these credentials without significant risk of a security breach. Another problem with many conventional security techniques is that the security credentials often are not kept persistent (that is, they do not remain the same across conversations). This also can affect the ability of services to support multiple entities across a plurality of communications channels.