Wednesday, January 04, 2006

The Maturation of Identity Management

Proprietary mechanisms for individual application authentication (each corporation has their own unique set), RADIUS, VPN gateways, Active Directory, Vintella, RACF, RSA tokens, smartcards, biometrics, federation agreements etc ... are common examples of how it's done.

Strong authentication, while a good security practice, is not a cure all for electronic crime. It is expensive and often not user-friendly, so careful planning and realistic expectation setting are advised. Information Security pundit Phil Becker has made a name for himself with the claim: "Identity is Center." Let's respectfully agree to disagree with the simplicity of that assertion.

Who on what, both must be known, to combat today's sophisticated hacker threats. Signature-based deterents to identity manipulation are only effective at thwarting known attacks. Enterprises must focus on knowing first what is normal? - on their networks, on their database and server platforms, and on their workstations.

We believe the truth is closer to "Action is Center." Counter-intuitively, the heart of Identity Management is really applications, not people. Legacy apps have to change, to rely not on themselves but on central authorities to make action approvals. And those authorities must be behaviorally attuned. What you do, where you've been, the whens and hows ... these things matter far more than a match of ID with password, token, certificate, whatever.

Look at how credit cards and automated teller machines work for a good example to emulate. Each is more concerned with right behavior, far more than rigorous credential enforcement. Threat damages are comparmentalized (account separation, debit limits, historical profile), and overall design favors ease-of-use rather than total control.

Avoid the need for soviet style oversight of your information systems (by humanizing the interface and processes required for use). Technology should serve man, not vice versa.

2 Comments:

Blogger James McGovern said...

Actually I disagree with you both. Identity is more than who running on what. It should contain relationships and persona...

6:11 AM  
Blogger Guy said...

What in the world does that mean, James? Perhaps you can explain yourself using "thought leadership" techniques:

http://blogs.ittoolbox.com/eai/leadership/archives/002959.asp

7:38 AM  

Post a Comment

<< Home