This new approach puts the Identity of our users at the centre of our security model, with the critical question being: ‘Is each remote user really who they claim to be?’ Also, it makes us take a long hard look at how we define the policies and procedures of Identity Management: how we issue the digital identities to our users and support them over their working life to keep their identities secure and private at all times.
From fortress to airport security
To meet this demand for Anywhere Access, we can no longer build ‘fortress’ style IT security where we simply trust everything on the inside and regard everything outside as hostile.
With VPN connections from teleworkers, Extranet web sessions from clients, wireless Lans in the boardroom and the boss wanting to read his e-mail from an Internet café on holiday, the security model we have to build is much closer to that of an airport.
You have to accept all-comers into your outermost, low security areas, but as individuals request access to more sensitive resources, you filter and control them according to their identity and their access privileges.
Identity is the foundation of trust
As in an airport, trust is entirely based upon the individual’s identity and authorisation level which must proved at each checkpoint they pass. Instead of showing their passport and visa to an Immigration Officer, the on-line user is challenged by their organisation’s Web Portal, VPN or RAS server to present their ‘Digital ID’ which comprises their Username plus their Authentication Credentials.
This Digital ID is then verified against an Authentication Server to ensure that the credentials match the identity, and that the individual has the appropriate level of authority to be allowed access.
Given that the user may be connecting from any web-connected computer anywhere, we are now entirely reliant on this Digital Identity to differentiate our trusted users from the rest of humanity on the Internet.
What form of Authentiation Credentials are best?
The authentication credentials that a user presents to validate their identity can take many forms: a standard password, a one-time passcode, a token, smartcard, biometric or any combination of these factors. Despite the claims of the various manufacturers – there’s no one form of authentication credential that is ideal for all users and applications.