
Who Do I Need to Be Today?

[Image: whoisme.jpg]

I've posted about this before, elsewhere, and the point I make hasn't changed. Federated identity, single sign-on, converged access control...these are all great concepts, and ones that I hope can become ubiquitous someday, while preserving many people's expectations of privacy. What you see in this image is the current state of things.

No less than eight authentication systems are represented (and that doesn't include the PasswordSafe database holding the complex passwords). 2 to the power of 3. Multiple factors of multi-factor. I probably should have laid my car keys on the desk as well, to show the remote door-lock system on the key fob and the expensive and potentially unnecessary RFID-enabled ignition key.

So why so many systems? Being a consultant, I do work for many of our clients. Work that often requires I go onsite, access their facilities, networks and systems, and perform tasks or analyze their infrastructure. In some cases, I do so without obvious and overt permission (these are the social engineering gigs, which I regrettably don't get to do enough of...VERY fun); instead I have been charged by the client to see what I can learn by lying, preying on human behavior, and exploiting human weaknesses. In most cases, though, I am expected and welcomed at the front door, given temporary credentials, and expected to deliver. Most of our clients don't integrate back into our infrastructure, nor do we reach into theirs to extend our domain of identity management. This means that with nearly every new contract I can expect some new form of authentication token...be it a badge, a sticker with my name and picture, a network account, etc. And a lot of effort goes into managing both the credentials themselves (authentication) and the access control associated with the credentials (authorization). Pay attention, you Security+ candidates! This is important stuff you need to be familiar with!

So how can we minimize these duplicated efforts? There is no silver bullet, but we can start to make progress by using open methods of authentication. If you've looked into VeriSign Unified Authentication or other authentication products and services, you've (hopefully) heard of OATH, the Initiative for Open Authentication. Its HOTP algorithm (RFC 4226) is a publicly specified, HMAC-based one-time password: the only secret is the per-token key, so any vendor can build the token and any server can verify it without depending on a proprietary scheme. There are a lot of federated solutions out there, and some of them are even good ones. I'm not selling product here, although I do think VeriSign Unified Authentication is a pretty good one. The point is that historically, open systems tend to be more secure than closed ones; "many hands make light work" and all that, or "many eyes make better code" as the open source community would say. That is Kerckhoffs's principle in practice: a system should remain secure when everything about it except the key is public. Closed systems that rely on keeping their design secret provide security through obscurity, which is not really any security at all.
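To make the "open method" concrete, here is an added example (my own code, not from the original post or from VeriSign) of OATH HOTP as specified in RFC 4226, written in Python and checked against the test vectors the RFC publishes. The `verify_hotp` function with its look-ahead window is my sketch of the server-side check, not any vendor's implementation; the window size of 10 and the constant-time comparison are my choices, and the secret is the RFC's published test key, not something you would deploy.

```python
import hmac
import hashlib
import struct

# Test key from RFC 4226 Appendix D (the ASCII string "12345678901234567890").
# Used here only so the output can be checked against the RFC's vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value per RFC 4226.

    HMAC-SHA1 is taken over the 8-byte big-endian counter, the result is
    dynamically truncated to 31 bits using the low nibble of the last byte
    as an offset, and the integer is reduced modulo 10^digits.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 10, digits: int = 6):
    """Server-side check with a resynchronisation window (RFC 4226 section 7.4).

    Tokens and servers drift when a user generates codes that never reach the
    server, so the server tries the stored counter and the next `look_ahead`
    values. On success it returns the counter the server must store next
    (one past the matched value) so the same code can never be replayed;
    on failure it returns None and the stored counter must not change.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        expected = hotp(secret, c, digits)
        # compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(expected, candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for n in range(10):
        print(n, hotp(RFC4226_SECRET, n))
    # A token three presses ahead of the server still verifies...
    print(verify_hotp(RFC4226_SECRET, 0, hotp(RFC4226_SECRET, 3)))
    # ...but an old code behind the stored counter is rejected.
    print(verify_hotp(RFC4226_SECRET, 5, hotp(RFC4226_SECRET, 0)))
```

Because the algorithm is public, a server written from the RFC will accept codes from any conformant token, which is exactly the interoperability the post is asking for. The caveats a practitioner should carry over are in `verify_hotp`: the counter only moves forward, the window is bounded, and a failed attempt must not advance the stored counter (and should be rate-limited, which this sketch leaves to the caller).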

When shopping for a new identity management system, I'd look for one that can support a wide variety of authentication mechanisms, including proximity cards, smart cards of various flavors, OTP tokens, etc. They are out there, and the benefit to a converged security posture can be significant.
