Editor's note: This is part of a series on achieving cybersecurity readiness. Part one of this series looked at...
the concept of cybersecurity readiness and proposed seven elements or objectives as fundamentals for achieving that state. Part two examined the first element on that list: building a cybersecurity plan. Part three focuses on the technology aspects of an information security architecture, and part four covers information security risk management.
Identity management, sometimes called identity and access management (IAM), is much more than simply providing users with logon capabilities to a system or network. Identity management is one of the fundamental cybersecurity objectives outlined in part one of this series that can help enterprises achieve a state of cybersecurity readiness. An identity management system is also a core security function that is intended to increase security and productivity while reducing redundancy and decreasing cost. While identity management may seem like a simple concept, there are a number of complexities and layers that must be understood before it can be used effectively.
Identification and authentication
The primary components of identity management include identification and authentication. Identification is the process by which a subject claims an identity. A simple identity claim may be made by offering a username when attempting to access a network, for instance. Some trusted representation of a subject's identity needs to exist prior to using it for identification. Authentication occurs when a subject proves her identity claim. Proving an identity claim may be as simple as offering a corresponding password along with the username.
Basic identity management systems include username/password systems. A username/password system is considered a single-factor authentication system where the username and password are both factors that represent something you know. Such basic identity management systems are popular because they are inexpensive and binary in operation. That is, either you know the username and corresponding password or you do not.
Dieter Schuller of Radiant Logic discusses consumer identity management systems.
However, these simple systems prove nothing about who is using the identity credentials. The best that can be said about the operation of this kind of identification and authentication scheme is: "Someone in possession of John Smith's credentials just logged in." There is no verification or validation of who may be using a given single-factor credential. Attempts to improve the trust level of single-factor username/password systems by requiring long, complex passwords that are changed frequently make these systems more difficult to use, but they do not provide any meaningful improvement in creating additional trust regarding the user of the credentials.
More complex and generally more expensive multifactor authentication systems are required if a closer correspondence between the user identity and the identity credential is required.
A strong authentication system would ideally provide verification of an identity claim while preventing someone from improperly claiming an identity that does not belong to them. A strong authentication scheme requires some form of multifactor authentication to achieve greater levels of trust than is available from a simple single-factor password/username system.
Common implementations of multifactor authentication systems include additional identity factors of:
- Something you have + something you know (two factors)
- Something you have + something you are (two factors)
- Something you have + something you know + something you are (three factors)
A token-based system uses an identity tied to a physical object that you have, the token, along with a personal identification number (PIN) or password that you know. The security of a token-based system depends on both the physical security of the token and of the knowledge of the password or PIN. Common examples of token-based systems include an ATM card used for banking or a personal identity verification smartcard that the U.S. federal government uses to grant access to government facilities and information systems. Tokens may also be a challenge/response device that generates a one-time password in response to a system challenge.
Identity management systems that use biometrics tie a unique physical characteristic, i.e., something that you are, to an identity credential. Examples of biometric elements include:
- Facial recognition
- Iris, retina scanning
- Hand geometry
- Voice recognition
Unlike password-based authentication systems where the password is either known or unknown, biometric-based identity management systems suffer from both false-acceptance and false-rejection problems where there is a percentage of inputs that are either improperly accepted or improperly rejected. Therefore, biometric systems are generally used as only one factor in a multifactor identification and authentication scheme. For instance, biometrics may be used where a fingerprint is used with a token card plus a PIN for three-factor identification and authentication. It's important to note that relying on biometrics carries risk because the information is static, and once biometric data is exposed, it should no longer be used for any type of authentication.
Identification and authentication, as stated earlier, is intended to increase security. The identification and authentication systems discussed here provide the basis upon which strong authorization and accountability capabilities are built. Controlling access to networks and being able to understand how the networks are being used is critical to cybersecurity.
Stay tuned for the next article in this series, which will examine authorization and accountability and discuss mandatory, discretionary, role-based and rule-based access control systems.
Learn how to obtain the right threat intelligence metrics for your enterprise
Read more on data obfuscation techniques and how to use them
Find out about the security benefits of MAC address randomization