Securing identity management

Fully protecting ID management systems means going beyond firewall and DMZ strategies

Because the road to identity management usually traverses Port 880, security experts recommend deploying alternatives to firewall and DMZ (demilitarized zone) protection strategies.

Minimizing an enterprise's risk of exposure while maximizing a company's opportunities with business partners begins with a flexible authentication layer that can accept multiple trusted security tools, says Brian Jensen, director of strategy for the security and privacy practice of New York-based PricewaterhouseCoopers. Relying on only one form of authentication can hold an enterprise hostage when establishing new transactions or business relationships. Jensen suggests that an authentication infrastructure should allow companies to leverage all of the trusted authentication standards, tools, and mechanisms, including SAML, the Liberty Alliance, Passport, American Blue Express, and more.

Access control is another potentially risky point of entry to an enterprise network. Generally, access to an enterprise’s sensitive, critical applications and transactions should be tied to a well-designed role/group-based access control model. Most importantly, a "permission framework" and its integration points need to be common throughout an organization, Jensen notes.

Locking down access to user directories, whether they are held in LDAP, a relational database, or flat files, is also creeping into the administrator's consciousness. Sensitive data contained in the repositories must not violate privacy rules, expose personally identifiable data, or allow unimpeded access. If the data is required in real time for a transaction or Web service, the call that carries the information must go through a secure channel.

"The data needs to be cleaned, and access to the information needs to be restricted -- who has access and why? Secondly, people who have access to this directory should not have carte blanche access," Jensen notes.
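A sketch of the two points above (a group/role-based permission framework shared by every application, and directory access that is restricted per attribute rather than granted wholesale), as an added example that is not from the article or from PricewaterhouseCoopers; the group, role, permission and attribute names are constructed for illustration:

```python
# Constructed sample policy: directory groups map to roles, roles map to permissions.
# Every application calls the same is_allowed()/visible_attrs() rather than
# carrying its own permission logic, so the framework is common across the organization.
GROUP_ROLES = {
    "hr-staff": {"hr-reader"},
    "hr-admins": {"hr-reader", "hr-editor"},
    "helpdesk": {"directory-reader"},
}
ROLE_PERMISSIONS = {
    "hr-reader": {("payroll", "read")},
    "hr-editor": {("payroll", "read"), ("payroll", "approve")},
    "directory-reader": {("directory", "read")},
}
# Each directory attribute names the role required to see it; nothing is
# visible by default, so no role has carte blanche over the whole entry.
DIRECTORY_ATTRS = {
    "cn": "directory-reader",
    "mail": "directory-reader",
    "ssn": "hr-editor",
    "salary": "hr-editor",
}

def roles_for(groups):
    """Union of roles granted by the caller's group memberships (unknown groups grant nothing)."""
    roles = set()
    for group in groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles

def is_allowed(groups, resource, action):
    """Deny by default: allowed only if some held role carries (resource, action)."""
    wanted = (resource, action)
    return any(wanted in ROLE_PERMISSIONS.get(role, set()) for role in roles_for(groups))

def visible_attrs(groups, entry):
    """Return only the directory attributes the caller's roles are entitled to see."""
    roles = roles_for(groups)
    return {name: value for name, value in entry.items()
            if DIRECTORY_ATTRS.get(name) in roles}

if __name__ == "__main__":
    # Constructed directory entry used to show attribute-level filtering.
    entry = {"cn": "A. Example", "mail": "a@example.test", "ssn": "000-00-0000", "salary": 1}
    print(is_allowed({"hr-staff"}, "payroll", "approve"))   # False
    print(visible_attrs({"helpdesk"}, entry))                # cn and mail only
```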

Lastly, updates to the directory from an authoritative source should be protected by SSL or by a network domain. Organizations that have implemented a Web SSO (single sign-on) model have already taken a big leap toward a secure identity management and privacy path, Jensen says.

(For more on identity management and privacy, return to "Does identity management clash with privacy?")


Copyright © 2003 IDG Communications, Inc.
