Tuesday, September 25, 2012

Identity Management Steps, from the Ground Up

Norms and legal compliance often require companies to do strong authentication. But it must not be forgotten that strong authentication is merely the cherry on top of the cake.

Strong Authentication is an improvement upon Authentication, weak or not. Authentication is built upon a correct Identification of people. Identification allows for Authorization based on rules, for instance, ORBAC or RBAC.

Or, if we put it into natural questions:
  1. Who are we speaking about? Identification
  2. And who's that? What's he supposed to be doing around here? Authorization
  3. Let him prove he's really who he means! Authentication
  4. Let him prove that he's not cheating on authentication! Strong authentication.
Strong Authentication
Authentication
Authorization
Identification

The most important is to understand that a compliance requirement about Strong Authentication is only the tip of the iceberg. Any project targeting Strong Authentication should first concentrate on cleaning and validating Identification (list of users → list of all users → list of all users individually identified → up to date list of all users individually identified → up to date list of all users individually identified with all information related to their work assignments and related Authorizations), then choose specific areas among all possible Authorizations (among the many things people are allowed to do in the Information Systems, which are now to be protected?) and then enhance Authentication into Strong Authentication.