Identity & access management policy for the 21st century
Tips, tricks and rules for creating IAM protocols
11 February, 2014
category: Corporate, Digital ID, Financial, Government, Health
Technology blurs network borders
Defining an enterprise’s network borders is another challenge organizations are facing when managing identity and access controls, Nigriny says. Mobile and cloud-based access has blurred the lines that define an organization’s logical boundaries.
So if a company like Boeing has a wing design that it needs to share with suppliers and then with a customer, the company needs to figure out how to protect this data and trust the identities of its partners, he says. “Being able to identify the resources and requestors is easily said, but far more difficult to do,” explains Nigriny.
He insists that granting access must to be based on more than name alone. Businesses need to first make sure that the person requesting access is indeed who they say they are. Next, they need to make sure that the person still works for the company. Finally they need to find out where that person is physically located through GPS for instance. He points to the example of ExxonMobil, which doesn’t let anyone have access to its drilling maps unless that person is physically on an Exxon rig.
This is one reason why more organizations are looking to identity federation to securely exchange identity information online. “The big trend is making identity portable, and making sure that a resource holder can accept identities issued by entities other than themselves,” Nigriny says.
Mapping out an IAM policy
Every identity policy should cover three main areas, says Judith Spencer, Policy Management Authority Chair for CertiPath.
First, the organization creating the policy needs to plan the actual credentialing of the community who will need identification, whether that’s employees, customers, vendors or some other group. Second, businesses need to consider how individuals will use those credentials. Finally, you need to account for exception cases, such as when a credential is lost or left at home.
Organizations also need to tailor their access requirements to the various user communities – employees, customers or vendors – to which they will grant access, Spencer says.
For example, an organization can impose more requirements on its employee community than it would on its customers because of privacy concerns. Even when dealing with employees, Spencer still believes it’s important to be cognizant of the cultural and social aspects of that community to keep an ID program running smoothly.
She recalls that prior to the U.S. federal government’s PIV credentialing program, several federal agencies were rebadging their employees. One agency had switched to smart card credentials and planned to collect fingerprints as part of the badge and issuance process. However, the agency failed to inform employees that they would be fingerprinted.
Federal employees routinely provide their fingerprints as part of the hiring process, so being fingerprinted wasn’t an issue in other circumstances. In this case, however, the biometric request caused uproar amongst employees. “They didn’t understand why they needed to give a fingerprint,” Spencer says.
Spencer also points to the example of when the Canadian government tried to enable citizen access to its online resources. Users were asked to set up an ID and password to access the website. The site asked password recovery questions such as, “What is your favorite color?” and “What is your favorite vegetable?” Though this process is common for most Internet users, some residents actually became paranoid that the Canadian government was going to use this information for purposes other than identity.
Planning for the what-ifs
Organizations tend to overlook certain factors when creating IAM policies. Spencer believes it’s important to plan for exceptional cases and write those what-ifs into the policy.
One such consideration is what to do when an employee shows up to work without his or her ID badge. Companies might assume that they would just send that employee home, but the reality is that this isn’t always feasible, especially in a place like Washington, D.C. where two-hour work commutes are common, Spencer says.
Spencer recently witnessed what one federal agency did when an employee forgot his badge. The agency asked him for his driver license, checked it into the system, and then gave him a temporary badge for the day. What made this situation unique, she explains, is that the agency also disabled the badge in the system until the employee showed up again with that credential.
“A lot of other organizations would have given a temporary badge without disabling the actual credential. But someone else could have taken possession of the other badge,” Spencer says. “Pieces like that need to be included in identity policies.”
Another problem businesses and agencies face is that they set the bar for access too high by creating policies that they can’t meet, says Gordon Hannah, principal at Deloitte & Touche LLC.
Implementing too many complex standards and safeguards can end up shutting out individuals who need to conduct high-risk, high-level functions and applications. “If you’re setting up policies that can’t be met, you’re already forcing your organization onto a noncompliant path,” Hannah says.
Before the federal government started to deploy smart card technology, they relied on user names and passwords. It got to the point that passwords had to be 14 characters long with both numbers and symbols and those passwords couldn’t be used repeatedly, Hannah explains. “You have to be careful that you can enforce the policy that you establish,” he says.
On the flip side, he says organizations need to create policies that hold users accountable and find ways to measure whether users are adhering to the policies.
Nigriny points to the fact that policies need quality assurance: How do you prove it’s actually working once it’s running, and how are you testing it to see whether it’s working? “We’re pretty good at doing this on the physical side, but I don’t think we’re quite as good on the logical side,” he says.
He believes this is due at least in part to the fact that access is shifting away from the traditional “four-walled fortress” model. Nigriny suggests that in the modern world access is about self-protecting a resource that could be exposed to hundreds, thousands or even millions of people.
“That’s a very hard problem, but it’s the one that we have to solve,” he says.
