Authentication - Management Policies
A modern enterprise authentication management policy must encompass:
- Identity data governance
- Authentication strength policies
- Authentication change management governance
- Password management policies
- Contractual service level agreement policies
- Authentication hot-fix policies
- Failover policies
- Disaster recovery policies
Identity Data Governance
A layered enterprise identity strategy requires that the identity data used
in enterprise provisioning and de-provisioning processes and in
authentication and authorization decisions meet the following requirements:
- It comes only from enterprise-approved authoritative identity sources
- Its quality is excellent
- Changes to it are approved by an enterprise identity data governance
committee before any changes are made
Authoritative Sources Only
The identity data used by the enterprise for creating new identities,
modifying user roles and privileges, terminating a user, and authenticating
and authorizing a user must come from an approved enterprise
authoritative source. Often, the authoritative sources for
enterprise identity types such as contractors, consultants, temps,
business partners and vendors are not evident. This requires
work at the senior management level to create authoritative sources
and/or assign responsibility for them. All other identity type
silos must be shut down or take their identities from authoritative
sources only.
Identity Data Quality
The quality of the identity data is critical to the successful
operation of the enterprise layered identity security
infrastructure. This normally means:
- Clean-up of existing identity data within authoritative sources
- Implementation of modern provisioning systems
- Changes in the way identity business processes operate
This can be a time-consuming and initially expensive set of tasks to
implement. However, there are often hard-dollar savings that can
also be realized by automating portions of the identity provisioning
process.
Identity Data Governance
Changes to the identity data that an authoritative source publishes for
enterprise-level use need to be pre-approved by the identity data
governance committee. I have personally seen HR make
changes to their underlying identity data, causing new roles and/or
identity data attributes to be created. These were then populated
from the Human Resource Management System (HRMS) to the enterprise
directories. The unexpected changes caused numerous systems
consuming enterprise identity data to fail when they received identity
data types they didn't know what to do with.
Create an identity data governance committee with representatives from
the authoritative systems, the CIO, the CSO, the identity management team and
application owners. Consider and approve the impact of changes to
enterprise-level identity data before implementing them.
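The failure mode described above, an upstream source adding attributes or values that downstream consumers have never seen, can be caught before the directories are touched. The following is an added example, not code from the original page: a schema gate that checks each record in an HRMS feed against the attribute set and value sets the governance committee has approved, publishes clean records, and holds the rest for review. The schema, attribute names, record layout and sample feed are all assumptions constructed for illustration.

```python
"""Gate an HRMS-to-directory identity feed on an approved attribute schema.

Added example, not code from the original page. The schema, attribute
names and sample records are constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical approved schema: attribute name -> set of allowed values,
# or None for free text. Any change to this dict is what the governance
# committee would approve before HR rolls it out.
APPROVED_SCHEMA = {
    "employee_id": None,
    "employee_type": {"employee", "contractor", "consultant", "temp",
                      "partner", "vendor"},
    "status": {"active", "leave", "terminated"},
    "department": None,
}


@dataclass
class GateResult:
    accepted: list = field(default_factory=list)   # records safe to publish
    rejected: list = field(default_factory=list)   # (record, [reasons]) held for review


def validate_record(record, schema=APPROVED_SCHEMA):
    """Return the reasons a record violates the approved schema ([] if clean)."""
    reasons = []
    unknown = set(record) - set(schema)
    if unknown:
        reasons.append(f"unapproved attribute(s): {sorted(unknown)}")
    missing = set(schema) - set(record)
    if missing:
        reasons.append(f"missing attribute(s): {sorted(missing)}")
    for name, allowed in schema.items():
        if allowed is not None and name in record and record[name] not in allowed:
            reasons.append(f"{name}={record[name]!r} not in approved value set")
    return reasons


def gate_feed(records, schema=APPROVED_SCHEMA):
    """Split a feed into records to publish and records held for governance review.

    Nothing is dropped silently: every held record carries the reasons it was
    held, so the committee can approve the change or push it back to HR.
    """
    result = GateResult()
    for rec in records:
        reasons = validate_record(rec, schema)
        if reasons:
            result.rejected.append((rec, reasons))
        else:
            result.accepted.append(rec)
    return result


# Constructed sample feed: one clean record, one carrying an attribute HR
# added unilaterally, one using an employee_type value not yet approved.
SAMPLE_FEED = [
    {"employee_id": "1001", "employee_type": "employee",
     "status": "active", "department": "Finance"},
    {"employee_id": "1002", "employee_type": "contractor",
     "status": "active", "department": "IT", "union_code": "U7"},
    {"employee_id": "1003", "employee_type": "intern",
     "status": "active", "department": "HR"},
]

if __name__ == "__main__":
    r = gate_feed(SAMPLE_FEED)
    print(f"accepted {len(r.accepted)}, held {len(r.rejected)}")
    for rec, reasons in r.rejected:
        print(rec["employee_id"], "; ".join(reasons))
```

Running the gate on the constructed feed publishes only record 1001; 1002 is held for the unapproved `union_code` attribute and 1003 for the unapproved `intern` value. The design choice is that the gate fails closed on anything outside the approved schema rather than passing novel data through to every consumer.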
Authentication Strength Policies
As described in the previous section, the enterprise needs to create a
set of authentication strength policies.
Authentication Change Management Governance
Changes to the authentication mechanisms, including routine maintenance,
need to follow a clear set of change management governance policies.
For example, the addition of a new security mechanism may require that
application owners be given advance notice and a chance to comment
before implementation. Application owners should also be
notified in advance when security servers are taken down for routine
maintenance.
Password Management Policies
A clear set of password management policies must also be
established. For a detailed discussion of what a password
management policy must contain, refer to the password
management section of this website.
Service Level Agreements
Contractual service level agreements need to be in place for:
- Enterprise authoritative sources
- Enterprise directories
- Enterprise security servers
- Network servers and load balancers
- Web services
Without these, the enterprise may cruise along until one day one of the
pieces fails, bringing portions of the enterprise to a grinding halt.
Authentication Hot-Fix Policies
Policies need to be put in place to address the following:
- Enterprise authentication mechanism hot fixes. Approval
streams need to be set, and the business and technical processes must be
well documented AND TESTED.
- Immediate identity termination. A clear set of human resource,
business and technical processes needs to be in place to quickly
terminate an identity and remove it from the enterprise systems.
Failover Policies
A well-thought-out set of failover policies needs to be in place.
These must meet enterprise availability requirements. THIS
NEEDS TO BE WELL TESTED.
Disaster Recovery Policies
The enterprise must set its risk tolerance for disaster recovery of the
layered identity security systems. Oftentimes, I find the
thinking around this totally out of date. The layered
identity security infrastructure must be ALWAYS available. There
is no time to drive or fly tapes to a backup facility and then 24-96
hours later have the system operational. The hits to the
enterprise from losing the layered identity security system are too
great.