Wednesday, April 6, 2011

Identity Management

There are several partial solutions for identity management that companies commonly use to protect their assets; they are often combined to form a more complete solution. This post focuses on those individual solutions and how they connect together.

The first level is the directory: a specialized database optimized for read and search operations, and the core component of any good solution, because it serves as the central repository for all the information identity management software needs. Because much of the information an identity management system relies on lives in different locations, organizations often build meta-directories or virtual directories. The difference between the two is that a meta-directory actually gathers the necessary information and stores it all in one place, while a virtual directory only points to where the information can be found.

Another level of protection is found at the internet level. Web access management is used to control users' interactions with web-based enterprise assets. According to the CISSP All-in-One Exam Guide, the basic process looks like the following:
· User sends credentials to the web server
· Web server validates the user's credentials
· User requests access to a resource
· Web server checks the security policy to determine whether the user is allowed to carry out this operation
· Web server allows access to the requested resource
This is only a very basic summary of web access management. In practice it often has a much more complicated tiered architecture that involves everything from routers and firewalls to databases and the directory. Essentially, once the user logs in, the server gives the browser a cookie (generally only a session cookie), which is then used to continually authenticate the user for as long as they remain logged in. If the user loses the cookie, whether because it times out or because they clear it manually, they must re-authenticate. This is referred to as single sign-on.
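The five steps above, as an added example that is not part of the original post: a toy web access manager that validates credentials, issues a signed session cookie with an expiry, and consults a policy table before serving a resource. The user store, roles, policy and salt are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not from the original post): a toy web access manager that
# follows the five steps above and keeps the user logged in with a signed,
# expiring session cookie. Users, roles and the policy table are constructed.
SERVER_KEY = secrets.token_bytes(32)      # signs session cookies
SESSION_TTL = 900                         # seconds until the cookie expires and re-authentication is required
_SALT = b"constructed-salt"               # one salt for brevity; a real store uses one per user

def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": {"pw": _hash_pw("correct horse"), "roles": {"staff"}}}
POLICY = {"/reports": {"staff", "manager"}, "/payroll": {"manager"}}  # resource -> allowed roles

def login(user: str, password: str, now: float) -> Optional[str]:
    """Steps 1-2: validate the credentials; on success return a signed session cookie."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash_pw(password)):
        return None
    payload = f"{user}|{int(now) + SESSION_TTL}"
    sig = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{sig}"

def session_user(cookie: Optional[str], now: float) -> Optional[str]:
    """Check the cookie's signature and expiry; None means the user must re-authenticate."""
    if not cookie:
        return None
    try:
        user, expires, sig = cookie.split("|")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{expires}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= int(expires):
        return None
    return user

def request_resource(cookie: Optional[str], resource: str, now: float) -> str:
    """Steps 3-5: identify the user from the cookie, then consult the security policy."""
    user = session_user(cookie, now)
    if user is None:
        return "401 re-authenticate"
    if USERS[user]["roles"] & POLICY.get(resource, set()):
        return "200 ok"
    return "403 forbidden"
```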

As discussed in the previous post, passwords are an important part of authentication, so password management is an essential piece of a complete identity management solution. The three common approaches are:
· Password synchronization – lets users keep one password for multiple systems. It makes it easier for users to choose a more complex password without creating a security hazard by writing it down. The major problem is that legacy systems are often impossible to incorporate into this type of solution because their code is not compatible.
· Self-service password reset – a product lets users reset their own passwords by providing certain identifying information, which triggers an email that allows them to reset the password. This program should not ask for publicly available identifying information.
· Assisted password reset – essentially the same as the self-service reset, except that the user gives the identifying information to a help desk employee, who then sends a new password to the user. The user is then required to change the password again so that the help desk employee's knowledge of it does not become a liability.

Legacy single sign-on is another issue. It functions much like the single sign-on found in web access management; the major difference is that it covers employees and the applications they use rather than the internet. Legacy applications can be a hassle because they require a different type of authentication than the solution can offer, and in these situations IT departments may come up with a workaround. The pitfalls of this type of system are that it is often expensive to implement and that if anyone ever manages to hack their way in, they have access to everything.

Another issue that must be addressed is account management. New employees often find that it takes a good bit of time to get all the rights their account needs before they can start doing their job productively. It is also quite common for employee accounts to remain active long after the employee has been terminated, which causes multiple security problems. A better practice is an automated system that lets HR add a new employee or remove a departing one. When this happens, a message is sent automatically to that employee's manager, who must sign off on granting or removing the specific rights and access. Once that approval is given, the changes take place automatically in the system. Such systems can be very expensive, but with more and more regulatory requirements going into effect, they are becoming more prevalent.
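The automated joiner/leaver flow described above, as an added example that is not part of the original post: HR events open a change request, only the employee's own manager can sign it off, approval applies the grant or revocation, and an audit function flags departed employees who still hold rights. The employee names, rights and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Added example (not from the original post): HR "add"/"remove" events open a
# change request the employee's manager must sign off before rights change.
@dataclass
class Account:
    manager: str
    rights: Set[str] = field(default_factory=set)
    left_on: Optional[date] = None            # set by an HR "remove" event

@dataclass
class ChangeRequest:
    user: str
    action: str                               # "grant" or "revoke"
    rights: Set[str]
    decided: Optional[bool] = None            # None until the manager signs off

class Provisioner:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.requests: Dict[str, ChangeRequest] = {}
        self.outbox: List[str] = []           # messages sent to managers

    def hr_event(self, kind: str, user: str, manager: str, rights: Set[str], on: str) -> str:
        """HR adds or removes an employee; nothing changes until the manager signs off."""
        acct = self.accounts.setdefault(user, Account(manager))
        if kind == "remove":
            acct.left_on = date.fromisoformat(on)
        rid = f"REQ-{len(self.requests) + 1}"
        req = self.requests[rid] = ChangeRequest(user, "grant" if kind == "add" else "revoke", set(rights))
        self.outbox.append(f"to {acct.manager}: sign off {rid} ({req.action} {sorted(rights)} for {user})")
        return rid

    def sign_off(self, manager: str, rid: str, approve: bool) -> bool:
        """Only the employee's own manager may decide, and only once; approval applies the change."""
        req = self.requests.get(rid)
        if req is None or req.decided is not None or self.accounts[req.user].manager != manager:
            return False
        req.decided = approve
        if approve:
            acct = self.accounts[req.user]
            acct.rights = acct.rights | req.rights if req.action == "grant" else acct.rights - req.rights
        return True

    def stale_accounts(self, today: str, grace_days: int = 7) -> List[str]:
        """Audit: departed employees still holding rights past the grace period."""
        t = date.fromisoformat(today)
        return sorted(u for u, a in self.accounts.items()
                      if a.left_on and a.rights and (t - a.left_on).days > grace_days)
```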

The final issue is fairly simple: the profile update. This covers adding, deleting, or changing user information as needed. Generally there needs to be a tool that allows a user to log in and change non-sensitive data about themselves.
