
Network Security and Identity Management

by david.nunes
Issue: Asia-Pacific II 2003
Article no.: 11
Topic: Network Security and Identity Management
Author: M Rajagopal
Title: Managing Director
Organisation: ATW Technologies Pvt Ltd
PDF size: 156KB

About author

M Rajagopal is the founder and Managing Director of ATW Technologies Pvt Ltd, a software company providing custom e-solutions to global companies. ATW’s products include SignOne for identity management and application security and Net@Work for enterprise information portals, groupware and KM (knowledge management). M Rajagopal, an IT and management professional, worked with Tatas and ITC Ltd (part of the BAT group) in senior techno-managerial positions before starting Daedalus Inc., his own IT consulting company in 1996. M Rajagopal is an alumnus of the prestigious Indian Institute of Science as well as the Indian Institute of Management at Bangalore.

Article abstract

At different times, in different contexts, we all play different roles, have different needs, have different rights and different responsibilities. When working with today’s networks, an enterprise network or the Internet, for example, the level of access needed and granted must be suitable to the user’s role within a given context. Identity management systems need to authenticate a user’s identity, provide appropriate authorisation, guarantee security and monitor the use actually made of the authorisation granted so that it can be billed.

Full Article

The Challenge

The world, as we knew it, has changed beyond recognition during the last decade. If you were Rip Van Winkle waking up in 2003 after 20 years of slumber, you would think you were still dreaming! Things we see around us, including many we take for granted today, such as e-mail, video-conferencing, web conferencing, virtual reality, telemedicine, e-learning, global roaming, VoIP, pay-per-use software, telecommuting and the like, will be old hat tomorrow. The concept of the enterprise, workspace, employees, vendors, customers and partners, even competitors, is different and changing rapidly. Distance is being conquered; geography is truly history! There are still challenges affecting the human condition to be overcome – poverty, hunger, illiteracy and diseases like HIV and cancer – but some of these, hopefully, will be mitigated by ICT solutions.

Convergence between PCs and TVs, mobile phones and PDAs, IP-enabled smart appliances and the like is already happening. Telecommuting is becoming a necessity due to congested urban traffic and living conditions. Globetrotting professionals need unified multi-modal communication solutions. AI-based, voice-activated devices can reach a larger community of users, especially those who have difficulty working with written information. Such solutions would be a boon for citizen-friendly e-governance as well as a host of professional and commercial support systems.

Access to the Information Society

At different times, in different contexts, an individual can be an employee, a customer, a vendor, a partner or a citizen, and as a function of that role will have different access levels to a host of different ICT environments. How will all these globally networked environments know him or her as being, without a doubt, an authorised user of the system and not a malicious impersonator seeking the relevant access privileges?

Only with proper authorisation can security be guaranteed, transactions permitted or usage time allowed, and the appropriate charges accounted for and billed. Until the system can trust the user and the user can trust the system, networks will not be widely used for critical applications or for serious business. This is one of the challenges of the networked community for which Identity Management provides part of the answer, though by no means the complete, or only, one.

Identity Management

Identity Management, as the name suggests, establishes the person’s identity in each relevant context and provides the person with the relevant authority to complete desired transactions. A typical Identity Management system has several functions:

- Authentication: the authentication process answers the question ‘Who are you?’ securely and non-repudiably. That is, neither party can deny having entered into the particular online transaction, although the contents of the transaction are visible only to the two parties involved. Most solutions use user IDs and secret passwords, but there are also more secure options such as digital certificates, smart cards and, more recently, biometrics – methods such as fingerprint or iris scanning. This authentication service can be handled internally by each application or, preferably, centrally for all services to avoid duplication. It can also be delegated to a ‘trusted’ third party, such as a Certifying Authority. For closed community applications, such as within an enterprise or even an Internet portal, authentication is a simpler process and the user’s credentials can be verified directly or indirectly by the enterprise or portal. In a widespread networked community, or collection of communities, the user may belong directly to one of the communities, within which, for the purpose of identification, he or she is considered an ‘insider’. When this insider has to exchange information outside of his or her immediate community, authentication requires a more complex two-step process. The person is authenticated by his or her own community (also referred to as a domain) as above, but has no standing, as such, in the external community. His or her community then becomes the ‘guarantor’ to the external community, a concept called a ‘trust relationship’, where the external domain trusts the person’s domain rather than the person.

- Authorisation: the authorisation process answers the question ‘What can you do here?’ given that you are the person identified above. This requires translation of the ‘core identity’, say John Doe, into a ‘context-specific identity’, say ‘Sales Manager’ within his employer’s context. This context identity can be based on individual, role or group characteristics and is linked to the core identity. As Sales Manager, John may get access to his company’s sales data, while as a ‘Gold Card Member’ in his e-shopping context he may get access to special deals. In an external domain, John Doe is not known, so his own domain needs to send John’s authorisation credentials each time he needs to transact with the external domain. The transaction can then take place based on the trust relationship established between the domains.

- Secure transaction: the authentication and authorisation processes need to be carried out in a secure environment, i.e. no one other than the parties involved must be able to ‘tap’ into this transaction and possibly steal the person’s identity. The content of the transaction itself needs to be bulletproof. This is implemented using methods such as encryption of both the person’s credentials and the transaction content. The information is either scrambled so that only the two parties to the transaction can decode it, and/or the communication channel itself is secured by creating a virtual private connection between the parties.

More sophisticated identity management solutions will have additional components such as:

- Provisioning: provisioning adds the user’s context-specific credentials (authentication and authorisation) directly into each relevant context. Without this piece of the identity management solution, all contexts must not only trust a central intermediary (internal or external) for the user’s credentials, but also be modifiable accordingly. The latter is by no means feasible in most real-life enterprise situations because legacy and/or packaged solutions are not amenable to change.

- Monitoring: monitoring helps the identity management system ensure that the granted authority is not exceeded or abused by the user. When payment for services is involved, it is also necessary to measure the actual usage of the granted authority or resources, not just to ensure that the authority is not exceeded. This can be a fairly complex process for the identity management solution. The identity management system must go ‘under the hood’ of each context (also called a resource) under its control to learn the details of each transaction and feed this information back. These measurements must then be passed on to the internal or external billing and payment systems, based on the nature and value of the transactions, to complete the business cycle.

Sounds simple? Read on! Within a closed community such as a traditional enterprise, today’s identity management solutions are fairly viable. Typically, an enterprise ‘knows’ its employees, customers, vendors, contractors and partners. They can be easily identified as long as you can keep the ‘outsiders’ out by using identity management and other means such as firewalls, network security and anti-virus software. Nevertheless, even in this trusted environment, experience has shown that over 40 per cent of the security breaches detected come from known ‘insiders’!

When we are dealing with a truly diverse networked community, where multiple concepts of employee, customer, partner, contractor and vendor can exist according to the context, the problem is magnified enormously. To these problems of identity management we add those of handling the great number and wide variety of multimedia, multi-modal services and content available in these communities, as well as the diverse payment models they use – pay-per-use, pay-per-service, etc. – so measurement becomes exponentially more difficult.

Solutions such as biometrics offer the most promise for the authentication part of identity management. Biometrics is more widely usable and less prone to error and misuse than systems such as digital certificates and passwords. However, the cost and availability of biometric sensors and interfaces, and the high storage and fast search needed for biometric identification, still need to be addressed. Academic research currently underway on the use of artificial intelligence to track user behaviour online may provide new ways to establish identity that go beyond even the biometric authentication process.

In brief, once the person’s identity is established and the person is authorised to use the allowed services, the problem becomes one of monitoring and measuring the services actually used so they can be billed accordingly. Currently, complex measurements are simplified. This simplification introduces a degree of inaccuracy that often results in over- or under-charging. As services become more sophisticated and complex, newer, more precise methods of monitoring and measurement will be needed to ensure accurate billing.

Regional Impact

What are the implications of identity management for the Asia-Pacific region and, indeed, all of the world’s developing regions? The success and growth of the networked world, of the global economy and the information society will be based upon ‘trust’. Secure identity management solutions provide a way for complete strangers and unknown entities to trust one another in a given context for a pre-defined series of transactions. As such, service recipients know that their identity is secure, and service providers know that the recipients of their services are entitled to receive them and that their payments are assured. The widespread, global availability of low-cost, foolproof identity management solutions that have the potential to include all the world’s citizens, not just today’s select few, will bridge the digital divide and make each person in every region of the world a potential consumer and provider in tomorrow’s networked world. Identity management helps guarantee the security and trustworthiness of the networked ICT world. It helps the information society to reach out to a larger community of individuals and embrace them, include them as stakeholders, thereby fulfilling the promise of a borderless, egalitarian, networked world.
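A small working model of the functions the article lists under Identity Management, added here as an illustration; it is not part of the original article and is not ATW’s SignOne or any other product. Two constructed domains stand in for John Doe’s employer (acme.example) and an external portal (shop.example). Insider authentication is a salted password check; authorisation maps the core identity to a context role and then to permissions; the trust relationship between domains is modelled as an HMAC-signed assertion under a secret the two domains share, so the external domain trusts the home domain rather than the person; and monitoring is a usage log that refuses anything beyond the granted authority and feeds a per-use tariff for billing. The user, password, roles, tariff and shared secret are all constructed, and the HMAC assertion is a stand-in for the certificate or federation mechanisms a real deployment would use.

```python
"""Toy identity-management model (added example; domains, users, roles, tariff
and secrets are constructed, and it is not any real product's code)."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 so stored credentials are not reversible if the store leaks."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Domain:
    """One community (enterprise, portal, ...) that knows its own insiders."""
    name: str
    users: dict = field(default_factory=dict)        # core identity -> (salt, hash)
    roles: dict = field(default_factory=dict)        # core identity -> context role
    permissions: dict = field(default_factory=dict)  # role -> set of allowed actions
    trusted: dict = field(default_factory=dict)      # other domain -> shared secret
    usage: list = field(default_factory=list)        # monitoring records for billing

    def enrol(self, user: str, password: str, role: str) -> None:
        """Provisioning: place the user's credential and context role in this domain."""
        self.users[user] = hash_password(password)
        self.roles[user] = role

    def authenticate(self, user: str, password: str) -> bool:
        """'Who are you?' -- only the home domain verifies an insider's secret."""
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, hash_password(password, salt)[1])

    def authorise(self, user: str, action: str) -> bool:
        """'What can you do here?' -- core identity -> context role -> permission."""
        return action in self.permissions.get(self.roles.get(user), set())

    def issue_assertion(self, user: str, audience: str) -> str:
        """Home domain acts as guarantor: a signed statement of who the insider is."""
        claims = {"user": user, "home": self.name, "role": self.roles[user],
                  "audience": audience, "ts": int(time.time())}
        body = json.dumps(claims, sort_keys=True)
        sig = hmac.new(self.trusted[audience], body.encode(), "sha256").hexdigest()
        return body + "." + sig

    def accept_assertion(self, token: str, max_age: int = 300) -> Optional[dict]:
        """External domain trusts the person's domain, not the person: check the
        signature under the shared secret, the intended audience and the age."""
        body, _, sig = token.rpartition(".")
        try:
            claims = json.loads(body)
        except ValueError:
            return None
        key = self.trusted.get(claims.get("home"))
        if key is None or claims.get("audience") != self.name:
            return None
        expected = hmac.new(key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig) or time.time() - claims["ts"] > max_age:
            return None
        return claims

    def transact(self, principal: str, role: str, action: str, units: int) -> bool:
        """Monitoring: refuse anything beyond the granted authority, meter the rest."""
        if action not in self.permissions.get(role, set()):
            return False
        self.usage.append({"who": principal, "action": action, "units": units})
        return True

    def bill(self, tariff: dict) -> dict:
        """Turn the usage records into pay-per-use charges per principal."""
        charges = {}
        for rec in self.usage:
            charges[rec["who"]] = charges.get(rec["who"], 0.0) + tariff[rec["action"]] * rec["units"]
        return charges


def demo() -> dict:
    """John Doe: insider at acme.example, outsider at shop.example (both constructed)."""
    link = secrets.token_bytes(32)                 # secret behind the trust relationship
    acme, portal = Domain("acme.example"), Domain("shop.example")
    acme.trusted["shop.example"] = portal.trusted["acme.example"] = link
    acme.permissions["Sales Manager"] = {"read_sales"}
    portal.permissions["Sales Manager"] = {"view_deals"}   # what that role may do here
    acme.enrol("john.doe", "correct horse battery staple", "Sales Manager")
    assert acme.authenticate("john.doe", "correct horse battery staple")
    assert not acme.authenticate("john.doe", "wrong password")
    assert acme.authorise("john.doe", "read_sales") and not acme.authorise("john.doe", "delete_sales")
    token = acme.issue_assertion("john.doe", "shop.example")   # sent with each transaction
    claims = portal.accept_assertion(token)
    assert claims is not None
    who = f"{claims['user']}@{claims['home']}"
    assert portal.transact(who, claims["role"], "view_deals", units=3)
    assert not portal.transact(who, claims["role"], "place_order", units=1)
    # a forged role breaks the signature, so the external domain rejects the assertion
    assert portal.accept_assertion(token.replace("Sales Manager", "Admin")) is None
    return portal.bill({"view_deals": 0.5})   # {'john.doe@acme.example': 1.5}
```

Running demo() walks John through both domains and returns the portal’s charges. The point worth noticing is where each check lives: the password is only ever verified by acme.example, shop.example never sees it, and the portal’s decision rests on the signed assertion plus its own role-to-permission table, which is the ‘trust the domain, not the person’ arrangement the article describes. The age check on the assertion is the kind of caveat the article’s ‘secure transaction’ item implies: without it a captured assertion could be replayed long after it was issued.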
