
Identity-Driven Security

Hen-and-egg: Identity and Security
Why identity-driven security is the order of the day
by Martin Kuppinger
mk@kuppingercole.com

Basically, the crux of IT security is always to make sure that only certain persons, identified by their digital identities or, in the case of physical access, their real ones, are allowed to manipulate systems and take defined actions within the applications running on them. Over the past couple of years we have observed that solutions disregarding identity are in fact no more than stopgaps.

In recent years, the development of IT was mainly characterized by the opening up of some of its formerly completely insulated spheres to the outside world. The question today is no longer how to prevent access at the boundary between the outside world and the enterprise, but how to provide access to IT resources, restricted to defined groups of persons who are authorized to take defined actions.

For example, employees are enabled to access certain applications and data. Suppliers are enabled to access certain items via portals, normally with limited functions. Customers, too, are allowed to use parts of an application's functionality, for example to place an order or to check the delivery status of an order.

In all cases, two things are equally important, although they are in tension with one another: access and control. Being able to control who is authorized to do what on which systems implies that the identity is known in each individual case. Those who do not have the digital identities of their customers, suppliers or employees under control are taking a high risk.

Even today, there are still a number of security solutions whose functions are restricted to the system level, from packet filtering by IP address and other protective mechanisms working at the level of IP addresses up to Network Access Control solutions or Client Management products, which recognize systems but not individual users. You could argue that normally one user uses one system. But as with any other rule, there are exceptions: kiosk systems, computers in hospital wards, business PCs also used by kids for gaming, or access by helpdesk operators, to mention just some of them.

In the context of Network Access Control, identity plays a significant role, for example when it comes to virus checking or authentication control. In most cases, different users need to access different applications in order to do their jobs, and sometimes different rules must be followed as well. This is especially true for access from outside the enterprise network.

From this example we can easily conclude that security issues can be addressed successfully only in the context of digital identity. What is more: if the goal is to have a consistent security concept from the enterprise boundary down to the level of applications, a consistent view of identities is likewise needed. This means that security solutions must be able to access existing directories via open interfaces, or virtual directory services that in turn refer to the directories for customers, partners or employees, thus creating a virtual overall view.

For an enterprise planning to implement a security concept, it is crucial to select components that can interoperate, via open standards such as LDAP or DSML, with the repository systems (commonly called directory services) that store attributes about digital identities.

At the same time, reliable security requires reliable identity information. Security needs trustworthy identity data. So what is needed first is an Identity Management infrastructure that supplies this reliable information. As long as a user may have several digital identities that are not interlinked and whose data are not necessarily equally current, security-relevant decisions such as “This user is authorized to access this or that information” are simply not possible.

Handling digital identities correctly is therefore one of the basic preconditions for creating consistent, enterprise-wide security solutions and for making enterprise systems accessible to other users in a defined and controlled way. Only “identity-driven security” is in a position to provide the degree of security vital to today's enterprises.

Created: 05.07.07, modified: 11.10.07
