Trust and Identity Management:
An organization’s ability to ensure only authorized access to its systems and data—and to prove that it has done so—is a critical piece of protecting systems and information, easing compliance, enforcing accountability, and streamlining routine operations. Controlling access, in turn, depends heavily on secure processes for identity management—defining identities, associating them with credentials, placing those credentials in the right hands, and managing them over time. Organizations that manage identities securely and efficiently can place more trust in their business processes—and so can their customers, partners, and regulators. In contrast, organizations without effective identity management can be exposed to serious security risks through poorly enforced policies, shared passwords, and users with the wrong privileges.
Identity management comprises several business processes that require careful thought and design. Questions organizations must consider include:
- Whose (or what’s) identity is being managed? The organization’s identities may be tied to employees, customers, citizens, electronic devices, software applications, or web/cloud services. Managing the credentials associated with these identities might not be a simple one-to-one task. Certain credentials may be shared by multiple identities—for example, administrators sharing root access credentials to IT systems, which potentially reduces accountability.
- How strong or secure must the identity be to satisfy business requirements? Numerous factors might determine the appropriate level of assurance for identities; these include the value of the data being accessed, the risks and impact of something going wrong, and external mandates or standards, to name a few. But with a trend toward shared infrastructure, shared services, and shared staffing, it will be important to agree on common assurance levels that meet the majority of requirements.
- What type of credential is used to embody the identity? The death of passwords for authentication purposes has been widely predicted, yet they are still commonplace. Numerous methods exist to establish higher-assurance credentials, but all come at an operational cost and an increased level of complexity. Options include smart cards, OTP tokens, digital certificates, mobile phones, or a host of proprietary schemes.
- Which identity management processes are of greatest concern? Faced with the need to issue identities and credentials, validate them, and periodically replace them, organizations should consider the entire lifecycle of digital identities and credentials as they seek to establish trust. This challenge might span multiple business systems, each with different security requirements—potentially leading to conflict and inconsistency.
- How are the identity management tasks themselves secured? The trustworthiness of an identity depends on the trustworthiness of the processes used to manage it. Stolen credentials can be of incredible value to an attacker. Theft of a system administrator’s password can expose far more data than the single credential. Organizations must take steps to ensure that their identity management processes are especially secure, or these processes could become weak links in the organization’s overall data protection strategy.
- Does the process fulfill requirements for auditing and compliance? Your organization not only needs to implement effective processes but also prove that it has executed each one of these processes consistently. It’s important to identify dependencies between disparate business processes. For example, IT organizations can become disconnected from HR processes that require revocation (de-provisioning) of credentials when an employee exits the organization.
Organizations face numerous challenges as they attempt to put in place effective identity management processes. Fluctuating employee populations, multiple locations, mergers and acquisitions, and shifting business policies make it increasingly important—and challenging—to manage identities closely. While regulators push organizations to increase their levels of assurance, economic imperatives push them toward highly integrated, service-oriented systems that create special challenges for identity management.
Risks Associated with Trust and Identity Management
- Ineffective identity management can leave organizations vulnerable to many types of attacks and directly impact the organization’s compliance with external privacy-driven mandates.
- Attackers can target identity processes themselves, gaining access to credentials. These breaches can potentially go unnoticed for extended periods of time, enabling attackers to steal sensitive information or control critical processes.
- Investment in high-strength authentication technologies such as tokens and smart cards can lead to a false sense of security if the credential issuance and management processes are not secure.
- Organizations can neglect system and device identities. In a world of distributed and automated systems, credentials for devices and business applications can pose even greater risk than credentials for real people.
- The assurance level of digital IDs, particularly when they are used for digital signatures, can have significant legal ramifications when applied to electronic documents and contracts.
Trust and Identity Management: Thales e-Security Solutions
Products and services from Thales e-Security and its partners can help your organization implement secure and efficient identity management processes that improve your ability to control access to information and systems, enforce business policies, recover from attacks quickly and effectively, and ease auditing and compliance obligations. As organizations increasingly seek to manage identities in ways that deliver a higher degree of assurance, Thales can ease the transition to strong authentication with solutions designed for a range of applications. Whether you face identity management challenges for enterprise workers or for credit card issuance and mobile payments processing that must conform to specific industry mandates, solutions from Thales and its partners will help you maintain secure processes that enforce business policies while maximizing operational efficiency.
In addition to fostering high-assurance identity management for a broad range of end-users and IT personnel, Thales products and services can also address the challenges associated with device identities and credentials. They can be used to facilitate the implementation of highly secure manufacturing processes—issuing and managing secure device credentials even in less-trusted offshore, or even hostile, environments.
- Take advantage of hardened, tamper-resistant products that protect critical credential management processes from attack.
- Maintain effective identity management despite the growth of highly integrated, automated, service-oriented systems.
- Ease the transition to stronger forms of authentication for a wide range of business processes—including specialized security processes.
- Implement manufacturing solutions that employ secure device identities, even in less trusted manufacturing environments.
- Avoid having to make troubling tradeoffs between assurance levels, on the one hand, and efficiency, performance, and scalability on the other.
- Accelerate deployments—products from Thales interoperate with applications and devices from leading security vendors.
- Work with experts in today’s regulatory environment—from national and state regulations to industry standards.