Traditionally, security administration has focused on enforcement products.

Each product comes bundled with administrative tools to register users and to manipulate the rules that authenticate identity and control access. Product-centric, stove-piped control embeds a hidden cost of administration. Moreover, it jeopardizes security as users change jobs and eventually terminate. Assets and resources are not recovered.

The cost and quality of administration can be significantly improved if administration is reinvented to focus on users rather than products. Doing so demands a facility, called a 'user profile,' to keep track of the electronic privileges and assets assigned to each user. This article describes the content of a robust user profile and its utility, then suggests requirements for simplified, cost-effective control.

User Profile Content

Figure 1 classifies four areas of user profile content.

Identification data describe users and their commercial or employment relationship. Certainly, the common name of users appears, as does information to reach users inside or outside the company. Contact information may include email address, IP address, direct dial number, cell phone and fax numbers, USPS address and internal mail address.

Relationship data explain the organizational fit/affiliation and functional responsibility of users. Relationship data include employing organization, relationship/account status and work location as well as the internal organization, business unit and/or manager responsible for the user. Relationship data are the link to manual or systemic provisioning rules that control access to systems and assets. Lastly, identification specifies the unique distinguishing name within the profile. That identity could be the basis for single sign-on (SSO). More likely, however, the profile identity will be cross-referenced to other account identities for specific application or network services, and to an external token identifier or the subject of a digital certificate, if used.

Authentication data are the matching credential for each electronic identity that may be submitted to an entry point for authentication. Perimeter LAN/NOS, VPN/RAS and web control will be supplemented with user-specific application and internal network service entry points. Credentials contain a resource identity, authentication mechanism such as password or token, and the protective fact or secret known only to the user. Credentials could be recorded for each application or service the user needs to fulfill their functional responsibilities.

Security models separate authentication (who you are) from authorization (what you can do). Many products employ a rules structure in which users having identical access to a group of resources are grouped together. Resources may be IP addresses, URLs or applications within a system. A permission may be to read or update. By subscribing users to the group, they are permitted limited access to any resource in the resource group.

The value of the profile may be extended to manage the allocation and reclaiming of assets. Equipment, credit cards and building access may be required for users to fulfill their jobs. Which assets are recorded depends upon the business need to improve user-specific control. In the process, better control may be brought to mobile resources, desktop upgrades, help desk services and physical security.

User Profile Utility

Figure 2 suggests three user profile integration stages. The effectiveness and benefits of the user profile grow with each stage. The three stages are:

1. Centralized records (red).
2. Enterprise identity and access rights management (purple).
3. Enterprise SSO (blue).

At first, the profile merely details user-specific electronic privileges and assets. If integrated with a process that detects changes in user status or job, the ongoing need for current services can be validated manually and the provisioning of additional services controlled. Query and reporting tools can bring order to exit processing, user licenses, help desk services and the allocation of, and organizational responsibility for, high-cost assets such as laptops. While not a boon for process automation and enforcement, knowing what a user has yields standalone value.

Second, the profile serves as the repository for identity and access rights to be replicated to the data files supporting individual enforcement points. The profile would be integrated with a provisioning process that systemically links a user's position with the need for systems and assets. Based on the profile, the rules in each enforcement point or product can be manipulated, ensuring timely control as well as administrative automation.

Ultimately, the profile becomes the data file supporting security proxies that yield apparent single sign-on. Active Directory (user) group objects manage access to resources within the Windows 2000 and XP environments. Web SSO, firewall, VPN and RAS products behave the same way. A profile retains user identity, authentication credentials and user group subscriptions. Access requests are intercepted to validate rights based upon a previously submitted credential. An enterprise could provide apparent SSO across multiple environments by modifying service request controls to look to the enterprise user profile for credentials and access rights. Not only would administrative costs be reduced and the data on which enforcement depends improved, but the end-user experience would also be simplified.
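As an added illustration, not code from the article or from any product it mentions, the following Python sketch models the profile content described earlier (identity, per-entry-point accounts, resource-group subscriptions, assets), the group-based authorization check, and the stage-two replication that compares each enforcement point's account file against the profile; all user, group, resource and asset values are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample, not from the article: a user-centric profile with relationship
# status, per-entry-point account identities, group subscriptions and assigned assets.
@dataclass
class UserProfile:
    profile_id: str
    status: str                                      # "active" or "terminated"
    accounts: dict = field(default_factory=dict)     # entry point -> account identity
    groups: set = field(default_factory=set)         # subscribed resource groups
    assets: set = field(default_factory=set)         # laptop, badge, credit card ...

# Rules structure from the article: users subscribed to a resource group get one
# permission on every resource in it. Resources may be URLs, IP addresses or apps.
RESOURCE_GROUPS = {
    "finance-readers": ({"https://fin.example/reports", "10.0.0.5"}, "read"),
    "hr-editors": ({"hr-app"}, "update"),
}

def authorized(profile, resource, permission):
    """Authorization (what you can do), checked after authentication (who you are)."""
    if profile.status != "active":
        return False
    return any(resource in members and perm == permission
               for name, (members, perm) in RESOURCE_GROUPS.items()
               if name in profile.groups)

def reconcile(profile, entry_point_accounts):
    """Stage-two replication: compare each enforcement point's account file with the
    profile and return {entry point: (to_add, to_remove)} for the administrator."""
    changes = {}
    for entry_point, present in entry_point_accounts.items():
        account = profile.accounts.get(entry_point)
        desired = {account} if account and profile.status == "active" else set()
        found = {account} & set(present) if account else set()
        if desired != found:   # a terminated user's account must not survive anywhere
            changes[entry_point] = (desired - found, found - desired)
    return changes

def exit_checklist(profile):
    """Stage-one standalone value: everything to recover when a user leaves."""
    return {"accounts": dict(profile.accounts), "assets": set(profile.assets)}

if __name__ == "__main__":
    alice = UserProfile("alice", "active", {"vpn": "alice.r", "web": "arobb"},
                        {"finance-readers"}, {"laptop-0042", "badge-117"})
    print(authorized(alice, "10.0.0.5", "read"))
    alice.status = "terminated"
    print(reconcile(alice, {"vpn": ["alice.r", "bob"], "web": ["arobb"]}))
```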

System Requirements

Table 1 relates system requirements to the three stages of profile integration.

Table 1. System Requirements by Profile Use

While significant benefits can be achieved with centralized records, the larger payoff is process automation leading to SSO. To manage risk and ensure benefits, enterprises should converge on a target design with a multi-stage development program.

As Syntegra's (www.syntegra.com) vice president of strategic consulting services, Mark Becker works with senior executives, user communities and technologists to define valuable opportunities to use web, directory, security and messaging-centric Internet and client/server technologies.