Identity Management

Complex Technology

Identity and access management affects nearly every organization, to one degree or another. It is an exceptionally complex technical area, including identification, authentication, and authorization. A wide array of software and hardware solutions have grown to fill the technical needs defined by these concepts, the correct configuration of which being paramount to ensuring proper access to corporate systems and data.

• Identification refers to the need to validate a user’s identity, prior to the assignment of security credentials – including hardware tokens like smart cards, and logical tokens like usernames and passwords. The corporate processes around this function are frequently prone to social engineering attacks, for example helpdesk impersonation, and require regular testing and training to maintain proper control of security tokens.

• Authentication (AuthN) refers to the confirmation of a user’s identity to an automated system, including both physical (e.g., gates and turnstiles) and logical (e.g., computer networks and corporate applications) access. Public key infrastructure (PKI), hardware tokens, and biometric solutions are commonly implemented, to provide the higher assurance of multi-factor authentication. It’s true that AuthN solutions can be exceptionally complex, especially given the mobility and collaboration requirements of most large organizations. As a result, there are a significant number of security controls that must be assessed and validated to ensure that proper security posture is maintained across all physical and logical systems.

• Authorization (AuthZ) refers to the level of resource access granted to authenticated users, including both physical (e.g., room access) and logical (e.g., application and data) access. There are a number of different AuthZ concepts that may be suitable, given the level of assurance required – including discretionary access control (DAC), role-based access control (RBAC), and attribute-based access control (ABAC). The implementation and configuration of a suitable AuthZ solution requires extensive knowledge across multiple domains, and a deep understanding of corporate data handling goals. Regular security testing is also required.

Extensive Capabilities

Aerstone’s service offerings in the IdAM and PKI space include:

• Security training and consulting
• Microsoft Active Directory design, implementation, and migration
• Design metadirectory and virtual directory solutions
• Implementation of HSPD-12 compliant PKI solutions
• Architecture of single sign-on (SSO) and reduced sign-on strategies
• Design and implementation of authorization strategies, including RBAC and ABAC models
• Security testing of PKI-enabled applications and websites
• Implementation of identity federation solutions