Building Security

Managing the complex enterprise identification landscape

Secure enterprise identification and authentication lie at the heart of today’s efficient organisation. We look at how to cost effectively provide access to shared facilities – whether physical premises or IT assets.

“ID, please,” asks the guy in uniform. You promptly hand over your identity card in exchange for a pass allowing you to access the whole or part of the premises.

Identification and authentication used to be that simple, when there were only a few entry points to guard. Nowadays, that has changed.

“With more robust ways to share and use information come more potential vulnerabilities — from outside and within the enterprise,” says Tammie Tham, Security and Privacy Leader, IBM Global Technology Services, ASEAN. Access to an organisation is no longer restricted to entering its physical premises: in the information age, many applications are accessed from both inside and outside the organisation’s perimeter, by a variety of users such as the company’s own mobile workforce, business partners, suppliers and customers.

“We have to strike a balance between ensuring security and keeping the campus open for public access,” asserts a spokesperson of Singapore Management University (SMU).

The SMU campus is located in the heart of the city. The premises are designed to be porous and accessible to the public, except for entry into the school buildings. Many areas of the city campus, including the underground concourse, are open to the public by design. Physical barriers (turnstiles and doors with card readers) admit only authorised holders of SMU-issued access cards to restricted areas, while the university allows staff, students, alumni and visitors onto its network. “The reality is people are the new network perimeter, and the lines of defence are in constant motion as people connect from device to device and network to network,” says Don Ng, Enterprise Security Director, Asia Pacific, Symantec.

Tham asserts that enterprises must establish an information classification programme, grouping information into a few categories based on risk level.

That requires business units to map their existing information into the agreed categories, with management support and involvement. Ng recommends a centralised framework to ensure such policies are applied consistently across all applications and systems. Once a user is authenticated, he is granted access to specific data, applications or physical assets through a set of authorisation privileges.

In addition, appropriate mechanisms and infrastructure must ensure that the correct authorisation occurs when external parties access and invoke these services. Ng asserts that before allowing external parties in, organisations must be able to identify whom they are dealing with, “lest business critical information fall into the wrong hands.”

Both Ng and IBM’s Tham recommend a good Network Access Control (NAC) solution for enterprises that allow external parties to connect their own mobile devices to internal networks. SMU allows contractors and visitors to access the campus wireless network, subject to approval, and gives alumni access to email and selected resources.

Access by external parties is easier to control in the physical space, given a well-developed access pass system and well-enforced policies. “Visitors, contractors, alumni and part-time staff are given temporary access passes to gain entries to specific areas they are visiting or working in,” says the SMU spokesperson.

Single sign-on (SSO) technology employs centralised authentication servers that all other applications and systems rely on, allowing a user to access multiple software systems after logging in only once. It addresses the problem of users having to remember different username and password combinations, and it simplifies the logistics of identity provisioning.

Its implementation has been fairly widespread. Universities such as SMU have implemented SSO for access to all information systems. However, the significant investment needed to build such infrastructure has prevented universal adoption.

Another drawback of SSO is the potential for risk aggregation. Because multiple applications can be accessed by presenting a single set of credentials, one compromised password can result in multiple compromised applications.

Such risks can be mitigated through two-factor authentication, which combines the password with another factor such as a smartcard or a biometric. The approach is already prevalent in online banking.
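The following is an added example, written for this page rather than taken from the article or from any of the organisations quoted in it. It models the SSO arrangement just described: one central authentication server checks the password, issues a signed token, and every relying application accepts that same token. It assumes the token is HMAC-signed with a key shared between the server and the applications; the user accounts, passwords, signing key and application names are all constructed for the demo. The TOTP seed for the second user is the RFC 6238 test seed, so the second factor can be checked against the published vector. Run it and the risk aggregation point is visible: bob’s single password opens every application that accepts a password-only token, while alice’s account cannot be used without the one-time code, and an application that insists on the second factor rejects a password-only token outright.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed demo accounts, not real credentials.
PBKDF2_ITERS = 100_000
SALT = b"demo-salt"  # fixed so the example is deterministic; use a random per-user salt in practice
USERS = {
    # bob has a password only: one stolen password opens every application behind the SSO server
    "bob": {"pw_hash": hashlib.pbkdf2_hmac("sha256", b"bob-pass", SALT, PBKDF2_ITERS),
            "totp_seed": None},
    # alice is enrolled for a second factor (RFC 6238 test seed, 20 bytes)
    "alice": {"pw_hash": hashlib.pbkdf2_hmac("sha256", b"alice-pass", SALT, PBKDF2_ITERS),
              "totp_seed": b"12345678901234567890"},
}
# Hypothetical key shared by the central authentication server and all relying applications.
SSO_SIGNING_KEY = b"sso-demo-signing-key"
TOKEN_TTL = 300  # seconds

# Relying applications and the authentication method references ("amr") each insists on.
APPS = {"hr-portal": set(), "finance": set(), "source-control": {"otp"}}


def totp(seed, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time counter floor(now / step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _sign(payload):
    tag = hmac.new(SSO_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def login(username, password, otp=None, now=None):
    """Central authentication server: verify the password (and the OTP where enrolled), issue a token."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ITERS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    amr = ["pwd"]
    if user["totp_seed"] is not None:
        if otp is None or not hmac.compare_digest(otp, totp(user["totp_seed"], now)):
            return None  # the password alone is not enough for an MFA-enrolled account
        amr.append("otp")
    claims = {"sub": username, "exp": now + TOKEN_TTL, "amr": amr}
    return _sign(json.dumps(claims, sort_keys=True).encode())


def verify_token(token, now=None):
    """What every relying application does: check signature and expiry, return the claims or None."""
    now = int(time.time()) if now is None else now
    if not isinstance(token, str) or "." not in token:
        return None
    b64, tag = token.split(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SSO_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


def accessible_apps(token, now=None):
    """Which applications accept this one token: with a password-only login, every app that allows it."""
    claims = verify_token(token, now)
    if claims is None:
        return []
    return sorted(app for app, needed in APPS.items() if needed <= set(claims["amr"]))


if __name__ == "__main__":
    t = 59
    print("bob, password only:", accessible_apps(login("bob", "bob-pass", now=t), t))
    print("alice, password only:", accessible_apps(login("alice", "alice-pass", now=t), t))
    code = totp(USERS["alice"]["totp_seed"], t)
    print("alice, password + OTP:", accessible_apps(login("alice", "alice-pass", code, now=t), t))
```

The `amr` claim is what lets an individual application apply a stronger rule than the SSO server’s default: here `source-control` refuses any token that was not backed by the second factor, so even where the organisation has not enrolled everyone, the highest-risk system is not exposed to a single stolen password.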

SSO is a typical use case of identity federation, which links the same user’s identity information held in different identity management systems, enabling that information to be carried across multiple IT systems or even multiple organisations.

The United Nations Development Programme (UNDP) has a clear identity federation strategy. UNDP is one of the largest UN agencies, with offices in more than 160 countries, and works closely with fellow UN agencies. The multiple organisational and policy boundaries have made user provisioning within UNDP a major challenge, let alone the multiple standards used in the technical domain.

A flexible and resilient infrastructure was needed to bridge those gaps, while preserving each organisation’s own policy, security and access requirements. “There are many ways to solve one problem,” says Anton Shmagin, UNDP’s security architect. “We were looking for a simple, secure and elegant one.”

Shmagin oversees the UNDP identity infrastructure and plays a leading role in the UNDP Identity Management initiative. His team chose a solution combining components from commercial vendors, freeware and custom-developed modules.

Two of the biggest roadblocks were partners’ infrastructure readiness and obtaining everyone’s agreement on the common framework.

Access control, virtual directories and identity federation infrastructure have been deployed. Implemented at UNDP in 2006, the virtual directories serve as glue between several data stores and provide a highly available, load-balancing front end for access to UNDP’s identity stores.

Virtual directories can be plugged into the infrastructure seamlessly, helping to overcome differences in data formats and schema deviations. They are also very useful for upgrade and migration processes and for unifying data formats.
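The sketch below is an added example of the two jobs a virtual directory is credited with above, a unified view over stores with different schemas and a front end that stays available when one replica is down. It is written for this page and is not UNDP’s code; the two backend stores, their attribute names, the replica names and the `SCHEMA_MAP` are all constructed, and the replicas are stubs standing in for LDAP servers.

```python
import itertools

# Constructed sample identity stores, each with its own schema (illustrative, not UNDP data).
# Both are keyed by login name, which is what applications look people up by.
HR_LDAP = {
    "alice": {"employeeNumber": "E1001", "cn": "Alice Tan",
              "mail": "alice.tan@example.org", "ou": "Finance"},
}
PARTNER_DIR = {
    "carol": {"uid": "carol", "displayName": "Carol Diaz",
              "emailAddress": "carol@partner.example", "o": "Partner Agency"},
}

# Unified schema presented to applications -> attribute name in each backend (assumed mapping).
SCHEMA_MAP = {
    "hr": {"id": "employeeNumber", "name": "cn", "email": "mail", "org": "ou"},
    "partner": {"id": "uid", "name": "displayName", "email": "emailAddress", "org": "o"},
}


class Replica:
    """Stub for one directory server. A down replica raises, as a real connection would."""

    def __init__(self, name, data, healthy=True):
        self.name, self.data, self.healthy = name, data, healthy

    def search(self, key):
        if not self.healthy:
            raise ConnectionError(self.name)
        return self.data.get(key)


class VirtualDirectory:
    """Front end that fans a lookup out across sources, round-robins replicas and skips dead ones."""

    def __init__(self, backends):
        self.backends = backends  # {source_name: [Replica, ...]}
        self._rr = {src: itertools.cycle(reps) for src, reps in backends.items()}

    def _query(self, source, key):
        replicas = self.backends[source]
        for _ in replicas:  # at most one attempt per replica
            replica = next(self._rr[source])
            try:
                return replica.search(key), replica.name
            except ConnectionError:
                continue
        raise RuntimeError(f"all {source} replicas unavailable")

    def lookup(self, key):
        """Return the record in the unified schema, whichever store holds it, or None."""
        for source in self.backends:
            raw, served_by = self._query(source, key)
            if raw is not None:
                mapping = SCHEMA_MAP[source]
                record = {unified: raw.get(backend_attr) for unified, backend_attr in mapping.items()}
                record.update(source=source, served_by=served_by)
                return record
        return None


def build_demo_directory():
    """Two HR replicas (one down) plus a single partner-agency directory."""
    return VirtualDirectory({
        "hr": [Replica("hr-ldap-1", HR_LDAP), Replica("hr-ldap-2", HR_LDAP, healthy=False)],
        "partner": [Replica("partner-ldap-1", PARTNER_DIR)],
    })


if __name__ == "__main__":
    vd = build_demo_directory()
    for login_name in ("alice", "carol", "alice", "nobody"):
        print(login_name, "->", vd.lookup(login_name))
```

Because applications only ever see the `id`/`name`/`email`/`org` view, a store can be migrated to a new schema by changing its entry in `SCHEMA_MAP`, which is the upgrade and migration benefit the UNDP team describes.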

“Identity federation was driven by a knowledge sharing initiative that encompassed many UN partner agencies,” Shmagin says. “It helped develop synergies between the agencies and brought very tangible results rapidly.”

Many believe that unified access for both physical facilities and information systems offers many benefits to enterprises. Ng explains that the integration gives chief security officers a better risk management framework, built around an integrated, holistic identity management and provisioning structure.

For example, if an employee changes job scope, his access to both physical and digital systems needs to change in line with his new responsibilities. When an employee is terminated, access rights should be removed immediately to prevent any potential data leakage.

Though highly desirable, this is not yet common practice. IBM’s Tham points out that a key implementation challenge is dealing with the legacy of physical and IT security having been handled by separate functional groups. Other challenges include geographically dispersed offices and enterprises that share office space.

Given the complexity of today’s IT security environment, Ng believes a system built on open standards and committed to supporting heterogeneous environments is capable of handling such demanding requirements.

Identity management should, of course, be an indispensable part of the overall security strategy, and its enforcement is supported by other methods and technologies. In the physical space, SMU has security officers who man and patrol the campus round the clock.

As an added security measure, the university has more than 500 CCTV cameras at key strategic spots on campus to aid surveillance. “The campus is also sufficiently well lit at night as an essential safeguard,” reveals the university’s spokesperson.

The same holds in the cyber domain. As a final consideration, Ng suggests monitoring access control across its entire lifecycle, from the moment a user is created in the enterprise to the time the user leaves the company or has his privileges revoked or deleted.
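To make the two lifecycle points concrete, the joiner/mover/leaver example earlier (an employee changes job scope, an employee is terminated) and the lifecycle monitoring Ng closes with, here is an added example written for this page. It is not code from Symantec, IBM, SMU or UNDP. It assumes a role model in which every job role maps to a set of door groups and application roles, so that one HR event drives both the badge system and the IT directory; the roles, entitlement names and dates are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role model: each job role maps to physical (door) and IT (app) entitlements.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"door:finance-wing", "app:erp-general-ledger"},
    "hr-generalist": {"door:hr-wing", "app:hris"},
    "it-admin": {"door:server-room", "app:directory-admin"},
}
BASELINE = {"door:main-entrance", "app:email"}  # every active member of staff


@dataclass
class Identity:
    uid: str
    role: Optional[str] = None          # None once the person has left
    entitlements: set = field(default_factory=set)
    history: list = field(default_factory=list)  # audit trail of lifecycle events


def desired_entitlements(role):
    """The complete set of access a holder of this role should have, and nothing more."""
    if role is None:
        return set()
    return BASELINE | ROLE_ENTITLEMENTS[role]


def apply_hr_event(identity, event, new_role=None, when="t0"):
    """Joiner / mover / leaver: derive grants and revocations for doors and applications
    from a single HR event, so physical and IT access change together.

    Returns (granted, revoked); the caller pushes the same lists to the badge system and
    the IT directory. An audit record is appended to the identity's history."""
    if event in ("joiner", "mover"):
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {new_role!r}")
        identity.role = new_role
    elif event == "leaver":
        identity.role = None  # termination: everything goes, immediately
    else:
        raise ValueError(f"unknown event {event!r}")
    target = desired_entitlements(identity.role)
    granted = sorted(target - identity.entitlements)
    revoked = sorted(identity.entitlements - target)
    identity.entitlements = set(target)
    identity.history.append({"when": when, "event": event, "role": identity.role,
                             "granted": granted, "revoked": revoked})
    return granted, revoked


def entitlement_drift(identity):
    """Lifecycle monitoring: access the person holds that the current role does not justify,
    e.g. a door group added by hand outside the provisioning process."""
    return sorted(identity.entitlements - desired_entitlements(identity.role))


if __name__ == "__main__":
    alice = Identity("alice")
    print(apply_hr_event(alice, "joiner", "finance-analyst", "2009-01-05"))
    print(apply_hr_event(alice, "mover", "hr-generalist", "2009-03-01"))
    alice.entitlements.add("door:server-room")  # out-of-band change by the badge office
    print("drift:", entitlement_drift(alice))
    print(apply_hr_event(alice, "leaver", when="2009-04-30"))
    print(alice.history)
```

Running `entitlement_drift` periodically against every identity is the monitoring Ng describes: it catches access that survived a move, and it catches a leaver whose badge or account was never actually disabled, since a former employee’s desired set is empty.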

Asian Security Review, April 2009 issue