The Current and Future Direction of Identity Assurance. A critical foundation for identity and access management solutions

Transcription

1 The Current and Future Direction of Identity Assurance A critical foundation for identity and access management solutions Viewpoint paper systems with identity management. The surge in the number of managed identities has increased not only the administrative burden on companies, but they also represent a significant cost to organizations and a strain on their IT budgets.

2 Table of contents Introduction...1 Definitions...1 Identity proofing...2 Authentication...2 Something you know...3 Something you have...4 Something you are or do...4 Emerging authentication trends...5 Conclusion...5 About the authors...6

3 Economic pressures are forcing companies to look for better, more efficient, and lower-cost ways of addressing identity management. But in a market that is still emerging, what is the best option for your organization? This paper explores the current state of the market and offers recommendations about the future direction of identity management. Introduction In his book, The World Is Flat: A Brief History of the Twenty-First Century, Thomas Friedman discusses the need for companies and individuals to view the commercial environment as one without boundaries, enterprise, or nation if they want to remain competitive in the global marketplace. However, removing traditional enterprise boundaries exponentially increases the complexities and challenges of managing digital identities that businesses require to conduct their day-to-day operations. Enterprises can no longer only manage the identities and associated rights of their direct employee base. Now, they must manage information about the identities, rights, and permissions of business partners, suppliers, and customers. This sharp increase in the number of managed identities has also increased the administrative burden and places a significant, ongoing strain on the valuable IT budget. Economic pressures are forcing companies to look for better, more efficient, and lowercost ways of addressing identity management. As momentum gathers behind the federation movement, the importance of trust in the digital identity increases. The result is a growing trend for identity assurance as a critical foundation for any identity- and accessmanagement solution. Definitions The issues of Who can I trust? and How much can I trust them? are the motivation behind the emergence of identity assurance as a key consideration for any identity-management strategy. So what does identity assurance mean? Identity assurance is defined as the process of verifying an individual s claim to ownership and use of an identity and associated data set that is used to establish credentials at the point of use. It is not a single technology or process, but a framework that establishes the authenticity of individuals and their continuing right to use a set of credentials. This framework consists of two distinct components: Identity proofing The processes and tools used to ensure that the individual to whom a set of credentials is issued has a valid claim to the identity data associated with the credentials Authentication The processes and tools used to consume, validate, and use the credentials, and establish a level of confidence about the user s identity, which allows access control decisions to be made For identity assurance to be effective, both components are required to assign a confidence level to the mapping of the individual and to the digital identity. The strongest authentication process available will not provide a high-level security if the ability to obtain the appropriate set of credentials is not tightly controlled. Conversely, the most stringent processes to validate an individual s identity mean nothing if it is protected by a weak authentication mechanism. The formula below defines the relationship between identity proofing and authentication, and how they affect identity assurance: IA = min(ip, AuthN) (IA = identity assurance, IP = identity proofing and AuthN = authentication) This is interpreted as identity assurance strength, which is the lesser of the strengths of identity proofing and authentication. 1

4 Identity proofing Every business exchange is based upon this value proposition: Is the value I get from this exchange worth what I am being asked to provide in return? In the world of arts and antiquities, collectors are willing to pay substantial sums of money for original pieces. This makes verifying the authenticity of the art work essential if the seller is going to convince the buyer to pay for the piece. The fact that the canvas is signed by Picasso and looks like a genuine piece means nothing unless there is documentation that supports this claim. Too often in the IT world, we accept the signature or credentials as the only criteria we need to provide system or data access. Seldom is the authenticity of the credentials considered as part of the access control decision. To establish the authenticity of an identity, an organization needs to consider the following questions: Is the individual s claim to the credentials set valid? Can the individual produce documentation to show the authenticity of the claim? Is the credential set valid? Does it belong to a living, breathing individual? Is the credential set unique? Is there sufficient information provided to uniquely identify the individual? What is the risk associated with issuing the credential set to the wrong individual? Are the resources protected by the credential set confidential? The need to establish, maintain, and verify the authenticity of the identity is the primary driver behind the growing number of identity-proofing service providers, such as ChoicePoint and ID Analytics. These companies specialize in aggregating and analyzing data from multiple sources to establish an identity score that reflects the level of assurance that the data is accurate and the claim is authentic. How is this different than the credit score provided by credit bureaus such as Experian and Equifax? The answer lies in the primary purpose of the score. A credit score is intended to identify whether individuals are financially qualified to receive a loan, credit card, or mortgage for which they have applied. It uses the person s identity data to discover the financial profile of an individual, not to validate the authenticity of the individual making the claim. The identity score uses identity data to access as many information stores as possible, including credit bureaus, with the sole intent of confirming that the individual claiming the identity is authorized to do so. Characteristics of identity proofing Identity proofing is definitely not a one-size-fits-all solution. The level of identity proofing performed must be appropriate to the level of confidence required in the authenticity of the individual. Identity proofing can be as simple as sending a click here to validate to the address entered in a self-registration screen. It may involve extensive background checks and the capture of biometric information. The level should be driven by the value proposition of the intended business exchange. So the application of the full Federal Information Processing Standards (FIPS) 201 standards is probably not appropriate for users registering on Twitter. To be effective, identity proofing must cover more than just the creation or assignment of credentials to the identity. An effective identity-proofing solution must continue to monitor and validate the claims of the identity s rights to the credential set and increase the level of proof required throughout the life of an identity. Authentication Authentication, the ability to verify that the user has a valid credential when making a request, is and always will be a foundational component of any security solution. When making a credit card payment, purchasers are often asked to show their driver s license as a means of confirming their identity. The problem is that in the digital world, this face-toface interaction is not possible, so we must trust the credential set provided, and by implication, the issuer of the credential set, to identify the individual. Without adequate identity proofing to back each credential, even the best security policies are useless. Authentication is the process of a person proving they have been granted credentials to gain access to a system or application. There is also an additional layer of authorization that will determine what level of access an identity may have. In this example, the driver s license does not contribute in any way to the payment that is being authorized by the credit card company. 2

5 Factors of authentication Understanding the strength of the credential set is critical to the authentication process. The stronger the credential set, the more confidence an organization can have that the identity is valid. So what is a credential set? A credential set is made up of one or more factors of authentication, typically defined in three distinct classifications: Something you know, such as a password or a fact about the identity Something you have, such as a smart card or physical token Something you are or do, such as your fingerprint or the way you type Organizations can increase the level of confidence in a user s identity by combining more than one of these factors into the credential set, which is known as multifactor authentication. Typically, the more factors included in the authentication process, the higher the level of confidence in the credential set. As with identity proofing, it is important to select an appropriate authentication level for the resources being protected. Although vendors are finding new and innovative ways to capture authentication factors at lower prices, the total cost of ownership associated with implementing multifactor authentication is still significant and should be considered in the design process. With the virtually limitless options for authentication types and combinations, there is no silver bullet. In the end, enterprises must balance risk, cost, and usability to determine what strength of authentication is required to address their specific needs. Something you know The something-you-know authentication factor is by far the most widely deployed authentication mechanism, largely because it represents the lowest cost and is the least complex to implement and maintain. However, it also has a low confidence factor, because the known information can be shared with or discovered by other parties. Although policies and controls can be implemented to increase the level of confidence for the something-you-know factor of authentication, it should still be viewed as a mechanism that is only used to protect low- to mid-level resources. Passwords Although the effectiveness of passwords has been in question for some time, there are no signs of their popularity slowing anytime soon. They still remain the dominant factor of authentication. A key element of a good password authentication mechanism is the ability to define and implement a password management policy that addresses some of its inherent weaknesses. By implementing simple policies such as password aging, password reuse, and password complexity, it is possible to increase the level of confidence associated with the credential set. However, a balance is required to ensure that the policy itself does not weaken the password. Enforcing a highly complex password that changes too frequently may cause the individual to write the password down to remember it, creating the infamous yellow sticky note under the keyboard vulnerability. Regardless of how good the policy, passwords remain susceptible to phishing, social engineering, keystroke loggers, and malware attacks. Knowledge-based authentication Knowledge-based authentication (KBA) is built around authenticating the user through a response to a question. The benefit of KBA is that it can be extended beyond the digital world and used to authenticate the user to both a self-service portal and a help desk operator. KBA falls into two primary categories: static and dynamic. A static KBA solution uses a set of questions the user sometimes selects and answers, such as mother s maiden name. The authentication mechanism asks the user to provide the standard response to one or more of the questions. For example, a user will have to answer three-out-of-five questions correctly to gain access to the system. Static KBA solutions are weak because the standard answers can be relatively easy to discover, particularly as more and more information is available online through social networks. Dynamic KBA solutions are gaining popularity as a means of addressing the primary weakness of the static solutions. A dynamic KBA will ask questions to which the answer changes over time. Dynamic KBAs are used widely in the banking industry and include questions such as What was the value of the last deposit? and What is the current balance in your account? The probability that anyone other than the individual would know this information is small. Although still weak in comparison to other factors of authentication, dynamic KBAs represent a low-cost, highly usable solution. 3

6 Something you have The something-you-have factor of authentication is growing in popularity, particularly with government agencies. It is based on the concept that the user owns something, usually a physical token, that is able to provide a unique signature that can be used to identify the user. In many something-you-have solutions, the signature is a one-time password (OTP) that is generated for a defined time period when it is valid. Something-you-have is currently the most popular second factor of authentication, especially when combined with a password in a multifactor authentication solution. Although on the surface, something-you-have appears to provide a high-confidence solution, it does have some weaknesses that must be recognized and understood. As stated above, most of these solutions are based on the generation of an OTP, which basically turns the something-you-have factor into a something-you-know factor that can be shared with another party. Physical tokens Historically, physical tokens have been the most popular mechanism for providing the something-you-have authentication factor. The tokens are small devices, such as a key fob, that the user carries and displays an OTP that is refreshed at predefined intervals. Each time a user logs into a system, the OTP will be different, eliminating the vulnerabilities exploited by many current-day attacks. Even if a keystroke logger was able to obtain the OTP, there is an extremely limited time frame when it is valid and can be used. Although a popular solution, physical tokens do present several issues: The physical tokens are relatively expensive to buy. Distribution and management of the tokens represent a significant administrative undertaking. As the token needs to be with the user, the something-you-have-to-remember aspect of the solution can affect productivity and help-desk costs when people misplace or forget the token. Many of the tokens are battery powered, have a limited life span, and need to be replaced periodically. Software tokens Software tokens work in a similar way to physical tokens, but as the name suggests, are software based. Instead of requiring the user to carry a physical device, the token is stored on a standard end-point device, such as a laptop, desktop, or smart phone. Software tokens solutions are based on several concepts, most commonly OTP or public-key infrastructure (PKI). Software tokens are used to support OTP functionality in a software format vs. physical token as described above. This is typically less costly and is easier to distribute to users. Additionally, software tokens do not have a life expectancy problem due to battery limitations. The biggest drawback is the software token is typically installed on the user s PC. This limits the user to only accessing the protected resource from that PC. Additionally, any person who gains access to that PC will have access to the OTP information. As mobile device technology advances, software tokens are becoming more widely used on those mobile devices, thus eliminating some of the inherent issues with PC installations. A PKI solution leverages an X.509 certificate-based infrastructure to securely complete a challengeresponse transaction. As the user attempts to access the resource protected by the token, the resource issues a challenge a time-stamped random string of characters. The software token receives the challenge and encrypts the string of characters with the person s private key and then sends the encrypted value back to the resource. The resource decrypts the string using the user s public key contained in the certificate, and, if the decryption produces the original challenge, access is granted. Smart cards Smart cards have not become as popular as token solutions because they require a heavier footprint on the end-user device; however, vendors are beginning to build readers and agents into standard device configurations. This has increased interest in smart cards, which provide a great deal of flexibility and are able to store user credentials and digital signatures. Additionally, regulations such as the Homeland Security Presidential Directive/HSPD-12 are driving requirements to link physical and digital security solutions a requirement that smart cards are ideally suited to address. More recently, smart card form factors can support an OTP screen, which increases the card s capability for multiple situations and provides a greater level of identity assurance. Smart cards are quickly gaining in popularity and are expected to surpass OTP device popularity in the near future. Something you are or do The something-you-are-or-do factor is the holy grail of authentication, because it does not rely on the issuance of a set of credentials but rather uses a biometric or behavioral analysis of the individual as the credential. This makes this authentication the most difficult to forge and provides the highest level of confidence. Unfortunately, it is also the least mature method, and viable solutions are only recently becoming available in the marketplace. 4

7 Due to the personal information used as the basis for this form of authentication, there are significant data privacy concerns that must be addressed. Individuals are concerned about the misuse of biometric data and are resistant to providing this type of information without assurances. Biometric authentication Biometric authentication is the fastest growing in the area of physical security. It relies on capturing a digital image of a physical characteristic that is unique to the individual, such as a fingerprint, retinal scan, or face topology. Biometric authentication has struggled to gain widespread use for many of the same reasons that have inhibited the growth of smart cards: costs and the additional footprint on the end-user device. However, as with smart cards, vendors are beginning to build fingerprint scanners and agents into standard device configurations. This, along with improved reliability, is making some basic form of fingerprint recognition a viable, cost-effective option and small, niche companies, such as DigitaPersona and Identiphy, are emerging to fill this need. Voice authentication Voice authentication is similar to biometric authentication in that it captures physical characteristics of an individual s voice and then compares it to a stored voice print. As with biometrics, voice authentication has suffered due to issues with the accuracy and reliability of results. Although voice recognition falls into the something-you-are-or-do category, there are still some concerns as to whether it can be compromised and whether the accuracy of the results is affected by environmental conditions. Behavioral authentication Behavioral authentication measures the way an individual interacts with the end-user device, such as typing speed and the pressure with which keys are hit, and it uses these measurements to build a profile that represents a behavioral pattern. The system is then able to authenticate the user by comparing his or her behavior to the pattern and requiring that it fall within predefined parameters to grant access. Behavioral authentication is still in its infancy as a factor of authentication, and there are few deployments of any major size. Emerging authentication trends There are a growing number of new or emerging solutions to address the weaknesses and remove hurdles that exist with the current authentication factors listed above. Risk analytics is experiencing increased use to enable users access to elevated access levels. Risk analytics will take session variables into account when granting a user access. These variables may include the geographic source of an IP address, time of day, and number or frequency of access attempts. Systems are designed to analyze this information and make authentication and authorization decisions. Digital DNA or device identification uses information about the end-user device as an additional item within the credential set. Typically, it reads unique identifiers and the configuration for the individual s designated device and then stores the information in the authentication database. At the point of authentication, the device s information is compared to the information stored in the database to validate the user. Conclusion As companies increasingly use federation services to minimize the cost and complexity of their identityand access-management infrastructure, they need to engage with a trusted third party that can help provide an identity-assurance solution. Third parties are also shaping market initiatives such as the Liberty Alliance Project s Identity Assurance Framework. These standards are needed to establish a common language and market best practices necessary to persuade companies to trust their identities to a third party. However, the identity-assurance marketplace will continue to grow, based on a strong business model built around managing and validating credentials that have been appropriately proofed. These business models will succeed or fail based on getting it right and the trust that can be assigned to the identities. The company that is able to prove the credibility of the identities and credentials they provide will quickly gain a significant market share. Successful companies will need to have the ability to reach into a multitude of data stores that cross all aspects of an individual s life, such as government agencies, credit bureaus, financial institutions, and Internet service providers. They must also be capable of providing authentication at multiple strength levels and in a format specified by the client. Finally, successful companies must deliver all of these functions as easy-to-use, highly available, global services that enable clients to minimize their up-front investment and ongoing expense. 5

8 About the authors Mark O Neill Mark O Neill has more than 19 years of proven technical and leadership expertise. O Neill is responsible for defining and engineering security solutions that address the internal needs of HP and its clients. He is directly involved in architecture and design, enabling infrastructure solutions for major international clients, primarily in the government and automotive industries. His specialty is in directory services, identity management, and provisioning technologies. Scott Morris Scott Morris is a lead security architect with HP. He has worked in information security and identity and access management for 10 years. Morris is responsible for identity and access management within client architectures. He focuses on the areas of identity management, strong authentication, and information risk and security. Share with colleagues Copyright Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 4AA2-9257ENW, Created September 2009; Updated November 2010, Rev. 2