Open Standard Authentication in the Enterprise, Part 1


In the next few posts, I’m going to talk about SSO in Enterprise environments, with emphasis on Federal Government Agencies.

Federal Agencies face multiple issues in managing digital identities for employees and contractors. While most Agencies use Active Directory as their primary authentication directory, most also maintain a number of other authentication sources, such as Novell eDirectory, mainframe-based access control systems, Oracle identity stores, and so on. Each of these environments has its own schema, its own UserID naming convention, and its own password requirements. This diversity of directories, non-standard access paths, and differing authentication mechanisms drives up application management costs, increases identity management costs, and overall does not provide a good foundation for the challenges that are coming in the near future.

Federal Government agencies operate under multiple guidelines from the Executive Office of the President (EOP), the Office of Management and Budget (OMB), the Federal Information Processing Standards (FIPS) published by NIST, and other federal bodies that specify standards and future directions.

The following are a few high-profile requirements that each Agency faces and for which it must provide a standards-based solution:

  1. Strong authentication via PIV (Personal Identity Verification);
    • Federal Agencies are required, per HSPD-12, to implement strong authentication for both physical and logical access. The PIV credential and its use are specified in FIPS 201 and its supporting NIST publications.
  2. Reduction in identity management costs by reducing the number of active user accounts and passwords associated with the same human user;
  3. Reduction in application management and hosting costs, by moving applications into Private Clouds or by consuming applications from Public Clouds.

Besides the requirements listed above, solutions must support other Federal Government guidelines. One example is OMB Memorandum M-04-04 (E-Authentication Guidance for Federal Agencies). This publication includes guidance on identity proofing, use of the credential, and auditing. M-04-04 directs agencies to conduct a risk assessment and determine the appropriate level of assurance in the user’s asserted identity; it defines four assurance levels, with the technical requirements for each level specified in NIST SP 800-63. The publication provides a categorization of potential impacts and guidance for comparing the impact profile from the risk assessment against the impact profiles associated with each assurance level. Solutions that issue digital identities must therefore be able to assert the assurance level of the identities they issue.

Implementing these requirements within existing environments built on legacy technologies is extremely challenging and often adds further complexity to already complex IT environments.

In the next post I’ll discuss different solutions that are commonly used today to solve SSO requirements.

Thanks!