9.12 Identity and Privilege Management
Identity is the collection of distinguishing attributes that define who a person or device is. An identity credential is an object that contains a set of distinguishing attributes that describe a particular person or device. These distinguishing attributes may be a picture, an employee identity number, a social security number, a Media Access Control (MAC) address, or an IP address. The identity credential may be an identity card, driver's license, or digital certificate. Identity management is the issuance and revocation of identity credentials, the processing of presented credentials, and the evaluation of identity credential attributes to verify that the bearers of credentials are indeed who they say they are.
The credentialing request may require bearers to present the credential (something they have), enter a pass code or personal identification number (something they know), submit to a biometric reading like a fingerprint or retina scan (something they are), or sign in via an electronic signature pad (something they do). The process of validating an identity is authentication. The validation of identity is usually performed in conjunction with processing a privilege request.
A privilege request may be to access a building, room, system, or document. Although a person's identity may be confirmed, there remains a question of permission to have the requested access. The process of validating a privilege is authorization. The attributes of the identity credential may include privilege attributes. A person may have the privilege to enter the building, but lack the privileges to enter the data center or the research and development department. The entire process of identity and privilege management can get quite complex. Table 9.13 provides an applied IA² summary for identity and privilege management.
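The separation the text draws between authentication (validating the identity claim) and authorization (validating the privilege claim) is easy to blur in code, so the following is an added illustration, not code from the book or its IA² framework. It models a hypothetical credential that carries both identity attributes and privilege attributes, a credential system that issues and revokes credentials, an authentication step that checks something the bearer has (the credential on file), knows (a PIN) and is (a constructed stand-in for a biometric template), and a separate authorization step that consults only the privilege attributes. All names, the PBKDF2 PIN hashing and the "building" versus "data_center" privileges are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# Hypothetical credential model (not the book's): identity attributes plus
# privilege attributes, since the text says a credential may carry both.
@dataclass(frozen=True)
class Credential:
    employee_id: str          # identity attribute; the card itself is "something they have"
    pin_salt: bytes           # salt for the PIN hash ("something they know")
    pin_hash: bytes
    biometric_template: str   # constructed stand-in for a stored fingerprint template ("something they are")
    privileges: frozenset = field(default_factory=frozenset)  # privilege attributes, e.g. {"building"}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so the credential system never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CredentialSystem:
    """Issues and revokes credentials, then authenticates and authorizes bearers."""

    def __init__(self) -> None:
        self._issued: dict[str, Credential] = {}
        self._revoked: set[str] = set()

    def issue(self, employee_id: str, pin: str, biometric_template: str, privileges) -> Credential:
        salt = secrets.token_bytes(16)
        cred = Credential(employee_id, salt, hash_pin(pin, salt), biometric_template, frozenset(privileges))
        self._issued[employee_id] = cred
        self._revoked.discard(employee_id)
        return cred

    def revoke(self, employee_id: str) -> None:
        self._revoked.add(employee_id)

    def _on_file(self, presented: Credential):
        # A revoked credential is treated as never issued from here on.
        if presented.employee_id in self._revoked:
            return None
        return self._issued.get(presented.employee_id)

    def authenticate(self, presented: Credential, pin: str, biometric_template: str) -> bool:
        """Validate identity: credential (have), PIN (know) and biometric (are) must all check out."""
        on_file = self._on_file(presented)
        if on_file is None or on_file != presented:   # unknown, revoked or altered credential
            return False
        pin_ok = hmac.compare_digest(hash_pin(pin, on_file.pin_salt), on_file.pin_hash)
        bio_ok = hmac.compare_digest(biometric_template.encode(), on_file.biometric_template.encode())
        return pin_ok and bio_ok

    def authorize(self, presented: Credential, resource: str) -> bool:
        """Validate privilege: a confirmed identity still needs the privilege attribute for this resource."""
        on_file = self._on_file(presented)
        return on_file is not None and resource in on_file.privileges

    def request_access(self, presented: Credential, pin: str, biometric_template: str, resource: str) -> str:
        # Authentication first, then authorization; each failure is reported distinctly.
        if not self.authenticate(presented, pin, biometric_template):
            return "denied: authentication failed"
        if not self.authorize(presented, resource):
            return "denied: not authorized"
        return "granted"


if __name__ == "__main__":
    system = CredentialSystem()
    card = system.issue("E100", "4821", "fp-template-alice", {"building"})
    print(system.request_access(card, "4821", "fp-template-alice", "building"))
    print(system.request_access(card, "4821", "fp-template-alice", "data_center"))
```

The point of the two-stage check is that a bearer whose identity is fully confirmed (all three factors pass) is still refused the data center, which is exactly the building-versus-data-center distinction in the text; revocation is handled in one place so that both stages see it.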
9.12.1 Applied IA²: Identity and Privilege Management Capability
Identities may include associations with encryption keys (public keys and private keys) as well as digital signatures. The introduction of Web services and service-oriented architecture (SOA) adds complexity to identity and privilege management by requiring each Web service to obtain an identity, associate a set of privileges with each service, and then authenticate and authorize each service request. Moreover, automated services may request access to other automated services. The requesting service needs a unique identity. The service provider authenticates the requesting service and makes an authorization decision. Figure 9.8 provides an entity authentication and authorization taxonomy where the service-requesting entity can be people or technology.
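The service-to-service case above, where the requesting entity is technology rather than a person, follows the same two-step pattern: the provider first verifies the requester's unique identity, then decides whether that identity holds the privilege for the requested operation. The following is an added example, not the book's code. It assumes a constructed request format (service, operation, nonce) and uses an HMAC tag under a per-service key as a stand-in for the digital signature the text associates with an identity; the service names and operations are invented. It also shows one failure mode the text's taxonomy implies but does not spell out: a captured request that is re-sent is still validly signed, so the provider tracks nonces to reject it.

```python
import hashlib
import hmac
import json
import secrets


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so requester and provider MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_request(service_id: str, key: bytes, operation: str, nonce: str) -> dict:
    """Requesting service asserts its unique identity over the operation it wants.

    The HMAC tag stands in for a digital signature (assumption for this example).
    """
    payload = {"service": service_id, "operation": operation, "nonce": nonce}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class ServiceProvider:
    """Holds each service's identity (key) and privileges; authenticates, then authorizes."""

    def __init__(self) -> None:
        self._registry: dict[str, tuple[bytes, frozenset]] = {}
        self._seen_nonces: set[str] = set()   # global for simplicity; nonces are assumed random

    def register(self, service_id: str, privileges) -> bytes:
        """Give a service a unique identity (its key) and its set of privileges."""
        key = secrets.token_bytes(32)
        self._registry[service_id] = (key, frozenset(privileges))
        return key

    def authenticate(self, request: dict) -> bool:
        """Is the claimed service identity backed by a valid tag under that service's key?"""
        payload = request.get("payload", {})
        entry = self._registry.get(payload.get("service"))
        if entry is None:                      # unknown identity: nothing to verify against
            return False
        expected = hmac.new(entry[0], canonical(payload), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(request.get("tag", "")))

    def authorize(self, service_id: str, operation: str) -> bool:
        """A verified identity still needs the privilege for the requested operation."""
        entry = self._registry.get(service_id)
        return entry is not None and operation in entry[1]

    def handle(self, request: dict) -> str:
        """Authorization decision for one service request."""
        if not self.authenticate(request):
            return "denied: unauthenticated service"
        payload = request["payload"]
        nonce = payload["nonce"]
        if nonce in self._seen_nonces:         # replayed request: signature is valid, request is not
            return "denied: replayed request"
        self._seen_nonces.add(nonce)
        if not self.authorize(payload["service"], payload["operation"]):
            return "denied: service not authorized for operation"
        return "ok: " + payload["operation"]


if __name__ == "__main__":
    provider = ServiceProvider()
    billing_key = provider.register("billing-svc", {"read_invoice"})
    req = sign_request("billing-svc", billing_key, "read_invoice", secrets.token_hex(8))
    print(provider.handle(req))
    print(provider.handle(req))   # same request again is refused
```

Registering a service is the SOA step the text calls out: the provider holds both the identity material and the privilege set, so a request from a properly identified service for an operation outside its privileges is refused at the authorization step rather than the authentication step.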
As shown in Figure 9.8, the entity attempts an activity via a request point. The access method is the point of passage to the service provider. This may be physical (a guard), video, a card reader, a computer, etc. The credential is a claim of identity and a claim of privilege. The credential details enter a credential system that makes a