[Figure 9.8: Entity authentication and authorization taxonomy. Recoverable labels from the diagram: an entity (person, system, process, application, device, etc.) presents a credential as a claim of ID at an access point, either physical or computer; credential methods shown include guard, biometric, bar code, optical laser, RFID and mag card reader; an authentication service and a claim-of-privilege/authorization step, backed by databases and audit logs, produce a Grant or Deny decision on the access request; on-line targets listed are port, service, daemon, etc.]

Figure 9.8 Entity authentication and authorization taxonomy.
This is accomplished in part through architecting, designing, and implementing an identity and privilege management infrastructure. Authentication for identification and authorization for privilege are separate functions: the first determines who someone is (or what the process, protocol, or application is), and the second determines what that someone is permitted to do, that is, what privileges he or she has. Identity, once established, is more or less constant; privileges may come and go according to job responsibilities, department, project, etc.
Authentication and authorization services must also manage identification and privilege revocation. If someone is a victim of identity theft, new identifying credentials (e.g., a new credit card or driver's license) may need to be issued, and the old credentials must be revoked. Moreover, knowledge of that revocation must be disseminated to those who may use the credentials for authentication. Likewise, when a credential like an ID badge is lost, any privileges associated with that credential must be revoked.
The mechanics of identity and privilege management include security guards, cipher locks, key locks, magnetic card readers, biometric capture devices (e.g., fingerprint, facial recognition, retina scan), and signature capture. Credential and verification reading devices are supported by back-end servers to validate the identification information and verify associated privileges.
The required security levels and budget limitations drive the choice of these IA mechanisms. Depending on requirements, security level may require two-factor or
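As an added illustration, not taken from the book, the following Python model separates the two functions the text describes: an identity service that authenticates a presented credential and honours a revocation list, a privilege service that authorizes an already established identity, and an access point that records every Grant or Deny decision in an audit log. The class names, badge serials and privilege strings are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    credential_id: str   # e.g. badge serial or card number (constructed values)
    kind: str            # "badge", "mag_card", "biometric", ...
    entity_id: str       # the identity this credential was issued to


class IdentityService:
    """Authentication: answers 'who is this?' from a presented credential."""
    def __init__(self):
        self._issued = {}       # credential_id -> Credential
        self._revoked = set()   # revocation list disseminated to verifiers

    def issue(self, cred: Credential) -> None:
        self._issued[cred.credential_id] = cred

    def revoke(self, credential_id: str) -> None:
        self._revoked.add(credential_id)   # lost badge, stolen card, etc.

    def authenticate(self, credential_id: str):
        cred = self._issued.get(credential_id)
        if cred is None or credential_id in self._revoked:
            return None         # unknown or revoked credential: no identity
        return cred.entity_id


class PrivilegeService:
    """Authorization: answers 'what may this identity do?'"""
    def __init__(self):
        self._grants = {}       # entity_id -> set of privileges (may change)

    def grant(self, entity_id: str, privilege: str) -> None:
        self._grants.setdefault(entity_id, set()).add(privilege)

    def revoke(self, entity_id: str, privilege: str) -> None:
        self._grants.get(entity_id, set()).discard(privilege)

    def authorize(self, entity_id: str, privilege: str) -> bool:
        return privilege in self._grants.get(entity_id, set())


def access_decision(ident, priv, credential_id, requested, audit):
    """Access point: authenticate first, authorize second, log the outcome."""
    entity = ident.authenticate(credential_id)
    if entity is None:
        audit.append(f"DENY unknown or revoked credential {credential_id}")
        return "Deny"
    if not priv.authorize(entity, requested):
        audit.append(f"DENY {entity} lacks {requested}")
        return "Deny"
    audit.append(f"GRANT {entity} {requested} via {credential_id}")
    return "Grant"
```

Because privileges are attached to the identity rather than to the badge, a replacement credential for the same person inherits the existing privileges, while a revoked privilege is refused even when the credential still authenticates.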