Wednesday, May 6, 2009

What is Authentication? -- really?

Username and Password please....

To authenticate is to prove, or serve to prove, the authenticity of something. I have a guy (okay, more than one guy!) at work who keeps asking, "Why have two authentication sources? Why do we have both Active Directory and eDirectory?" I said, "Two sources? We have a few hundred when you count every place there is a store of login IDs and passwords." Just a typical organization with well over 50,000 identity-related objects to keep tabs on, one that has grown by necessity and not by careful planning. What are you ensuring the authenticity of? Well, it's an account in my system, of course. But where does that account come from, how did it get there, and what are you doing to make sure that its presence in your system is appropriate? Aren't these the more pressing issues?

The key idea in this post is that when you give somebody in your organization a username and a password to some system, database, or application, you are saying that knowledge of those credentials is all anyone needs to gain access to whatever data or power is behind the curtain. If that is all you need to prove, why not just give everyone a single user ID with the password "password"? What differentiates one user of the system from another? Wouldn't a single ID and password save a lot of headaches? Is this really authenticating? No, surely not. It is a fundamental data integrity issue (or more precisely, an integrity issue in the metadata kept for the user accounts), and it has the potential to undermine the value of the data stored in the protected system. Not a wise move in the current regulatory environment...

What you allow or require in order for an account to be created is your declaration of the value of whatever resource you are hoping to protect by authenticating. Your diligence in making sure that any account that, for whatever reason, fails the appropriateness test for access to your system is promptly and verifiably removed from the account store is your profession of how serious you are about data security. Of course there are all kinds of ways (besides a username and password) to authenticate someone or something for access, but the business need, the grounds for possession of credentials, is the real issue. The way to ensure that access is appropriate is to maintain the integrity of your identity data to an appropriately high standard. A directory full of enabled accounts for people who left last year passes every password check and fails the only check that matters. What are you doing to ensure that all accounts in your system are appropriate? Does the data you maintain give you a clear picture of this?

So, why two authentication sources? Why 400? Because it is not the role of the information security professional to decide which tool is best or most cost-effective for the organization; it is to make sure that the accounts granted access are valid. This is done by making sure that the data and metadata in the account store are authentic: that they cannot be altered in any inappropriate way, and that they are kept clean and consistent. The heavy lifting of the authentication process is not done in the exchange of usernames and passwords; it is done when the account is created, disabled, and deleted. The battle is won by making sure that the data that gets into the account store is appropriate, and that it is removed when it is not. Consider these issues when thinking about which account stores (vendors and products) are appropriate for your organization.
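To make the "created, disabled, and deleted" point concrete, here is an added example (not code from the original post, and not any product's feature) of reconciling an account store export against the authoritative HR feed. The record layouts, the field names (employee_id, status, department, enabled, disabled_on), the 90-day retention window before a disabled account is deleted, and the sample people and accounts are all constructed assumptions; real directories and HR systems use their own schemas. The point it shows is that the integrity questions from the post (who owns this account, should it still exist, does its metadata still match the truth) can be asked of every account mechanically, and that each failure maps to a lifecycle action rather than to a password check.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row of the authoritative HR feed (assumed layout)."""
    employee_id: str
    name: str
    status: str                 # "active" or "terminated"
    department: str
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    """One account from the directory export (assumed layout)."""
    login: str
    employee_id: Optional[str]  # None when nobody ever recorded an owner
    enabled: bool
    department: str
    disabled_on: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    login: str
    action: str                 # "disable", "delete" or "review"
    reason: str


# Assumed retention policy: a disabled account is removed after 90 days.
DELETE_AFTER = timedelta(days=90)


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Compare the account store with HR and say what each failing account needs."""
    by_id: Dict[str, HrRecord] = {r.employee_id: r for r in hr}
    owners: Dict[str, List[str]] = {}          # employee_id -> logins claiming it
    for a in accounts:
        if a.employee_id is not None:
            owners.setdefault(a.employee_id, []).append(a.login)

    findings: List[Finding] = []
    for a in accounts:
        if a.employee_id is None:
            # Nobody can vouch for an account with no recorded owner.
            findings.append(Finding(a.login, "review", "no owner recorded"))
            continue
        person = by_id.get(a.employee_id)
        if person is None:
            # The account claims an owner the authoritative source never had.
            action = "disable" if a.enabled else "delete"
            findings.append(Finding(a.login, action, f"employee_id {a.employee_id} not in HR"))
            continue
        if person.status == "terminated":
            if a.enabled:
                findings.append(Finding(a.login, "disable", f"{person.name} left on {person.end_date}"))
            elif a.disabled_on is not None and today - a.disabled_on >= DELETE_AFTER:
                findings.append(Finding(a.login, "delete", "disabled past retention window"))
            continue
        # Active employee: look for duplicate accounts and metadata drift.
        if len(owners[a.employee_id]) > 1:
            findings.append(Finding(a.login, "review",
                                    f"employee_id {a.employee_id} owns {sorted(owners[a.employee_id])}"))
        if a.department != person.department:
            findings.append(Finding(a.login, "review",
                                    f"directory says {a.department!r}, HR says {person.department!r}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each login to the sorted list of actions raised against it."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.login, []).append(f.action)
    return {login: sorted(actions) for login, actions in out.items()}


# Constructed sample data; none of these people or accounts are real.
SAMPLE_HR = [
    HrRecord("E100", "Alice", "active", "Finance"),
    HrRecord("E200", "Bob", "terminated", "Engineering", date(2009, 3, 31)),
    HrRecord("E300", "Carol", "active", "Engineering"),
    HrRecord("E400", "Dave", "terminated", "Sales", date(2008, 12, 15)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", True, "Finance"),                        # clean
    Account("bob", "E200", True, "Engineering"),                      # left, still enabled
    Account("carol", "E300", True, "Sales"),                          # department drift
    Account("carol2", "E300", True, "Engineering"),                   # second account, same owner
    Account("dave", "E400", False, "Sales", disabled_on=date(2009, 1, 5)),  # past retention
    Account("svc_backup", None, True, "IT"),                          # no owner at all
    Account("mallory", "E999", True, "Finance"),                      # owner unknown to HR
]
TODAY = date(2009, 5, 6)


def run_example() -> Dict[str, List[str]]:
    return summarize(reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY))


if __name__ == "__main__":
    for f in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{f.action:8} {f.login:12} {f.reason}")
```

Run as-is, it lists one lifecycle action per problem: bob and mallory get disabled, dave gets deleted, and the orphan, the duplicate pair, and the department drift are flagged for a human to decide. The part worth copying is not the sample data but the shape: the authoritative source decides, the directory is checked against it, and an account that cannot be tied to a valid, current reason for existing is treated as a defect in the store rather than left for the password prompt to sort out.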
