
User Identification and Authentication Concepts



Transcription of User Identification and Authentication Concepts

Chapter 1
User Identification and Authentication Concepts

The modern world needs people with a complex identity who are intellectually autonomous and prepared to cope with uncertainty; who are able to tolerate ambiguity and not be driven by fear into a rigid, single-solution approach to problems, who are rational, foresightful and who look for facts; who can draw inferences and can control their behavior in the light of foreseen consequences, who are altruistic and enjoy doing for others, and who understand social forces and trends.
Robert Havighurst

This chapter introduces the main concepts of user identification and authentication. It also provides the terms used throughout this book.

Security Landscape

Information is an asset for today's organizations and individuals. Information may be less or more important and very often has a monetary value. Unauthorized disclosure, improper modification, or unavailability of information may incur expenses (loss) or missed profits for the organization or the individual. Therefore, most organizations and individuals protect information to a certain extent. IT security is the science of protecting information assets from threats.

Page 1 Thursday, May 17, 2007 2:36 PM 2007 by Taylor & Francis Group, LLC
Mechanics of User Identification and Authentication

An information asset is an atomic piece of information that has meaning to the organization or the individual. Information assets have an owner. The information assets of a business organization are owned by a business owner, and those of an individual are owned by the actual individual. The responsibility for protecting information assets may be delegated to the IT department, the Information Security department, or the Information Risk Management department; individuals typically protect their own resources, but they may interact with other individuals and organizations, and may seek advice or transfer protection responsibilities to other individuals and organizations. Whoever manages protection is considered a custodian of the information asset. However, the owner is still responsible for valuating information, posing requirements for information protection, ensuring that information is protected by following defined procedures for information protection, and auditing the protection mechanisms in place. The custodian is responsible for defining security protection mechanisms that meet the requirements of the information owner.

Organizations and individuals typically have three main requirements for information asset protection:

1. Confidentiality: information protection from disclosure to unauthorized individuals and other organizations. Information that represents a patent, a trade secret, most types of military information, or financial information are examples of information that typically needs protection from disclosure. The company payroll information is normally a resource that requires protection from unauthorized disclosure.
2. Integrity: information protection from accidental or intentional modification that may affect data validity. Financial transactions are a typical example of an information asset that requires integrity protection. If an individual wants to transfer $1000 and someone modifies the amount to $20,000, it does make a difference.
3. Availability: information and services that expose information to organizations and individual users must be available when users need them. If an online Web banking application uses very secure technologies for user authentication, information encryption, and signing but the site is down and not available to users who need it, then it will hardly meet protection requirements.

In an ideal world, a custodian will apply the best technologies in terms of countermeasures to protect confidentiality, integrity, and availability of information assets. However, IT costs money in terms of hardware, software, training, labor, and other resources required to provide protection, confidentiality, integrity, and availability. Targets may be set accordingly so that protection is cost effective in relation to the information asset being protected.

Regardless of the level of protection, and mainly due to unclear requirements set by the information asset owners, by failing to implement protection for properly defined requirements, as well as due to hardware, software, and configurations thereof that may have security flaws, information assets may be vulnerable to one or more security threats that will typically compromise information asset confidentiality, integrity, or availability. Threat agents such as malicious individuals (or attackers) may give rise to threats and exploit vulnerabilities. Vulnerabilities exist in the protection scheme, and they are very likely to exist regardless of the time and effort spent to protect the information asset. Therefore, the possibility exists that a threat agent will exploit a vulnerability and compromise information asset protection. This is referred to as risk. The level of risk can sometimes be quantified and is often represented by the product of the value of a potential damage to asset protection multiplied by the probability of this occurring. Risk is not a problem but rather the likelihood of a problem happening, so risk probability is less than 100 percent. A risk that is 100 percent likely to occur is a problem, such as a risk that has materialized, and should be treated as such.

The typical approach to information security management is to analyze risks to information assets and mitigate these risks by imposing countermeasures. Furthermore, information security protection will also devise reactive (contingency) plans to minimize damage if for some reason a risk materializes and turns into a problem. It is very important for a security professional to understand the requirements of business for information asset protection, to understand the risks for the particular information asset, as well as to devise and understand the countermeasures for information asset protection from threats. To protect information, security professionals must implement security controls. User identification and authentication play a vital role in security controls by providing user identity and assurance before user access to resources is granted to an individual. This book provides insight into how user identification and authentication mechanisms work, and provides security professionals with information on when to use specific mechanisms and what the implications of doing so would be.

Authentication, Authorization, and Accounting

Whether a security system serves the purposes of information asset protection or provides for general security outside the scope of IT, it is common to have three main security processes working together to provide access to assets in a controlled manner. These processes are:

1. Authentication: often referred to as Identification and Authentication, determining and validating user identity.
2. Authorization: providing users with the access to resources that they are allowed to have and preventing users from accessing resources that they are not allowed to access.
3. Accounting: providing an audit trail of user actions. This is sometimes referred to as auditing.

The following sections discuss these three processes and the relationship between them.

Identification and Authentication

A computer system comprised of hardware, software, and processes is very often an abstraction of an actual business model that exists in the real world outside the computer system. A financial application, for example, can be considered a model of actual financial relationships between actual organizations and individuals. Every element of the actual financial relationship can be projected onto the computer model (financial application), and then the computer model can be used to determine the outcomes of financial interactions between components of the actual system projected into the computer model.

The individuals using a computer system are typically humans (and sometimes applications or services) that exist outside the system. The user ID is a projection of an actual individual (or application or service) into the computer system. The computer system typically uses an abstract object, called a user account, that contains a set of attributes for each actual individual. The object has a name (user ID or logon ID) that is used to represent the abstract object to the system. Additional attributes of the object may include the full name of the actual user, the department for which he is working, his manager and direct reports, extension number, etc. Objects may or may not have credentials as their attributes. Apart from the user ID or logon ID, a security system will typically assign users an internal number (Security Identifier) that is used by the system to refer to the abstract object.

Having a unique abstract object in the form of a user account for each individual who will access resources in a computer system is very important. This object is used to identify the user in the system; this object is referred to by the system when user access to information assets is defined, and the system will also trace user actions and record an audit trail referring to the actual user by his abstract object ID. The user ID is therefore the basis for access control and it also helps to implement accountability. Hence, it is essential to have a separate user ID for each user, because each individual has specific access requirements and should be individually kept accountable for his actions.

The process of authentication is often considered to consist of two distinct phases: (1) identification and (2) (actual) authentication. Identification provides user identity to the security system.
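The user-account abstraction and the three processes described above, as an added Python example that is not from the book: a hypothetical SecuritySystem maps a presented logon ID to its account object (identification), validates that identity against an optional credential attribute (authentication, modeled here with a salted PBKDF2-SHA256 hash, a choice the chapter does not prescribe), checks an access list keyed by the internal Security Identifier (authorization), and records every attempt in an audit trail keyed by that same identifier (accounting). All class, method and resource names are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

@dataclass
class UserAccount:
    logon_id: str                # name that represents the abstract object to the system
    sid: int                     # internal Security Identifier the system refers to it by
    full_name: str               # one of the additional, non-credential attributes
    salt: bytes                  # assumed credential scheme: salted PBKDF2-SHA256 (not from the book)
    credential: Optional[bytes]  # None for objects that carry no credential attribute

class SecuritySystem:
    def __init__(self) -> None:
        self._accounts: dict[str, UserAccount] = {}  # logon_id -> account object
        self._acl: dict[str, set[int]] = {}          # resource -> SIDs allowed to access it
        self._next_sid = 1001
        self.audit: list[tuple[int, str, str]] = []  # accounting trail, keyed by SID

    def create_account(self, logon_id: str, full_name: str, password: Optional[str]) -> UserAccount:
        salt = os.urandom(16)
        cred = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000) if password else None
        acct = UserAccount(logon_id, self._next_sid, full_name, salt, cred)
        self._next_sid += 1                          # every individual gets a distinct SID
        self._accounts[logon_id] = acct
        return acct

    def identify(self, logon_id: str) -> Optional[UserAccount]:
        """Phase 1: the presented logon ID is mapped to the abstract object, if one exists."""
        return self._accounts.get(logon_id)

    def authenticate(self, acct: UserAccount, password: str) -> bool:
        """Phase 2: the claimed identity is validated against the credential attribute."""
        if acct.credential is None:                  # no credential attribute: cannot authenticate
            return False
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 200_000)
        return hmac.compare_digest(probe, acct.credential)

    def grant(self, resource: str, sid: int) -> None:
        self._acl.setdefault(resource, set()).add(sid)   # access is defined per SID, not per name
    def access(self, logon_id: str, password: str, resource: str) -> bool:
        """Identification, authentication and authorization in turn, each outcome recorded."""
        acct = self.identify(logon_id)
        if acct is None or not self.authenticate(acct, password):
            self.audit.append((-1, logon_id, f"logon failed before {resource}"))  # no SID to charge
            return False
        allowed = acct.sid in self._acl.get(resource, set())
        self.audit.append((acct.sid, logon_id, f"{'granted' if allowed else 'denied'} {resource}"))
        return allowed
```

Because each individual owns a distinct SID, the audit trail attributes every granted or denied action to one person; a shared logon would collapse two people into one SID and lose that accountability.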
