Authentication - It's All about Risk

In many enterprises I have been in, I'm usually asked "What's the best authentication method to use?" or "What do I recommend?"

The reality is both of these questions are wrong. The purpose of this paper is to illustrate for the reader:

Why this is so
A risk framework
The significant sea changes in the internet that are rapidly approaching

It's All about Risk

What is authentication? It's a way of measuring trust about a person trying to gain entry. In the medieval days, trust was a soldier by a door who asked "Who goes there" and using his knowledge of the person (his memory, his five senses and his instructions on who to allow or deny) allowed them entry or not.

As time progressed, identities that were traveling from one place to another were often given tokens to present at the other end. There was something that the two parties had agreed upon in advance to establish trust.

So if I showed up at your door presenting you with a special piece of cloth, gold, etc., you would examine it and, if it looked like the one you had agreed to, you granted me entrance.

In other cases, the two parties would agree on a secret password. Knowledge of it was limited to the two parties and to whomever they told the secret.

Thus, when I arrived at your door and told you the secret password that you agreed upon, you granted me access.

The three examples above are of something you are, something you have and something you know. They are all ways of measuring trust.

As life got more complicated there was a growing trend of people masquerading as another. For example, people in the past who were carrying tokens might have been murdered en route and their tokens used by the murderer to gain entrance to the castle.

Thus people learnt the hard way that there are degrees of trust.

This led to parties agreeing to use combinations of the three methods. So, when you show up at the castle gate and present the stolen token but don't know the password, you are led to the dungeon instead of to the king or queen.

The point I am making is that the degree of trust required is dependent upon the degree of risk.

For example, the ruler might have open gates in the outer walls of the castle, allowing tradespeople in to conduct their trade, while having stronger degrees of authentication for the different doors leading into the inner walls and sanctuaries of the castle.

The rulers decide that the risk for the outer layers is very low while the inner sanctuaries have higher degrees of risk.

Based on this, the rulers then use different authentication methods, e.g. a token to gain entrance beyond the outer walls, a token and a password for the next door, and finally only allowing someone into the inner sanctuary whom the ruler can see and recognize before granting them access.
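The castle's three tiers expressed as a risk-tiered authentication policy, as an added example that is not part of the original article; the zone names are hypothetical, and the "stolen token without the password" case from above is what `decide` catches:

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three ways of measuring trust named in the article."""
    KNOW = "something you know"  # the agreed password
    HAVE = "something you have"  # the token (cloth, gold, ...)
    ARE = "something you are"    # the ruler recognises you in person


# Hypothetical zone names modelled on the castle: each tier lists the factor
# categories that must ALL be verified. Tiers are ordered from lowest to
# highest risk, and each tier's requirements include the previous tier's.
ZONE_POLICY = {
    "outer_walls": {Factor.HAVE},
    "inner_door": {Factor.HAVE, Factor.KNOW},
    "inner_sanctuary": {Factor.HAVE, Factor.KNOW, Factor.ARE},
}


@dataclass(frozen=True)
class Credential:
    factor: Factor
    verified: bool  # False if presented but the gatekeeper could not check it


def factors_proven(creds):
    """Distinct factor categories that were actually verified. Two passwords
    still count as one category: repeating a factor adds no trust."""
    return {c.factor for c in creds if c.verified}


def decide(zone, creds):
    """Return (allowed, missing): the door opens only when no required factor
    category is missing; 'missing' is what a step-up challenge should ask for."""
    missing = ZONE_POLICY[zone] - factors_proven(creds)
    return (not missing, missing)


def highest_zone_allowed(creds):
    """Deepest zone these credentials satisfy, or None (turned away at the gate)."""
    deepest = None
    for zone in ZONE_POLICY:  # insertion order = lowest to highest risk
        if decide(zone, creds)[0]:
            deepest = zone
    return deepest
```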

Today's Enterprises

Modern enterprises have identities passing through their electronic and physical walls all the time.

However, I have frequently found that, unlike the kings and queens of old who would have done their risk assessment and constructed the castle according to that risk (i.e. having moats out front, drawbridges, and then tougher levels of access to the inner sanctuary), most enterprises have the moat out front (their DMZ, firewalls and physical access controls to the buildings) and then use a uniform unique identifier and a password to allow access internally and...that's normally about it.

Common exceptions to this statement are financial and military enterprises, which often have additional layers of authentication (like RSA tokens and smart cards).

Whenever I see reliance upon the uid and password, the first image that comes to my mind is the enterprise as a giant marshmallow that's just been toasted over a campfire. The outside is a little hard, but when you push in through it, underneath it's all soft and gooey.

Then I normally laugh inside myself when someone in these enterprises asks me what "other" authentication method they should use. The question is laughable since they are letting the tail wag the dog.

In this case, the tail is the measure of trust. The dog is the enterprise risk. I laugh since how can one measure trust without first deciding on the risk?

All too often, the question is a result of some authentication sales person trying to sell their method of measuring trust.

You Need to Start With Risk

Read the full article here: Authentication - It's All about Risk
