Clearly defined and communicated policies and procedures are an essential part of any information-security program. Your policies should include terms for information ownership, value classification and authentication. The communication of these policies will ensure that security is uniformly managed within your company and that business risk is reduced.
Authentication, our focus here, is the process that determines the identity of a person or system and is usually the first step in providing access to information resources. The goals of authentication are to ensure that only authorized individuals have access to data and systems and to provide an audit trail for accountability.
Since different authentication methods meet these requirements to varying degrees, you must craft your authentication policy carefully. The methods used for authentication should be robust enough to reduce the risk to information resources to a level consistent with their business value.
The Relationship Between Authentication and Authorization
Authentication is closely tied with authorization. Authorization is the process of determining if access should be provided to a resource and occurs after authentication -- you must know the identity of someone before deciding if he or she should be given access to a resource. Authorization can be accomplished by using a profile that is associated with the identity that has been authenticated, or via permissions placed upon resources that control access based on identities and groups.
Four areas that need to be accounted for in your authentication policy are the methods of initial authentication for account creation; the value of data and systems being accessed; the method of access; and the privilege level of the account being authenticated.
You must determine the methods that will be used to authenticate an individual initially. In a corporate setting, where access is limited to internal employees, such authentication is usually performed by the human resources department. When someone is hired, he or she is required to provide employment history, social security number, personal references, a home address and other information. Further, most companies run routine background checks on candidates to confirm that they are who they say they are and that they do not pose a high risk because of, for example, bad credit or a criminal history. You will also need policies for initial authentication if you plan to provide services to a client that is unknown until registered. For example, you might be developing an Internet or extranet application for use by a new customer base. Your policy should state what types of information are required for legitimate initial authentication. These requirements might be minimal if the data being accessed is not critical or confidential. However, when providing access to high-value data, multiple information elements -- tax ID, home and/or business address or driver's license number, for example -- should be required so that you can perform some level of verification before creating a new account.
The requirements for authentication should be directly related to the value of the data and systems being accessed. This ties your authentication policy to another policy area: data-value classification. To determine the requirements for authentication, you must understand the value placed on the data and systems to which you are providing access. For example, you may have lower authentication requirements for access to internal print systems than to business-critical data, such as that produced by finance or HR departments.
The method used to access the data or systems should be taken into consideration when defining an authentication policy. For example, your authentication requirements for access to a given system may be lower if the system is being accessed from an internal network rather than from an extranet or the Internet. This is to help mitigate the risk associated with a less secure method of access.
Your requirements for authentication should match the level of access being provided. The requirements for authentication of a regular user account, for instance, might be lower than those for authentication of an administrative account.
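The three access-time factors above (data value, access path and account privilege) can be encoded as a policy rule that derives the authentication strength an access request must meet and records the decision for the audit trail. The following is an added example, not code from the article; the assurance tiers, classification names and escalation rules are assumptions chosen to illustrate the approach.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    """Assumed assurance tiers, strongest last (hypothetical names)."""
    PASSWORD = 1       # single factor
    MFA = 2            # password plus a second factor
    HARDWARE_MFA = 3   # phishing-resistant hardware token


# Base requirement by data-value classification (assumed tiers).
BASE_BY_CLASS = {
    "public": AuthLevel.PASSWORD,
    "internal": AuthLevel.PASSWORD,        # e.g. internal print systems
    "confidential": AuthLevel.MFA,
    "critical": AuthLevel.HARDWARE_MFA,    # e.g. finance or HR data
}


@dataclass(frozen=True)
class AccessRequest:
    data_class: str    # value classification of the target resource
    origin: str        # "internal", "extranet" or "internet"
    privileged: bool   # administrative account being authenticated?


def required_level(req: AccessRequest) -> AuthLevel:
    """Derive the minimum assurance tier; unknown classes fail closed."""
    if req.data_class not in BASE_BY_CLASS:
        raise ValueError(f"unclassified data: {req.data_class!r}")
    level = BASE_BY_CLASS[req.data_class]
    # Less secure access path (extranet/Internet): step up one tier.
    if req.origin != "internal":
        level = AuthLevel(min(level + 1, AuthLevel.HARDWARE_MFA))
    # Administrative accounts always get the strongest tier.
    if req.privileged:
        level = AuthLevel.HARDWARE_MFA
    return level


def decide(req: AccessRequest, presented: AuthLevel, user: str) -> dict:
    """Compare presented assurance with the requirement; return an audit record."""
    need = required_level(req)
    return {"user": user, "origin": req.origin, "data_class": req.data_class,
            "required": need.name, "presented": presented.name,
            "granted": presented >= need}
```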