How much security is enough?

With the increased importance of outsourcing, cyber collaboration, information sharing, and legally binding digital signatures, your partners and clients share your risks and are now key stakeholders in this equation.

Prudent and transparent security is now a cost of doing business. Those that modernize now survive, those that don't, won't.

To modernize efficiently and effectively: 1) find a community that defines cyber security prudence, and 2) adopt enterprise architecture and project management practices to control your modernization initiatives.

Monday, April 7, 2008

Who will take care of the orphans?

If physical security isn't informed when a person leaves an agency, then what are the chances that their FIPS 201 smart card will be revoked? You are right, the chances are not good. We call these cards "orphaned credentials." The credential is still operational but doesn't belong to a valid identity within the enterprise. The credential has, in fact, lost its parent.

As things stand today, we, as a community, will have many FIPS 201 orphans. HSPD-12, FIPS 201, and the Federal Common Policy are brilliant. But if we stop now, we stop short of modernizing identity management.

One of the key concepts that we (Litmus, NASA, EDS) present in our IDM Reference Architecture is the need to FUSE identity management and credential management processes. This fusion ensures that valid cards will never become orphans.

Here is a concept diagram which explains the "ideal" case. The outer arrow represents the identity management processes. These processes are responsible for managing identities through their lifecycle, including identity onboarding and offboarding, and identity changes (e.g. change of legal name, roles, positions, duties, clearances, ...).

In the ideal case, Identity Management processes will trigger Credential Management processes (inner arrow) because the two capabilities are FUSED.

Wouldn't it be great if for each person (identity) that separates from an agency, the identity management processes automatically trigger the credentialing processes in an automated and reliable manner and the credential is terminated within minutes?

Yes. This is possible and necessary to make our FIPS 201 smart cards "fit for use."

If you aren't sure whether orphaned credentials will be a challenge at your agency, ask your physical security department or your IT service desk. Ask them how they find out when a person leaves the agency. You will be shocked by the number of manual tasks they have to remember to do, and only if they are notified of the separation. Ask them in sequence for employees, contractors, and then consultants/on-loan staff/temps/interns. As you progress your questions through the sequence, the problem will become more and more apparent.

To prevent orphaned credentials, we, as a community, need to FUSE our identity management processes and credential management processes. We need to do so in a consistent and rigorous manner across the entire federal enterprise. We will increase the reliability of our smart cards and make them fit for use, no matter which agency happens to be managing the identity.
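The fused "ideal case" from the concept diagram, and the orphan check described in the paragraph about asking your service desk, as an added illustration that is not part of the original post or of the Litmus/NASA/EDS reference architecture. It assumes two simple in-memory stores, a hypothetical separation event hook as the point of fusion, and constructed sample records (the identity and card names are made up); the reconciliation function also catches a card whose identity record never existed, which fusion alone would not revoke.

```python
from dataclasses import dataclass

@dataclass
class Identity:
    id: str
    status: str  # "active" or "separated"

@dataclass
class Credential:
    id: str
    identity_id: str
    status: str  # "active" or "revoked"

class IdentityManager:
    """Identity lifecycle process (outer arrow); offboarding emits an event."""
    def __init__(self, identities):
        self.identities = {i.id: i for i in identities}
        self.handlers = []  # credential-management hooks subscribe here (the fusion)

    def on_separation(self, handler):
        self.handlers.append(handler)

    def separate(self, identity_id):
        self.identities[identity_id].status = "separated"
        for handler in self.handlers:  # fused: credential process fires immediately
            handler(identity_id)

class CredentialManager:
    """Credential lifecycle process (inner arrow)."""
    def __init__(self, credentials):
        self.credentials = {c.id: c for c in credentials}

    def revoke_for_identity(self, identity_id):
        for c in self.credentials.values():
            if c.identity_id == identity_id and c.status == "active":
                c.status = "revoked"

def find_orphans(idm, cms):
    """Reconciliation check: active credentials with no active identity behind them."""
    active_ids = {i.id for i in idm.identities.values() if i.status == "active"}
    return sorted(c.id for c in cms.credentials.values()
                  if c.status == "active" and c.identity_id not in active_ids)

def simulate(fused):
    # Constructed sample records; card-003 has no identity record at all.
    idm = IdentityManager([Identity("alice", "active"), Identity("bob", "active")])
    cms = CredentialManager([Credential("card-001", "alice", "active"),
                             Credential("card-002", "bob", "active"),
                             Credential("card-003", "carol", "active")])
    if fused:
        idm.on_separation(cms.revoke_for_identity)
    idm.separate("bob")  # bob leaves the agency
    return find_orphans(idm, cms)
```

Without fusion, bob's card stays operational after his separation and is reported as an orphan; with fusion it is revoked as part of the same offboarding step, and only the card with no parent identity remains for the reconciliation report.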