Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, July 23, 2007

On Device-based Identity Management in Enterprises …

Here are some thoughts on devices, devices’ identities and implications for identity management solutions in enterprises … What is your experience in this space? Your comments are welcome.
There is no doubt that devices (laptops, PDAs, mobile phones, etc.) are pervasive in today’s society. Some of these devices are normally used both for work-related matters and for personal matters: the separation between work, public and private aspects of people’s life is more and more blurred.
From an enterprise perspective, this introduces additional risks and threats, in particular about the integrity of these devices and their trustworthiness to access enterprise intranets and networked resources. Private devices (e.g. personal laptops) can also be used at work, with potentially lower security and assurance levels (e.g. about installed software, patch control, local access control settings, etc.) than the ones mandated by enterprise security administrators. Current enterprise services, applications and information are mainly protected by traditional access control systems that usually only take into account human-based identities (via login/passwords, digital certificates, etc.) or (in more advanced situations) only human-based identities that are strongly bound to a given device.
I believe that, to have better control of managed resources, it is going to be more and more important for enterprises to explicitly identify devices, along with their properties, i.e. to consider the identity of a device either as a self-standing entity or as one of a group of known entities. Furthermore, trust and assurance are required about the authenticity and validity of a device’s identity.
Dealing with devices’ identities and various degrees of associations to human identities is not trivial. This has an impact on current identity management solutions, as it involves:
making decisions on how to model devices’ identities;
provisioning them to enterprise systems and solutions;
dealing with their lifecycle;
setting proper access control policies (covering various “combinations” of users’ identities and devices’ identities) and enforcing them;
dealing with trust and assurance aspects.
I am not aware of any solution/approach addressing all these aspects and “simultaneously” handling different types of identities (e.g. network-level identities, device identities, users’ identities, etc.). Any comment?
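The combination of users’ identities and devices’ identities, the device lifecycle and the assurance aspects listed above can be made concrete in a small policy evaluator. The following is an added example written for this post, not code from the original post or from HP; the assurance levels, the DeviceState lifecycle, and all sample users, devices and resource policies are constructed assumptions.

```python
"""Added example (not from the original post): a policy evaluator that treats
a device as a first-class identity next to the user, tracks the device's
lifecycle, and derives an assurance level from device properties before
granting access to a resource. All names and policy values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class DeviceState(Enum):
    PROVISIONED = "provisioned"   # registered, not yet approved for use
    ACTIVE = "active"
    RETIRED = "retired"           # decommissioned: never granted access


@dataclass
class UserIdentity:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class DeviceIdentity:
    device_id: str                    # e.g. certificate fingerprint or serial
    state: DeviceState
    managed: bool                     # enrolled in enterprise device management
    patched: bool                     # meets the mandated patch baseline
    bound_user: Optional[str] = None  # user this device is assigned to, if any


@dataclass
class ResourcePolicy:
    min_device_assurance: int         # 0..3, see device_assurance()
    required_roles: frozenset = field(default_factory=frozenset)


@dataclass
class Decision:
    allowed: bool
    reason: str


def device_assurance(device: DeviceIdentity, user: UserIdentity) -> int:
    """Map device properties and the user/device association to a level:
    0 = unknown, retired or not yet active; 1 = known but private/unmanaged
    (or managed but below the patch baseline); 2 = managed and patched;
    3 = managed, patched and strongly bound to the requesting user."""
    if device.state is not DeviceState.ACTIVE:
        return 0
    if not device.managed or not device.patched:
        return 1
    if device.bound_user == user.user_id:
        return 3
    return 2


def evaluate(user: UserIdentity, device: DeviceIdentity,
             policy: ResourcePolicy) -> Decision:
    """One decision over the combination of user identity and device identity."""
    missing = policy.required_roles - user.roles
    if missing:
        return Decision(False, f"user lacks roles {sorted(missing)}")
    level = device_assurance(device, user)
    if level < policy.min_device_assurance:
        return Decision(False, f"device assurance {level} < required "
                               f"{policy.min_device_assurance}")
    return Decision(True, f"roles ok, device assurance {level}")


# Constructed sample data: two users, a managed laptop bound to alice,
# a private laptop, and a retired enterprise laptop.
ALICE = UserIdentity("alice", frozenset({"staff", "hr"}))
BOB = UserIdentity("bob", frozenset({"staff"}))
CORP_LAPTOP = DeviceIdentity("corp-0001", DeviceState.ACTIVE, True, True, "alice")
PRIVATE_LAPTOP = DeviceIdentity("byod-0042", DeviceState.ACTIVE, False, True)
OLD_LAPTOP = DeviceIdentity("corp-0099", DeviceState.RETIRED, True, True, "alice")
INTRANET_WIKI = ResourcePolicy(1, frozenset({"staff"}))
HR_RECORDS = ResourcePolicy(3, frozenset({"hr"}))

if __name__ == "__main__":
    for who, dev, res, name in [
        (ALICE, CORP_LAPTOP, HR_RECORDS, "hr-records"),
        (ALICE, PRIVATE_LAPTOP, HR_RECORDS, "hr-records"),
        (ALICE, OLD_LAPTOP, INTRANET_WIKI, "intranet-wiki"),
        (BOB, PRIVATE_LAPTOP, INTRANET_WIKI, "intranet-wiki"),
    ]:
        d = evaluate(who, dev, res)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{who.user_id}@{dev.device_id} -> {name}: {verdict} ({d.reason})")
```

The point of the design is that the same user gets different answers depending on which device the request comes from: alice reaches the HR records only from the managed laptop bound to her, a private laptop is enough for the intranet wiki but not for sensitive data, and a retired device is refused regardless of who is holding it, which is where the lifecycle handling in the list above shows up as a runtime check.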
