Strong identity key to collaboration and cloud, says Jericho Forum

Strong identity is essential to cloud-based services, but many businesses and technology suppliers are barking up the wrong tree, say security experts.

Strong identity is essential to cloud-based services, but many businesses and technology suppliers are barking up the wrong tree, say security experts.

"The industry needs to take a step back from the technology and focus on what is important," says Paul Simmonds, board member of IT security group, Jericho Forum.

Simmonds, a former CISO at ICI and AstraZeneca, says one of the biggest business demands is for a secure way to collaborate with partners and customers.

For this reason, the Jericho Forum is working on a set of basic principles about identity that organisations should consider when implementing IT systems.

The document, due for release in May, is designed to give a high-level view of what is important in identity and what system designers need to get right to ensure what they build meets the needs of the business and can be practically applied.

"First, there needs to be a separation of identity and access management because together these two will never enable collaboration," says Simmonds.

In the cloud environment in particular, he says, system identity must be about identity and system access must be about access.

"Second, it is important to recognise that identity is not just about people, and needs to encompass devices, computer code, organisations and agents," says Simmonds.

Enterprises need to identify devices to make access decisions, they need to identify code to distinguish it from malware, most collaboration is between organisations, and actors need to be distinguished from their human and digital agents, he says.

Because identity should encompass all these factors, says Simmonds, strong identity can be achieved only through multiple attributes to work out a user's entitlement in any given scenario.

A board member would, for example, be given full access to an HR system if he or she is using a company laptop that is connected to the company network and meets the minimum security requirements.

The same board member would not be given full access to the HR system if he or she is connected to a home network using a personal laptop, even if it meets the minimum security standard.

"There would be different access decisions using a rules-based system that looks at multiple attributes," says Simmonds.

Such a rules-based system, the Jericho Forum believes, will be far more flexible and fit for cloud-based environments than any role-based or user-based system.

"It should not be only about the user, but also attributes such as the device they are using, their location, the user group they belong to," he says.

The Jericho Forum recognises that it may still be a ten-to 15-year journey towards achieving strong identity, but there are things organisations can and should be doing until a global standard is achieved.

For example, says Simmonds, a wireless networking system that allows access only to certified staff members using certified endpoint devices would separate identity and access management, while using multiple attributes to work out entitlement.

Organisations should also be looking to use already established sources to verify claims, such as DocCheck and open standards such as the security assertion markup language (saml), he says.

Read more on IT risk management