Monday, August 14, 2006

Identity - Device & User

I spent some time this weekend wondering about identity management and where it was going and here is what I kept coming back to:

Is identity then the compilation of identification and trust?

If so, then won't we by nature get into the business of identifying devices, and other tools and then seek to establish if they are trustworthy or not?

The way I was thinking about this is that a user's credntials (ID, Role, etc.) are essentially useless without a device that will enable the access to an authority that assigns a level of trust. Once identified and trust level established - you're in.

I then wondered if NAC was the logical extension of this - with health of device the gaiting factor of trustworthyness - and then challenges, logins, etc. being the ongoing validation of trust and assessment of risk. Does this mean that health is the only way? I hope not. How about knowing if the device is owned by you or by an outsider? Does this effect trustworthness of the device? Of the user?

How about knowing if the user is bad? Does this mean that the device is bad too? Tokens are nice in that it's another layer of trust for the user, but does nothing for the machine/device part of the identity.

Comments are welcome, and yes you will go through a 'challenge' to post a comment. I got sick of the breast enlargement cream adds and invites to check out various lotions, potions, powders, and pills.

identitystuff @


Post a Comment

<< Home