Thursday, March 15, 2007


I was thinking about multi factor authentication (see previous blog on the topic) and what else does adding factors to the authentication mix get us (besides closer to a DNA match of who we do business with)?

It got me thinking about Federation and trying to extend a different model of authentication and access to different users, different machines, different physical access levels, different logical (network) access for a single user type in multiple environs.

One thought I had was that interchangeability of factors lets me set up anything from zero-stringency to very stringent access control policies for virtually any environ. The POA (Point of Authentication) is the gatekeeper, the devices in the network are the cops/enforcers, and whether you are a user or a machine, what the gatekeeper knows and shares with the cop governs where you go and what you do. There is also the O factor (Omnipotent) of full auditability: if the gatekeeper is at lunch and the cop forgets TCP/IP for a second, everything is still logged in the event things get really interesting.

Business case examples:

I work for the FBI. I spend time at NSA, CIA, DEA, and State Police. We all use multiple databases that share subsets of information and disinformation. I have two 'badges'. One is my badge that I wear on my belt loop with a lanyard attached; it has some/all pertinent information about who I am and my clearance level, in essence where I can go in the physical world.

Then I have a laptop or PDA with a biometric scanner that can embed the biometric data, User ID/Password data, and a unique machine ID for my network access wherever I am.

That's a lot of factors, and gives me a lot of flexibility about how I manage who gets access to what, while keeping key data sets separate (somewhat) by using card and machine.
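To make the gatekeeper/enforcer/audit split concrete, here is an added example (my own code, not from the original post) of the model above: a Point of Authentication turns the factors a principal presents into a ticket carrying an assurance level, each enforcer checks that ticket against its own policy table and denies by default, and every authentication and access decision is written to the audit log before an answer is returned. The factor names, the three-category assurance scale, and the policy table for the field-agent scenario are assumptions constructed for this example; note that badge and machine ID both count as "something you have", so presenting both still yields one category, which is what keeps the physical doors (keyed on the badge) and the shared database (keyed on the enrolled machine) separate.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Factor categories: something you know, something you have, something you are.
# The factor names are constructed for this example.
CATEGORY: Dict[str, str] = {
    "password": "knows",
    "badge": "has",
    "machine_id": "has",
    "biometric": "is",
}


def assurance_level(factors: FrozenSet[str]) -> int:
    """Number of distinct factor categories presented. Two 'has' factors
    (badge and machine) count once; unknown factor names count for nothing."""
    return len({CATEGORY[f] for f in factors if f in CATEGORY})


@dataclass(frozen=True)
class Ticket:
    """What the gatekeeper shares with the enforcers after authentication."""
    principal: str
    level: int
    factors: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    """Minimum assurance level plus factors that must be among those presented."""
    min_level: int
    required: FrozenSet[str] = frozenset()


class AuditLog:
    """The 'O factor': every authentication and every access decision is
    recorded before the caller gets an answer."""
    def __init__(self) -> None:
        self.events: List[dict] = []

    def record(self, **event) -> None:
        self.events.append(event)


class Gatekeeper:
    """Point of Authentication: turns presented factors into a ticket."""
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit

    def authenticate(self, principal: str, factors) -> Ticket:
        fs = frozenset(factors)
        ticket = Ticket(principal, assurance_level(fs), fs)
        self.audit.record(kind="authn", principal=principal,
                          level=ticket.level, factors=sorted(fs))
        return ticket


class Enforcer:
    """A door or network device: checks the ticket against its policy table,
    denies anything it has no policy for, and logs every decision."""
    def __init__(self, name: str, policies: Dict[str, Policy], audit: AuditLog) -> None:
        self.name = name
        self.policies = policies
        self.audit = audit

    def check(self, ticket: Ticket, resource: str) -> bool:
        policy = self.policies.get(resource)
        if policy is None:
            allowed, reason = False, "no policy"
        elif ticket.level < policy.min_level:
            allowed, reason = False, f"level {ticket.level} < {policy.min_level}"
        elif not policy.required <= ticket.factors:
            missing = ",".join(sorted(policy.required - ticket.factors))
            allowed, reason = False, "missing " + missing
        else:
            allowed, reason = True, "ok"
        self.audit.record(kind="access", enforcer=self.name, principal=ticket.principal,
                          resource=resource, allowed=allowed, reason=reason)
        return allowed


# Constructed policy table for the field-agent scenario: physical doors key on
# the badge, the shared database keys on the enrolled machine.
POLICIES: Dict[str, Policy] = {
    "lobby_door": Policy(1, frozenset({"badge"})),
    "ops_floor_door": Policy(2, frozenset({"badge"})),
    "case_db": Policy(3, frozenset({"machine_id"})),
}


def run_scenario() -> dict:
    """Authenticate the same agent three ways and try each ticket at several doors."""
    audit = AuditLog()
    poa = Gatekeeper(audit)
    enforcer = Enforcer("site-hq", POLICIES, audit)

    badge_only = poa.authenticate("agent", ["badge"])
    badge_pin = poa.authenticate("agent", ["badge", "password"])
    laptop = poa.authenticate("agent", ["biometric", "password", "machine_id"])

    results = {
        "badge_only_lobby": enforcer.check(badge_only, "lobby_door"),
        "badge_only_ops": enforcer.check(badge_only, "ops_floor_door"),
        "badge_pin_ops": enforcer.check(badge_pin, "ops_floor_door"),
        "laptop_case_db": enforcer.check(laptop, "case_db"),
        "laptop_ops_door": enforcer.check(laptop, "ops_floor_door"),  # level 3 but no badge
        "laptop_unknown": enforcer.check(laptop, "server_room"),      # no policy: deny
    }
    return {"results": results, "audit_events": len(audit.events)}


if __name__ == "__main__":
    print(run_scenario())
```

The laptop ticket reaches the highest assurance level yet is still refused at the ops-floor door because the policy names the badge explicitly, and an unknown resource is refused without any policy at all; in both cases the audit log already holds the decision before the enforcer returns.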



Anonymous Mike Gage said...

Interesting thoughts; it seems like the closer we can get to a comprehensive data access security and identity management scheme, the more the scariest elements of data security become alleviated.

Thursday, March 29, 2007 5:41:00 PM  
