CS Jul-Aug 2023
identity & access

THE NEW ROAD AHEAD

A NEW NATIONAL ROADMAP FOR IDENTITY AND ACCESS MANAGEMENT SINGLES OUT STRATEGIC OBJECTIVES, ALIGNS EFFORTS WITH NATIONALLY DEFINED PRIORITIES AND SUPPORTS LONG-TERM PLANNING
With the National Institute of Standards and Technology's (NIST) draft roadmap for identity and access management (IAM) clearly signalling a strong push for meaningful change, NIST is now carefully considering the responses it sought on where the roadmap hits the mark and where it might need to be beefed up (feedback closed on 1 June).
Amongst the specific questions that NIST wanted addressed were:

- Are the guiding principles clear? Are any important principles missing?
- Do any of the strategic objectives need clarification? Are any key objectives missing?
- Are there specific activities, research or guidance that should be included and, if so, why?
- Which strategic objectives are most likely to have an impact and should be prioritised?
Why is the roadmap so important? "As we become more reliant on connected technologies, we also become more reliant on authentication," states Tim Hollebeek, industry technology strategist, DigiCert. "Offline, we use our handwritten signatures or show photo ID against which our visages can be compared. Online, however, our identities have to be verified remotely and many of the ways in which we currently do that are aging badly. Passwords, for example, have been an enduring part of authentication for decades. They've also been an enduring risk for organisations, whose passwords can often be easily guessed, are easily forgettable and are often reused across accounts."
Similarly, users are now demanding greater levels of privacy and greater autonomy over what they share and with whom. 'Mobile driver's licence' standards are also emerging from the private and public sectors, such as the EU's digital identity wallet, which aim to provide a digital solution that mirrors the authority of an offline photo ID for remote identity verification. It is amid this shifting landscape that the NIST roadmap intends to guide organisations to a modern authentication framework, he adds.

"Any new guidance on Identity and Access Management will have to deal with new realities, such as the rise of remote work and the increase of workers accessing corporate resources through VPNs and from non-corporate Wi-Fi," adds Hollebeek. "The first stage of improving authentication is to take authentication responsibilities out of users' hands. Humans, as they say, are the weakest link, and so the responsibility for authentication should be shifted away from them and towards technical solutions. Digital certificates offer a way to do that, offering seamless and strong authentication for users, based on Public Key Infrastructures."
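The certificate-based, PKI-anchored authentication Hollebeek describes, together with the automated enrolment, monitoring and replacement of certificates that the SP 1800-16 guidance quoted further down this page calls for, as an added worked example. This is illustrative code written for this page, not DigiCert's, NIST's or the magazine's, and it uses only the Go standard library. It builds an in-memory private CA, issues a server certificate to a gateway and a short-lived client certificate to a managed device, then shows that the device is admitted and identified from its certificate alone, that a client with no certificate and one holding a self-signed certificate of the same name are both refused, and that a certificate inside its renewal window is replaced automatically and the replacement still works. The CA and gateway names, the device identifier laptop-0417, the X-Authenticated-As response header, the 24-hour lifetime and the 7-day renewal window are all hypothetical; a production deployment would enrol and renew through a protocol such as ACME or EST rather than calling the CA in-process, and would keep the CA key in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // failing to mint a certificate is fatal in this demo
	}
}

// issue generates a P-256 key and has issuer certify it; a nil issuer yields a
// self-signed certificate (the private CA). Leaves also carry cn as a DNS SAN.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, ttl time.Duration, issuer *tls.Certificate) tls.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128 random bits
	check(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{eku}, []string{cn}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	parent, signer := tmpl, any(key)
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer admits only clients whose certificate chains to trust; no password is involved anywhere.
func startServer(trust *x509.CertPool, gw tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Authenticated-As", r.TLS.PeerCertificates[0].Subject.CommonName) // identity comes from the cert
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{gw}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	srv.StartTLS()
	return srv
}

// connect makes one request and returns the identity the gateway accepted; a nil client presents no certificate.
func connect(srv *httptest.Server, trust *x509.CertPool, client *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trust, ServerName: "gateway.example"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Authenticated-As"), nil
}

type Outcome struct { // what each kind of client got back from the gateway
	Enrolled, Renewed string // identities accepted for CA-issued certificates
	Anonymous, Rogue  error  // failures for no certificate / a self-signed one
	Rotated           bool   // whether monitoring triggered a replacement
}

// Demo runs enrolment, authentication, monitoring and replacement end to end.
func Demo() (o Outcome) {
	ca := issue("Example Corp Device CA", true, 0, 10*365*24*time.Hour, nil)
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	gw := issue("gateway.example", false, x509.ExtKeyUsageServerAuth, 90*24*time.Hour, &ca)
	// Enrolment: a short-lived certificate for managed device laptop-0417; the self-signed twin has no trusted issuer.
	device := issue("laptop-0417", false, x509.ExtKeyUsageClientAuth, 24*time.Hour, &ca)
	rogue := issue("laptop-0417", false, x509.ExtKeyUsageClientAuth, 24*time.Hour, nil)
	srv := startServer(trust, gw)
	defer srv.Close()
	o.Enrolled, _ = connect(srv, trust, &device)
	_, o.Anonymous = connect(srv, trust, nil)
	_, o.Rogue = connect(srv, trust, &rogue)
	// Monitoring and replacement: rotate inside the renewal window with no human in the loop.
	if o.Rotated = time.Until(device.Leaf.NotAfter) < 7*24*time.Hour; o.Rotated {
		device = issue("laptop-0417", false, x509.ExtKeyUsageClientAuth, 24*time.Hour, &ca)
	}
	o.Renewed, _ = connect(srv, trust, &device)
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Run it with go run; Enrolled and Renewed both come back as laptop-0417 while Anonymous and Rogue hold handshake errors. Two design points matter for the argument in the text. Because ClientAuth is RequireAndVerifyClientCert, the gateway has no password or other human-held fallback to try: either the presented certificate chains to a CA in its ClientCAs pool or the connection is refused before any request is served, and the self-signed certificate does not chain, so it fails whichever side enforces that first. Second, the identity the application sees is read from the certificate the TLS layer already verified, and the renewal check is a plain comparison of NotAfter against a window, which is exactly the kind of step that can run on a timer instead of waiting for someone to notice an expiry.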
He argues that authentication processes should be automated to as great an extent as possible to handle the variety of devices, users and other assets that will be requesting access to a given network. "NIST is absolutely clear on this when it comes to digital certificates. It states in its SP 1800-16 framework: 'Automation should be used wherever possible for the enrolment, installation, monitoring and replacement of certificates, or justification should be provided for continuing to use manual methods that
computing security July/August 2023 | @CSMagAndAwards | www.computingsecurity.co.uk | page 20