Security Technology and Design, May 2006
Defogging Identity-Based Access Control
A simple explanation of a complex new concept that’s changing physical access control.
By Phil Libin
Professionals in every industry have a specialized, acronym-laden jargon, deftly wielded to communicate insider concepts and stymie casual observers. The security industry, historically no stranger to opaque buzzwords, is currently in even worse linguistic shape than most. The problem is convergence.
Security is attempting to bring together identity management, video surveillance, access control and IT. These meetings are earnest and clumsy, promising and frustrating, and, perhaps most of all, confusing. Experts from five different industries are now slinging incompatible jargon at each other, and a lot of pretty straightforward ideas are being obscured in the crossfire.
For the next thousand or so words, let's get back to basics and look at the four big questions in the merger between identity management and access control: What? Why? When? and How?
What Is It?
The world is becoming identity based. Today, access to physical and logical resources tends to be managed by ad hoc, single-purpose systems. A card gets you into a building, and a password logs you onto a computer. The card and password aren't linked to each other, and neither is strongly tied to your identity. Counting physical keys, prox cards, PINs, alarm codes and computer passwords, an average person has about a dozen identity representations. I have 8,398. The disadvantages are obvious.
An identity-based access control system tries to improve the situation by separating your identity from your privileges. Your identity is linked to a credential (a smart card, a passport or an entry in a database) that is secured against physical or electronic forgery. Once there is a reliable way to establish who you are, an identity-based system lets each privilege provider specify what you are, or aren't, allowed to do. Your identity is managed by a central authority (such as your employer, an industry consortium or a government), while local privileges and access rights are managed by your building facilities supervisor, IT department, HR staff or drill sergeant.
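The split described above, as an added example that is not from the article or from any product it mentions: one hypothetical central authority issues a signed credential binding a subject identifier to a person, and two hypothetical relying parties (a door controller and an IT system) each keep their own privilege table keyed by that identifier. Forging the credential fails at every relying party, a local administrator can grant or remove a privilege without touching identity, and revoking the identity centrally denies access everywhere at once. The credential is HMAC-SHA256 signed so the example runs on the standard library alone; that is an assumption of this example, since in a real deployment the authority would sign with a private key and relying parties would hold only the public key, so that no relying party could mint credentials. All names and data are constructed.

```python
"""Identity separated from privileges: one authority, several relying parties.

Added example, not code from the article. Names, key and subjects are
constructed. HMAC is used so the example is standard-library only; a real
authority would use a public-key signature (see lead-in).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

AUTHORITY_KEY = b"demo-authority-key"  # constructed; never hard-code in practice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_credential(key: bytes, subject_id: str, name: str, lifetime: int,
                     now: Optional[float] = None) -> str:
    """Central authority: bind a subject identifier to a person and sign it."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"sub": subject_id, "name": name,
                          "iat": issued, "exp": issued + lifetime},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_credential(key: bytes, token: str, revoked: set,
                      now: Optional[float] = None) -> Optional[dict]:
    """Relying party: check signature, expiry and central revocation.

    Returns the identity claims, or None when the credential is not trusted.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:                     # malformed token
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # forged or tampered
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:                 # expired
        return None
    if claims["sub"] in revoked:                 # identity revoked centrally
        return None
    return claims


def check_access(key: bytes, token: str, privileges: dict, resource: str,
                 revoked: set, now: Optional[float] = None) -> bool:
    """Relying party decision: trusted identity AND a locally granted privilege."""
    claims = verify_credential(key, token, revoked, now)
    if claims is None:
        return False
    return resource in privileges.get(claims["sub"], set())


def demo() -> dict:
    """Run the scenario; every value in the returned dict should be True."""
    now = 1_700_000_000                     # fixed clock for reproducibility
    revoked: set = set()
    token = issue_credential(AUTHORITY_KEY, "E-0001", "A. Example", 3600, now)

    # Local privilege tables kept by facilities and IT staff respectively;
    # neither table knows anything about how identity is established.
    doors = {"E-0001": {"lobby", "lab-2"}}
    systems = {"E-0001": {"vpn"}}

    # A forgery attempt: keep the authority's signature, change the subject.
    payload_b64, tag_b64 = token.split(".")
    forged_claims = json.loads(_unb64(payload_b64))
    forged_claims["sub"] = "E-0002"
    forged = _b64(json.dumps(forged_claims, sort_keys=True,
                             separators=(",", ":")).encode()) + "." + tag_b64

    results = {
        "lobby_allowed": check_access(AUTHORITY_KEY, token, doors, "lobby", revoked, now),
        "server_room_denied": not check_access(AUTHORITY_KEY, token, doors, "server-room", revoked, now),
        "vpn_allowed": check_access(AUTHORITY_KEY, token, systems, "vpn", revoked, now),
        "forged_denied": not check_access(AUTHORITY_KEY, forged, doors, "lobby", revoked, now),
        "expired_denied": not check_access(AUTHORITY_KEY, token, doors, "lobby", revoked, now + 3600),
    }
    # Revoking the identity centrally (the employee leaves) locks every door
    # and system at once, with no change to any local privilege table.
    revoked.add("E-0001")
    results["revoked_denied_everywhere"] = not (
        check_access(AUTHORITY_KEY, token, doors, "lobby", revoked, now)
        or check_access(AUTHORITY_KEY, token, systems, "vpn", revoked, now))
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is which table each administrator edits: the facilities supervisor only ever touches `doors`, the IT department only `systems`, and the authority only issues or revokes credentials. None of them can do the others' job, which is exactly the separation the article describes.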
Why Do We Need It?
There's a ribald old joke that everyone seems to know; it asks why a dog licks a certain part of its own anatomy. The familiar punch line: “Because it can.” You don't need to look for more subtle reasons why access control and identity management should come together. Their merger improves security and convenience and lowers total cost of ownership by eliminating the redundancies and loopholes inherent in running separate, parallel systems. If it can be done, it should.
Physical and information security were already fully converged hundreds of years ago. Think of the man riding “shotgun” on a Wells Fargo stagecoach. It's only in the past few decades that the two practices have separated. Instead of “Why should convergence happen?” the question should be, “Why has it taken so long for modern-day convergence to really get under way?”