
Comments on: The marriage of identity yin and security yang

Now more than ever, organizations need to make sure these two things are working in harmony, or they will either hold back the business or greatly increase security risk.

by ManuNamboodiri April 7, 2009 11:24 AM PDT
You have looked at answering two fundamental questions - who has access and how do we enforce it? The first part is identity and the second is broadly security (though I would say controls at the application, OS, network or data encryption that look at identity and give a pass/fail on access). I might even add a third dimension - i.e. for how long is access valid? This is where policies of retention etc. come in.

In any case, the pivotal aspect of this is always identity - this leads to all the rest of the questions. How we use identity to enforce everything else is, I think, the crux of the whole security practice.

Disclaimer: Being from BitArmor, I think all these policies should be embedded in the data itself :)
by skswave April 8, 2009 1:19 PM PDT
Ultimately, this is where the role of the TPM in the PC will become better understood. The TPM provides a container for tamper-resistant identity for both users and devices. The other key is that it is a vendor-neutral, industry-standard solution that everyone can leverage. The key to all identity-based networks like cell phones and set-top boxes is that the identity can be trusted. The strong benefit of the TPM is that it is owned by the owner of the platform and not the network, so it can be used for multiple applications from VPNs to PayPal. The merger of identity and security has helped the mobile phone industry make huge strides and it will change how we all use our PCs.
by dan_griffin April 9, 2009 2:29 PM PDT
I'd like to see the TPM used in that role, too, but have you ever tried to buy a PC with a TPM chip from, say, Best Buy? My point is that, partly because of MS Windows SKU differentiation, consumer PCs generally don't include TPMs.

Since TPM usage, and the few scenarios such as drive encryption that actually support it, are enterprise driven, the next question is who owns the chip and the keys that are bound to it? Hint - if the laptop is a managed or enterprise asset, then it's not the user that owns those keys. So are you sure you want to use it for your personal PayPal account? Are you sure your employer wants you to do so?

Phones have the same problem, and so do chip (smart) cards for that matter.

In any case, I agree that all of the above pose big opportunities for intra-enterprise solutions. But confusing ownership of the asset between the user as an employee and the user as an individual consumer is problematic.
by rcraig_courion April 9, 2009 10:14 AM PDT
I agree wholeheartedly with your analysis. Over the past few years identity and access management (IAM) has become a priority for enterprises for a variety of reasons, including cost controls and regulatory compliance, as well as security. Many CIOs are now more concerned about the internal threats posed by employee misconduct or disgruntled ex-employees than by threats coming from outside the network. Similarly, the severe brand damage that the leakage of sensitive customer, patient or employee information can cause gives CIOs an additional incentive to deploy an effective IAM system. I also agree that identity management can be a business enabler for an organization. When a company ensures that only the right people have the right access to the right resources and are doing the right things, the business can save money and run more effectively with reduced security risk.