Toward Ubiquitous Strong Authentication
The foundation of a trusted network


It's almost a tautology these days to say that the Internet has become the lifeblood of business and personal communications. E-commerce and e-mail are two resounding examples of the transformation exerted by the "network of networks" on people around the globe. Unfortunately, the ubiquity and flexibility of the network have also brought their own set of challenges and security concerns, particularly in the area of user and device authentication.

A strong, ubiquitous authenticated computing environment is needed to address the growing security challenges threatening enterprises today. This article presents a vision for propagating strong authentication across all users, devices, applications, and networks, borrowing from ideas encapsulated in the recently launched Open Authentication reference architecture (OATH) initiative from a wide range of industry players, including hardware and software vendors, token manufacturers, and security companies.

The Need for a Strong Digital Identity

Although recent technology, communication, and geopolitical developments point toward the need for stronger network security, three network trends stand out as driving the imperative for strong digital identities: identity theft, the rise of federated identity networks, and the proliferation of IP devices.

Identity Theft Network Effect
The 2002 Federal Trade Commission (FTC) annual study on consumer complaints cited identity theft, for the third year running, as the most frequent reason individuals contacted consumer protection authorities. While services such as banking, health care, and insurance adopt the network, the fundamental security mechanism for protecting personal information online remains fairly unsophisticated. Since personal information, such as credit card accounts and Social Security numbers, is increasingly used and stored online, an experienced hacker can obtain a dozen passwords from you in a matter of seconds, from anywhere, at any time. Strong credentials are needed to thwart the "network effect" related to identity fraud. If "something you know" can be stolen through the network, only "something you have" can reduce the threat. A security token in the form of a specialized device or a token integrated within personal digital assistants and mobile phones will be the only viable solution for reducing the threat posed by a global public network.

Rise of Federated Identity Networks
While network-based systems are becoming key to the infrastructure that manages corporate content, supply-chain data, and customer services, enterprises are increasingly challenged to provide access to a diverse and dynamic group of end users. The cost and complexity of managing identities across internal and external systems, combined with the necessity of opening up access to data, has created a need for the convergence towards federated identity networks, where identification, credentials, and attributes can be shared among partners. This greatly accelerates the need for stronger identity. If the establishment of technical standards is an important prerequisite for sharing identities, trust is the fundamental business requirement.

To authorize a transaction in a federated identity network, the relying party must be able to trust the credential and identity that was issued and verified by another entity. The strength of this identity must be confirmed and evaluated against the recipient's security policies. When an identity is shared, its strength determines the security that spans the entire access-control chain, creating complex dependencies and liabilities across multiple business and legal parties. The pervasive and interoperable deployment of strong identity technology, security, and operation best practices is therefore key when addressing the crucial issue of trust in federated networks.

Proliferation of IP Devices (Rogue Devices)

Security and trust in any network is a function of all the elements that make up that network. This includes end-point client and server devices that can impersonate users and organizations. As network devices such as mobile phones, PDAs, portable digital music players, set-top boxes, and TPM-based laptops proliferate, the ability to distinguish between trusted and rogue devices is a fundamental security requirement. Since an authenticated device can act as the root of trust, it can also provide the security foundation for a new breed of applications such as identity-based anti-virus solutions and digital information rights management software. From this standpoint, device authentication is a core requirement of any strong identity management strategy.

Realizing the Vision

At the 2004 RSA Conference, a number of industry partners, including chip, smartcard and token manufacturers, operating platform companies, and PKI and VPN vendors, announced OATH. These companies realized that for ubiquitous strong authentication to become a reality, corporate employees, Internet users, and people accessing everything from health care records to government services must have the confidence and desire to adopt new technologies such as the tokens described above. To drive this adoption, the technology industry must collaborate to lower the financial barriers and complexity that are associated with strong authentication today. Open technical standards and deployment profiles that promote interoperable solution components are powerful tools for lowering complexity and cost. Therefore, the development of an open and royalty-free specification for strong authentication is the OATH group's initial focus. Open, universal, strong authentication will provide device manufacturers, identity management vendors, security service providers, and application developers with a common framework for the strong authentication of users and devices.

To be effective, a specification must be jointly defined and published by key industry partners that share the vision of universal strong authentication. By laying the groundwork for ubiquity, integration, and interoperability, an open architecture can decrease the risk and complexity of deploying strong authentication products. In turn, the promise of reduced risks and costs will drive adoption across enterprises, service providers, and governments around the world. Ultimately, by making strong authentication part of the network fabric, the entire user community benefits; and by increasing the trust of the network end points, new types of secure interaction will also become possible.

The OATH member companies have laid out a roadmap for both the creation of a strong authentication specification and the deployment of actual products based on the specification by the end of 2004. If we continue to collaborate, the fastest growing crime, identity theft, could soon become a relic of a bygone era.

For more information on the OATH initiative, please visit www.openauthentication.org

About Mark Griffiths
Mark Griffiths, vice president, Authentication Services, VeriSign Security Services, is a seasoned technology professional with more than twenty years' experience in the computer industry. In addition to his management role in Authentication Services, Griffiths also holds the role of vice president, marketing, for the division. Griffiths is responsible for driving the product direction and marketing of VeriSign's Security Services to the Enterprise customer. Prior to joining VeriSign, Griffiths served as the Vice President of Corporate Marketing for VERITAS Software, reporting directly to the CEO. Griffiths led Product Management, Product Marketing and Corporate Marketing during what were arguably some of the most critical years for VERITAS. During his tenure of more than 4 years, Griffiths was instrumental in helping to transform VERITAS from a niche technology vendor to a strategic supplier to major enterprises. Prior to VERITAS, Griffiths also held a variety of marketing leadership positions at Cisco and Novell.
