Handbook of Information Security Management:Policy, Standards, and Organization



IMPORTANT SECURITY SERVICES

The architecture will describe the security mechanisms and services that will be used to implement the access control policy. These will include but not be limited to the following.

User name service — The user name service is used for assigning unique names to users and for resolving aliases where necessary. It can be thought of as a data base, data base application, or data base service. The server can encode and decode user names into user identifiers. For the distinguished user name it returns a system user identifier or identifiers. For the system user identifier it returns a distinguished user name. It can also be used to store information about the user, and it is often used to store other descriptive data such as office location, telephone number, department name, and manager’s name.

Group name service — The group name service is used for assigning unique group names and for associating users with those groups. It permits the naming of any arbitrary but useful group such as members of department m, employees, vendors, consultants, users of system 1, users of application A, etc. It can also be used to name groups of one, such as the payroll manager. For the group name, it returns the names, identifiers, or aliases of members of the group. For a user name, it returns a list of the groups of which that user is a member. A complete list of the groups of which a user is a member is a description of his role or relationship to the enterprise. Administrative activity can be minimized by assigning authority, capabilities, and privileges to groups and assigning users to the groups. While this is indirect, it is also usually efficient.
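The two services just described, as an added example that is not from the Handbook: a user name service that encodes a distinguished name to its system identifiers and decodes any identifier back, and a group name service that answers both "who is in this group" and "which groups is this user in", with privileges granted to groups rather than to users. All names, identifiers and attributes are constructed sample data.

```python
# Added example, not from the Handbook: a minimal user name service and
# group name service with the behaviour the two paragraphs above describe.
# All names, identifiers and attributes are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class UserRecord:
    """One named user: the distinguished name, the system identifiers
    (aliases) it resolves to, and descriptive data kept with the name."""
    distinguished_name: str
    system_ids: set[str] = field(default_factory=set)
    attributes: dict[str, str] = field(default_factory=dict)


class UserNameService:
    """Single point of name assignment: encodes a distinguished name to its
    system identifiers and decodes any system identifier back to the name."""

    def __init__(self) -> None:
        self._by_name: dict[str, UserRecord] = {}
        self._by_id: dict[str, str] = {}  # system identifier -> distinguished name

    def enroll(self, distinguished_name: str, **attributes: str) -> None:
        if distinguished_name in self._by_name:
            raise ValueError(f"name already assigned: {distinguished_name}")
        self._by_name[distinguished_name] = UserRecord(distinguished_name, attributes=dict(attributes))

    def assign_alias(self, distinguished_name: str, system_id: str) -> None:
        # An identifier must resolve to exactly one person, so refuse to reuse it.
        owner = self._by_id.get(system_id)
        if owner is not None and owner != distinguished_name:
            raise ValueError(f"identifier {system_id} already belongs to {owner}")
        self._by_name[distinguished_name].system_ids.add(system_id)
        self._by_id[system_id] = distinguished_name

    def exists(self, distinguished_name: str) -> bool:
        return distinguished_name in self._by_name

    def encode(self, distinguished_name: str) -> set[str]:
        """Distinguished name -> the system user identifier(s)."""
        return set(self._by_name[distinguished_name].system_ids)

    def decode(self, system_id: str) -> str:
        """System user identifier -> distinguished name."""
        return self._by_id[system_id]

    def attribute(self, distinguished_name: str, key: str) -> str | None:
        return self._by_name[distinguished_name].attributes.get(key)


class GroupNameService:
    """Names arbitrary but useful groups and relates users to them."""

    def __init__(self, names: UserNameService) -> None:
        self._names = names
        self._members: dict[str, set[str]] = {}

    def add_member(self, group: str, distinguished_name: str) -> None:
        if not self._names.exists(distinguished_name):
            raise KeyError(f"unknown user: {distinguished_name}")
        self._members.setdefault(group, set()).add(distinguished_name)

    def members(self, group: str) -> set[str]:
        """Group name -> names of its members."""
        return set(self._members.get(group, set()))

    def groups_of(self, distinguished_name: str) -> set[str]:
        """User name -> every group the user belongs to; together these
        describe the user's role or relationship to the enterprise."""
        return {g for g, m in self._members.items() if distinguished_name in m}

    def groups_of_alias(self, system_id: str) -> set[str]:
        """Resolve a system-local identifier first, so every alias of a
        person yields the same role."""
        return self.groups_of(self._names.decode(system_id))


def effective_privileges(groups: GroupNameService, grants: dict[str, set[str]],
                         distinguished_name: str) -> set[str]:
    """Privileges are granted to groups; a user's privileges follow from
    membership, so administration happens on groups rather than on users."""
    return set().union(*(grants.get(g, set()) for g in groups.groups_of(distinguished_name)))


def build_sample_directory() -> tuple[UserNameService, GroupNameService]:
    """Constructed sample data for the reader to experiment with."""
    names = UserNameService()
    names.enroll("Jane Doe", office="B-204", telephone="x5512",
                 department="Payroll", manager="Pat Lee")
    names.assign_alias("Jane Doe", "jdoe")      # e.g. a UNIX login on system 1
    names.assign_alias("Jane Doe", "DOEJ01")    # e.g. a mainframe user id
    names.enroll("Sam Vendor", department="External")
    names.assign_alias("Sam Vendor", "svendor")
    groups = GroupNameService(names)
    groups.add_member("employees", "Jane Doe")
    groups.add_member("department payroll", "Jane Doe")
    groups.add_member("payroll manager", "Jane Doe")      # a group of one
    groups.add_member("vendors", "Sam Vendor")
    groups.add_member("users of application A", "Jane Doe")
    groups.add_member("users of application A", "Sam Vendor")
    return names, groups
```

The point to notice is the alias check in `assign_alias`: if one system identifier could decode to two people, every access decision built on the name service would be ambiguous, so uniqueness is enforced at the single point of name assignment rather than left to each system.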

Authentication server — The authentication server reconciles evidence of identity. Users are enrolled along with the expectation, i.e., the reference data, for authenticating their identity. For a user identifier and an instance of authenticating data, the server returns true if the data meets its expectation, i.e., matches the reference data, and false if it does not. If true, the server will vouch to its clients for the identity of the user. The authentication server must be trusted by its client and the architecture must provide the basis for that trust. The server may be attached to its client by a trusted path or it may give its client a counterfeit-resistant voucher (ticket or encryption-based logical token).

Authentication service products — A number of authentication services are available off the shelf. These include Kerberos, SESAME, NetSP, and Open Software Foundation Distributed Computing Environment (OSF/DCE). These products can meet some architectural requirements in whole or in part.

Single point of administration — One implication of multiple points of control is that there may be multiple controls that must be administered. The more such controls there are, the more desirable it becomes to minimize the points of administration. Such points of administration may simply provide for a common interface to the controls or may provide for a single data base of their own. There are a number of standard architectures that are useful here. These include SESAME and the Open Software Foundation Distributed Computing Environment.

RECOMMENDED ENTERPRISE SECURITY ARCHITECTURE

This section makes some recommendations about enterprise security architecture. It describes those choices which, all other things being equal, are to be preferred over others.

Single user name space for the enterprise — Prefer a single user name space across all systems. Alternatively, have an enterprise name server that relates all of a user’s aliases to his distinguished name. This server should be the single point of name assignment. In other words, it is a data base application or server for assigning names.

Prefer strong authentication — Strong authentication should be preferred by all enterprises of interest. Strong authentication is characterized by two kinds of evidence, at least one of which is resistant to replay. Users should be authenticated using two kinds of evidence. Evidence can be something that only one person knows, has, is, or can do. The most common form of strong authentication is something that the user knows, such as a password, pass-phrase, or personal identification number (PIN), plus something that they carry, such as a token. The token generates a one-time password that is a function of time or a challenge. Other forms in use include a token plus palm geometry or a PIN plus the way the user speaks.
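The authentication server of the earlier section combined with the strong-authentication recommendation just made, as an added example that is not from the Handbook: the server keeps reference data for two kinds of evidence, a password (something the user knows) and a token whose one-time password is a function of time (something the user carries), and answers true or false. The one-time password is what makes the exchange resistant to replay, so the server also refuses a code it has already accepted. The secrets, user id and the fixed clock are constructed sample values, and the HMAC-based code format is an assumption about the token, not something the text specifies.

```python
# Added example, not from the Handbook: an authentication server that holds
# reference data for two kinds of evidence, something the user knows (a
# password) and something the user carries (a token whose one-time password
# is a function of time), and answers true or false. Secrets, user ids and
# the fixed clock are constructed sample values.
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import time
from typing import Callable

STEP_SECONDS = 30          # how long one token code is valid
PBKDF2_ROUNDS = 100_000    # work factor for the stored password derivation


def time_based_otp(secret: bytes, step: int) -> str:
    """Six-digit one-time password for a time step: HMAC-SHA1 truncated in
    the style of RFC 4226/6238 (assumption: the token in use works this way)."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class HardwareToken:
    """Simulates the token the user carries; it shares a secret with the
    server and shows the code for the current time step."""

    def __init__(self, secret: bytes, clock: Callable[[], float] = time.time) -> None:
        self._secret, self._clock = secret, clock

    def current_code(self) -> str:
        return time_based_otp(self._secret, int(self._clock() // STEP_SECONDS))


class AuthenticationServer:
    """Stores the expectation (reference data) set at enrolment and
    reconciles it with the evidence presented at logon."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._users: dict[str, dict] = {}

    def enroll(self, user_id: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user_id] = {
            "salt": salt,
            # The password itself is never stored, only a salted derivation.
            "password_ref": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "token_secret": token_secret,
            "last_step": -1,   # newest time step already accepted: the replay guard
        }

    def authenticate(self, user_id: str, password: str, otp: str) -> bool:
        """True only if both kinds of evidence match and the one-time password
        has not been presented before."""
        rec = self._users.get(user_id)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        knows = hmac.compare_digest(candidate, rec["password_ref"])

        now_step = int(self._clock() // STEP_SECONDS)
        accepted_step = None
        for step in (now_step - 1, now_step, now_step + 1):   # tolerate small clock skew
            # A code for a step at or below last_step was already spent, so a
            # captured code cannot be replayed even inside its 30-second window.
            if step > rec["last_step"] and hmac.compare_digest(
                    time_based_otp(rec["token_secret"], step), otp):
                accepted_step = step
                break
        if accepted_step is not None:
            # Spend the code as soon as it is seen, whether or not the password
            # was right, so one observed code gives nobody a second attempt.
            rec["last_step"] = accepted_step

        # One answer for every failure: no hint about which factor was wrong.
        return knows and accepted_step is not None
```

The reference data for the password is a salted PBKDF2 derivation, so a copy of the server's store does not by itself yield the passwords; the token secret, by contrast, has to be stored as-is because the server must compute the same code the token shows, which is why the store for such secrets deserves the same protection as a key store.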

Prefer single sign-on — Prefer single sign-on. A user should have to log on only once per workstation per enterprise per day. A user should not be surprised to have to log on again if he changes workstations, crosses an enterprise boundary, or leaves for the day. However, he should not have to log off one application to log on to another, or log on to multiple processes to use one application.
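The counterfeit-resistant voucher from the authentication server section, applied to the single sign-on rule just stated, as an added example that is not from the Handbook: a sign-on service issues one signed voucher per user, workstation and day, and applications accept the voucher instead of asking for another logon. Changing workstation, presenting the voucher to another enterprise (which holds a different key), or a new day each make the voucher invalid, exactly the three cases the text says should require a fresh logon. Keys, names and the fixed clock are constructed sample values.

```python
# Added example, not from the Handbook: a sign-on service that issues one
# voucher per user, workstation and day, and applications that honour the
# voucher instead of asking the user to log on again. Keys, names and the
# fixed clock are constructed sample values.
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone
from typing import Callable


class SignOnService:
    """Issues the voucher once after authentication; every application in the
    enterprise that shares the key can verify it."""

    def __init__(self, key: bytes, enterprise: str, clock: Callable[[], float] = time.time) -> None:
        self._key, self._enterprise, self._clock = key, enterprise, clock

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, workstation: str) -> str:
        """Voucher bound to the workstation and valid until the end of the
        current day (UTC in this example)."""
        now = datetime.fromtimestamp(self._clock(), tz=timezone.utc)
        end_of_day = now.replace(hour=23, minute=59, second=59, microsecond=999999)
        claims = {"user": user, "workstation": workstation,
                  "enterprise": self._enterprise, "expires": end_of_day.timestamp()}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return f"{body}.{self._sign(body)}"

    def verify(self, voucher: str, workstation: str) -> str | None:
        """The user named in a valid voucher, or None. A changed workstation,
        another enterprise's key, or a new day all require a fresh logon."""
        body, sep, signature = voucher.rpartition(".")
        if not sep or not hmac.compare_digest(self._sign(body), signature):
            return None                       # forged, altered, or another enterprise's key
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["enterprise"] != self._enterprise:
            return None                       # crossed an enterprise boundary
        if claims["workstation"] != workstation:
            return None                       # moved to another workstation
        if self._clock() > claims["expires"]:
            return None                       # left for the day
        return claims["user"]


class Application:
    """An application that relies on the sign-on service: the user is not
    asked to log off one application to log on to another."""

    def __init__(self, name: str, sso: SignOnService) -> None:
        self.name, self._sso = name, sso

    def open_session(self, voucher: str, workstation: str) -> str:
        user = self._sso.verify(voucher, workstation)
        if user is None:
            return f"{self.name}: logon required"
        return f"{self.name}: session for {user}"
```

Because the bindings (workstation, enterprise, expiry) are inside the signed body, an application never has to consult the authentication server again: the signature is the basis for its trust, and the bindings are what keep a voucher copied from one workstation from being useful on another.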

Application or service as point of control — Prefer the application or service as the point of control. The first applicable principle is that the closer to the data the control is, the fewer instances of it there will be, the less subject it will be to user interference, the more difficult it will be to bypass, and consequently, the more reliable it will be. This principle can be easily understood by contrasting it to the worst case — the one where the control is on the desktop. Multiple copies must be controlled, they are very vulnerable to user interference, not to say complete abrogation, and there are more people who are already behind the control. The second principle is that application objects are specific, i.e., their behavior is intuitive, predictable from their name, and obvious as to their intended use. Contrast “update name and address of customer” to “write to customer data base.” One implication of the application as the point of control is that there will be more than one point of control. However, there will be fewer than if the control were even closer to the user.

Multiple points of control — Each server or service should be responsible for control of access to all of its dynamically allocated resources. Prefer that all such resources be of the same resource type. To make its access decision, the server may use local knowledge or data, or it may use a common service that is sufficiently abstract to include its rules. One implication of the server or service as the point of control is that there will be multiple points of control. That is to say, there are multiple repositories of data and multiple mechanisms that management must manipulate to exercise control. This may increase the requirement for special knowledge, communication, and coordination.
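The last two recommendations, together with the single point of administration from the earlier section, as an added example that is not from the Handbook: a customer service that is the point of control for its own resource type and exposes only specific operations such as "update name and address of customer" (never "write to customer data base"), a second service with its own resource type and its own local rules, and a common policy service abstract enough to hold rules for several applications so that they can be administered in one place. Users, groups, operation names and records are constructed sample data.

```python
# Added example, not from the Handbook: two services that are each the
# point of control for their own resource type, one of them using a common
# abstract policy service that is administered in one place. Users, groups
# and records are constructed sample data.
from __future__ import annotations


class PolicyService:
    """Common access-decision service, abstract enough to hold the rules of
    several applications: a rule is (group, resource type, operation). It is
    also the single point of administration for those rules."""

    def __init__(self) -> None:
        self._rules: set[tuple[str, str, str]] = set()
        self._membership: dict[str, set[str]] = {}   # user -> groups

    def add_member(self, group: str, user: str) -> None:
        self._membership.setdefault(user, set()).add(group)

    def grant(self, group: str, resource_type: str, operation: str) -> None:
        self._rules.add((group, resource_type, operation))

    def decide(self, user: str, resource_type: str, operation: str) -> bool:
        return any((g, resource_type, operation) in self._rules
                   for g in self._membership.get(user, ()))


class CustomerService:
    """Application as point of control. It owns the customer records (one
    resource type) and exposes only specific, intuitively named operations;
    callers cannot 'write to customer data base'. The check sits next to the
    data, so there is one copy of it and no desktop code can skip it."""

    RESOURCE_TYPE = "customer"

    def __init__(self, policy: PolicyService) -> None:
        self._policy = policy
        self._records: dict[str, dict[str, str]] = {}   # private to the service
        self.audit: list[str] = []

    def _authorize(self, user: str, operation: str) -> None:
        allowed = self._policy.decide(user, self.RESOURCE_TYPE, operation)
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {user} {operation}")
        if not allowed:
            raise PermissionError(f"{user} may not {operation}")

    def update_name_and_address(self, user: str, customer_id: str, name: str, address: str) -> bool:
        self._authorize(user, "update name and address of customer")
        self._records.setdefault(customer_id, {}).update(name=name, address=address)
        return True

    def delete_customer(self, user: str, customer_id: str) -> bool:
        self._authorize(user, "delete customer")
        return self._records.pop(customer_id, None) is not None

    def lookup(self, user: str, customer_id: str) -> dict[str, str] | None:
        self._authorize(user, "read customer")
        return dict(self._records[customer_id]) if customer_id in self._records else None


class PayrollService:
    """A second point of control with its own resource type. It uses local
    knowledge (its approver list) rather than the common policy service,
    which is the extra coordination the text says multiple points bring."""

    RESOURCE_TYPE = "payroll run"

    def __init__(self, approvers: set[str]) -> None:
        self._approvers = set(approvers)
        self._approved: set[str] = set()

    def approve_run(self, user: str, run_id: str) -> bool:
        if user not in self._approvers:
            raise PermissionError(f"{user} may not approve payroll runs")
        self._approved.add(run_id)
        return True


def outcome(action, *args) -> str:
    """'granted' or 'denied' for one attempted operation (demo helper)."""
    try:
        action(*args)
        return "granted"
    except PermissionError:
        return "denied"


def build_sample_enterprise() -> tuple[PolicyService, CustomerService, PayrollService]:
    """Constructed sample rules: clerks may read and update customers,
    supervisors may also delete them, and payroll has its own approver."""
    policy = PolicyService()
    policy.add_member("customer service clerks", "jdoe")
    policy.add_member("customer service supervisors", "plee")
    for group in ("customer service clerks", "customer service supervisors"):
        policy.grant(group, "customer", "update name and address of customer")
        policy.grant(group, "customer", "read customer")
    policy.grant("customer service supervisors", "customer", "delete customer")
    return policy, CustomerService(policy), PayrollService(approvers={"plee"})
```

The audit list in `CustomerService` shows the other benefit of placing the control beside the data: every decision, allowed or denied, is recorded in one place with the operation's own name, which is far more useful to a reviewer than a log of low-level writes to the customer data base.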

