Michael Schumacher was recently unveiled as "The Stig", the mysterious test driver from BBC TV's Top Gear programme. Or was he? Several drivers have previously claimed to be The Stig, including former Formula One driver Perry McCarthy and, most recently, speculation has centred around stunt driver Ben Collins as the "real" Stig. Most hardened Stig watchers are casting scorn on the claim that it was Schumacher all along, and many would prefer not to know his true identity in the first place, preferring the mystery.
All of this is neatly analogous to some of the issues we face in dealing with identity and anonymity in enterprise IT environments. In many cases, the thought of anonymous users fills us with horror; after all, it seems instinctive to want to authenticate all users of our systems and link the account they use to access resources back to a real-world person. But there is also a valid counter-argument from the users themselves regarding privacy. Just because we want to know who they are doesn't mean we necessarily should know this. What really matters is that they are entitled to do what they are trying to do.
It all boils down to trust. As long as a user authenticates either to our application or to a trusted third party, and as long as their authentication credentials match those in our security database, we don't absolutely need to know who they really are. We just have to trust that the authentication mechanism in place is sufficient to protect our resources. We don't need to insist that users hand over their real-world identity just to log onto basic applications. This is where the claims-based model for identity starts to come into its own. Rather than holding lots of personal identity data in local databases, applications can balance the needs of security and privacy by accepting tokens issued by third parties that make claims about the user. Claims such as access rights can be handed over without ever exposing personal data about the user that the application does not need to know. This has the dual advantage of making application development far simpler whilst balancing security and privacy. In this case, The Stig can get to keep his helmet on as long as he is in possession of the correct token. Microsoft's "Geneva" platform for claims-based access to applications can provide all the tools organizations need to move to this sort of security model.
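To make the claims-based flow concrete, here is an added example (written for this page, not code from the post or from Microsoft's Geneva platform): a hypothetical issuer mints a signed token for a pseudonymous subject that carries only a roles claim, and the application checks signature, issuer, audience and validity window before making its authorization decision. It never learns who is under the helmet. The issuer id, application id and shared HMAC key are constructed assumptions; a real token service would sign with its private key and the application would verify against the issuer's certificate.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret shared between the token issuer and the application.
# A real security token service signs with its private key; a symmetric HMAC
# keeps this illustration self-contained.
ISSUER_KEY = b"demo-shared-secret-not-for-production"
ISSUER_ID = "https://sts.example.test"        # hypothetical issuer
APP_ID = "urn:example:trackday-booking"       # hypothetical relying party


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(pseudonym: str, claims: dict, now: Optional[int] = None, lifetime: int = 300) -> str:
    """Issuer side: after authenticating the real person (not shown here), mint a
    signed token with a pseudonymous subject and only the claims the application
    needs. The person's real-world identity never leaves the issuer."""
    now = int(time.time()) if now is None else now
    payload = {"iss": ISSUER_ID, "aud": APP_ID, "sub": pseudonym,
               "iat": now, "exp": now + lifetime, "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Relying party side: accept the token only if the signature, issuer,
    audience and validity window all check out. Returns the payload or None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None          # forged or tampered
        payload = json.loads(_unb64(body))
    except ValueError:           # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("iss") != ISSUER_ID or payload.get("aud") != APP_ID:
        return None              # wrong issuer, or a token meant for another app
    if not (payload.get("iat", now + 1) <= now < payload.get("exp", 0)):
        return None              # not yet valid, or expired
    return payload


def may_drive(token: str, now: Optional[int] = None) -> bool:
    """Authorization decision made purely on the 'roles' claim."""
    payload = verify_token(token, now)
    if payload is None:
        return False
    claims = payload.get("claims")
    roles = claims.get("roles", []) if isinstance(claims, dict) else []
    return "test-driver" in roles


if __name__ == "__main__":
    # Constructed demo run: the application sees a pseudonym and a role, nothing more.
    token = issue_token("stig-7c3a", {"roles": ["test-driver"]})
    print("helmet stays on, may drive:", may_drive(token))
    spectator = issue_token("fan-0001", {"roles": ["spectator"]})
    print("spectator may drive:", may_drive(spectator))
```

The application holds no personal data at all: it stores the issuer's key (or certificate), checks the token, and acts on the claim. Rotating the key or changing who is entitled to the role happens at the issuer, not in every application database.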
However, there are very often cases where we really do need to unmask The Stig. Many organizations use generic accounts, especially within Active Directory, for elevated access rights or for running services. For example, a generic Domain Admin account might be used to access a particular application, and it's quite likely that several people know the password for this account, just as there are rumoured to be several real drivers who wear The Stig's white helmet. This can be a serious risk to security as it may be very difficult to keep track of who has access to this particular account, especially if the password is passed around by word of mouth. People who have long since left the organization may still retain access if passwords are not changed regularly or no list of authorized users is maintained. In this case it is far better to link admin accounts to a real-world identity through an Identity Lifecycle Management service such as Microsoft Forefront Identity Manager and to take away access rights automatically when someone leaves the organization. Sorry, Stig, but in this case the helmet has to come off.
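The lifecycle check described above, as an added example (written for this page, not code from the post or from Forefront Identity Manager): a constructed HR roster, a list of privileged accounts with their linked owners, and a handful of constructed logon events are audited for three things a lifecycle service would care about: generic accounts with no linked owner, accounts whose owner has left and should be disabled, and accounts used from more workstations than a single owner would explain, which is a hint the password is being passed around. All names, ids and hostnames are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    owner: Optional[str]   # HR employee id the account is linked to; None for a generic account


# Constructed HR roster: employee id -> employment status
HR_ROSTER: Dict[str, str] = {"e1001": "active", "e1002": "left", "e1003": "active"}

# Constructed privileged accounts; one generic service account, three personal admin accounts
ACCOUNTS = [
    PrivilegedAccount("svc_backup_admin", None),
    PrivilegedAccount("adm-e1001", "e1001"),
    PrivilegedAccount("adm-e1002", "e1002"),
    PrivilegedAccount("adm-e1003", "e1003"),
]

# Constructed interactive logon events: (account, source workstation)
LOGON_EVENTS = [
    ("svc_backup_admin", "WS-ALPHA"),
    ("svc_backup_admin", "WS-BRAVO"),
    ("svc_backup_admin", "WS-CHARLIE"),
    ("adm-e1001", "WS-ALPHA"),
    ("adm-e1001", "WS-ALPHA"),
    ("adm-e1003", "WS-DELTA"),
]


def audit_accounts(accounts: Iterable[PrivilegedAccount], roster: Dict[str, str],
                   events: Iterable[Tuple[str, str]], max_workstations: int = 1) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for accounts that lack a real-world owner,
    whose owner is no longer active, or that are used from too many workstations."""
    hosts_by_account = defaultdict(set)
    for account, host in events:
        hosts_by_account[account].add(host)

    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.name, "no linked owner"))
        else:
            status = roster.get(acct.owner, "unknown")
            if status != "active":
                findings.append((acct.name, f"owner {acct.owner} is {status}: disable"))
        hosts = hosts_by_account.get(acct.name, set())
        if len(hosts) > max_workstations:
            findings.append((acct.name, f"used from {len(hosts)} workstations: possibly shared"))
    return findings


def accounts_to_disable(accounts: Iterable[PrivilegedAccount], roster: Dict[str, str]) -> List[str]:
    """Accounts a lifecycle service would disable automatically: linked to an owner
    who is no longer active in HR. Generic accounts cannot be handled this way,
    which is the point the text makes against them."""
    return sorted(a.name for a in accounts if a.owner is not None and roster.get(a.owner) != "active")


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, HR_ROSTER, LOGON_EVENTS):
        print(f"{name}: {finding}")
    print("disable:", accounts_to_disable(ACCOUNTS, HR_ROSTER))
```

The personal admin account for the leaver is caught by the roster join alone; the generic service account cannot be, because nothing ties it to a person, and only the logon pattern gives it away.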
Oxford Computer Group (OCG) is an IT services company that specializes in Identity and Access Management. With operations in the UK, US, BeNeLux and Germany, OCG has an enviable repository of expertise, solution components and training courses. OCG has deployed over 400 enterprise-wide identity and access solutions, and its instructors have trained more than 4,000 people on Microsoft IDA technologies. OCG has also been recognized by Microsoft on multiple occasions – most recently as the Microsoft UK Identity Partner of the Year 2009. For more information on OCG, please visit www.oxfordcomputergroup.com
Notes to the Editor: For additional information, please contact press@oxfordcomputergroup.com or visit our website www.oxfordcomputergroup.com