For the next three days I’ll be attending the Gartner Identity and Access Management Summit. I’ll post a daily summary of the sessions I’ve attended. If any of the sessions have something particularly noteworthy, I’ll relay those interesting items via Twitter.
Well, another Gartner Identity and Access Management Summit has come and gone. It is great to be surrounded by people enthusiastic about identity and security. The biggest thematic difference between this event and events of a few years ago is the recognition that establishing identity is no longer based primarily on the strength of the authentication factor. There was almost no talk of X.500 certificates versus one-time password key fobs versus smart cards. The energy of the discussions was around contextual awareness during the authentication process.
I was only able to make it to one session on this last day due to my travel needs. I attended @bobbarkley’s Identity Assurance session, which was an overview of how the government has progressed in establishing agency identity providers and auditing those providers. Additionally, the government has formed a more structured application risk assignment process. In the graphic below, an individual application is ranked in each of the risk categories in the left column. Whichever row has the risk assignment farthest to the right determines the authentication level needed for access to that application. Thus, if everything scores low but the financial impact of the application is moderate, then access to the application requires a credential meeting level 3 requirements.
Requirement levels, or more specifically, LOAs are as follows:
Level 1 = no proof, just a password that may be the same one assigned to multiple people
Level 2 = single factor, such as individually assigned passwords, with some documentation presented (but not verified) of who issued the credential
Level 3 = multi-factor (say, fixed password plus one time password) with documentation presented and verified of who issued the credential
Level 4 = multi-factor with FIPS 140-2 hard token + encryption, with government-issued or financial-services-issued documentation presented in person and a biometric of the individual captured for reference
LOA = Levels of Authentication; got to love government acronyms
Clearly, level 4 requires quite a bit of material to prove the person is indeed who they say that they are.
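To make the "farthest to the right wins" rule and the four LOA tiers concrete, here is an added example (my own code, not anything from the summit or the government program): a constructed impact-to-LOA table, a function that picks an application's required level, and a check of whether a credential satisfies that level. The post only states that a moderate financial impact requires level 3; the other rows and values in the table are assumptions for illustration.

```python
"""Added example, not from the original post: pick an application's required LOA from
per-category impact ratings ("farthest right wins") and check a credential against it."""
from dataclasses import dataclass

# Constructed table. The post only states that a moderate financial impact requires
# level 3; the other rows and values are illustrative assumptions, not the summit graphic.
IMPACT_TO_LOA = {
    "reputation":      {"low": 1, "moderate": 2, "high": 4},
    "financial":       {"low": 1, "moderate": 3, "high": 4},
    "sensitive_data":  {"none": 1, "low": 2, "moderate": 3, "high": 4},
    "personal_safety": {"none": 1, "low": 3, "moderate": 4, "high": 4},
}

def required_loa(impacts: dict) -> int:
    """Rank each category; the row with the highest LOA sets the application's requirement."""
    if not impacts:
        raise ValueError("at least one impact category must be rated")
    return max(IMPACT_TO_LOA[category][rating] for category, rating in impacts.items())

@dataclass(frozen=True)
class Credential:
    factors: int                  # independent authentication factors presented
    individually_assigned: bool   # False for a password shared by several people
    proofing_documented: bool     # identity documents presented when the credential was issued
    proofing_verified: bool       # ...and the issuer actually verified those documents
    government_or_financial_id: bool
    in_person: bool               # proofing done face to face
    fips_140_2_hard_token: bool
    biometric_captured: bool

def meets_loa(cred: Credential, loa: int) -> bool:
    """Apply the LOA 1-4 requirements from the post; each level adds to the one below it."""
    if loa >= 2 and not (cred.individually_assigned and cred.proofing_documented):
        return False
    if loa >= 3 and not (cred.factors >= 2 and cred.proofing_verified):
        return False
    if loa >= 4 and not (cred.government_or_financial_id and cred.in_person
                         and cred.fips_140_2_hard_token and cred.biometric_captured):
        return False
    return True

if __name__ == "__main__":
    # The post's own case: everything low except a moderate financial impact.
    app_loa = required_loa({"reputation": "low", "financial": "moderate", "sensitive_data": "low"})
    # Constructed credential: password plus OTP, issuer verified the ID documents, no hard token.
    otp_user = Credential(2, True, True, True, False, False, False, False)
    print(app_loa, meets_loa(otp_user, app_loa))  # 3 True
```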
All in all a great conference and I am hoping to have the opportunity to attend next year to see how the industry advances in 2011.