In this post, ITS Identity Management Manager Celeste Copeland discusses the biggest misconception about identity management and she shares what’s next in the identity management field. This post wraps up this ITS News series about ITS Identity Management.
What’s the biggest misconception about identity management at ITS?

People often do not understand the difference between authentication and authorization (authN and authZ) and why both are needed to secure an application. Here’s an analogy to explain the difference:
I have a driver’s license. You can check to see who I am by comparing my face to the driver’s license photo. That is the equivalent of authentication. You are checking to see that I am who I say I am. Similarly, Onyen authentication using Web Single Sign-On (SSO), Lightweight Directory Access Protocol (LDAP), Active Directory (AD) or Kerberos is verifying who you say you are by checking your Onyen password and sometimes a second factor like Duo.
But just because I am who I say I am and my face matches the picture on my driver’s license, that doesn’t mean I should be allowed to drive a tractor trailer. I have a C class license so I can drive a car, but I am not authorized to drive other classes of vehicles. That’s what authorization checking is for. Similarly, Onyen authentication is not enough to determine that a user should have access to a specific website. You should also check identity attribute information, which can be queried in LDAP or else passed through the SSO header to the application. You may just want to check if the person is a student or staff member, or if he or she is a member of a particular group, before granting access to your application or specific functionality within it.
Identity Management staff will be happy to help with any questions that will help make your application more secure.
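The distinction described above, shown as an added example that is not part of the original post or of any ITS software: a web application behind an SSO gateway that first checks the authenticated user and then checks the identity attributes the gateway passes along. The header names (REMOTE_USER, affiliation, member-of), the ';' separator for multi-valued attributes and the sample users are assumptions made for the example.

```python
# Added example (not from the ITS post): authentication vs. authorization
# behind an SSO gateway. Assumed (not from the post): the gateway sets
# REMOTE_USER to the authenticated Onyen and passes identity attributes in
# the headers "affiliation" and "member-of", multi-valued and ';'-separated.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_multivalued(raw: Optional[str]) -> frozenset:
    """Split a ';'-separated SSO header into trimmed, lower-cased values."""
    if not raw:
        return frozenset()
    return frozenset(v.strip().lower() for v in raw.split(";") if v.strip())


def authn_only(headers: Dict[str, str]) -> Decision:
    """The misconception: any user who authenticated is let in (no authZ)."""
    user = headers.get("REMOTE_USER")
    if not user:
        return Decision(False, "not authenticated")
    return Decision(True, f"{user} is authenticated")  # identity proven, rights never checked


def authn_and_authz(headers: Dict[str, str], required_affiliations: Iterable[str] = (),
                    required_groups: Iterable[str] = ()) -> Decision:
    """Authenticate, then require any listed affiliation AND every listed group."""
    user = headers.get("REMOTE_USER")
    if not user:
        return Decision(False, "not authenticated")
    affiliations = parse_multivalued(headers.get("affiliation"))
    groups = parse_multivalued(headers.get("member-of"))
    wanted = {a.lower() for a in required_affiliations}
    if wanted and not (affiliations & wanted):
        return Decision(False, f"{user} lacks affiliation in {sorted(wanted)}")
    missing = {g.lower() for g in required_groups} - groups
    if missing:
        return Decision(False, f"{user} not in group(s) {sorted(missing)}")
    return Decision(True, f"{user} authenticated and authorized")


# Constructed sample headers: a signed-in student, and a staff member in the admin group.
STUDENT_HEADERS = {"REMOTE_USER": "jdoe", "affiliation": "student;member", "member-of": "cs-majors"}
STAFF_HEADERS = {"REMOTE_USER": "asmith", "affiliation": "staff; employee",
                 "member-of": "its-idm; payroll-admins"}

if __name__ == "__main__":
    print(authn_only(STUDENT_HEADERS))  # allowed: the student gets in on authentication alone
    print(authn_and_authz(STUDENT_HEADERS, required_affiliations=("staff",)))  # denied
    print(authn_and_authz(STAFF_HEADERS, ("staff",), ("payroll-admins",)))  # allowed
```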
What are some of the next-generation tools or trends in the field of identity management?

Higher-education institutions are paying close attention to what’s going on in the TIER (Trust and Identity in Education and Research) effort from Internet2, which is the advanced technology community through which education and research organizations communally innovate and solve common challenges.
A large reason for this organization’s existence is to stay on top of IT trends for identity management. Each year, other members of the Identity Management team and I attend the Internet2 Tech Ex conference, where there are many sessions that explore new trends in identity management. A hot topic this year was multi-factor authentication, and the team learned a lot about the Duo implementation from other universities there.