Saturday, May 03, 2008

Provisioning Concepts

Something that always comes up when working out new provisioning solutions is the problem of how to deliver account information to new users. Some solutions I've seen revolve around:
  • Sending logon information to the user's manager or sponsor
  • Calling the user down to IT or IS to deliver the information
  • Setting up the user with default credentials

In all of these cases there is a risk that people other than the "provisionee" have access to the login information. This also does not scale when large numbers of users need to be provisioned, as happens in Higher Education or when bringing new systems into the enterprise.

Now this can all be made slightly more secure by requiring the user to change their password when they log in for the first time.

A popular way to handle this is through the use of what is called Account Claiming or Account Activation. In this process, login information is delivered to the "provisionee" either by email or postal mail, giving them their login ID and a temporary password. The user is directed to a specific URL where they are asked to enter their login ID and temporary password. Once this information has been submitted, workflows can then be executed that require the user, amongst other things, to:

  • Enter additional required information
  • Set security information such as challenge/response questions
  • Confirm existing identity data
  • Perform other organizational/institutional tasks as required

This can be further secured by requiring that part of the temporary password be something only the user will know, such as elements of their SSN, birth date, graduation year, etc. This helps us to fall into the old security formula of something you know + something you have = maximum security. I think that the ultimate levels of security will occur when the something you have is biometric in nature, but that is a discussion for another time.
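The claiming flow described above, with the "something you know" element added on top of the mailed temporary password, written out as an added example that is not part of the original post. Everything concrete in it is an assumption of mine rather than something the post specifies: an in-memory claim store, a birth year as the known value, a 7-day claim lifetime, a 5-attempt lockout, PBKDF2 for hashing, and the post-claim task list taken from the bullets above.

```python
"""Account-claiming service (added example; not code from the original post).

Assumptions (not stated in the post): the claim store is an in-memory dict,
the "something you know" factor is the user's birth year from the HR or
student record, the claim expires after 7 days, and 5 failed attempts lock
the claim. The temporary password returned by issue() is what would go out
by email or postal mail; the service itself never stores it in clear text.
"""
import hashlib
import hmac
import os
import secrets
import time

# Tasks the provisionee must complete once the claim succeeds (from the post).
POST_CLAIM_WORKFLOW = [
    "enter additional required information",
    "set challenge/response questions",
    "confirm existing identity data",
]


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a copied claim table does not reveal temporary passwords."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


class ClaimService:
    def __init__(self, ttl_seconds=7 * 24 * 3600, max_attempts=5, clock=time.time):
        self._claims = {}       # login_id -> pending claim record
        self._accounts = {}     # login_id -> (salt, hash of the chosen password)
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock     # injectable so expiry can be exercised in tests

    def issue(self, login_id: str, known_value: str) -> str:
        """Create a claim and return the temporary password to be mailed out."""
        temp_password = secrets.token_urlsafe(9)   # the "something you have"
        salt = os.urandom(16)
        # Both factors are folded into one hash, so a failed claim cannot
        # tell the caller which of the two was wrong.
        self._claims[login_id] = {
            "salt": salt,
            "factor_hash": _hash(temp_password + "\x00" + known_value, salt),
            "expires_at": self._clock() + self._ttl,
            "attempts": 0,
            "used": False,
        }
        return temp_password

    def claim(self, login_id, temp_password, known_value, new_password):
        """Validate both factors and set the user's real password.

        Returns (status, workflow_tasks). "expired" and "locked" leak nothing
        secret; any factor mismatch or unknown ID is reported as "invalid".
        """
        rec = self._claims.get(login_id)
        if rec is None or rec["used"]:
            return "invalid", []
        if self._clock() > rec["expires_at"]:
            return "expired", []
        if rec["attempts"] >= self._max_attempts:
            return "locked", []
        rec["attempts"] += 1
        presented = _hash(temp_password + "\x00" + known_value, rec["salt"])
        if not hmac.compare_digest(presented, rec["factor_hash"]):
            return "invalid", []
        # The mailed credential must not survive as the permanent password.
        if len(new_password) < 12 or new_password == temp_password:
            return "weak_password", []
        rec["used"] = True                       # single use: consume the claim
        pw_salt = os.urandom(16)
        self._accounts[login_id] = (pw_salt, _hash(new_password, pw_salt))
        return "ok", list(POST_CLAIM_WORKFLOW)

    def verify_login(self, login_id: str, password: str) -> bool:
        """Ordinary login check against the password chosen during claiming."""
        entry = self._accounts.get(login_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    svc = ClaimService()
    mailed = svc.issue("jdoe", "1990")           # constructed sample record
    print(svc.claim("jdoe", mailed, "1990", "correct horse battery staple"))
```

The points this shows that the prose alone does not: the temporary password is the only thing that needs to travel through the manager, the mailroom or the help desk, and even they cannot complete the claim without the user's own known value; the claim is single-use and time-limited, so a letter found later is worthless; and the service stores only hashes, so a compromised claim table does not hand out working credentials.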
