Friday, May 22, 2009

How to use a Smart Card?

One thing that I am seeing here in Europe is that there is a difference in how "Smart Cards" are perceived.

In the U.S., we're not too keen on them; they are mostly used for "proximity" functions, meaning we present them to readers for physical building access. To verify identity within applications, most organizations prefer to use multi-factor authentication with hardware tokens (e.g., RSA SecurID). Of course, passwords are still used to access physical systems as well, and there is some activity in biometric authentication (fingerprint scanning), but this is still at an early adopter stage, though showing some promise with laptop manufacturers.

In Europe there is a potentially greater use for Smart Cards. They do the physical access functionality, but are also used to authenticate to enterprise hardware systems, clock in and out, provide digital signatures, grant VPN access and even pay for lunch in the company cafeteria.

So it would seem that there are some differences, unless you're in the Executive Branch of government or attached to the Military. In both of those organizations, Smart Cards are required for access and authentication.

Which model is right? Why do we rely on separate "badging" and "access" mechanisms in the U.S.? Is it because RSA got there first? Is it better to have these things separate to provide multi-factor and multi method (card and token) authentication?

Sunday, May 17, 2009

Identity Abroad

I'll be spending the next few weeks in Germany doing custom connector work with NetWeaver Identity Manager at our offices in Darmstadt. I'm hoping to have the chance to learn more about how Identity Management works in a different environment. I'll be posting my observations from time to time, along with the usual reporting on news and NW IDM tips.

Thursday, May 07, 2009

New School Identity Management?

I'm all for a discussion of changes in the Identity Management world; in fact, I encourage it. I think it's a pretty dynamic world. As Mark Diodati mentions in his article "Changing times for identity management" (login required), there are elements of IdM that are established parts of IT infrastructure, and then there is "New School Identity Management", where he talks about Privileged Account Management, AD Bridges and Virtual Directories.

All due respect to Mark, who I know has been around the IdM world for some time, but none of these elements should be considered New School; they have been around for quite some time.
  • Privileged Account Management - I don't know of an engagement I've worked on in the last 5 years that did not have some concern about the creation and management of both privileged and service accounts. If anything, because of their nature, these accounts have a greater need to be created according to mandated processes and recorded for audit and review.
  • AD Bridges - While not a technology I've gotten to work with a lot, I know that many a mixed UNIX/Microsoft shop considers the Vintela/Quest tools to be indispensable.
  • Virtual Directories - Again, a technology that's been around for a long time. I've been working with Virtual Directory technologies since 2004, where I would commonly show customers how to map information, provide access controls and even use the Virtual Directory as a write-back mechanism to supported repositories.
I can say that I'm glad these Identity Management technologies are finally getting their time in the sun. Some of these technologies have not been considered interesting or sexy because they dealt with only a subset of users. I think we can all agree that there are more end users than UNIX accounts or system accounts, so those accounts should receive some more attention.

However, in the end, the design and implementation of an Identity Management solution must be holistic in nature. Regardless of one's opinion on the New School qualities of all the technologies Mark mentions in his article, they must all be considered and planned for in the final design.