Enterprise IT Identity & Access Management

Introduction to IAM Buyer's Guide

Yale Li — Tue, 01 Apr 2008 14:00:00 GMT

“Our vision for security is to create a world where there is greater trust — where people and organizations can use a range of devices to be more reliably and securely connected to the information, services and people that matter most to them.” - Bill Gates, Chairman, Microsoft

“As a CIO, I strive to ensure productive, secure, cost effective solutions that help our users realize their potential. Identity and Access Management is the foundation for any solution that I provide to our users.” - Ron Markezich, VP, Microsoft

Thank you for visiting my weblog. Please scroll down because I'll keep the Introduction page at top.

Audiences: CIOs, CSOs, IT Directors/Managers, Enterprise/IT Architects, IT Pros, PMs, Consultants, IAM Product Vendors, Developers

Purpose: To share my personal view and experience on how Identity & Access Management (IAM, also referred as IdM or IdA) should be done in enterprise IT B2E (Business to Employees) environment (up to half million seats and one million nodes globally). Unlike most other IAM Internet sites, I do not sell products or services. I see IAM from a buyer's angle rather than from a seller's angle. My goal is to purely share information and benefit other enterprise IT divisions / departments to improve security, increase productivity, minimize cost, and satisfy regulatory compliance in long term. Hopefully, this will also set an IT requirements bar for IAM product vendors.

Yale Li, PMP, CISSP, ITIL, CCNA, MCSE+I, MCSD, MCDBA, MCNE, CLP, CWSE, CLSE, CNP, CCP, ASE

Disclaimer: All opinions posted here are those of the author and are in no way intended to represent the opinions of author's employer. This posting is provided "AS IS" with no warranties, and confers no rights. Use of included code samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Major IAM Vendors

Yale Li — Tue, 01 Apr 2008 14:00:00 GMT

Vendor selection is critical in IT business. I still remember an old story when I joint big blue family last Century: a wise advice was spread among IT decision makers globally: “You will never be fired if you buy from IBM”.

It had worked for a long while. Then, people got fired. Finally, you can not buy PCs from IBM because they are sold to Lenovo. Despite of the result, this phenomenon reflects an enterprise strategy: go with the industry and market leader.

In currently IAM industry and market, a question is “who is the leader?”. My answer is none because no single vendor can provide a complete end to end IAM solution. Near a hundred IAM vendors are fighting a war to become the leader. Mergers and acquisitions happen frequently.

Before you invest on IAM projects, you should be aware of major IAM product vendors. Just like buying a car, you will have more choices if you know all major auto makers. I have gathered most major IAM vendors in following list (in alphabetic order):

A10 Networks - http://www.a10networks.com

Abridean (bought by nCiper) - http://www.abridean.com
ActivIdentity (renamed from ActivCard) - http://www.actividentity.com
Alacris (bought by Microsoft) - http://www.microsoft.com/windowsserversystem/clm
Aladdin - http://www.aladdin.com
ASG - http://www.asg.com
Authentify - http://www.authentify.com
Avatier - http://www.avatier.com
Axalto (see Gemalto) - http://www.axalto.com
Bayshore - http://www.bayshore.com
BEA - http://www.bea.com
Beta Systems - http://www2.betasystems.com/en
BHOLD - http://www.bholdcompany.com
BindView (bought by Symantec) - http://www.bindview.com
BMC - http://www.bmc.com
BNX Systems - http://www.bnx.com
Bridgestream - http://www.bridgestream.com
CA - http://www.ca.com/

Centrify - http://www.centrify.com/

Citrix - http://www.citrix.com
Courion - http://www.courion.com
Credentica - http://www.credentica.com
Datapower (bought by IBM) - http://www.datapower.com
Digital Persona - http://www.digitalpersona.com
Enatel - http://www.enatel.com
Entegrity - http://www.entegrity.com
Entrust - http://www.entrust.com
Epok - http://www.epokinc.com
Eurekify - http://www.eurekify.com
Evidian - http://www.evidian.com

Fastpass - http://www.fastpasscorp.com

Fischer Int’l - http://www.fischerinternational.com
Gemplus (see Gemalto) - http://www.gemplus.com

Gemalto (merger of Gemplus and Axalto) - http://www.gemalto.com
GlobalSign - http://www.globalsign.com

HID - http://www.hidcorp.com

HP - http://www.hp.com

IBM - http://www.ibm.com

Identity Engines - http://www.idengines.com
Imanami - http://www.imanami.com
Imprivata - http://www.imprivata.com
Indala - http://www.indala.com
Jericho Sys Juniper - http://www.jerichosystems.com

LogicTrends - http://www.logictrends.com

Maxware - http://www.maxware.com
Microsoft - http://www.microsoft.com

Mirapoint - www.mirapoint.com

M-Tech - www.mtechit.com

nCipher - http://www.ncipher.com
NetIQ - http://www.netiq.com
NetPro - http://www.netpro.com
NeuStar - http://www.neustar.biz
Novell - http://www.novell.com
Oblix (bought by Oracle) - http://www.oracle.com/oblix
OctetString (bought by Oracle) - http://www.oracle.com/octetstring
Omnikey - http://www.omnikey.com
Oracle - http://www.oracle.com
OSM - http://www.cosuser.com
Paramount Defenses - http://www.paramountdefenses.com

Passlogix - http://www.passlogix.com
Persistent Sys. - http://www.Persistent.com
Philips - http://www.philips.com
Ping Identity - http://www.persistentsys.com
Proginet - http://www.proginet.com
Protocom (bought by ActivIdentity) - http://www.protocom.com
Quest - http://www.quest.com
Radiant Logic - http://www.radiantlogic.com
Red Hat - http://www.redhat.com
RSA Security (bought by EMC) - http://www.rsasecurity.com
SafeStone - http://www.safestone.com
Secured Services - http://www.secured-services.com
Securent - http://www.securent.net

SecurIT - http://www.securIT.biz
Sentillion - http://www.Sentillion.com
Siemens - http://www.siemens.com
Sun - http://www.sun.com
Sxip - http://www.sxip.com
Symantec - http://www.symantec.com
SymLabs - http://www.symlabs.com

Thor (bought by Oracle) - http://www.thortechnologies.com
Trustgenix (bought by HP) - http://www.trustgenix.com
Valicert - http://www.valicert.com

VASCO - http://www.vasco.com
Veridicom - http://www.veridicom.com
Voelcker - http://www.voelcker.com
ZeroKnowledge - http://www.zeroknowledge.com

I understand it is not practical to review every product of every vendor through an individual effort. In order to rate vendors fairly, I encourage you to join the community and post your comment if you have experience with any vendors and their products.

RSA 2007 Conference Take Aways

Yale Li — Sat, 10 Feb 2007 04:00:00 GMT

There was no much exciting news at RSA2007. I think I need to write a few things down here or otherwise I will no longer remember them:

- Information Centric Security: The information is the king. However, the king can not live in a castle all the time. You, as a security professional, should be a knight to protect the king no matter where the king goes. How: add security controls to data in addition to network (for example, use Rights Management Server to protect data in addition to IPSec).

- User Centric Identity: Identity and Access Management is all about enabling people to do business more efficiently and securely. It will be supported by solutions such as Strong Authentication, Identity Lifecycle Management, Federation Services etc. You will see that more and more dedicated security companies merged into bigger business companies as a trend.

Following is a link to photo taken for Bill Gates' last RSA conference keynote speech with his successor Craig Mundie. Identity is one of three major area in their security strategy (the content in this blog is a kind of input to that vision). The other two are Network and Protection.

http://blogs.technet.com/photos/yaleli/picture633509.aspx

Review - Microsoft CLM Certificate Lifecycle Manager Beta 2

Yale Li — Wed, 25 Oct 2006 13:00:00 GMT

I reviewed CLM Beta 1 half year ago and rated it low. Now, CLM Beta 2 is ready for prime time and I'm going to deploy it in production environment. I've seen a lot of improvements in Beta 2 so many cons in Beta 1 are removed. Base CSP Smart Card support is a huge for me. For smart card PIN distribution to users, CLM provide 3 - 4 ways:

- User Provided: The admin or user will provide the initial PIN at the time of enrollment

- Random: Nobody knows the initial PIN; Users will need to do self service PIN unblock to get the initial PIN.

- Server Distributed: CLM will print the initial PIN on a hard copy of user letter; This simulates bank ATM PIN distribution; A template is provided with many configurable variables for letter customization.

- Custom Distributed: This allows you to program custom API if above ways don't work for you.

Pros:

- Microsoft Base CSP Smart Card support

- Custome API to enhance CLM functionalities

- Format (Initialize) smart card

- HSM support for agent key protection

- SQL 2005 support

- Turn key system and no coding is required

- Can manage both smart cards (including USB tokens) and certificates

- Feature rich self service Web UI

- Built-in work flow engine to handle approval and notification

- Flexable policies

- Temp smart card

- Easy installation

Cons:

- In multiple forest environment, each forest needs its own CLM and SQL database.

- Granting permission is tedious work

- CLM Client and .NET Framework 2.0 are required on client PC for self service.

Overall Rating:

8 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - ADFS v1 & Preview - ADFS v2

Yale Li — Wed, 25 Oct 2006 13:00:00 GMT

Active Directory Federation Service (ADFS) is a component of Active Directory released as part of Windows Server 2003 R2. ADFS v1 can be used in various B2B/B2E/B2C Web Single Sign On and Identity Federation scenarios.

Pros:

- Enable Federated SSO between organizations

- Enable Extranet SSO within the same corporate environment

- Support either password and client cert/smart card logon

- AD and ADAM intergration

- Easy installation (ADFS-A, ADFS-R, ADFS-Proxy, ADSF-Web Agent)

Cons:

- NT Token based and Claims based web app support only

- Requires Windows Server R2 and ADFS web agent installation on IIS web server

- Everyone with machine join rights can setup ADFS Account server and Resource server (corporate may lose controll without security policy)

- No CardSpace support

Overall Rating:

8 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

ADFS v2, to be released in Longhorn Server timeframe, will add support for:

- Rich client web service apps

- Windows CardSpace

- Others (undecided yet, such as manageability, SAML 2.0 support, brokered authentication ...)

IAM in TwC

Yale Li — Sat, 10 Jun 2006 03:00:00 GMT

I attended 2006 Microsoft EE & TwC Forum recently and tried to find out if there is any relationship between IAM and TwC. It is interesting that TwC (Trustworthy Computing) has Identity and Access Control as a grand child.

At top level, TwC has four children, referred as 4 pillars:

1. Security

2. Privacy

3. Reliability

4. Business Practices

At next level, the Security pillar in TwC has three children, known as 3 elements:

1. Fundamentals

2. Threat and Vulnerability Mitigation

3. Identity and Access Control

Finally, IAC (Identity and Access Control) itself has 3 parts:

1. Trustworthy Identity: Strong Authentication and Credential Management (http://download.microsoft.com/download/9/e/2/9e206d8a-37a2-4c17-a6df-ef1e82ce37f4/TrustworthyID.doc)

2. Access Policy Management: Authorizing for Access (http://download.microsoft.com/download/e/e/4/ee4eb053-31bf-4180-96a5-91866e43ee6c/AccessPolicyMgt.doc)

3. Information Protection (http://download.microsoft.com/download/2/b/d/2bdcaef5-865f-46f0-a555-cb6ce5c6bd0e/information_protection.doc)

The forum content (such as Microsoft's 10 year authentication and authorization strategies) may be confidential and not available for public yet. But above docs should provide you enough readings about IAM in TwC.

IAM Strategy

Yale Li — Thu, 08 Jun 2006 10:00:00 GMT

IAM is a combination of processes, technologies, and policies enabled by software to manage digital identities in their lifecycle and specify how they are used to access resources. IAM is a superset of AAA (Authentication, Authorization, Auditing)*. Here are some general strategies for enterprise to consider:

Obtain executive sponsorship because IAM is an important part of information security
Understand your business and define processes first
Automate provisioning process
Offer self services to employees
Buy: Directory Servers, Meta Directories, Virtual directory servers, Administration products (directory and PKI management tools, and provisioning products)
Build: Access Layer, Workflow Processes
Architect: Integrates above compoments and processes together, takes forethought and skill (may not need all components at first)
Lay out requirements and business logics as much as possible before starting integration
Before signing a contract with any vendor, check out references and foster a good partner relationship

*Note: Gartner and Forrester have 4 A's with additional Administration. Auditing is also referred as Audit or Accounting or Accountability.

How to Reduce TCO of Identity & Access Management

Yale Li — Wed, 07 Jun 2006 10:00:00 GMT

Identity & Access Management is an expensive investment in IT. Here are some tips to reduce Total Cost of Ownership:

Follow the rule of economy of scale - If more people use the same solution, the unit cost of the solution will decrease. Therefore, you should always search and use the most popular out of shelf IAM solution in the market place first. Your own custom built solution should be the last resource only when no other commercial solutions are available or they can not meet your needs.
Automate repeating manual tasks - Labor time is always expensive than machine time. You should identify the repeating manual IAM tasks and automate them as much as possible. Most of those tasks can be done by scripting. Technet Script Center is a good resource for Microsoft solutions such as Active Directory: http://www.microsoft.com/technet/scriptcenter/default.mspx. I'll provide more IAM script in Sample Code category in the future.
Outsource your IAM operations - If your company's IT team is based in North America or Europe, you should definitely consider outsourcing IAM Tier 1 or Tier 2 support to offshore, such as India or China. The cost could be reduced to 1/8th for US companies. It will also help to outsource IAM Tier 3 and Architecture/Integration work to larger IT service companies such as Microsoft*, IBM and HP.

In TCO, hardware is the smallest portion, support is the largest portion, and software is in the middle. Currently, Microsoft MIIS is the lowest cost solution for identity lifecycle management service and Microsoft CA is the lowest cost solution for certificate service.

*Note: Microsoft has a new IT service offering called Microsoft Managed Solutions. This is different from Microsoft Consulting Service.

Authentication Strategy

Yale Li — Tue, 06 Jun 2006 10:00:00 GMT

Authentication is the procedure through which a user or a device or a service (or application) provides sufficient credentials to satisfy access requirements to another service, application, or system.

User Authentication Strategy:

· Prepare and plan for Strong User Authentication

· Educate line of business application owners to use standard OS and directory protocol authentication and avoid application custom authentication.

· Use PKI product for digital certificate service and RMS product for license servic

· Keep Password logon as temporary authentication method for problematic road warriors

· Use Kerberos V5 as authentication protocol

· Use Smartcard/PIN two factor authentication, and evaluate USB Tokens, Wireless Smart Card, Biometrics, TPM authentication

Application/Service Authentication Strategy:

· Use Managed Password (strong password and changed by application itself), Hash, or Software Token for system account

· Evaluate TPM as long term solution for application/service authentication

Device Authentication Strategy:

· Use EAP-TLS machine cert in conjunction with user smart card cert for wireless LAN access

· Use Windows Vista (with Network Access Protection feature at server side) for wireless Corpnet LAN connection

· Use Windows Mobile 2005 (with software cert authentication) for wireless phone device email synchronization

· Evaluate TPM as long term solution for device authentication

Authorization Strategy

Yale Li — Mon, 05 Jun 2006 10:00:00 GMT

Authorization (or establishment or entitlement) defines a user's (or process') rights and permissions to a resource. After a user (or process) is authenticated, authorization determines what that user can do to the resource.

Here are some authorization strategies to improve security:

By default, grant users no rights and permissions
Grant users least privileged rights and permissions on "need to know" basis
Push authorization processes from upper/applications layers to lower/OS layers as much as possible
Prepare or plan Role-Based authorization
Move from manual authorization management processes to automated authorization management processes with next generation IAM role/group management products

Please be aware of that Role-Base authorization will be a subset of Claim-Based authorization in long term.

Auditing Strategy

Yale Li — Sun, 04 Jun 2006 10:00:00 GMT

Auditing (also referred as Audit or Accounting or Accountability) ensures that the activities associated with user access are logged for monitoring, regulatory and investigative purposes.

Auditing Strategies for IAM to be compliance:

Identify regulations you company must be compliance: such as SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), Basel II.
Assess current compliance baseline and perform gap analysis
Implement IAM controls and compare with industry standards and best practices, such as ISO 17799
Measure, test, remediate, and demonstrate your IAM controls
Ensure IAM audit logs are secure and scalable
Get IAM reporting tools that meet auditor's needs

Usually, enterprise IT should have a dedicated governance/audit team (or professionals) to provide compliance guidelines. If not, you should consult with external audit professional service.

How to Improve Security with Identity & Access Management

Yale Li — Sat, 03 Jun 2006 06:00:00 GMT

Every time I told a friend I got an IT security job, I was always asked a similar question "Do you catch hackers or virus?". Of course, the popularity of the Internet definitely puts external threats and attacks on enterprise IT security's radar. However, I still personally believe internal threats and attacks cost more damage.

According to a 2003 study by the Computer Security Institute (CSI) and the United States Federal Bureau of Investigations (FBI), nearly half of all security breaches—an astounding 45 percent—come from within the enterprise by disgruntled or malicious employees. Industry analyst firm The Gartner Group estimates that more than 70 percent of unauthorized access to information systems is committed by employees and believes that more than 95 percent of intrusions result in significant financial losses.

SUA, LPA and SAT are good IAM defense weapons against internal identity theft:

SUA (Strong User Authentication): Password is always weak. You should plan for 2 factor authentication (see Technology Category for definition) such as Smart Card, USB Token, or RSA SecurID. When you evaluate/buy a technology, an important thing is to give equal weight to associated lifecycle management system.
LPA (Least Privileged Authorization or Access): A strategy to minimize internal security risk is to reduce attack surface area. LPA is an execution of this strategy. First, you need to classify your data. Then, the access will be granted for different class of data on a "need to know" basis. A suite of software products could be used to help LPA (such as group management, role management, rule management, authorization management, access management, self service, workflow etc.).
SAT (Security Awareness Training): IAM is about process and software is just an enabler. One import process is user security awareness training. For example, it is easier to prevent social engineering through this training process and it is hard (or even not possible) through technology. You need to develop training courses and deliver it to all users.

An IAM project to improve security will cost money. Here is a rough estimate formula to calculate cost justification:

value of all data ($) × probability of breach (%) > cost of project ($)

How to Increase Productivity with Identity & Access Management

Yale Li — Fri, 02 Jun 2006 06:00:00 GMT

With right IAM solutions, your business can increase employee's productivity (or avoid the loss) significantly. Before you look into IAM solutions, you should identify major factors impacting employee's productivity in your business. Some common factors are:

New employee setup time - the waste time to get a new network/system account and proper permissions to access resources. An employee could loss up to two day's productivity.
Existing employee transition time - the waste time to get proper permissions to access new resources. An employee could loss up to one day's productivity.
Employee password (or PIN) reset time - the waste time to get a new password or PIN after it's forgotten. An employee could loss up to half day's productivity.
Business merger/acquisition transition time - the waste time to consolidate identity and access for two or more organizations. This is also referred as business agility problem.
IAM service/support overhead - the waste time to get a new IAM related service or support.

The productivity loss can be calculated by average lost hours multiplied by average wage. In the case of the password reset, industry data shows the productivity loss is from near $100 to over $200 per employee per year.

After you analyze business productivity loss, you can look for effective IAM solutions (which of course should cost less than the lost dollars). In this area, the IAM solutions are:

· Automated real-time provisioning management - the system will create/update accounts and groups instantly in Directory after data in authoritative HR system is updated. For example, you run SAP as HR system and MIIS as Meta Directory/Lifecycle Manager, your will need MIIS SAP connector (such as Microsoft MIIS SAP MA Beta or M-Tech ID-Sync MIIS SAP MA).

· Self Services - the intranet web applications (some with a workflow engine at back) enabling employees to help themselves. For example, a Q/A based Password Reset web app will allow employees to reset password instantly (such as Microsoft MIIS 2003 SP2 or M-Tech P-Sync).

· Automated group/entitlement management - similar to automated provisioning, the system will take care employee’s group membership and entitlement automatically without manual intervention. Currently, this type of IAM solution is new and not mature in the market (such as Quest ActivRoles Server, upcoming Microsoft MIIS code name Gemini, and Microsoft Mission Ridge).

You don't have to spend extra dollars for a dedicated IAM product to resolve the agility problem. This solution should be just a bulk provisioning feature in a good provisioning management product.

How to Help Regulatory Compliance with Identity & Access Management

Yale Li — Fri, 02 Jun 2006 01:00:00 GMT

You can use IAM solutions to help demonstrating regulatory compliance such as SOX Section 404 and 302, HIPPA, GLB, Basel II Capital Accord, FDA 21-CFR-11, HSPD-12, EU Privacy Directive, PIPEDA, and LSF.

SOX: There are many SOX compliance tools and you may wonder why IAM is needed. SOX compliance tools are very good at roles and SoD (separation of duties) analysis, but are weak at workflow management, reverse synchronization, and integration with multiple target systems, etc. IAM solutions are strong in those area and can meet following SOX requirements:

Controlling the accessibility of financial information
Monitoring and auditing financial information accessibility in real time as well as periodically
Making sure that users access permissions to financial data are added and removed in a timely manner
Making sure that these controls are applied to all systems associated with financial or business transactions and not only to the traditional financial systems

HIPPA: Similarly, IAM provides very specific solutions to help healthcare organizations meet following HIPAA requirements and reduce overall organizational risk:

Each user must be uniquely identified before being granted access to confidential information.
Access to PHI must be restricted to only those persons who need access as part of their role, and the conditions of this access must be clear.
PHI must be reasonably safeguarded against intentional or inadvertent disclosure.
Access to protected resources must be tracked, so that complete access reports can be generated.
Login attempts must be tracked so that suspicious login attempts can be analyzed and corrective action taken.
Access to protected resources must be terminated quickly when an employee leaves the company.
A user's session can be terminated after a specific period of inactivity.
For large corporations, procedures must be implemented to protect private information of a healthcare entity from access by someone in the
larger organization.
Procedures for creating and managing passwords must be implemented.

GLB: IAM solutions will help addressing following GLB requirements:

Evaluate IT environments and understand the security risks
Establish information security policies
Conduct independent assessments
Provide training and security awareness programs fro employees
Scrutinize business relationships to ensure adequate security
Upgrade security programs that are in place

Authentication Protocols and Standards

Yale Li — Fri, 02 Jun 2006 00:00:00 GMT

Some of most popular authentication protocols and standards are:

· KERBEROS v5:

Kerberos is an open standard for distributed systems authentication (RFC 1510). It relies on shared secret (or password) authentication by users to an authentication server called a Key Distribution Center (KDC). The KDC grants users access to applications, optional delegation of access from an application service to another service, and optional inter-domain trusts between groups of KDCs. In Windows servers and clients running Microsoft Windows 2000 Server or later, the Kerberos version 5 authentication protocol is the basis of authentication to Active Directory. It has an extension (PKINIT) to support smart card logon. It is also integrated into SMB, HTTP, and RPC, as well as the client and server applications that use these protocols.

· NTLM:

Windows NT Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows NT operating system and on stand-alone systems. NTLM stands for Windows NT LAN Manager, a name chosen to distinguish this more advanced challenge/response-based protocol from its weaker predecessor LAN Manager (LM). NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.

· X.509:

The X.500 directory standards published by the ITU contain a subsection, X.509, which sets out recommendations for an authentication services framework. X.509, in its third revision, defines both a detailed syntax for certificates and an operational protocol specifying how a certificate is used for authentication. X.509 based authentication (such as Smart Card Logon and SSL/TLS Client Certificate) requires either an internal PKI Infrastructure or an external certificate service.

· Transport Layer Security 1.0/Secure Sockets Layer 3.0:

SSL 3.0 and TLS 1.0 are closely related protocols. SSL 3.0 is a proprietary Netscape Communications protocol, while TLS 1.0 is the Internet Engineering Task Force (IETF) standard. TLS, or RFC 2246, operates at the transport layer of the protocol stack. It’s invoked automatically whenever a user’s workstation connects to a server that requires secure communications. TLS/SSL uses a handshaking procedure to authenticate the server and (optionally) the client through X.509 certificates, to negotiate the algorithms for the session, and to exchange session keys for encryption and message digests.

· EAP-TLS

EAP-TLS uses a TLS handshake as the basis for authentication. TLS authenticates peers by exchanging digital certificates. In EAP-TLS, certificates are used to provide authentication in both directions. The server presents a certificate to the client, and, after validating the server's certificate, the client presents a client certificate. Naturally, the certificate may be protected on the client by a passphrase, PIN, or stored on a smart card, depending on the implementation. One flaw in EAP-TLS protocol noted by many observers is that the identity exchange proceeds in the clear before exchange of certificates, so a passive attack could easily observe user names.

· TTLS and PEAP

The structure of TTLS and PEAP are quite similar. Both are two-stage protocols that establish security in stage one and then exchange authentication in stage two. Stage one of both protocols establishes a TLS tunnel and authenticates the authentication server to the client with a certificate. (TTLS and PEAP still use certificates to authenticate the wireless network to the user, but only a few certificates will be required, so it is much more manageable.) Once that secure channel has been established, client authentication credentials are exchanged in the second stage.

TTLS uses the TLS channel/tunnel to exchange "attribute-value pairs" (AVPs), much like RADIUS. (In fact, the AVP encoding format is very similar to RADIUS.) The general encoding of information allows a TTLS server to validate AVPs against any type of authentication mechanism. TTLS implementations today support all methods defined by EAP, as well as several older methods (CHAP, PAP, MS-CHAP and MS-CHAPv2). TTLS can easily be extended to work with new protocols by defining new attributes to support new protocols.

PEAP uses the TLS channel to protect a second EAP exchange. Authentication must be performed using a protocol that is defined for use with EAP. In practice, the restriction to EAP methods is not a severe drawback because any "important" authentication protocol would be defined for use with EAP in short order so that PEAP could use it. A far greater concern is client software support. PEAP is backed by Microsoft, and clients are beginning to become available for recent professional versions of Windows (XP now, with Windows 2000 support coming shortly). Suppliers of PEAP clients for other operating systems have yet to materialize, which may restrict PEAP to being used only in pure Microsoft networks.

· Remote Access Dial-in User Services:

RADIUS, or RFC 2138, encrypts user ID/password information or challenge/response token information over the network. While initially created to support remote or network access servers, RADIUS has evolved to provide a standard mechanism by which Internet service providers (ISPs) relay authentication requests back to corporate customers.

· Security Assertion Markup Language (SAML):

When combined with XML-based remote procedure calls (RPCs) such as the Simple Object Access Protocol (SOAP), SAML serves as a distributed authentication protocol between authentication and other security services. As such, SAML allows loosely coupled security domains with heterogeneous systems and authentication methods to federate authentication. Liberty Alliance specifications leverage SAML as the underlying protocol while providing extensions such as account linking and global logout.

· Web Service Security (WSS):

Web Services Security (WSS) specifies ways to encode authentication and other security tokens in Simple Object Access Protocol (SOAP) message headers. Web Services Security Language (WS-Security) outlines encoding mechanisms for user IDs/passwords, X.509 certificates, Kerberos tickets, and SAML assertions.

· eXtensible rights Markup Language (XrML):

XrML is an XML-based usage grammar for specifying rights and conditions to control the access to digital content and services. Using XrML, anyone owning or distributing digital resources (such as content, services, or software applications) can identify the parties allowed to use those resources, the rights available to those parties, and the terms and conditions under which those rights may be exercised. These four elements are the Core of the language and determine the full context of the rights that are specified. In other words, it is not sufficient to just specify that the right to view certain content has been granted, but also who can view it and under what conditions.

· Simple Authentication and Security Layer:

SASL, or Request for Comment (RFC 2222), is a generalized negotiation mechanism and authentication abstraction layer for any connection-based protocol, including Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol 4 (IMAP4), and Lightweight Directory Access Protocol version 3 (LDAPv3).

· Secure Shell:

SSH, now at version 2.0, is a secure protocol and set of tools for secure, remote user authentication and access to servers. SSH can be used to secure any network-based traffic by setting it up as a ”pipe” (i.e., binding it to a certain port at both ends). This makes it useful for functions such as running X-Windows across the Internet. SSH runs on most UNIX systems, Windows servers, and client platforms, and there are open source SSH solutions for these environments. The SSH protocol consists of three major components: the Transport Layer Protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy; the User Authentication Protocol authenticates the client to the server; and the Connection Protocol multiplexes the encrypted tunnel into several logical channels.

· BAPI:

The Biometric Application Programming Interface (BAPI) defines a standard software protocol and application programming interface (API) for communication between software applications and biometric devices. BAPI is designed to bring standards and compatibility to the biometric hardware and software markets. In 2000, Microsoft acquired BAPI technology from I/O Software with the intention to integrate the technology into the upcoming versions of Windows. As a direct result of Microsoft's integration, BAPI will be positioned to provide a seamless and consistent plug-and-play experience to Windows, and the vast majority of PC users. Triggered by Microsoft's commitment to the integration of biometrics, a quickly growing number of biometric vendors have adopted the BAPI standard. Microsoft my extend Kerberos in Blackcomb to support domain Biometrics logon (Longhorn local Biometrics logon has been but).

Many other authentication methods are B2C focused and will not be explained here (such as IIS Basic, Digest, Form Based, Passport and InfoCard etc.)