What are the fundamental design issues that must be addressed to succeed with Web-based applications today? The
answer is likely to vary from security specialist to security specialist. One thing that has become clear, however, is that effective identity services are a crucial aspect in modern application integrations.
Some best identity services practices for securing ''the digital ecosystem'' are encapsulated in a recent directive from The Open Group Jericho Forum. This working group holds that the current ''border centric'' approach to services security will prove inadequate for Internet-centric application integration. [Ed.Note: See related ''Cloud integration security best practices start to emerge'' story.]
The Jericho Forum recently published a set of Identity Commandments to help IT professionals begin to address the needs for operating in cloud computing scenarios. What guidance does the group offer? Here is a sample: Using a single database for aggregation of identity data is ineffectual and even dangerous, the group contends. To buttress that view, Jericho Forum points to recent personal data breaches of Sony and LastPass (where password information held in the cloud went missing). Identity, Entitlement and Access Management (IdEA) Commandments per the Jericho Forum encompass all the “entities” – both human and digital – and promotes a comprehensive and complete view of identity entitlement and access management. They are:
1. All core identities must be protected to ensure their secrecy and integrity.
2. Identifiers must be able to be trusted.
3. The authoritative source of identity will be the unique identifier or credentials offered by the persona representing that entity.
4. An entity can have multiple separate persona (identities) and related unique identifiers.
5. Persona must, in specific use cases, be able to be seen as the same.
6. The attribute owner is responsible for the protection and appropriate disclosure of the attribute.
7. Connecting attributes to persona must be simple and verifiable.
8. The source of the attribute should be as close to the authoritative source as possible.
9. A resource owner must define entitlement.
10. Access decisions must be relevant, valid and bi-directional.
11. Users of an entity's attributes are accountable for protecting the attributes.
12. Principals can delegate authority to another to act on behalf of a persona.
13. Authorized principals may acquire access to (seize) another entity's persona.
Source: The Open Group