Identification and management of identity

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


Since 2006, the three major business departments of China Mobile (China Mobile Limited, listed in Hong Kong and New York), namely the Management Information System Department, the Business Support Center and the Network Department, have each completed their own 4A platform standards and started building 4A platforms. Other network operators and the financial industry are also actively investigating and piloting. This article briefly describes the context of this wave of 4A platform construction, the value 4A brings to customers, and the outlook for 4A.

The origin of 4A

4A is not an original coinage, so before introducing 4A we describe the terms related to it, starting with 3A. AAA has a well-known meaning in the IT world: "Authentication, Authorization and Accounting (AAA) is a framework for intelligently controlling access to computer network resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. The AAA is sometimes combined with Auditing and accordingly becomes AAAA." (SearchSecurity.com). Put simply, this is the domain of network access control and Internet billing, and it becomes 4A when auditing is added. It is well known mainly because the AAA protocol is a standard specification, represented by the famous RADIUS (Remote Authentication Dial-In User Service) protocol, which is widely adopted by network operators.

In the security world there is also a concept of AAA: "In computer security, Access Control includes Authentication, Authorization and Audit." (wikipedia.org). Access control is a perennial subject of research and application in the security field. Its purpose is to ensure the controlled and legitimate use of network resources: on the basis of identifying the requester, access control decides each resource request according to that identity, so users can access system resources only within their own permissions and cannot exceed them. The three A's play different roles in access control and influence each other: authentication verifies the legitimate identity of the principal; authorization limits the level of access a user has to resources; audit records and reviews the process by which users access resources.

To explain the background of 4A, another term must be introduced: single sign-on (SSO). "Single sign-on is a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords." (wikipedia.org). The most popular description of single sign-on is "authenticate once, access everywhere". Its core is unified identity management with centralized login and authentication of users. On the one hand, single sign-on is in huge demand and many enterprises have already adopted related systems and technologies; on the other hand, the various single sign-on solutions are still being improved and cannot simply meet the needs of a wide range of enterprises. For solving the single sign-on problem, SAML (Security Assertion Markup Language) is the best-known standard internationally and is supported by most vendors. However, owing to the complexity of implementing single sign-on, SAML has not been widely used in China.

As mentioned earlier, the concept of 4A already appears in the network security community's AAA protocol, so it is not a new technology or concept. However, the domestic meaning of 4A differs from that of 4A internationally. At present, 4A is essentially based on China Mobile's definition from 2005 and has evolved from it: "4A is the abbreviation of Account, Authentication, Authorization, Audit (account management, authorization management, authentication management, audit management). Account management, authentication management, authorization management and security audit in the business systems are integrated into a centralized and unified security service system, referred to as the 4A management platform or 4A platform." (China Mobile 4A Security Technical Specification). The background of this concept is not hard to understand. The event that had a far-reaching impact on the many foreign companies listed in the United States in 2006 was the full entry into force of the Sarbanes-Oxley Act (SOX). SOX is a major United States law covering reform of accounting profession regulation, corporate governance and securities market regulation, among other areas; companies registered in the United States and foreign-registered companies listed in the United States must comply with it. For foreign enterprises and some small American enterprises listed in the United States, it took effect on July 15, 2006 or the fiscal year ending thereafter. China Mobile is one of them.

A study of China Mobile's 4A technical specification shows that, on a compliance foundation, the specification aims to strengthen internal control auditing, strengthen supervision of the account as a special resource, and define an SSO platform construction scheme constrained by the access control model. Account management is an application-level term; academically it is called identity management (IDM) or identity and access management (IAM): "Identity Management (or Identity and Access Management) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network or an organization) and controlling the access to the resources in that system by placing restrictions on the established identities." (wikipedia.org). Several large IT vendors such as IBM, CA, Novell and Sun have related solutions, which often involve 4-5 of their product lines, have been on the market for more than 5 years, and continue to receive new releases. China Mobile put forward its own specification, and the reasons for that choice are not discussed here. However, from China Mobile's introduction of the 4A concept to the actions of many industries, it is clear that many enterprises have a timely and urgent need for access control (including identity management, single sign-on and compliance audit).

Value of 4A

China's economic development over the past 30 years has produced a number of large enterprises with large headcounts, early IT adoption, continuously expanding equipment and network scale, and in many cases listings at home and abroad. In the course of IT operation and maintenance these enterprises face many urgent problems; on the security side there are mainly three:

1. The users of the enterprise's IT systems are diverse. The personnel composition is complex: internal employees, outsourced staff, integrators, partners and customers. Personnel movement is also complex: joining, transfer, departure and secondment, with some cooperation deepening and some being partly withdrawn. It is a great challenge to achieve efficient, clear and standardized authorization of enterprise resources, effectively protect the rights and interests of legitimate users, and at the same time avoid the impact of personnel changes.

2. Enterprise IT systems are complex in construction. Many enterprises have been building IT systems for more than 10 years, and many of the original business systems are still in service. The enterprise IT environment is therefore often filled with equipment from several eras, technology of different periods and systems of different versions. The enterprise's IT operations staff cannot centrally manage every business system or enforce a unified security policy.

3. As countries pay more attention to corporate internal control, a series of laws and regulations require enterprises to strengthen management further and be accountable for shareholders' investment. Taking SOX as an example, it requires that internal control activities, whether performed by people or by the operating processes of information systems, be clearly defined and recorded, and it also requires the audit process to be archived. This requires enterprises to improve IT governance and strengthen internal control and comprehensive information auditing to ensure that legal and regulatory requirements are met.

Managing users and resources is already very complicated. To comply with regulations, the associated account management and regular password changes increase the enterprise's workload, reduce operational efficiency and raise the probability of administrator error, so that operating costs keep rising. The 4A system is the technical means China Mobile proposed to solve these problems: it enables enterprises to effectively manage user accounts across many applications, systems and devices, secure user logins, and meet the relevant requirements of SOX audits.

Therefore, building a centralized security service platform within the enterprise and, on the basis of the AAA of the traditional access control concept, strengthening management and control of the account as a special resource will bring much value to the sustainable development of the enterprise, as follows:

Simplified management: authentication, authorization and audit are unified, greatly reducing the complexity of the work.

Improved account security: supervision of account maintenance is strengthened, and the password maintenance policy of each system can be enforced uniformly.

Security awareness: all audit information from access to operational resources and from business operations can be managed and monitored centrally, keeping the security situation under control.

Accountability to the individual: security incidents are traced to a specific person, preventing the situation where no one can be held accountable because many people share an account.

Ease of use: single sign-on removes the tedium of re-entering user names and passwords when employees switch between systems, and employees no longer need to remember many passwords.

Anomaly detection: unified access auditing of every system and every user supports comprehensive statistics, correlation analysis of user behaviour, and timely discovery of abnormal operations.

Enterprise compliance: the enterprise meets national legal and regulatory requirements at minimum operating cost.

Investment protection: subsequent enterprise systems can be built on this platform; user management, asset management, authentication and authorization, and security response need not be developed repeatedly.

Elimination of information silos: all systems can share user, asset and other information, and data security can be managed efficiently and conveniently.
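As an added illustration (not code from the article or from China Mobile's specification), the following Python sketch puts the 4A idea into one small service: personal accounts with a lifecycle, authentication, role-based authorization against a per-system policy, and an audit trail that attributes every action performed through a shared target account (such as root) to the person who requested it. Users, roles, systems and the policy are constructed sample values.

```python
# Added example (not from the article): a toy 4A-style centralized access-control
# service with account lifecycle, authentication, authorization and attributable audit.
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    roles: set
    status: str = "active"  # lifecycle: "active" or "departed"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class FourA:
    # Constructed sample policy: role -> allowed (target system, action) pairs.
    POLICY = {"dba": {("billing-db", "query")}, "netops": {("core-router", "show")}}

    def __init__(self):
        self.accounts = {}  # Account management: one personal account per person
        self.audit = []     # Append-only audit trail

    def add_account(self, user, password, roles):
        salt = os.urandom(16)
        self.accounts[user] = Account(user, salt, _hash(password, salt), set(roles))

    def deprovision(self, user):  # departure: revoke centrally, keep the record
        self.accounts[user].status = "departed"

    def authenticate(self, user, password) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.status != "active":
            return False
        return hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))

    def authorize(self, user, system, action) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and any(
            (system, action) in self.POLICY.get(r, ()) for r in acct.roles)

    def access(self, user, password, system, shared_account, action) -> bool:
        # The audit entry names the personal principal, not only the shared account.
        ok = self.authenticate(user, password) and self.authorize(user, system, action)
        self.audit.append({"principal": user, "system": system,
                           "target_account": shared_account, "action": action,
                           "result": "allow" if ok else "deny"})
        return ok
```

Denied requests are recorded as well, so a departed employee's attempt with a still-valid password shows up in the trail under their own name.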

Observations on 4A development

After four or five years of development, 4A is changing imperceptibly. The 4A platform has gradually evolved into part of the enterprise's IT infrastructure, while account management, originally the addition to AAA, has become an independent application on the platform. These trends can be expected to continue in the next few years; at the same time, what changes and developments will 4A see?

1. Forming a three-dimensional audit environment together with SIEM

Compliance audit will remain one of the sources of enterprise demand in the next few years. For example, on May 22, 2008, the Ministry of Finance, the Securities Regulatory Commission, the Audit Office, the Banking Regulatory Commission and the Insurance Regulatory Commission jointly issued the Basic Norms of Enterprise Internal Control (China's Sarbanes-Oxley, also known as C-SOX) for implementation in listed companies. SIEM products collect all kinds of system logs and events and can perform correlation analysis. However, SIEM products alone cannot help enterprises extend auditing from systems to people and their operations. Therefore, organically combining the industry's years of SIEM experience with 4A will safeguard the secure operation of enterprises, establish a three-dimensional audit environment, effectively help reduce operating costs and meet legal and regulatory requirements; this combination will receive in-depth research and development.

2. Building an all-round access control system with application gateways and terminal management

A complete access control system is the direct guarantee of enterprise security, and isolated access control measures lack, to some extent, the ability to provide comprehensive evidence. Therefore a two-pronged approach at both ends of the business, the service consumer and the service provider, will achieve the best results: monitor the user's device together with the user's identity and operations, and monitor the use of the equipment and systems that support the business. In this way 4A becomes not only the monitoring provider but also the active reporter and policy enforcer, establishing a comprehensive access control system.

3. Helping enterprises build the infrastructure of their IT systems

Since 2006, the improvement and construction of 4A has never stopped. On the one hand, planning for a "Big 4A platform" is starting, and new concepts and terms will emerge as required; on the other hand, as small and medium-sized enterprises build out their information systems, centralized security service platforms will gradually become universal. Through a unified technical architecture for security services, new applications can be easily integrated into the unified platform. Through this platform, the enterprise's various IT resources (including applications and systems) are centrally managed, centralized security services are provided to each business system, and the security and manageability of the business are improved.

In a word, 4A will continue to develop in both depth and breadth: on the one hand it will become infrastructure such as the enterprise's centralized security service platform; on the other hand it will continue to go deeper into enterprise business systems to protect users' business.
