Strong Authentication Deployment Challenges
Applies To: Forefront Identity Manager Certificate Management
While the use of digital certificates and smart cards provides an excellent approach to deploying stronger authentication than traditional username/password-based systems, customers face additional deployment considerations in provisioning and managing these technologies in a cost-effective manner.
Deploying certificates and smart cards within a large enterprise environment can create a significant operational burden, unless tools are available to assist with the provisioning and lifecycle management process.
The business and technical challenges that customers typically face when deploying a certificate services based solution architecture that leverages a certificate and smart card management system such as FIM CM are described below.
Ease of Use and End User Acceptance – Users are reluctant to accept new authentication technology unless it provides proven benefits, offers greater flexibility than their existing authentication solution, or is easier to use. Technologies that allow for user self-service must be simple enough for users to perform the functions they need.
Alignment with Corporate Security Policies and Standards – IT security controls are typically mandated for compliance reasons and reflect requirements dictated by corporate policies and standards. The solution chosen must be flexible enough to meet these requirements.
Reduction of Help Desk Burden and Minimization of Additional Management Overhead – Any solution that is implemented must minimize the impact on help desk staff and network administrators. The solutions that have the greatest return on investment are those that reduce the existing access control management burden that is typically inherent in help desk operations today.
Selection of Correct Authentication Technology – The technology and form factor selected for authentication have to meet security requirements, solve immediate security problems, position the organization for future requirements, and provide a simple, easy-to-use interface for end users. The authentication technology selected should be scalable so that it can meet immediate authentication requirements as well as future encryption or digital signing requirements.
Lost, Stolen or Forgotten Smart Cards – Help desk staff and network administrators face a significant change when the decision is made to migrate from username and password-based authentication to smart card or token-based authentication. The management challenges and logistics of replacing lost, stolen or forgotten cards should not be overlooked and must be considered as part of the overall certificate and authentication device management lifecycle.
Deployment of Smart Card Middleware – Until the release of the Base Cryptographic Service Provider (BaseCSP), deploying smart cards meant installing smart card middleware matched to each vendor’s smart card on every user’s desktop that used smart card services. If required, the deployment of smart card middleware must be considered as part of the smart card roll-out and adoption strategy. BaseCSP-compliant cards reduce this burden significantly.
Geographic Distribution – IT analysts who have deployed PKI technologies in the past understand that the secure distribution of certificates to users can be a significant challenge. This challenge increases with the number of users and the geographic spread of the sites where the technology will be deployed. Distribution of certificates can be further complicated by the intended use of the certificate. For example, if you are deploying certificates that will be used for digital signatures, you need to ensure that a user’s identity is validated before a credential is issued to them.
Integration with an Overall Identity Management Framework or System – Certificate and smart card management systems must integrate with the overall identity management framework of an enterprise environment. It is important that APIs, identity repositories and information stores are based on common technology infrastructures so that they can integrate with and leverage the other identity management systems already in place.
Managing Certificates Used for Encryption – Certificates can be stored on smart cards or locally on the computers where users log on. Certificates that are used to encrypt data, such as when Encrypting File System (EFS) is configured to use certificates, need a management solution that supports key recovery.
Simplifying Strong Authentication with FIM CM
The release of FIM CM provides enterprise IT environments with rich management tools that enable customers to address a range of business and technical challenges associated with deploying digital certificate and smart card-based strong authentication solutions, including those listed above.
The certificate and smart card management capabilities of FIM CM were designed from the outset to reduce the cost and complexity of deploying strong authentication technologies such as smart cards and digital certificates within a single, integrated lifecycle management solution.
The following sections of this document provide a technical overview of FIM CM and describe how customers can use FIM CM to support a range of strong authentication deployment scenarios across the enterprise. The benefits of using a FIM CM-based approach to deploying strong authentication solutions are summarized in the section Benefits of a FIM CM Approach.