Since different authentication methods meet these requirements to varying degrees, you must craft your authentication policy carefully. The methods used for authentication should be sufficiently robust so as to reduce the risk to information resources in accordance with their business value.

The Relationship Between Authentication and Authorization

Authentication is closely tied with authorization. Authorization is the process of determining if access should be provided to a resource and occurs after authentication -- you must know the identity of someone before deciding if he or she should be given access to a resource. Authorization can be accomplished by using a profile that is associated with the identity that has been authenticated, or via permissions placed upon resources that control access based on identities and groups.

Four areas that need to be accounted for in your authentication policy are the methods of initial authentication for account creation; the value of data and systems being accessed; the method of access; and the privilege level of the account being authenticated.

• You must determine the methods that will be used to authenticate an individual initially. In a corporate setting, where access is limited to internal employees, such authentication usually is accomplished by the human resources department. When someone is hired, he or she is required to provide employment history, social security number, personal references, a home address and other information. Further, most companies do routine background checks on candidates to ensure they are who they say they are and that they are not high risks because of bad credit or criminal histories, for example. You will need policies for initial authentication if you plan to provide services to a client that is unknown until registered. For example, you might be developing an Internet or extranet application for use by a new customer base. Your policy should state what types of information are required for legitimate initial authentication. These requirements might be minimal if the data being accessed is not critical or confidential. However, when providing access to high-value data, multiple information elements -- tax ID, home and/or business address or driver's license number, for example -- should be required so that you can perform some level of verification before creating a new account.

• The requirements for authentication should be directly related to the value of the data and systems being accessed. This ties your authentication policy to another policy area: data-value classification. To determine the requirements for authentication, you must understand the value placed on the data and systems to which you are providing access. For example, you may have lower authentication requirements for access to internal print systems than to business-critical data, such as that produced by finance or HR departments.

• The method used to access the data or systems should be taken into consideration when defining an authentication policy. For example, your authentication requirements for access to a given system may be lower if the system is being accessed from an internal network rather than from an extranet or the Internet. This is to help mitigate the risk associated with a less secure method of access.

• Your requirements for authentication should match the level of access being provided. The requirements for authentication of a regular user account, for instance, might be lower than those for authentication of an administrative account.