Thursday, December 15, 2005

Identity or Transaction

Identity management is one of the most obvious places to focus security attention, but it may not be the most economical. This is especially true for a large corporation that needs to protect shareholder value and may be the object of attack from dozens of unknown sources. Having said that, identity management has experienced a number of improvements in recent years.

I was in the middle of these developments two years ago when I was advising the president of a company that secures communication between the White House and the DOD. This was during the transition between "PKI is too hard to use" and the new approach, which is to "wrap PKI in a registration authority software interface". Now there are a number of identity management solutions that make the process of administering PKI-level identity management as easy as email account administration.

Returning to my first point, there are two things to remember: you can never have perfect knowledge of your users' identities, so this will always remain a vulnerability even if it is reduced; and you could have near-perfect identity management and still not reduce your company's largest risk. These two facts of life in today's world suggest that identity management is not, as I stated at the outset, the most economical security focus.

So, what is? I continue to believe that it is best to keep the focus on two places and keep it there until it cannot be implemented any better: one, secure the point of the transaction; and two, optimize the three-point implementation of i) maintaining a formal security plan, ii) providing formal governance over that plan, and iii) showing progress against that plan. These two points of focus easily provide the greatest security (especially when cost is considered) a corporation can obtain.