An identity authentication or authorization system should make decisions based on data other than that of the identity
In today's modern enterprise and internet-facing environments, security and privacy decision making can no longer be confined to linear data models.
Complex decision making requires context. For example, at authentication time, it is no longer sufficient to validate a username or password. Those details could be stolen or compromised. Adding basic risk measures, such as checking the device, IP address and time of day at which the credentials are being used, can help reduce poor decision making.
At authorization time, policy information points should be used to gain as much static and runtime information as possible before validating an access request.
It is likely that information pertaining to authX decision making will not reside within the identity information system itself, but will require integration.
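
The context-aware decision described above, as an added example that is not part of the original page: each policy information point (PIP) stands in for an external source and contributes a risk score that is combined with the credential check. The function names, risk weights, thresholds and sample data are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample data standing in for external systems (device inventory,
# network ranges, working hours). None of it comes from the original page.
KNOWN_DEVICES = {"alice": {"dev-7f3a"}}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WORK_HOURS = (time(7, 0), time(19, 0))

def pip_device(ctx):
    """PIP: is this device registered to the user? (weight is an assumption)"""
    return 0 if ctx["device_id"] in KNOWN_DEVICES.get(ctx["user"], set()) else 40

def pip_network(ctx):
    """PIP: does the source IP sit inside a trusted range?"""
    try:
        ip = ipaddress.ip_address(ctx["ip"])
    except ValueError:
        return 100  # unparseable address: treat as maximum risk
    return 0 if any(ip in net for net in TRUSTED_NETS) else 30

def pip_time(ctx):
    """PIP: is the attempt inside normal working hours?"""
    start, end = WORK_HOURS
    return 0 if start <= ctx["when"].time() <= end else 20

PIPS = [pip_device, pip_network, pip_time]

def decide(credentials_valid, ctx, step_up_at=30, deny_at=70):
    """Combine the credential check with context: allow, step_up or deny."""
    if not credentials_valid:
        return "deny", 100  # context never rescues a failed credential check
    risk = 0
    for pip in PIPS:
        try:
            risk += pip(ctx)
        except Exception:
            risk += 100  # fail closed if a context source is missing or broken
    risk = min(risk, 100)
    if risk >= deny_at:
        return "deny", risk
    if risk >= step_up_at:
        return "step_up", risk  # e.g. require a second factor
    return "allow", risk
```

Valid credentials alone are not enough here: the same username and password produce different outcomes depending on device, network and time, and a missing context source pushes the decision to deny rather than allow.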