How the new Password Mgmt Security Guidance relates to MOF Security Administration SMF
In case you haven’t heard, a v1.2 update was released to the Microsoft Identity and Access Management Series, which adds the new Password Mgmt paper.
This documentation highlights the following: “The Password Management paper outlines different approaches to password management and addresses the technical issues that effective password management involves. The paper uses a fictitious organization to illustrate the process of how to determine password policy requirements, carry out step-by-step procedures to enforce a strong password policy, and then manage the organization's passwords through both an intranet and an extranet. Finally, the paper discusses how to validate the password management implementation and perform common operation tasks to maintain it.”
Within MOF, in the Operating Quadrant (see my prior post about the MOF process model here) is a service management function entitled Security Administration. The process flow in the Security Administration SMF includes:
- Identification – Identification is concerned with user names and how users identify themselves to a computer system.
- Authentication – Authentication is concerned with passwords, smart cards, biometrics, and so forth. Authentication is how users demonstrate to the system that they are who they claim to be.
- Access Control – Access control is concerned with access and privileges granted to users so that they may perform certain functions on a computer system.
- Confidentiality – Confidentiality is concerned with encryption. Confidentiality mechanisms help ensures that only authorized people can see data stored on or traveling across the network.
- Integrity – Integrity is concerned with checksums and digital signatures. Integrity mechanisms help ensures that data is not garbled, lost, or changed when traveling across the network.
- Nonrepudiation – Nonrepudiation is a means of providing proof of data transmission or receipt so that the occurrence of a transaction cannot later be denied.
- Auditing – Security auditing is extremely important for any enterprise system as audit logs may give the only indication that a security breach has happened. If the breach is discovered some other way, proper audit settings generate an audit log that contains important information about the breach.
The Password Mgmt paper delves into areas appropriate to the above processes, in particular authentication and auditing. The detail in this documentation could be quickly customized for an organization to provide the documented processes necessary for a more repeatable and predictable environment.
Security Administration within the operating quadrant should not be confused with the Security Management SMF in the Optimizing quadrant. The Security Mgmt SMF focuses more on the management and development side of security, as in security assessment, strategy, policy formation, and encouraging continuous improvement. This compares to the above processes in the Security Administration SMF which is more focused on day to day operations necessary to maintain desired security levels as determined by the policy and strategy defined in the optimizing quadrant process.