NEWS AT SEI
This library item is related to the following area(s) of work: Tools & Methods
This article was originally published in News at SEI on: September 1, 2003
How can the U.S. government determine how far it should go to ensure that the people using its Internet sites are who they say they are? On which sites should the government use the most sophisticated and expensive technology to authenticate users? On which sites can it employ simpler solutions?
A technique developed by an SEI team enables organizations to analyze their own authentication risks and requirements for their Internet sites, without having to call in authentication experts.
The technique, called e-RA, was developed for the General Services Administration’s Office of Electronic Government by an SEI team consisting of Rich Caralli, Audrey Dorofee, Eileen Forrester, Bill Wilson, Bradford Willke, and Erin Whiteman. The term “e-RA” is short for “e-authentication risk and requirements assessment.” It is a technique to elicit requirements for authentication for transaction-based systems, based on the risks to those systems and to users. The purpose of e-RA is to guide the selection of an appropriate level of authentication that will enable the system to resist threats to data, users, and organizations that could result from unauthorized system transactions.
Common technology-centric approaches, such as “just use public key infrastructure” or “user id and password should do it,” may be either too much or too little. A solution that is too much for the risks involved could be costly and tough to implement, manage, and maintain. It could also present an unnecessary barrier for intended users. However, a solution that is too little will not provide enough protection, resulting in dire consequences for the organization and possibly its users.
The government could have approached the problem in a number of ways, the SEI’s Caralli says. “You could look at the available authentication technologies and just apply one or more of them, which might require that each and every user get a $20 certificate and install it on his or her computer.” Instead, the SEI team developed an approach to discover the risks of unauthorized use in a range of scenarios covering 22 electronic-government, or “e-government,” initiatives comprising government-to-government, government-to-business, government-to-citizen, and internal government transactions. Examples of transactions include government travel processing, inquiries about social security benefits, and filing grant applications.
After conducting the assessment, organizations can say accurately, “this is what we need to avoid, and it takes this level of authentication to avoid it,” Caralli says. “They can make decisions based on risk, then decide which technology is the most cost effective.”
Or, the organization might decide to change the Web site, says Mark Liegey, a program analyst with the U.S. Department of Agriculture (USDA). Liegey was the team lead for risk assessment for the e-government e-authentication initiative, which is part of the President’s Management Agenda and promotes the reuse of credentials across government. “The e-RA approach gives us the opportunity to think about whether there are other ways to reduce risk than with an expensive solution,” Liegey says. “If the e-RA approach shows that a transaction exposes a user’s social security number, we might ask whether we even need to ask for the social security number.”
An e-RA assessment is usually performed by using the e-RA database for data collection and analysis. Organizations perform four major activities in an e-RA assessment. They
Risk-tolerance criteria are benchmarks or measures against which the organization can evaluate the consequences of unauthorized transactions. The same consequence could mean different things to different organizations. The organization develops its own weighting factors to describe what is important and to determine the consequences and impacts that it most wants to avoid.
Transactions are the vehicle for creating system data, inquiring on it, modifying it, or deleting it. After conducting an e-RA assessment, a system owner has a mapping of each transaction to an authentication level. This mapping can be used to develop authentication requirements and to then choose and implement technical and other operational solutions for authentication.
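As an added illustration, not the e-RA tool or the SEI team's own scoring scheme (which the article does not describe), the following Python sketch models the reasoning above: two organizations apply their own weighting factors to the same set of transactions and arrive at different transaction-to-authentication-level mappings. The consequence categories, weights, thresholds, and sample transactions are all constructed for this example.

```python
"""Toy model of the e-RA reasoning (constructed illustration, not the e-RA tool):
an organization weights the consequences of an unauthorized transaction by its
own risk-tolerance criteria and maps the weighted score to an authentication level."""
from dataclasses import dataclass


@dataclass
class RiskTolerance:
    """One organization's risk-tolerance criteria: a weight per consequence category
    and ascending score cut-offs that separate authentication levels 1 to 4 (assumed)."""
    weights: dict
    thresholds: tuple = (3, 6, 9)


@dataclass
class Transaction:
    name: str
    kind: str           # one of the four e-RA transaction types: create, inquire, modify, delete
    consequences: dict  # hypothetical category -> severity 0 (none) .. 3 (severe) if run unauthorized


def weighted_score(tx: Transaction, tol: RiskTolerance) -> int:
    """Consequence severity weighted by what this organization most wants to avoid."""
    return sum(tol.weights.get(cat, 0) * sev for cat, sev in tx.consequences.items())


def authentication_level(tx: Transaction, tol: RiskTolerance) -> int:
    """Level 1 (weakest) to 4 (strongest): one step up for each threshold the score reaches."""
    score = weighted_score(tx, tol)
    return 1 + sum(1 for cutoff in tol.thresholds if score >= cutoff)


def assess(transactions, tol: RiskTolerance) -> dict:
    """The e-RA output shape: a mapping of each transaction to an authentication level."""
    return {tx.name: authentication_level(tx, tol) for tx in transactions}


# Constructed sample transactions (names echo the article's examples).
TRANSACTIONS = [
    Transaction("inquire_benefits_with_ssn", "inquire", {"privacy_exposure": 3, "reputation": 1}),
    Transaction("inquire_benefits_no_ssn", "inquire", {"privacy_exposure": 1, "reputation": 1}),
    Transaction("file_grant_application", "create", {"financial_loss": 2, "service_disruption": 1}),
    Transaction("delete_travel_voucher", "delete", {"financial_loss": 2, "service_disruption": 2}),
]
# Two organizations weighting the same consequences differently (constructed).
PRIVACY_FOCUSED = RiskTolerance({"financial_loss": 1, "privacy_exposure": 3, "service_disruption": 1, "reputation": 2})
FINANCE_FOCUSED = RiskTolerance({"financial_loss": 3, "privacy_exposure": 1, "service_disruption": 2, "reputation": 1})

if __name__ == "__main__":
    for label, tol in (("privacy-focused", PRIVACY_FOCUSED), ("finance-focused", FINANCE_FOCUSED)):
        print(label, assess(TRANSACTIONS, tol))
```

The two benefits inquiries differ only in whether a social security number is exposed, which is the redesign question Liegey raises: dropping the field lowers the required level for both organizations.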
Each type of transaction (create, inquire, modify, and delete) usually maps to a specific type of undesired outcome if an unauthorized user executes it:
The USDA’s Liegey says the government got a better-codified and simpler solution than anyone expected. “We originally wanted the SEI to figure out a technique for doing authentication assessments and then teach us to do the assessments. So it started out being very expert-driven. But every time we did a pilot, we streamlined the process and realized it didn’t have to rely on hands-on expertise from the SEI for every assessment. Instead, the SEI experts could provide us with a tool to automate the process. From a transition point of view, that’s one of the most exciting things about this project. We got to something suitable for broad use in the federal government, and we got more than we expected.” Liegey expects that the e-RA technique will become a recommended best practice for federal agencies.
The e-RA tool and the e-Authentication Risk and Requirements Assessments Guide are available for download from the government's e-Authentication Web site.
Forrester says the team plans to study the technique to see if a similar risk-based approach can be used for requirements other than authentication. The team will be writing a technical report to describe how e-RA was developed. The e-RA team welcomes inquiries about e-RA, the technical report, or the potential for other risk-based approaches to requirements elicitation.