Identification Requirements

Definitions

An identification requirement is any access control requirement that specifies a required amount of the security quality subfactor identification.

Objectives

The typical objectives of a identification requirement are to:

• Ensure that all of the important externals are identified before they are allowed access.

Measurements

Identification requirements are typically specified in terms of the following measurements:

• Minimum percentage of valid users [by role] identified.
• Maximum percentage of invalid users [by role] identified (false positive).

Examples

General Examples

The following are typical examples of identification requirements:

• “The system shall allow [members of user class X | client application Y] to perform [list of actions Z] before being successfully identified.”
• “The system shall not allow [members of user class X | client application Y] to perform [any | list of actions Z] before being successfully identified.”
• “When under attack, the system shall [detect | prevent] the use of forged identification data.”
• “When the system detects the use of forged identification data, then the system shall [list of actions X].”
• “The system shall [detect | prevent] the reuse of identification data.”
• “The system shall not require [members of user class X | client application Y] to be reidentified multiple times during a single session (i.e., single signon).”
• “The system shall reidentify [members of user class X | client application Y] under [list of conditions].”
• “The system shall only provide the following feedback to [members of user class X | client application Y] during and as a result of identification.”
• “The data center shall identify all personnel before allowing them to enter.”
• “The name of the employee in the official human resource and payroll databases shall exactly match the name printed on the employee’s social security card.”
  Rationale: This is an official requirement of the United States Social Security Administration.

The following are typical examples of identification constraints:

• “The system shall support [list of identification mechanisms].”
• “The system shall identify [user class X] according to [list of identification processes].”

The preceding examples are written as absolutes and are therefore theoretically not feasible because no system is 100% effective against security attacks. To make the requirement more feasible and testable, a minimum success threshold can be added as follows:

• “A minimum of 99.9% of the time, the system shall allow [members of user class X | client application Y] to perform [list of actions Z] before being successfully identified.”

Specific Examples

The following are examples of identification requirements from the Global Personal Marketplace (GPM) system, a global Web-based marketplace bringing together private individuals and small companies to buy and sell all manner of items:

• Accountant— “A minimum of 99.999% of the time, the GPM shall identify the accountant before permitting him or her to perform the following accountant use cases:
  • Accountant Generates Financial Reports
  • Accountant Updates Fee Schedule
  • Accountant Updates User Restrictions.”
• Buyer— “A minimum of 99.99% of the time, the GPM shall identify the buyer before permitting him or her to perform the following buyer use cases:
  • Buyer Reviews Personal History
  • Buyer Registers Feedback About Seller
  • Buyer Registers for Notification of Future Sales
  • Buyer Places Bid On Item
  • Buyer Modifies Bid On Item
  • Buyer Buys Item At Direct Sale
  • Buyer Places Sealed Offer At Decreasing Price Sale
  • Buyer Modifies Sealed Offer”

Guidelines

The following guidelines have been found to be useful when producing identification requirements:

• The scope of an identification requirement can be:
  • A business enterprise
  • An application
  • A component
  • A center
• Many identification requirements can be identified and specified in term of the following parameters:
  
  

  Component of Requirement	Possibile Values
  External Identified	Various Types of Users Various Types of External Systems Various Senders of Messages
  State	Normal Processing Degraded Mode Under Attack
  Identification Type	Repeated Sign-on Single Sign-on
  Prior to Execution of	User Task Use Case Transaction Interaction
  Measurement	Percent of valid users identified Percent of invalid users not identified

  
  
• Identification requirements are typically insufficient by themselves, but they are necessary prerequisites for authentication requirements.
• Do not analyze and specify identification mechanisms with essential use cases. A very common requirements mistake is to specify the use of user identifiers and associated passwords using design-level logon use cases.
• Identification requirements must be consistent with privacy requirements, which may require the anonymity of users.
• A lack of agreement on organizationwide identification requirements is a common cause of public key infrastructure (PKI) failures.
• Identification requirements should not be specified in terms of the types of security architecture mechanisms that are typically used to implement them:
  • Who You Say You Are:
    • Name, user identifier, or national identifier (e.g., social security number).
  • What You Have:
    • Digital possessions such as a digital certificate or token.
    • Physical possessions such as an employee ID card, a hardware key, or a smart card enabled with a public key infrastructure (PKI).
  • Who You Are:
    • Physiological traits (e.g., finger print, hand print, face recognition, iris recognition, and retina scan).
    • Behavioral characteristics (e.g., voice pattern, signature style, and keystroke dynamics).