Marco Casassa Mont - Web Page - HP Labs
Cloud & Security Lab
Bristol, UK
Device-based Identity Management in Enterprises
This project focuses on the management of device-based identities within enterprises. This is a key requirement in enterprises where the identities of platforms and devices have become as important as the identities of humans to grant access to enterprise resources.
In this context, access control systems need to understand which devices, with what properties, are being used to access resources, by whom and in which contexts. Trust in managed devices’ identities is an important first step to enable this. No effective commercial solution is currently available.
We have investigated requirements and related issues. We have introduced an initial approach to: model devices’ identities; enable their provisioning in heterogeneous enterprise systems; provide support for making and enforcing related access control decisions; leverage trusted computing capabilities of modern devices to deal with aspects of trust management.
We implemented a related solution where access control is based on policies that take into account: device identities in addition to traditional human-based identities; protected resources; additional constraints on contextual information. A working prototype (proof-of-concept) has been fully implemented by HP Labs by leveraging and extending HP OpenView Identity Management solutions and using trusted computing-enabled devices. This is work in progress.
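The sketch below shows the kind of policy decision described above, as an added example that is not code from the HP Labs prototype. All names (`Device`, `Policy`, `decide`), the sample users, devices and resources, and the rule that a device must be provisioned to the requesting user are assumptions made for illustration. The `attested` flag stands in for a verified trusted-computing attestation result.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Device:
    device_id: str
    assigned_to: str   # user the device identity was provisioned for (assumed binding)
    managed: bool      # enrolled in the enterprise device directory
    attested: bool     # stand-in for a verified trusted-computing attestation

@dataclass(frozen=True)
class Policy:
    resource: str
    roles: frozenset                    # human-identity constraint
    require_attested: bool              # device-identity constraint
    context_ok: Callable[[dict], bool]  # contextual constraint

# Constructed sample data (hypothetical users, devices and resources).
USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
DEVICES = {
    "laptop-01": Device("laptop-01", "alice", True, True),
    "laptop-02": Device("laptop-02", "alice", True, False),
    "tablet-07": Device("tablet-07", "bob", False, False),
}
POLICIES = {
    "payroll-db": Policy("payroll-db", frozenset({"finance"}), True,
                         lambda ctx: ctx.get("network") == "corporate"),
    "wiki": Policy("wiki", frozenset({"finance", "engineering"}), False,
                   lambda ctx: True),
}

def decide(user, device_id, resource, context):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    policy = POLICIES.get(resource)
    device = DEVICES.get(device_id)
    if policy is None:
        return False, "no policy for resource"
    if not (USER_ROLES.get(user, set()) & policy.roles):
        return False, "user role not permitted"
    if device is None or not device.managed:
        return False, "device identity unknown or unmanaged"
    if device.assigned_to != user:
        return False, "device not provisioned to this user"
    if policy.require_attested and not device.attested:
        return False, "device attestation required"
    if not policy.context_ok(context):
        return False, "context constraint not met"
    return True, "permit"
```

The same user is permitted or denied depending on which device is presented and in which context, which is the property a human-identity-only policy cannot express.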
Here are a few snapshots of our prototype, showing the provisioning of device-based identity in an enterprise and its usage for access control:
Further information and details about this project can be found in the following HPL Technical Report:
- Marco Casassa Mont, Boris Balacheff - On Device-based Identity Management in Enterprises - HPL-2007-53, 2007
My Contacts:
Marco Casassa Mont
HP Laboratories
Cloud & Security Lab
Long Down Avenue
Stoke Gifford
Bristol, BS34 8QZ, UK
TEL: +44-117-3128794
FAX: +44-117-3129250