NIST Authentication Guidelines Recognize Managed Services Model
Business organizations should be aware of the revised guidelines that have emerged from the National Institutes of Standards and Technology regarding electronic authentication methods. Special publication 800-63-1 explains how both government agencies and private entities such as business can use web-based technologies for verifying the identity of the people who use their networks and systems. This publication is an update of the 2006 guidelines and reflects how the information technology world has evolved over the course of the past five years.
"Changes made to the document reflect changes in the state of the art," commented Tim Polk, who works as a Cryptographic Technology manager at NIST. "There are new techniques and tools available….and this provides them more flexibility in choosing the best authentication methods for their individual needs, without sacrificing security."
The new guidelines explicitly recognize the rise of managed services as an important part of any authentication system. Whereas a decade ago almost all authentication procedures would be performed in-house, now it is common to outsource these to specialist providers who can help organizations develop IT solutions that are managed remotely and are much more robust because they leverage the power of the cloud computing.
Federal agencies can use outside providers for authentication and identity verification as long as those providers’ systems have been certified by the Trust Framework Provider Adoption Process managed by the Federal Chief Information Council. Private businesses have no specific parallel requirement, but can contract with IT companies who can guide them through a selection process.