S 3.63 Training users on authentication with the help of directory services
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Supervisor
Authentication is an essential aspect of the secure operation of a directory service. Here, the client should authenticate itself to the directory service system, and the user should authenticate to the client. In some operational scenarios for directory services, the client should also authenticate itself to the user and the server to the client, so that a mutual trust relationship is established. Once authentication has succeeded, the user automatically obtains access to the objects and services he/she is authorised to use (this is referred to as background authentication). A single sign-on is carried out in this manner, for example.
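The authentication chain just described (user to client, client to directory, server identity checked by the client, and access rights following automatically from a successful bind) is modelled below as an added, self-contained example; it is not code from this safeguard or from any directory service product. All names (DirectoryServer, Client, the fingerprints, the account DN and the password) are constructed for the illustration, and certificate checks are reduced to comparing fingerprint strings.

```python
"""Toy model of directory-based authentication with background authorisation.

Constructed example: a directory server that (1) verifies the connecting
client's certificate fingerprint, (2) verifies the user's credentials and
(3) returns the objects the user may access, so that no separate
"authorisation step" is needed afterwards (background authentication).
The client in turn verifies the server's fingerprint before it sends any
credentials, which gives the mutual trust relationship described above.
"""
from dataclasses import dataclass
import hashlib
import hmac

_ITERATIONS = 50_000  # assumption: PBKDF2 cost chosen for the demo only


def _derive(secret: str, salt: bytes) -> bytes:
    """Derive a password verifier; the directory never stores the plain password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITERATIONS)


@dataclass
class DirectoryServer:
    cert_fingerprint: str                 # identity the client checks
    trusted_client_fingerprints: set      # clients the server accepts
    accounts: dict                        # dn -> (salt, verifier)
    acls: dict                            # dn -> set of objects/services

    def bind(self, client_fp: str, dn: str, password: str):
        """Authenticate client and user; return the granted objects or None."""
        # Server authenticates the client first (constructed fingerprint check).
        if client_fp not in self.trusted_client_fingerprints:
            return None
        record = self.accounts.get(dn)
        if record is None:
            return None
        salt, verifier = record
        # Constant-time comparison so a wrong password leaks no timing signal.
        if not hmac.compare_digest(_derive(password, salt), verifier):
            return None
        # Background authentication: rights follow directly from the bind.
        return frozenset(self.acls.get(dn, ()))


@dataclass
class Client:
    fingerprint: str
    expected_server_fp: str

    def login(self, server: DirectoryServer, dn: str, password: str):
        """Verify the server before forwarding the user's credentials to it."""
        if not hmac.compare_digest(server.cert_fingerprint, self.expected_server_fp):
            return None  # server not trusted: credentials are never sent
        return server.bind(self.fingerprint, dn, password)


ALICE = "uid=alice,ou=people,dc=example,dc=org"  # constructed DN


def make_demo():
    """Build a constructed directory with one account and one trusted client."""
    salt = b"constructed-fixed-salt"  # fixed only to keep the demo deterministic
    server = DirectoryServer(
        cert_fingerprint="SERVER-FP-01",
        trusted_client_fingerprints={"CLIENT-FP-01"},
        accounts={ALICE: (salt, _derive("correct horse", salt))},
        acls={ALICE: {"mail", "calendar"}},
    )
    client = Client(fingerprint="CLIENT-FP-01", expected_server_fp="SERVER-FP-01")
    return server, client


def run_scenarios():
    """Exercise the success path and each way the trust chain can break."""
    server, client = make_demo()
    rogue_server = DirectoryServer("SERVER-FP-XX", {"CLIENT-FP-01"}, {}, {})
    untrusted_client = Client("CLIENT-FP-99", "SERVER-FP-01")
    return {
        "ok": client.login(server, ALICE, "correct horse"),
        "bad_password": client.login(server, ALICE, "wrong"),
        "unknown_user": client.login(server, "uid=bob,ou=people,dc=example,dc=org", "x"),
        "rogue_server": client.login(rogue_server, ALICE, "correct horse"),
        "untrusted_client": untrusted_client.login(server, ALICE, "correct horse"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} -> {result}")
```

The point of the model is that every failure in the chain (wrong password, unknown user, a server the client does not recognise, a client the server does not trust) ends in the same outcome, no access at all, while a successful bind already carries the user's authorised objects with it; that is what makes the single sign-on possible without a further login step.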
Since a single sign-on (SSO) procedure based on a directory service is primarily implemented in connection with tokens, smart cards, magnetic strip cards, or systems for fingerprint, iris, or facial recognition, the training programme for this area must cover these means of authentication as well.
The following points summarise the content of the training programme for the users. Each of them should be addressed in relation to secure authentication with the help of directory services:
- Introduction to the subject of "identification and authentication" as it relates to security, including an explanation of the authentication factors knowledge, possession, and personal characteristic
- Raising the awareness of the users in terms of handling authentication features such as passwords and PINs
- The correct use of other options available for performing authentication such as the use of tokens, smart cards, or magnetic strip cards, or biometric methods of authentication such as fingerprint recognition, iris recognition, facial recognition, etc.
- Handling of reading and recognition devices, e.g. detecting security-relevant changes to smart card readers
- General aspects of and information on authorisation management
- Overview of possible end user privileges
- General legal aspects of data protection when using directory services (e.g. presenting the problems related to data protection, publication of real names, legal aspects of directory services, and employee data in directory services)
- Requirements placed on the application environment of the directory service product used, for example the requirements on the user workstations
- Overview of the security functions of the directory service product used
- Overview of the responsibilities the users must assume to ensure the secure operation of a directory service product
- Overview of potential error messages that could be important for the end users
The contact person for all questions related to directory services in the organisation should also be introduced to the users during training. The users should also be informed that they are allowed to view and correct their entries in the directory service.
Review questions:
- Did the users receive training on directory services?