Identity management is a key initiative for 2004 and 2005, according to IT executives participating in Nemertes Research’s upcoming “Securing the Enterprise” research benchmark. Digital “identity” refers to the traits, attributes and preferences upon which one may receive personalized services. Identity traits could include government-issued IDs, corporate user accounts and biometric information. Two user “attributes” which may be associated with identity are presence and location.

Identity, presence and location are three characteristics that lie at the core of some of the most critical emerging technologies in the market today: real-time communications (including VoIP, instant messaging and mobile communications), collaboration and identity-based security.

“Presence” is a particularly hot issue, with upwards of 70% of participants in the upcoming benchmark saying they anticipate presence technologies to become pervasive in their organizations within the next 12 months. Presence - most often associated with real-time communications systems such as IM - describes the state of a user’s interaction with a system: which computer they are accessing, whether they are idle or working, and perhaps also which task they are currently performing (reading a document, composing e-mail etc.).

“Location” refers to the user’s physical location - typically, it includes latitude, longitude and (sometimes) altitude. Location is most often associated with GPS-enabled mobile devices.

Though presence and location are not often discussed in an information security context, they can contribute to the security of the enterprise in quite surprising ways.

Authentication and authorization mechanisms generally focus on determining the “who” aspect of identity. But knowing “where” (location) and “what” (presence) can assist in user authentication/authorization through:

* Consistency checking. If a user is attempting to access a company’s network from an IP address in China, while the user’s GPS device locates them in San Jose, the system can raise a red flag and refuse access.

* Selective access. If a user is connecting from a location that is not included in a pre-determined set of locations (home, office, branch) then the authorization system may request additional authentication mechanisms such as two-factor authentication.