Enterprise I&AM

By selectively opening up online access to internal resources to authorized users, enterprises can cut costs and improve productivity. Today, enterprises in all major market sectors rely on identity and access management (I&AM) solutions for their core business functioning. Conventional I&AM solutions enable enterprises to extend their corporate network to enterprise representatives and to enterprise-provisioned external parties (such as contractors, business partners, suppliers, and auditors). In addition, federated I&AM solutions enable enterprises to extend online access to users whose identities are managed and authenticated by other organizational domains.

As an enterprise lets in more and more authorized users from increasingly diverse user populations, its security needs go up dramatically. Currently available enterprise I&AM solutions (both centralized and federated) provide no answer to many of the new challenges.

The U-Prove™ technology has been designed to address the following emerging enterprise I&AM requirements:

  • Non-intrusive federation: By relying on the identity services of an external identity provider, the enterprise (1) is subjected to impersonation attacks originating from insiders of the identity provider (including hackers and viruses), (2) loses its autonomy over access control decisions to the identity provider, which can falsely cause denial-of-access or may be unavailable, and (3) enables the identity provider to monitor, in real time, which users request access at what time. The U-Prove technology enables the elimination of these unwanted powers of identity providers in federated settings.
  • Secure electronic access tokens: With the opening up of resources to increasing numbers of authorized users, the need to protect access tokens against misuse by their own users goes up dramatically. The U-Prove technology enables the protection of electronic access tokens against cloning, lending, pooling, discarding, and other unauthorized uses, with unprecedented security. In particular, any number of secure electronic access tokens can be bound at issuing time to a previously issued low-cost tamper-resistant user device (such as a Trusted Computing chip or a smart card).
  • Fine-grained access control: Coarse-grained access control mechanisms allow authorized resource users to do more with resources than they strictly need to. The U-Prove technology enables enterprises to electronically provide authorized users with privileges and entitlements in protected form, allowing for fine-grained access control decisions; users can store these in long-lived form and selectively disclose only the minimal information needed to gain access.
  • Offline access: For mobile resources, geographically distributed resources, and peer-to-peer file applications (such as instant messaging and file sharing) it may be costly or burdensome to involve a central identity server for every authorization decision. Our technology enables enterprises to securely give access on the basis of identity and attribute information that authorized resource users themselves pull out of directory servers on an as-needed basis.
  • User-authenticated audit trails: An increasing number of auditing regulations address growing security and privacy concerns, in response to accounting scandals, identity theft, the growing number of online services, and extra-territorial outsourcing. The U-Prove technology enables enterprise administrators and auditors to collect user-authenticated transcripts that prove every access request. Transcripts can prove not merely which resources have been accessed but also what actions have been performed following access. At the same time, enterprises can hide competitive intelligence (such as the identities of their resource users) from third-party auditors, by censoring the transcripts prior to forwarding them.

 

Copyright © 2004–2008 Credentica Inc. All rights reserved.