Evolution of Identity Management
May 15, 2008
For: CIPS Security Special Interest Group
Presented by: Mike Waddingham, PMP, President, Code Technology Corp.
Security Context
Identity Management is only one part of a broader information security environment which includes:
- Perimeter security (firewalls, routers, intrusion detection, etc.)
- Virus and malware protection
- Data encryption
- System management and availability
- Application and database security
- Physical information security
- Business processes and practices
Definitions
- Identity: a set of attributes or claims about an individual
- Identity Context: there are legal, professional and personal contexts; the personal context is the most complex, with name variations and changes and a need for pseudo-anonymous identities
- Identity Management: identification of users and their enrolment in a system that is used to manage their electronic identity information
- Access Management: determining the set of authorizations and privileges that a validated identity may possess; controlling entitlement by granting or denying access to resources
An Identity Management Model
[Diagram: an identity management model. Components are arranged under three headings (Reg, ID & Enroll; Auth'n & AZ; Admin & Tools) and include: Enrolment, Identification, Self Registration, Bulk Load, Authentication, Strong Authentication, Session Management, Single Sign On, Fine Grained Authorization, CG Authorization, Admin Profile Maintenance, User Self Serve, Training, Business User Store, Identity Store, User Stores, Business Applications, and Audit / Logging / Reporting. Underlying layer: Infrastructure, Support Services, 24/7 Support, Backup/Archive.]
Diagram courtesy of Alberta Advanced Education
IdM Models
There are three primary IdM models in use today:
- Centralized: e.g. Federal Gov't ePass, ASAS, most others
- Federated: e.g. General Motors and its suppliers
- User Centric: e.g. BC Gov't pilot projects (using Microsoft CardSpace)
Centralized IdM
Benefits:
- One identity solution for users to learn/use
- All apps use the same solution and interfaces
- Single or Reduced Sign-on can be achieved
- Common policies can be implemented once
- A single team can often manage a large system
- Generally well understood by users and IT
Centralized IdM
Shortcomings:
- Difficult to scale to large size: imagine GM and its dealers (not just its employees) on one centralized system
- Cannot support multiple organizations easily; therefore, it does not reflect the reality of modern distributed business environments
- Users must trust the central org to manage their information properly
- Changes can impact all applications
Federated IdM
Three types of Federated IdM systems:
- Ad Hoc: bilateral, org to org
- Hub-and-Spoke: islands of federation, dominated by one large organization
- Federated Identity Networks: based on a network of members owning an identity platform (e.g. VISA)
Federated IdM
"An identity network is the only effective means to do so while ensuring that operational, legal, and security obligations are met..."
From "Digital Identity", by Phil Windley
Federated Model
[Diagram: Identity Provider, Service Provider and User]
Identity Provider:
- A party that, by formal agreement, provides identity services to a defined group of users
- e.g. a University or College that allows students from a network of schools to have access
Service Provider:
- Any party in the Federated network that controls access to a service
- e.g. a registration site at a University or College
- Must have proof the user is who they claim to be before authorizing access
Federated Access - Sample Flow
[Diagram: User, University of Lethbridge (Identity Provider) and U of Alberta School of Business Registration, connected by arrows numbered 1 to 6]
1. User authenticates to their Identity Provider (University of Lethbridge)
2. Identity is verified (university student) and a session is established
3. Student attempts to access the registration site at the University of Alberta
4. University of Alberta requests confirmation of the student's identity from the University of Lethbridge
5. U of L confirms identity
6. U of A allows access to registration
Federated Identity Networks
Benefits:
- SSO across organizational boundaries
- Can support common policies and standards across orgs
- Strong technical standards exist: WS-*, SAML, SPML, Shibboleth, Liberty Alliance
- Agreements of members are well defined, support trust, and outline consequences of misbehaving
- Identity information is distributed
- Automatic "Federated provisioning" is an option
Federated Identity Networks
Shortcomings:
- Cost of development and operations needs to be shared by orgs (not individual users)
- Liability not well understood: what are the limits to liability for orgs that are responsible for a breach?
- Fed ID Networks not well understood by orgs that need them
- Negotiation, setup and enforcement of agreements
- Difficulty establishing a central, neutral Federation organization
User-Centric IdM
- Puts the user in control of their identity
- Segments the authentication and authorization processes into three parts:
  - Authoritative Party: vouches for an aspect of the user's identity when asked
  - Relying Party: provides resources (e.g. access to an application) when sufficient credentials are provided
  - Identity Agent: controlled by the user, acts for the user
User-Centric Access - Sample Flow
[Diagram: Student's Identity Agent, University of Alberta (Authoritative Party) and Student Transit Pass Web Site (Relying Party), connected by arrows numbered 1 to 6 and ending in the issued Student Transit Pass]
1. User requests a student transit pass on the RP site
2. Transit site asks the user for proof that they are a student
3. Student (via IA) asks University (AP) to confirm that they are enrolled in classes
4. University responds with confirmation (encrypted, tamper-proof message)
5. Student's IA forwards proof to Transit site
6. Transit site allows student pass to be ordered
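The two sample flows (federated access and user-centric access) rest on one mechanism: a party that vouches for the user signs a statement, and the party granting access checks that statement against a key it was given when the agreement was set up, without having to trust whoever carried the message. The Go program below is an added example, not code from the presentation or from any of the institutions named in it. The domain names, claim names and the JSON layout of the assertion are assumptions chosen for illustration, and it uses a signature alone (no encryption) to make the message tamper-proof. It runs the federated flow with the University of Lethbridge as Identity Provider and the U of A registration site as Service Provider, then the user-centric flow with the University of Alberta as Authoritative Party and the transit site as Relying Party, and shows the checks the verifying side has to make: trusted issuer, valid signature, intended audience, expiry and replay.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is what an IdP (federated) or AP (user-centric) signs about a user; a simplification of SAML.
type Assertion struct {
	Issuer   string            `json:"iss"`
	Subject  string            `json:"sub"`
	Audience string            `json:"aud"` // the one party allowed to accept it
	Claims   map[string]string `json:"claims"`
	Expires  int64             `json:"exp"`   // Unix seconds
	Nonce    string            `json:"nonce"` // makes each assertion single-use
}

// SignedAssertion is what crosses the wire: the JSON payload plus its signature.
type SignedAssertion struct{ Payload, Signature []byte }

// Issuer is an IdP or AP; only Pub is ever handed to other parties.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) *Issuer {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}
}

// Issue signs a short-lived assertion addressed to exactly one audience.
func (i *Issuer) Issue(subject, audience string, claims map[string]string, ttl time.Duration, now time.Time) SignedAssertion {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error
	payload, _ := json.Marshal(Assertion{Issuer: i.Name, Subject: subject, Audience: audience, // cannot fail for this struct
		Claims: claims, Expires: now.Add(ttl).Unix(), Nonce: fmt.Sprintf("%x", nonce)})
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}
}

// RelyingParty is the SP (federated) or RP (user-centric); the trust agreement delivered issuer keys beforehand.
type RelyingParty struct {
	Name    string
	trusted map[string]ed25519.PublicKey // issuer name -> public key
	seen    map[string]bool              // nonces already accepted (replay cache)
}

func NewRelyingParty(name string, trusted map[string]ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{Name: name, trusted: trusted, seen: map[string]bool{}}
}

// Verify checks issuer, signature, audience, expiry and replay, in that order, without contacting the issuer.
func (rp *RelyingParty) Verify(sa SignedAssertion, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return a, err
	}
	pub, ok := rp.trusted[a.Issuer]
	switch {
	case !ok:
		return a, errors.New("untrusted issuer " + a.Issuer)
	case !ed25519.Verify(pub, sa.Payload, sa.Signature):
		return a, errors.New("signature does not match payload")
	case a.Audience != rp.Name:
		return a, errors.New("assertion addressed to " + a.Audience + ", not " + rp.Name)
	case !now.Before(time.Unix(a.Expires, 0)):
		return a, errors.New("assertion expired")
	case rp.seen[a.Nonce]:
		return a, errors.New("assertion replayed")
	}
	rp.seen[a.Nonce] = true
	return a, nil
}

func main() {
	now := time.Now()
	// Federated flow: U of L is the IdP, the U of A registration site is the SP (names are assumed).
	uofl := NewIssuer("uleth.ca")
	registration := NewRelyingParty("registration.ualberta.ca", map[string]ed25519.PublicKey{uofl.Name: uofl.Pub})
	login := uofl.Issue("student-1234", registration.Name, map[string]string{"role": "student"}, 5*time.Minute, now)
	_, err := registration.Verify(login, now)
	fmt.Println("federated login at registration site:", err) // <nil>
	// User-centric flow: U of A is the AP, the transit site is the RP; the proof discloses only "enrolled".
	uofa := NewIssuer("ualberta.ca")
	transit := NewRelyingParty("transit-pass.example", map[string]ed25519.PublicKey{uofa.Name: uofa.Pub})
	proof := uofa.Issue("student-1234", transit.Name, map[string]string{"enrolled": "true"}, 5*time.Minute, now)
	_, err = transit.Verify(proof, now)
	fmt.Println("genuine proof at transit site:", err) // <nil>
	_, err = transit.Verify(login, now) // rejected: transit does not trust uleth.ca, and the audience is wrong
	fmt.Println("U of L login assertion presented to transit site:", err)
}
```

Run it with `go run`. The audience and nonce checks are what stop a proof issued for one relying party from being presented to another or presented twice; that matters most in the user-centric model, where the Identity Agent rather than the relying party carries the message, and an agent that edits the payload cannot produce a matching signature.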
User-Centric IdM
Benefits:
- Supports user privacy principles
- User is in control of their identity
- Scales to any size without burden on orgs
- Well suited to the public sector
- Being pushed by Microsoft and other vendors
- Supported by Pan-Canadian initiatives
User-Centric IdM
Shortcomings:
- New: not well understood by either users or IT
- New: not fully implemented, tested or proven
- Not supported on older operating systems (needs Vista, XP with additional software, or Mac Leopard)
- Not mobile: current implementations have the Identity Agent on the user's fixed PC
- User must have knowledge of Identity Agent tools and processes
User-Centric IdM
- Gaining momentum with OpenID plus Microsoft CardSpace and other vendors
- Pan-Canadian Task Force: http://www.cio.gov.bc.ca/idm/idmatf/default.htm
- Critical operating system 'tipping point' coming in the near future: currently approx. 20% of desktops can support information cards
- OpenID and information card convergence? Kim Cameron thinks so: http://www.identityblog.com/wp-content/images/2008/02/OpenID/Normal/OpenIDPhish.html
What is Next?
- Centralized systems continue to be designed and built; strong vendor products are available
- Federated systems are emerging where strong business needs exist AND appropriate agreements can be negotiated
- User-Centric is getting all the press, and some implementations are being carried out
- Which is best?