leveraging identity management for privacy, security, and...
TRANSCRIPT
![Page 1: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/1.jpg)
1
Leveraging Identity Management for Privacy, Security, and Compliance
Linda Hilton, Chief Information Officer, Vermont State Colleges &
Christopher Misra, Information Security Officer, University of Massachusetts
![Page 2: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/2.jpg)
For ref. only – remove for printing • Access control is a critical component of a standards-based information
security program. It helps safeguard IT assets by controlling access to information, information processing facilities, and business processes according to business and security requirements. Access control also serves to protect our community members’ privacy by preventing unauthorized access to information held in application systems. Although institutions may have similar security goals, institutional type, size, and context will present unique implementation challenges. This seminar will explore how diverse institutions can bridge issues in technology, policy, and process related to security and identity management to achieve shared institutional goals and ensure compliance.
![Page 3: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/3.jpg)
3
What We Will Focus On
• An overview of identity management • How identity management can help improve
security, protect privacy, and ensure compliance
• IdM as a component of an information security program
• Bridging policy, process and technology
![Page 4: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/4.jpg)
Identity Management Overview
• Some definitions • Core components • IdM drivers • Why “do” IdM? • How is IdM used in Higher Ed?
![Page 5: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/5.jpg)
5
IdM: definitions
• What do we mean by Identity Management? – California State University definition - An identity
management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them, what resources the person is authorized to access, while protecting individual privacy and access to confidential information.
![Page 6: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/6.jpg)
6
Analyze this Definition • Infrastructure - software and hardware • Collection - not just technology • Technology and policy – policy plays a critical role and is
an essential element of the solution • Networked computer systems - implies distributed
technology systems communicating over a network • Access - Who am I • Authorized - What can I do • Protecting - limiting access and protecting information
![Page 7: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/7.jpg)
7
Idm: definitions The Burton group defines Identity Management as : “A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.”
– Integrates data sources and manages bio-demo information about people and devices
– Establishes electronic identity of users and devices – Issues and validates identity credentials – Uses organizational data and management tools to
assign affiliation attributes – …and gives permission to use services based on
those attributes
![Page 8: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/8.jpg)
8 4 4
Core IdM Components
• People and Relationships • identity and trust
• Account Creation, Management, and Deletion
• Technology, business process, resources
• Access management • Assignment of privilege, groups and roles, IdM and application-level
security
![Page 9: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/9.jpg)
9 5 5
Core components: People and Relationships
• Different types of affiliations – Formal vs. Casual
• Multiple affiliations and multiple roles • Affiliation life-cycles
![Page 10: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/10.jpg)
10 6 6
Core components: Creation & Management of Identities
• These are the IdM business processes • Vetting – collection and validation of identity information • Proofing – aligning collected data and matching to an
actual person with some degree of certainty • Issuance of credentials
– ID/password pair – ID card – 2nd factor token
• Managing – providing assurance that the credential and the entity stay linked
![Page 11: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/11.jpg)
11 7 7
Core components: Access Management
• Connecting people to data and services • Authentication decisions • Authorization decisions
– Affiliation type, status, level of assurance, roles and other attributes.
• Rule of least privilege
![Page 12: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/12.jpg)
Core components: Access Management
• Assignment of privilege • Groups and roles • IdM and application-level security
![Page 13: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/13.jpg)
13 8 8
IdM Business Needs
• Support increased collaboration and
innovation • Improve customer service • Increase efficiency • Improve security of digital assets and
mitigation of risk
![Page 14: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/14.jpg)
14 8 8
What are IdM drivers? • Traditional forms of authentication and authorization are
no longer sufficient for needs of modern internet-based applications
• Application security is becoming increasingly onerous – multiple applications, multiple enterprises, and multiple user
roles in multiple contexts • New regulations dictate more stringent identity
management processes – HIPAA (Health Information Privacy) – FERPA (Educational Records Privacy) – Sarbanes Oxley (Financial Disclosures) – Gramm-Leach-Bliley Act (Financial Information Privacy) – Red Flag rules (Identity Theft Prevention)
![Page 15: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/15.jpg)
15
Why Do Identity Management? • Centralize directory services
– One authoritative source for applications – One stop shopping for students and employees!
• Single sign-on – reduce control gates for access to data • Standardized posture makes adding new apps easier • Remote access • Inter-institutional access • Lifecycle issues: “from cradle to grave” • Enhance privacy of personal information • Improve security and safeguarding of information • Comply with federal and state laws and regulations
![Page 16: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/16.jpg)
16
How Identity Management Is Used in Higher Education
• Students – Learning resources (course management systems, library, etc.) – Online student systems
• Staff – Employee directory – Online human resources systems (timesheets, payroll, benefits, etc.)
• Faculty and Researchers – Online course materials and library resources – Federal research agencies, funding, and data resources
• Alumni and Donors – Email for life – Alumni directories and services
• All – Student/Employee directory – Emergency notification systems
• External Access – Contractors, guests, visiting faculty, donors, volunteers
![Page 17: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/17.jpg)
17
Emerging IdM Uses
• Building Access Controls • Federal Government Agencies
– NIH • National Student Loan Clearinghouse • Workflow
![Page 18: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/18.jpg)
18
Creating an IdM Infrastructure
• A strategic approach to IdM • Solve problems – pick low hanging fruit • Create awareness • Develop a roadmap • Address the gaps and challenges • Offer education
![Page 19: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/19.jpg)
Tailoring IdM to the environment
• Operational – governance, org structure • Cultural • Resource levels • Process maturity - “it’s an IT issue” • Scale differences • Budgets and resources
![Page 20: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/20.jpg)
Case studies
• Vermont State Colleges: Security and IdM • University of Massachusetts
![Page 21: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/21.jpg)
Case Studies
• Each campus has unique experiences with deploying Identity Management and middleware.
• We will review each of our school’s approach to providing these services.
![Page 22: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/22.jpg)
University of Massachusetts Amherst IdM
• Context – 45,000+ accounts – 25,000+ students
• Deployment – ERP based provisioning and account
management (Peoplesoft) – OpenLDAP – Kerberos authentication backend
![Page 23: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/23.jpg)
Case Study: UMass Background
• Active LDAP project initiated in 2003 • Existing account management system
circa 1993 • Started with account management system
rewrite – Deployed as a custom app within our
Peoplesoft environment – Campus ERP is System of Record
![Page 24: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/24.jpg)
Case Study: UMass Guiding Principles
• (T)hese processes of identification, registration, authentication, and authorization that are uniquely separate processes that should be tightly linked and controlled in order to have a trusted and robust identity and privilege management system. Understanding the underlying processes and the differences in the processes is critical to managing these types of integrated systems.
• From NMI authentication roadmap
![Page 25: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/25.jpg)
Case Study: UMass IdM and Security
• Segmented authentication and white pages functionality – FERPA drivers
• Tighter control over authenticating LDAP – Understanding and controlling where we
expose our credentials • Relying heavily on WebISO
– Where appropriate and feasible
![Page 26: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/26.jpg)
Case Study: UMass Protecting Privacy
• Everyone has their own application, – and thus have a need for access control
• Per-app IdM increases exposure of personal data – What one can do vs. is permitted to do
• Assigned privileges may be sensitive • Roles and groups that map to courses
require FERPA protections
![Page 27: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/27.jpg)
Case Study: UMass Compliance
• Having a consistent IdM tied to ERP permits identification of user activity – DMCA, PCI-DSS, etc
• Accurate de-provisioning is critical to internal audit – University Policy
• Application enrollment – Logical next step from asset inventory
![Page 28: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/28.jpg)
Break
![Page 29: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/29.jpg)
Security, privacy, compliance overview
• IdM and security • Managing and protecting privacy • Incident trends
![Page 30: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/30.jpg)
30
Identity Management and Security • Identity management system is a integral component of
the organization’s overall security strategy and architecture.
• In higher education, IdM has often been developed and managed more as a business enabler than as part of the security strategy.
• Looking at IdM success factors we see how much overlap there is with security.
![Page 31: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/31.jpg)
31
Managing and Protecting Privacy
• Security services traditionally focus on preventing badness – protective, defensive and reactive tools and
techniques. • IdM provides a set of infrastructure
services that enhance security – identification, authentication, and
authorization.
![Page 32: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/32.jpg)
Security Threat Environment
• The security environment is changing. The focus should be on the behavior that we don’t understand or manage well – Everyone wants their own application – Those who operate these applications
frequently do not have a strong security background
– Assignment of privilege is decentralized and often poorly managed
![Page 33: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/33.jpg)
33
What are the tangible risks • Data loss is a principle driver for many campus
Information Security organizations • Many of the incidents revolve around individuals having
access to data that had sensitive information (NPI) and not taking adequate security procedures.
• Data management – knowing who has access to sensitive data, and then taking appropriate measures, is a key aspect of protecting that data.
• Large incidents often revolve ancillary business systems that are run outside of central IT.
![Page 34: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/34.jpg)
Data privacy legal issues
• “Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. “ http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
![Page 35: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/35.jpg)
35
Broader Privacy Issues • Increasingly through either state laws or as a result of
the European Union privacy efforts we are going to have to manage varying rules for what is private information and how to manage that information based on the relevant jurisdiction of the individual.
• Additionally, as the EU rules take hold we will need to recognize what outside groups we can share information with and what attributes can be released on individuals to different entities.
![Page 36: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/36.jpg)
IdM: bringing the pieces together
![Page 37: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/37.jpg)
37
What Does IdM Involve? Technology • Standards • Practices • Products • Authentication and Authorization
Mechanisms • Enterprise Directories
Resources • Business processes • Applications • Budget • Project Management • Staff / Skill Expertise
Policy and Governance • Institutional Goals • Drivers • Constituent Requirements • Policies • Regulations & Laws
….And • New TRUST relationships • Federations
![Page 38: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/38.jpg)
38
Identity Management Drivers
Project Management
Technology
Policy & Governance & Business Process
Institutional Goals Constituent
Requirements
Standards
Practices
Products
Budget
Staff Skills/Expertise
Identity Management
Resources
Legal & regulatory
![Page 39: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/39.jpg)
39 Identity and Access Management (IAM) Model
![Page 40: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/40.jpg)
40
Technology
![Page 41: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/41.jpg)
41
Technology: an architecture for Identity Management
• Identity management systems aggregate information across disparate systems. Requirements include: – High performance – these systems drive all web-
facing customer applications and customers (or employees) won’t wait.
– High reliability – these systems often provide all authentication and authorization services. When down, nothing can occur.
– High security – these systems may maintain a large number of person attributes, sometimes including personally protected information.
![Page 42: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/42.jpg)
42
Technology: Enterprise Directory
• The core of an identity management system. • Metadirectory is usually the IdM database schema that is updated by the core data sources. • Physical directories, called LDAP, provide an interface to services. • For auditors, understanding how to validate that the business rules are implemented and followed is essential.
![Page 43: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/43.jpg)
43
Technology & Business Process: Identifying Authoritative Data Sources • Authoritative data feeds for the Identity Management system may come in real time or batch from your CRM and/or ERP systems. • Often you have special population groups kept in systems outside of the ERP or CRM. • Some systems may provide periodic, or asynchronous updates or be polled for new information. • For auditors, understanding what data sources are used and the lag time to updating the IDMS system is essential to enforcing policy.
![Page 44: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/44.jpg)
44
Technology & Business Process: Applications and Services
• Applications and services are the consumers of an IDMS. Examples include:
– Authentication - Who am I? – Authorization services – What can I do? – Portals are often a common application
• Services may reside locally or be provided by off-campus providers through Software-as-a-Service (SaaS) or Service Oriented Architecture (SOA) methods. • Audit issue is how you validate partners are meeting service requirements and managing data appropriately?
![Page 45: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/45.jpg)
45
Resources: Business Process • Leveraging IdM for managing roles and security • Universities are complex – we have systems for student
housing, finance, human resources, grants management, student records, admissions, alumni, and library – often to name just a few of the major systems.
• It is very rare to have a single vendor provide solutions to all of these areas and so we have many different vendors. In many cases we have a different vendor for each major system.
• In addition, application security is getting much more complex making it staff intensive and difficult to audit for compliance.
![Page 46: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/46.jpg)
46
Resources: Business Process
• Multiple roles at the same institution can add to the complexity
• Multiple institutions sharing identities can be even more complex
• We need workflows for role changes that are accurate and timely (can be critical to application security)
![Page 47: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/47.jpg)
47
U.S. Federal Government eAuthentication Initiative
http://www.cio.gov/eauthentication/
![Page 48: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/48.jpg)
Federations
• Federations – “A federation is an association of
organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions”
http://www.incommonfederation.org/docs/guides/faq.cfm
![Page 49: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/49.jpg)
Federations
• Fundamentally a policy construct ‒ Combined with a technical toolset
• Often implemented with the Shibboleth toolset in R&E networks
• Provides access to local campus resources to users from remote institutions
![Page 50: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/50.jpg)
50
Benefits of Federations • Organizations without a federation needing to share
information must enter into bilateral agreements. These agreements are difficult to achieve and greatly complicate the work of insuring compliance if each has slightly different terms.
• Individuals without a federation must establish a relationship with each organization, often providing duplicate information to multiple organizations.
![Page 51: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/51.jpg)
51
Federations and Identity Management
• Federations – definition – Dictionary.com - a federated body formed by a
number of nations, states, societies, unions, etc., each retaining control of its own internal affairs.
– Incommon.org -A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions.
![Page 52: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/52.jpg)
52
State Agency A
State Agency B
Benefits
e-Learning
e-Learning
Library
Online Application
= Credentialing / Authentication = Authorization = User Credential
Traditional Identity Management
![Page 53: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/53.jpg)
53
Federation
State Agency A
State Agency B
Benefits
SIRS
e-Learning
Library
Texas Online
= Credentialing / Authentication = Authorization = User Credential
Federated Identity Concept
![Page 54: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/54.jpg)
54
• InCommon Federation – Higher Education & Research Emphasis – http://www.incommonfederation.org/
• UT System Identity Management Federation – Business Emphasis
• State of California Federated IdM Vision (http://www.cio.ca.gov/stateIT/pdf/California_SOA_and_IDM_Vision_122007.pdf)
• State of New York IdM Model (https://www.oft.state.ny.us/Policy/G07-001/) Trust Model (http://www.oft.state.ny.us/OFT/PrinciplesoftheNYSEnterpriseIdMArchitecture.pdf)
• State of Nebraska Federated Services (http://www.nitc.state.ne.us/events/conferences/egov/2004/files/345_UserAuthentication_Hartman-FedID.ppt)
Federations
![Page 55: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/55.jpg)
55
InCommon Federation – An Example
• Presently about 123 members, approximately 81 higher education institutions, 5 government agencies or non-profit laboratories, and 33 corporations (public and non-profit) representing 1.7 million individuals.
• Entities agree to a common participation agreement that allows each to inter-operate with the others.
• InCommon sets basic practices for identity providers and service providers. The primary focus has been technical and focuses on campus identity management procedures and attributes.
![Page 56: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/56.jpg)
56
What Does Security Involve? Technology • Standards • Practices • Products
Resources • Business processes • Applications • Budget • Project Management • Staff / Skill Expertise
Policy and Governance • Institutional Goals • Constituent Requirements • Policies • Regulations & Laws
….But Most Importantly
![Page 57: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/57.jpg)
57
Security standards • The evolution of security processes and procedures
from ISO 27002 provides a strong foundation for risk management and developing strong internal controls as these pertain to security.
• While much of the ISO 27002 program is helpful to building a strong identity management function it was not necessarily written for this function. – As the IDMS becomes a key business driver we should see the
framework evolve.
• Working with audit may help us bridge some of these gaps while the policy approaches are resolved.
![Page 58: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/58.jpg)
Security Standards • Governance and Organization of Information Security • Risk Assessment and Management • Policy • Asset Tracking and Management • Human Resources Security • Physical Security • Communications and Operations Management • Access Control • IT Systems Acquisition, Development, Maintenance • Incident Response and Management • Business Continuity/Disaster Recovery • Compliance
![Page 59: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/59.jpg)
Security Standards: IdM
• Access Controls is a component of most security programs
• From ISO27002, the need for access control is roughly defined as: ”Logical access to IT systems, networks and
data must be suitably controlled to prevent unauthorized use.”
• This aligns well with our definition of IdM
![Page 60: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/60.jpg)
60
ISO 27002: Access Control • Business requirement for access control
– Access Control Policy • User access management
– User registration – Privilege management – User password management – Review of user access rights
• User responsibilities – Password use – Unattended user equipment – Clear desk and clear screen policy
![Page 61: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/61.jpg)
61
ISO 27002: Access Control (cont’d)
• Network access control – Policy on use of networked services – User authentication for external connections – Equipment identification in networks – Remote diagnostic and configuration port
protection – Segregation in networks – Network connection control – Network routing control
![Page 62: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/62.jpg)
62
ISO 27002: Access Control (cont’d)
• Operating system access control – Secure log-on procedures – User identification and authentication – Password management system – Use of system utilities – Session time-out – Limitation of connection time
• Application and information access control – Information access restriction – Sensitive system isolation
![Page 63: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/63.jpg)
63
Level of Assurance in IDMS • IDMS systems have often been business enablers for
connecting customers or external business partners. • Questions?
– Do all account holders have access to all services and generate the same level of risk?
– Do you have the same level of confidence that the identity associated with an account is who they purport to be for all your account holders?
• If you answered no, you might look at integrating level of assurance into your IDMS.
![Page 64: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/64.jpg)
64
Overview of Level of Assurance in IDMS
• Two distinct uses 1. For a service provider, the level of risk to the
application or organization if an incorrectly identified user is allowed to access the application or perform a transaction. This can happen if someone compromises an account password.
2. For an identity provider, the risk that the person is not who they claim to be – in this case the person has legitimate credentials that they acquired frauduantly
• Organizations often perform both functions and must look at both risks.
![Page 65: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/65.jpg)
65
• A combination of assurance that the person presenting their credentials is who they say they are AND they are the person presenting the credentials.
– The degree of confidence in the vetting process; and – The degree of confidence that the person presenting the
credential is the person you issued the credential too
• Level 1 – little or no assurance • Level 2 – some confidence • Level 3 – high confidence • Level 4 – very high confidence
Assurance as an Identity Provider
![Page 66: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/66.jpg)
66
Assurance as an Identity Provider • eAuthentication guidelines require that everyone is
identity proofed. • We define another group – level 0. Level 0 has no
assurance the person is who they say they are. These are guests that assert their identity and want a portal account. We have no way of verifying they are who they say they are
• Audit plays an important role in assessing and validating the procedures for initial identity proofing. We do this when issuing our ID card.
![Page 67: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/67.jpg)
67
Assurance of Credentials • The second component of assurance is the assurance of
the credential as presented by the person it was issued too.
• Traditional authentication focuses on password management. Level 2 is the highest assurance a text-based password can achieve.
• For level 3 or 4 assurance eAuthentication requires two-factor authentication. The second factor must be some token that is issued to the user. The US government is moving to smart ID-cards under the auspices of HSPD-12.
![Page 68: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/68.jpg)
68
Credential Assurance NIST 800-63 guide provides excellent framework for managing credentials. The entropy spreadsheet is a great tool for reviewing password practices and looking at how subtle variations in policy practices change the strength of the credentials. This is a great tool for auditors!
![Page 69: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/69.jpg)
69
An Example – Password Resets • Forgotten passwords are often among the most common
call to the helpdesk. • Creating a self-service method to reset your password
often is essential for improving customer service and reducing helpdesk costs.
• However, this creates an opening for attacks to compromise accounts. We are integrating level of assurance into our process.
– The 10% of total account holders that have LOA of 2 have a different process than the 90% with LOA of 1.
![Page 70: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/70.jpg)
70
Assurance for Service Providers • Service providers follow traditional risk management
approaches such as NIST 800-30 to assess the risk associated with an authentication error:
• The potential harm or impact, and • The likelihood of such harm or impact.
– Potential categories of harm include: reputation, financial loss, organization harm, release of sensitive information, risk to personal safety, and criminal or civil violations.
– Ratings use values of low, moderate, or high.
![Page 71: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/71.jpg)
71
Setting Level of Service Assurance
![Page 72: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/72.jpg)
Idm Solutions
• No slides on Shib? Ask Ann
![Page 73: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/73.jpg)
73
Current Status of Signet • MACE/I2 has suspended work on Signet and are now working with
the community to refocus the requirements for privilege management and will move forward accordingly. This may mean evolving Signet or adding functionality to Grouper Groups Management Toolkit or other options. Stay tuned.
• Some of the outcomes of this effort may take the form of practice recommendations. For instance, one of early requests was for approaches and tools for growing a campus authz infrastructure ---from groups to privilege management---and starting with a lower risk approach. The CAMP in June 2009 will be addressing this very issue.
• MACE/I2 is also in discussions with Kuali about working together on IdM.
![Page 74: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/74.jpg)
74
More Information
Linda Hilton, Chief Information Officer, Vermont State Colleges
Phone – 802.626.6394 Email – [email protected]
Chris Misra, Information Security Officer, University of Massachusetts, Amherst
Phone – Email –
![Page 75: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/75.jpg)
75
Questions?
![Page 76: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/76.jpg)
What did you think?
• Your input is important to us!
• Click on “Evaluate This Session” on the Mid-Atlantic Regional program page.
![Page 77: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/77.jpg)
Slide parking lot
• Other slides below that may or may not fit
![Page 78: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/78.jpg)
78
Kim Cameron’s Laws of Identity Whitepaper
Seven Laws of Identity 1. User control and consent 2. Minimal disclosure for a constrained use 3. Limit relationships to justifiable parties 4. Control over who can see my identifier, directed identity 5. Pluralism of operators and technologies 6. Human integration 7. Consistent experience across contexts
![Page 79: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/79.jpg)
79
Dick Hardt’s Identity 2.0 Presentation at OSCON
• One of the best presentations on identity management is by Dick Hardt at OSCON 2005.
• This is a good overview of looking at how identity management may evolve. In 15 minutes he gives a great presentation.
• http://www.identity20.com/media/OSCON2005/
![Page 80: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/80.jpg)
80
IDMS – Managing Roles and Application Security
• Internet2 has launched a project called Signet to allow security roles to be managed centrally and have these update the application security.
• The process is define a security model, assign roles and responsibilities in the IDMS for functions (e.g. approve payroll) and then have a specially developed connector update the security in the application based on changes in the IDMS.
• The benefit is that as an employees status changes you can make the change in one place and propagate to all systems.
![Page 81: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/81.jpg)
81
Key Elements of SIGNET • Provide a single point for managing authorization without
consolidating control. Business owners have a web interface for managing who has access.
• Allows centralized IDMS services to be leveraged for business applications and security, such as when a person leaves the organization or changes roles.
• Helps enable business groups and users through a consistent approach to security
![Page 82: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/82.jpg)
82
Web Services – Service Oriented Architecture
• Service oriented architecture (SOA) leverages the web to provide services. The goal of SOA is that as the web becomes the application delivery platform there will be components done elsewhere that you want to integrate into your application.
• There are a set of standards (multiple) that define how web services will interoperate and manage authorization and access to these web services.
• Ultimately, for the promise of web services to be realized there will need to be solutions that reside outside of the application as part of an overarching IDMS system.
![Page 83: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/83.jpg)
83
![Page 84: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/84.jpg)
84
Longer Term Approaches • The WWW consortium (W3C) is working on standards
for autonomous policy engines that take policy heuristics in an XML format and exchange and manage them across independent groups.
• There seems to be momentum in moving to SOA and that will ultimately drive standards and direction as applications emerge that support business innovation.
• Companies may initially have two approaches, one for internal desktop applications and the other for extranet applications.
![Page 85: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/85.jpg)
Leveraging IdM: overview
• How can IdM practices and policies improve security?
• Intersections: policy frameworks • Intersections: technical frameworks • What is a standards-based information
security program?
![Page 86: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/86.jpg)
Resources
![Page 87: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/87.jpg)
More information: CAMP • CAMP: Practical Building Blocks for Access Management JUNE 15–17,
2009 Philadelphia • Institutions small and large interested in getting a handle on authorization • Case studies of business and academic challenges from around the
institution • Discussions how to incrementally build authz to reduce risk and ensure
success • Practical approaches for integrating standard authorization components • Strategies of how these approaches help with compliance, security, and
service provisioning and support business objectives • www.educause.edu/camp092 (website available early March)
![Page 88: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/88.jpg)
88 02/10/2008
www.incommonfederation.org
![Page 89: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management](https://reader033.vdocuments.net/reader033/viewer/2022042121/5e9b64fbcba4e5544e13520e/html5/thumbnails/89.jpg)
89
InCommon Collaborative Projects/Efforts
https://spaces.internet2.edu/display/InCCollaborate/Home
• InC Student • InC Library • InC SharePoint • TeraGrid • InCommon Inter-federation • InCommon - NIH • InCommon Research • InC Apple • Dreamspark