Identity Centric Architecture Aligning SOA with NGN

1Sun Microsystems, Inc.

Proprietary & ConfidentialInternal Use ONLY

Sun Microsystems, Inc. Proprietary & Confidential

Identity Centric ArchitectureAligning SOA with NGN

Rakesh RadhakrishnanAugust 29, 2007Liberty Alliance Webcast Series

http://identity-centric-architecture.blogspot.com/

Agenda Topics• Identity enabled Sensor Networks• Identity enabled Programmable Networks• Identity enabled WiMAX & Wifi Networks• Identity enabled IMS Network and Network Services• Identity enabled Enterprise Networks (NAC)• Identity enabled IN Services• Identity enabled OAM&P Services (IPSF/ITSM) • Identity enabled Web Services• Identity enabled ESB Services• Identity enabled DRM Services• Identity enabled ILM• Identity enabled User Centric Services

9 Pain Points (Mobility with Security)

- 9 Pain Points to addresses Mobility for SOA – Seamless Integration of different Access Networks– Secure and Controlled integration of external SP– Integrated registration and customer service support– Common view of the static and dynamic data of the

customer– Access control and content filtering– Flexible and convergent charging– Integrated environment for VAS development and

management– Integrated environment for multi-device support– Management of internal and external content and DRM

policy support

9 Step Process (Mobility with Security)

- Step 1: Reputation - Step 2: Rigid Authentication- Step 3: Random numbers/token generation - Step 4: Roles - Roles based Access Control (RBAC) - Step 5: Rules- Step 6: Resources- Step 7: Relationship - Step 8: Regulation- Step 9: Real-time Observe-ability

Identity System

• Relationship. Regulation and RT

Trust Relationships, Auditing and

RT visual

Trust Relationships, Auditing and

RT visual

AuthNConfident-

ialityIntegrity

AuthNConfident-

ialityIntegrity

• Reputation & Rigid AuthN

Distributed Session, AuthN

Session, restrictions

Distributed Session, AuthN

Session, restrictions

• Random No=Token

Includes fine grain

rights mgmt, aligned AuthZ

Includes fine grain

rights mgmt, aligned AuthZ

• Roles, Rules and Resources

Vertical Integration

Access & Sensor Network IDS

Core & Federated Network IDS

Content & Service Centric IDS

User & Device Centric IDSUser ID & ProfileDevice ID & ProfileUser & Device specific Policies

AM Agents for Wifi, WiMAX, BPL, Cable head end, xDSL, RFID/EPC & more

FM integration with OAM, NG IN, HSS, HLR, NAC, FW & more

Integration with ServiceRegistry Repository, ESB,DRM, Service specific Policies, & more.

Identity enabled Sensor Networks

• Connecting Business at the edge• Solution for Warehouse Management• Solution for Physical Asset Tracking• Solution for Drug authentication• Solution for Transportation and Distribution• Solution for Retail Sales• Logical and Physical Authentication• Logical and Physical Authorization & Access Control• Sizzle and ECC enabled Containers• Correlating RFID with product profiles• Product Authentication

Identity enabled Programmable Networks

• Programmable Active Grid Networks• Virtualized Systems & Resources• Provision-able Services & Software• Provisionally Compute, bandwidth and storage

resource• System Service Container• Utility Model• Trusted Network Computing (TCG standard)• Encryption to devices (compute and storage)

Identity enabled Wireless Networks (Wifi/Wimax/4G)

Identity enabled Wireless Networks (Wifi/Wimax)

• Integrated Wifi Access Controllers• Integrated with WiMAX base stations• Access Manager's support for RADIUS• AAA Services (replaced with ID/NAC)• One IDP for 20 WiMAX base stations that is part of a Mesh

(or a Wifi Mesh)• Applicable to BPL as well (broadband over power line• Connectivity after Authentication (Boingo)

Identity enabled IMS Networks/Network Services

• Loose Integration with HSS• HSS could potentially extent to WiMax/4G• Broad NEP Support• Federation and SSO• Integrated Provisioning, SEM and Auditing• ID enabled IMS Services (location, presence, etc.)• Integrated with Telecom SOA & Web Services

Identity enabled Enterprise Networks (NAC)

• Industry Support (CTO) Sean Convery, Identity Engines, Paul Sangster, Symantec, Sanjay Uppal, Caymas Systems, Robin Matherus, Oracle & Jeff Prince, ConSentry Networks

• Weave together the application and network layers of corporate networks

• Trusted Network Technologies• Machine AC and User AC• NAP and NAC (access protection and admission control)• Pre-admission to the network (patch levels, anti-virus and spyware

detection)• Replaces RADIUS and AAA

Identity enabled NG IN Services

• SLEE Container Integration• SBB lookups• JEE Container Integration• Common Security Framework• NG IN Services are device and network agnostic• Device Identities as well (TS 69)• Integrated IN Services (3G, wireline, IP, etc.)• Location, Presence, etc., are NG IN Services

Identity enabled OAM&P Services

• OSS/J Services run on JEE Containers• Additional Modules -PAM• Federation• Session Centric Policies• Manage the Control Plane and the Service Plane• Adopted by NEP's • Integrates with RADIUS, Tacacs, AAA, etc.• Usefull for Outsourcing Models (OAM outsourcing)

Identity enabled ESB Services

• Linking Service Registries• Federation for Choreography• QOS Policies• Authentication Levels• Secure Service Broker-ing• JSR 196 Support• Aligning Identity life-cycle with Service lifecycle• Service Orchestration Aligning with Policy

Execution

Identity enabled DRM Services

• Inter-operable user centric DRM leverages an IDP• Federation for DRM• Content to Service agnostic• Device and Access Network agnostic• Important for IPTV and VOD services• Disintermediation• Adoption by AT&T (SBC) in the US• Proposed at ATIS• Potential for leveraging XACML 3.x

Identity enabled ILM Services

• Harnessing Data Sprawl• Common Anchor of Intelligence (Identity)• Tighter Control makes information accessible• Identity Aware Data• Foundation for ID enabled SOA• Meta Layer – OMG's MDA

Identity enabled UC ID Services

• In the Identity 2.0 space• SXIP, DIX, LID, OpenID, OpenSSO, I-names and more • user centric, • XRI/XDI or URI based, • Distributed identity system for the developer community. • Industry specific identity initiatives as well - such as E-NUM for

Telco, E-HR for Healthcare, and more that uses unique identifiers and industry specific profile (identity schema)

• Identity discovery services such as YADIS • Ruby in Rails on Web Containers for OpenID• OpenID as a SAML assertion

Vertical Integration of ID Services and Systems

Vertical Integration• Device Centric IDS• User Centric IDS• Access Network Centric IDS• Control Network Centric IDS• Enterprise Network Centric IDS (NAC, etc,)• Service Centric IDS• Information/Data Centric IDS• Content Centric IDS (DRM)• And more.

Vertical Integration• Profile Services

• About users (profile and reputation)• About Services (profile and behaviours)• About Devices (profile and context)• About content (profile and drm)• About data (meta-data and ilm)

•This intelligence actually need not be SILO'd, it can be integrated through;

-consolidation (virtual mapping), -federation (linking),-correlation (linking based on policies),-aggregation (using it as a core reusable SBB/IDSP within an EA), and,-trailing (indexing), xri, etc.

Vertical Integration via Standards• TS69• XRI/XDI• GUP/ENUM• iName/iNumber• SAML, XACML• Federation (liberty)• Trusted Network Computing• OSE• DevID• PubID/ConID• RFID/EP• IPSF and ITSM (for QOS and SLA)• ITU-FG and Liberty Concordia

Vertical Integration via Meta Layer• Morpghing into a Multi-M (media/modal/protocol) Meta System

- Actividentity for integrating logical and physical asset security with the Identity System.- Approva for integrating, streamlining and automating compliant provisioning processes with the Identity System.- Bridgestream for integrating roles management solution with the Identity System.- Bonsai Networks for integrating Wifi (& Wimax) Service Managers with the Identity System.- Consul for integrating privileged user monitoring and auditing with the Identity System.- Leapstone for integrating Service Brokering and Subscriber information with the Identity System.- Locationnet platform for GIS engine and location application engine integration with the Identity System.- Lucents VOIP platform integration with Identity (& Directory) System.- Mobicents SLEE and other SLEE platforms integration for policies, profiles, etc., with the Identity System.- Passlogix for integrating simplified enterprise & desktop SSO (non web applications) with the Identity System.- Pronto Networks for integrating wireless SDP (service delivery platform) with the Identity System.- Vaau for integrating role engineering, identity auditing and identity certification with the Identity System.- Verimatrix for integrating with OMC DRM via disintermediation (d15n- implied) with the Identity System.- Virsa for integrating continuous compliance and real time insights with the Identity System.- Nominum for Secure Sharing and Managing ENUM profile (iName and iNumber as well)- Layer 7 for integrating with XML firewall – security co-processing with ESB- IDE NetBeans for integrating with a development tool- Appium for Profile sharing

Vertical Integration

Access & Sensor Network IDS

Core & Federated Network IDS

Content & Service Centric IDS

User & Device Centric IDSUser ID & ProfileDevice ID & ProfileUser & Device specific Policies

AM Agents for Wifi, WiMAX, BPL, Cable head end, xDSL, RFID/EPC & more

FM integration with OAM, NG IN, HSS, HLR, NAC, FW & more

Integration with ServiceRegistry Repository, ESB,DRM, Service specific Policies, & more.

Vertical Integration Target State

Vertical Integration Target StateTo achieve this target state (as depicted in the picture above) an Identity System (with a the 5 integration models) has to be integrated:

● with the User (the "me") : User Centric Identity Systems (URI/XRI based, extensive profile, preferences and policies -defined by the user);● with the Access Devices (such as TS69/OMA): Device Centric Identity Systems (for device profile, machine authentication, virus checks, client side fire wall updates, sensory devices, etc.).,● with the Access Networks (for context, QOS capabilities of access networks, session traversals, mobility, etc.).,● with the Core Network (for controlled invocation, federation, secure choreography, OAM&P, NG IN, Single Sign-off, auditing, etc.).,● with the Service Networks (for NAC, RBAC, Service orchestration, ESB, programmable network elements, service profile, context, etc.).,● and the Content Networks (for disintermediation of DRM, entitlement, content protection, content profile, content context, etc.).

Project Liberty Slides – Business Problem -Structural Changes in the Industry

Project Liberty Slides – Business Problem -Trust, QOE and Secure

Project Liberty Slides – Business Problem -enabler the Business of Government and Enterprise

Project Liberty Slides – Business Problem -Who is Who? What is What? Who gets access to What?

Project Liberty Slides – Business Problem -Aligning with Inter-oprable Standards

Project Liberty Slides – Business Problem -Secure delivery of Content (IPTV, Games, etc.)

Identity Centric Architecture Aligning SOA with NGN

Documents

Transcript of Identity Centric Architecture Aligning SOA with NGN

Aligning IT with Business Goals Through SOA · 2 SOA on your terms and our expertise IBM SOA Architect Summit Agenda SOA in the context of Business Agility and Innovation SOA Enterprise

NGN e IMS II Funcoes Aplicacoes NGN e Arquitetura IMS

NGN Partners

NGN Overview

traduccion NGN

NGN Architecture and main Elements - BME-HITjakab/edu/litr/NGN/Architecture/S3-NGN... · NGN Architecture and main Elements Manila, (Philippines), June 2010 Oscar González Soto ...

2 The Need of SDO Collaboration as an Enabler of SOA in NGN Abbie Barbir, Ph.D. Senior Advisor Strategic Standards Group Ottawa November 29, 2006.

Keynote Presentation: Aligning IT with Business Goals Through SOA

NGN Information Gateway_Issue 1 (What is NGN CPI)

Towards a SOA/Web Services enabled NGN Open Service Environment

NGN Newsletter

NGN Architectures

SOA - Aligning Business and IT?

PTCL Training & Development1 NGN Architecture/Layer description and NGN Trends.

Towards a SOA/WS enabled NGN Open Service …events.oasis-open.org/home/sites/events.oasis-open.org.home/files/... · o IPTV services support capabilities o Enterprise Networks support

NGN Network

NGN- Interconnection

[PPT]NGN Management Specifications - Internet · Web viewAnnex 2 to NGN Management Specification Roadmap NGN Management Specifications Annex 2 to NGNMFG-OD-013-R2, NGN

NGN Internship

CJK 7 th Plenary: NGN-WG (IPv6 based NGN) IPv6 based NGN (NGNv6)