Evolution of Identity Management May 15, 2008 For: CIPS Security Special Interest Group Presented by: Mike Waddingham, PMP President, Code Technology Corp.

Security Context

Identity Management is only one part of a broader information security environment which includes:

- Perimeter security (firewalls, routers, intrusion detection, etc.)
- Virus and malware protection
- Data encryption
- System management and availability
- Application and database security
- Physical information security
- Business processes and practices

Definitions

- Identity – A set of attributes or claims about an individual
- Identity Context – there are legal, professional and personal contexts; the personal context is the most complex, with name variations and changes and a need for pseudo-anonymous identities
- Identity Management – Identification of users and their enrolment in a system that is used to manage their electronic identity information
- Access Management – Determining a set of authorizations and privileges that a validated identity may possess; controlling entitlement by granting or denying access to resources

An Identity Management Model

Diagram courtesy of Alberta Advanced Education. Only the diagram's labels survive in this transcript; its layout does not.

Group headings: Reg, ID & Enroll; Auth’n & AZ; Admin & Tools

Component labels: Business User Store; Identity Store; User Stores; Audit / Logging / Reporting; Session Management; Enrolment; Identification; Self Registration; Bulk Load; Authentication; Strong Authentication; Single Sign On; Fine Grained Authorization; CG Authorization; Admin Profile Maintenance; User Self Serve; Training; Business Applications; Infrastructure, Support Services, 24/7 Support, Backup/Archive

IdM Models

There are three primary IdM models in use today:

- Centralized – e.g. Federal Gov’t ePass, ASAS, most others
- Federated – e.g. General Motors and its suppliers
- User Centric – e.g. BC Gov’t pilot projects (using Microsoft CardSpace)

Centralized IdM

Benefits:

- One identity solution for users to learn/use
- All apps use same solution and interfaces
- Single or Reduced Sign-on can be achieved
- Common policies can be implemented once
- A single team can often manage a large system
- Generally well-understood by users and IT

Centralized IdM

Shortcomings:

- Difficult to scale to large size – imagine GM and its dealers (not just the employees) on one centralized system
- Cannot support multiple organizations easily; therefore, it does not reflect the reality of modern distributed business environments…
- Users must trust the central org to manage their information properly
- Changes can impact all applications

Federated IdM

Three types of Federated IdM systems:

- Ad Hoc – bilateral, org to org
- Hub-and-Spoke – islands of federation, dominated by one large organization
- Federated Identity Networks – based on a network of members owning an identity platform (e.g. VISA)

Federated IdM

“An identity network is the only effective means to do so while ensuring that operational, legal, and security obligations are met...”

From “Digital Identity”, by Phil Windley

Federated Model

Parties in the diagram: Identity Provider, Service Provider, User

Identity Provider
- A party that, by formal agreement, provides identity services to a defined group of users
- e.g. a University or College that allows students from a network of schools to have access

Service Provider
- Any party in the Federated network that controls access to a service
- e.g. a registration site at a University or College
- Must have proof the user is who they claim to be before authorizing access

Federated Access - Sample Flow

Parties in the diagram: University of Lethbridge (Identity Provider), U of Alberta School of Business Registration, User

1. User authenticates to their Identity Provider (University of Lethbridge)
2. Identity is verified (university student) and session is established
3. Student attempts to access the registration site at University of Alberta
4. University of Alberta requests confirmation of the student’s identity with University of Lethbridge
5. U of L confirms identity
6. U of A allows access to registration

Federated Identity Networks

Benefits:

- SSO across organizational boundaries
- Can support common policies and standards across orgs
- Strong technical standards exist: WS-*, SAML, SPML, Shibboleth, Liberty Alliance
- Agreements of members well defined, support trust, outline consequences of misbehaving
- Identity information is distributed
- Automatic “Federated provisioning” an option

Federated Identity Networks

Shortcomings:

- Cost of development and operations need to be shared by orgs (not individual users)
- Liability not well understood – what are limits to liability for orgs that are responsible for a breach?
- Fed ID Networks not well understood by orgs that need them
- Negotiation, setup and enforcement of agreements
- Difficulty establishing a central, neutral Federation organization

User-Centric IdM

- Puts the user in control of their identity
- Segments the authentication and authorization processes into three parts:
  - Authoritative Party: vouches for an aspect of the user’s identity when asked
  - Relying Party: provides resources (e.g. access to an application) when sufficient credentials are provided
  - Identity Agent: controlled by the user, acts for the user

User-Centric Model

User-Centric Access - Sample Flow

Parties in the diagram: University of Alberta (Authoritative Party), Student Transit Pass Web Site (Relying Party), Student’s Identity Agent; the outcome is the *** Student Transit Pass ***

1. User requests a student transit pass on the RP site
2. Transit site asks the user for proof that they are a student
3. Student (via IA) asks University (AP) to confirm that they are enrolled in classes
4. University responds with confirmation (encrypted, tamper-proof message)
5. Student’s IA forwards proof to Transit site
6. Transit site allows student pass to be ordered
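The federated sample flow (University of Lethbridge as Identity Provider, the U of A registration site as Service Provider) and the user-centric sample flow (University of Alberta as Authoritative Party, the transit site as Relying Party, the student's Identity Agent in between) as one runnable Python model. This is example code added to the transcript; it is not from the presentation or from any organization named in it, and every class, function and key name in it is made up. It assumes the "tamper-proof message" of step 4 is a JSON claim with an HMAC-SHA256 tag computed under a key the issuer shares with the verifying party by agreement, a stand-in for the asymmetric signature a real SAML assertion or information-card token carries. What it adds to the slides is the set of checks the Service Provider or Relying Party must perform before trusting a claim: known issuer, intact signature, correct audience, not expired, not already used.

```python
"""Toy model of the deck's two sample flows: federated (Identity Provider ->
Service Provider) and user-centric (Authoritative Party -> Identity Agent ->
Relying Party). Example code added to this transcript; not from the slides.
Assumption: a claim is a JSON body plus an HMAC-SHA256 tag computed with a
key the issuer shares with the verifier under their agreement, standing in
for the asymmetric signature a real IdP/AP would apply."""
import hashlib
import hmac
import json
import time
import uuid


def _tag(key: bytes, body: dict) -> str:
    # Canonical JSON so issuer and verifier MAC exactly the same bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class Issuer:
    """Identity Provider (federated) or Authoritative Party (user-centric)."""

    def __init__(self, name: str, key: bytes, directory: dict):
        self.name, self.key, self.directory = name, key, directory
        self.sessions = {}  # session id -> user id (federated flow only)

    def login(self, user: str, password: str) -> str:
        # Federated steps 1-2: authenticate the user, establish a session.
        if self.directory.get(user) != password:
            raise PermissionError("authentication failed")
        sid = uuid.uuid4().hex
        self.sessions[sid] = user
        return sid

    def issue(self, audience: str, claims: dict, ttl: int = 300) -> dict:
        # Claim bound to one audience, short-lived, with a unique id (jti)
        # so the verifier can detect a second presentation of the same claim.
        body = {"iss": self.name, "aud": audience, "jti": uuid.uuid4().hex,
                "exp": int(time.time()) + ttl, **claims}
        return {"body": body, "tag": _tag(self.key, body)}

    def confirm(self, sid: str, audience: str):
        # Federated steps 4-5: the SP asks the IdP to confirm a session.
        user = self.sessions.get(sid)
        if user is None:
            return None
        return self.issue(audience, {"sub": user, "role": "student"})


class Verifier:
    """Service Provider (federated) or Relying Party (user-centric)."""

    def __init__(self, name: str, trusted: dict):
        self.name, self.trusted = name, trusted  # issuer name -> shared key
        self.seen = set()  # claim ids already accepted

    def check(self, token, now=None):
        """Return (accepted, reason). Each check is one an SP/RP must make."""
        if token is None:
            return False, "no claim"
        body, tag = token["body"], token["tag"]
        key = self.trusted.get(body.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        if not hmac.compare_digest(tag, _tag(key, body)):
            return False, "bad signature"   # any edit to the body breaks the tag
        if body.get("aud") != self.name:
            return False, "wrong audience"  # claim was issued for another site
        if body["exp"] <= (now if now is not None else time.time()):
            return False, "expired"
        if body["jti"] in self.seen:
            return False, "replayed"
        self.seen.add(body["jti"])
        return True, "ok"


def federated_flow() -> bool:
    idp = Issuer("uleth", b"key-shared-under-agreement", {"alice": "pw"})
    sp = Verifier("ualberta-registration", {"uleth": idp.key})
    sid = idp.login("alice", "pw")        # steps 1-2 (constructed credentials)
    token = idp.confirm(sid, sp.name)     # step 3 presents sid; steps 4-5 confirm
    return sp.check(token)[0]             # step 6: access granted only if all checks pass


def user_centric_flow() -> bool:
    ap = Issuer("ualberta", b"ap-key", {})
    rp = Verifier("transit-pass", {"ualberta": ap.key})
    # Steps 1-3: the RP asks for proof and the agent asks the AP. Step 4: the AP
    # answers with the minimal claim (enrolled: yes; no name or student number).
    token = ap.issue(rp.name, {"enrolled": True})
    return rp.check(token)[0]             # steps 5-6: agent forwards, RP checks


def rejected_claims() -> list:
    """Constructed failure cases: the RP's reason for refusing each bad claim."""
    ap = Issuer("ualberta", b"ap-key", {})
    rp = Verifier("transit-pass", {"ualberta": ap.key})
    wrong_site = ap.issue("library-site", {"enrolled": True})
    forged = ap.issue(rp.name, {"enrolled": False})
    forged["body"]["enrolled"] = True     # body edited after issuance
    good = ap.issue(rp.name, {"enrolled": True})
    rp.check(good)                        # first presentation is accepted ...
    stale = ap.issue(rp.name, {"enrolled": True}, ttl=0)
    return [rp.check(wrong_site)[1], rp.check(forged)[1],
            rp.check(good)[1], rp.check(stale)[1]]  # ... the second is not
```

`federated_flow()` and `user_centric_flow()` both return `True`; `rejected_claims()` returns `["wrong audience", "bad signature", "replayed", "expired"]`. The two flows differ only in who carries the claim: in the federated flow the SP fetches it from the IdP directly, in the user-centric flow the student's agent carries it, so the RP's verification is the only thing standing between a forwarded claim and the transit pass, which is why the audience and signature checks matter most there.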

User-Centric IdM

Benefits:

- Supports user privacy principles
- User is in control of their identity
- Scales to any size without burden on orgs
- Well-suited to public sector
- Being pushed by Microsoft and other vendors
- Supported by Pan-Canadian initiatives

User-Centric IdM

Shortcomings:

- New – not well understood by either users or IT
- New – not fully implemented, tested or proven
- Not supported on older operating systems (needs Vista, XP with add’l software, or Mac Leopard)
- Not mobile – current implementations have the Identity Agent on the user’s fixed PC
- User must have knowledge of Identity Agent tools and processes

User-Centric IdM

- Gaining momentum with Open ID plus Microsoft CardSpace and other vendors
- Pan-Canadian Task Force: http://www.cio.gov.bc.ca/idm/idmatf/default.htm
- Critical operating system ‘tipping point’ coming in the near future – currently approx 20% of desktops can support information cards
- Open ID and information card convergence? Kim Cameron thinks so: http://www.identityblog.com/wp-content/images/2008/02/OpenID/Normal/OpenIDPhish.html

What is Next?

- Centralized systems continue to be designed and built; strong vendor products available
- Federated systems emerging where strong business needs exist AND appropriate agreements can be negotiated
- User-Centric getting all the press, and some implementations are being carried out

Which is best?

Questions?

Thank You

For more information, visit codetechnology.ca