Identity Management: What is it? Why? Responsibilities?
Bill Weems, Academic Computing
University of Texas Health Science Center at Houston
Increasingly, people must easily and securely exchange information in cyberspace with "known" individuals, and securely access restricted resources they "know" can be trusted, without having to struggle with numerous and onerous security processes.
• How do you prove you are who you say you are?
• How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong?
• If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you?
• It is difficult enough to verify someone's identity in the tangible world where forgery, impersonation and credit card fraud are everyday problems related to authentication.
• Such problems take on a new dimension with the movement from face-to-face interaction, to the faceless interaction of cyberspace.
Identity and Authentication by Simon Rogerson
Ideally, each individual would have a single digital credential that can be used securely to authenticate his or her identity whenever authentication of identity is required to secure a transaction.
UTHSC-H: An Identity Provider (IdP)
It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with
digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific
responsibilities and liabilities.
Ideally, a digital credential must
• positively identify a person,
• positively identify the certifying authority - i.e. the identity provider (IdP),
• be presentable only by the person it authenticates,
• be tamper proof, and
• be accepted by all systems.
Issuing a Digital Credential
• Individual appears before an Identity Provider (IdP), which accepts the responsibility to
  – positively determine and catalog a person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
  – assign a unique, everlasting digital identifier to each person identified,
  – issue each identified person a digital credential that can only be used by that person to authenticate his or her identity, and
  – maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.
[Diagram, "Identity Vetting & Credentialing": the Identity Provider (IdP) uth.tmc.edu obtains the person's physical characteristics, assigns an everlasting identifier that is permanently bound to the person and recorded in a permanent identity database, and issues a digital credential that only that person can activate.]

[Diagram, "Identity Vetting & Credentialing: PKI Digital ID & Strong Two Factor Authentication": the same flow, with the digital credential being a PKI digital ID.]

[Diagram, "Identity Vetting & Credentialing: UTHSC-H Two Factor Authentication": the same flow, with question marks placed on the diagram.]

[Diagram, "Identity Vetting & Credentialing: UTHSC-H Username/Password Authentication": the same flow using the network username and password, with many more question marks placed on the diagram.]
Two Categories of Identity
• Physical Identity (Body Identity) - Authentication
  – Facial picture
  – Fingerprints
  – DNA sample
• Identity Attributes - Authorization Attributes
  – Common name
  – Address
  – Institutional affiliations, e.g. faculty, student, staff, contractor
  – Specific group memberships
  – Birth date
  – City of birth
  – Etc.
Critical Identity Issues
• Is the person positively identified?
• Is the person's digital credential valid?
• Is the person currently affiliated with the university? i.e. does UTHSC-H accept responsibility for this person's identity?
• Are the person's authorization attributes valid, i.e. can they be "trusted"?
  – Are the person's authorizations for specific applications appropriate?
Identity Provider Liability: Internal & External Services
• Institution provides IdP services only for internal uses.
  – UTHSC-H personnel (LRAAs) responsible for identity vetting & credentialing - subject to audit.
  – Contracts with external organizations to provide vetting for their personnel having affiliations with UTHSC-H - defined as UTHSC-H Guests.
    • Contract likely not auditable.
• Institution provides IdP services to relying parties - e.g. U.T. System Federation members.
  – IdP services to relying parties should not be provided for "Guests".
Identity & Authentication Attributes
• Identity Vetting
  – Basic Trust Level
  – Medium Trust Level
  – High Trust Level
• Credential Strength
  – Two-factor PKI Biometric Token
  – Two-factor PKI Password Token
  – One-factor Network Username/Password
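The credential properties listed earlier (positively identify the person and the IdP, be presentable only by the holder, be tamper proof), the issuance responsibilities, the "Critical Identity Issues" checklist and the vetting/strength attributes above together describe one verifiable exchange between an IdP, a credential holder and a relying party. The following Go program is an added example, not code from the presentation or from UTHSC-H. It models a PKI credential with Ed25519 signatures, uses a constructed identifier and an in-memory affiliation table in place of the IdP's permanent identity database, and leaves out "accepted by all systems", which is a federation agreement rather than a property the code can check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Trust levels and credential strengths from the "Identity & Authentication
// Attributes" slide, ordered so a relying party can demand a minimum.
const (
	VettingBasic, VettingMedium, VettingHigh                    = 1, 2, 3
	StrengthPassword, StrengthPKIPassword, StrengthPKIBiometric = 1, 2, 3
)

// Credential is what the IdP signs: an everlasting identifier bound to the
// holder's public key, an expiry modelling the affiliation renewal interval,
// and the assurance attributes a relying party needs for authorization.
type Credential struct {
	Issuer     string `json:"issuer"`   // certifying authority, e.g. "uth.tmc.edu"
	Identifier string `json:"id"`       // unique, everlasting identifier
	HolderKey  []byte `json:"holder"`   // only the holder has the private half
	NotAfter   int64  `json:"exp"`      // unix seconds
	Vetting    int    `json:"vetting"`  // identity-proofing trust level
	Strength   int    `json:"strength"` // authenticator strength
}

// SignedCredential is the credential as presented: the exact bytes the IdP
// signed plus its signature, so any change to the body is detectable.
type SignedCredential struct {
	Body, Signature []byte
}

// IdP holds the issuer's signing key and its record of who is still
// affiliated (an in-memory stand-in for the permanent identity database).
type IdP struct {
	Name       string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	affiliated map[string]bool
}

func NewIdP(name string) (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{Name: name, Pub: pub, priv: priv, affiliated: map[string]bool{}}, nil
}

// Issue signs the binding of identifier to holder key and records the affiliation.
func (i *IdP) Issue(c Credential) (SignedCredential, error) {
	c.Issuer = i.Name
	body, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	i.affiliated[c.Identifier] = true
	return SignedCredential{Body: body, Signature: ed25519.Sign(i.priv, body)}, nil
}

// EndAffiliation models the person leaving: the credential bytes are unchanged,
// but the IdP no longer accepts responsibility for the identifier.
func (i *IdP) EndAffiliation(id string) { delete(i.affiliated, id) }
func (i *IdP) IsAffiliated(id string) bool { return i.affiliated[id] }

// Verify is the relying party's side and walks the "Critical Identity Issues"
// list: IdP signature (identifies the IdP, detects tampering), proof of
// possession of the holder key (presentable only by the holder), expiry and
// current affiliation (is the credential valid, is the person still affiliated),
// then the assurance attributes against the application's minimums.
func Verify(sc SignedCredential, idpPub ed25519.PublicKey, isAffiliated func(string) bool,
	challenge, proof []byte, now time.Time, minVetting, minStrength int) (Credential, error) {
	var c Credential
	if !ed25519.Verify(idpPub, sc.Body, sc.Signature) {
		return c, errors.New("not signed by the expected IdP, or tampered")
	}
	if err := json.Unmarshal(sc.Body, &c); err != nil {
		return c, err
	}
	// Length check first: ed25519.Verify panics on a malformed key.
	if len(c.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderKey), challenge, proof) {
		return c, errors.New("presenter does not control the credential's private key")
	}
	if now.Unix() > c.NotAfter {
		return c, errors.New("credential expired; affiliation not renewed")
	}
	if !isAffiliated(c.Identifier) {
		return c, errors.New("IdP no longer vouches for this identifier")
	}
	if c.Vetting < minVetting || c.Strength < minStrength {
		return c, errors.New("assurance below application policy")
	}
	return c, nil
}

func main() {
	idp, _ := NewIdP("uth.tmc.edu")
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader) // the person's key pair (constructed)
	sc, _ := idp.Issue(Credential{Identifier: "uthsch-000001", HolderKey: holderPub, // hypothetical identifier
		NotAfter: time.Now().Add(365 * 24 * time.Hour).Unix(), Vetting: VettingHigh, Strength: StrengthPKIPassword})
	challenge := []byte("relying-party-nonce") // a fresh random nonce per login in practice
	_, err := Verify(sc, idp.Pub, idp.IsAffiliated, challenge, ed25519.Sign(holderPriv, challenge),
		time.Now(), VettingMedium, StrengthPKIPassword)
	fmt.Println("accepted:", err == nil)
}
```

The relying party never learns the holder's private key; it only sees a signature over its own challenge, which is what makes the credential "presentable only by the person it authenticates". Expiry and the affiliation lookup are deliberately separate checks: the one-year guest re-vetting described later in the presentation corresponds to the expiry, while the affiliation lookup is what lets the IdP withdraw responsibility before the credential expires.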
UTHSC-H Strategic Authentication Goals
• Two authentication mechanisms.
  – Single university ID (UID) and password.
  – Digital ID (DID).
• The Digital ID can be used to set the password for the UTHSC-H user ID.
  – No one but the "owner" ever knows the UID password.
  – When the UID password is "aged", say every 90 days, the user can use the DID to reset the password. The user never has to contact the help desk, freeing the help desk to do other tasks.
Policy and procedures associated with identifying, credentialing and authenticating employees, students and residents are reasonably appropriate at the university. However, another group of individuals, such as contractors, research collaborators and others having legitimate professional affiliations with the university, do not have digital credentials issued by identity providers having relying party agreements with UTHSC-H.
Currently, the university accepts the legal responsibility of identifying these individuals, designated as "guests", and issuing them digital credentials which they can use to authenticate their university-certified identity to others.
Because of the extremely varied circumstances associated with how
“guest” affiliations arise and terminate, it is difficult to determine the current status of
“guest” affiliations and associated levels of “trust”. To ensure that appropriate
assurance levels can be asserted by UTHSC-H as an identity provider, special
policies exist for identity proofing and credentialing of persons sponsored by
individual university personnel.
One such policy is the requirement that individuals being considered for an extension of their guest status for
an additional year must have their identity formally re-vetted by the
university, and their sole control of their digital credentials re-affirmed. It has been requested that this policy be
reviewed.
UTHSC-H requires that individuals requesting an extension of their "Guest" status have their physical identity re-vetted annually and sign a statement attesting that they:
• are affiliated with the university as described by their sponsor,
• have maintained and will maintain sole control of their digital credentials,
• will immediately notify UTHSC-H if such control is compromised or if they are no longer affiliated with the university, and
• confirm that their contact information, as presented, is correct.
Individuals wanting to extend their "Guest" status and having a UTHSC-H digital ID/token can digitally sign a reaffirmation stating that they
• are affiliated with the university as described by their sponsor,
• have maintained and will maintain sole control of their digital credentials,
• will immediately notify UTHSC-H if such control is compromised or if they are no longer affiliated with the university, and
• assert that their contact information, as presented, is correct.
Inter-institutional Identity Reconciliation
• Problem:
  – Multiple identity providers (IdPs) in a Federation.
  – Individuals with multiple digital credentials issued by different IdPs.
• Example:
  – Jane Doe is provisioned into Application A with UTMDACC credentials.
  – Moves to BCM & obtains new credentials.
  – How does Application A handle this change of identity?
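The slide leaves the question open. As an added example, not from the presentation and not UTHSC-H's or the U.T. System Federation's design, here is one way Application A can handle it: key its own records on a local identifier that never changes, and let federated identities (issuer plus the identifier that issuer assigned) attach to and detach from that record. Linking a second identity requires the user to have authenticated with both credentials in the same session, otherwise anyone holding a fresh BCM credential could claim Jane's account. The issuer names and identifiers are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// FederatedID is how one IdP names a person: issuer plus the identifier that
// IdP assigned. It is stable within that IdP but meaningless at another.
type FederatedID struct {
	Issuer  string // e.g. "utmdacc" or "bcm" (constructed names)
	Subject string
}

// Account is Application A's own record. LocalID never changes; federated
// identities attach to and detach from it.
type Account struct {
	LocalID string
	Linked  map[FederatedID]bool
}

// App is the relying party's account store: every known federated identity
// maps to exactly one local account.
type App struct {
	accounts map[string]*Account
	index    map[FederatedID]string
	next     int
}

func NewApp() *App {
	return &App{accounts: map[string]*Account{}, index: map[FederatedID]string{}}
}

// Resolve maps an already-authenticated federated identity to the local
// account, or reports that the application has never seen it.
func (a *App) Resolve(fid FederatedID) (*Account, bool) {
	local, ok := a.index[fid]
	if !ok {
		return nil, false
	}
	return a.accounts[local], true
}

// Provision creates a fresh local account for a first-time identity. Doing
// this for Jane's BCM credential instead of linking is exactly the duplicate
// account the slide's question points at.
func (a *App) Provision(fid FederatedID) (*Account, error) {
	if _, exists := a.index[fid]; exists {
		return nil, errors.New("identity already provisioned")
	}
	a.next++
	acct := &Account{LocalID: fmt.Sprintf("A-%04d", a.next), Linked: map[FederatedID]bool{fid: true}}
	a.accounts[acct.LocalID] = acct
	a.index[fid] = acct.LocalID
	return acct, nil
}

// Link attaches a new federated identity to an existing account. The caller
// must have authenticated the user with BOTH credentials in this session, and
// the new identity must not already belong to a different account.
func (a *App) Link(existing, added FederatedID, bothAuthenticated bool) error {
	if !bothAuthenticated {
		return errors.New("linking requires proof of possession of both credentials")
	}
	local, ok := a.index[existing]
	if !ok {
		return errors.New("existing identity unknown")
	}
	if other, taken := a.index[added]; taken && other != local {
		return errors.New("identity already bound to another account")
	}
	a.accounts[local].Linked[added] = true
	a.index[added] = local
	return nil
}

// Unlink is called when an IdP stops vouching for an identity (e.g. UTMDACC
// ends Jane's affiliation). The local account survives while at least one
// federated identity remains; otherwise it is deprovisioned.
func (a *App) Unlink(fid FederatedID) (accountRemains bool) {
	local, ok := a.index[fid]
	if !ok {
		return false
	}
	delete(a.index, fid)
	acct := a.accounts[local]
	delete(acct.Linked, fid)
	if len(acct.Linked) == 0 {
		delete(a.accounts, local)
		return false
	}
	return true
}

func main() {
	app := NewApp()
	oldID := FederatedID{Issuer: "utmdacc", Subject: "jdoe"}
	newID := FederatedID{Issuer: "bcm", Subject: "jane.doe"}
	acct, _ := app.Provision(oldID)
	_ = app.Link(oldID, newID, true) // Jane proved both credentials in one session
	app.Unlink(oldID)                // UTMDACC later ends her affiliation
	got, _ := app.Resolve(newID)
	fmt.Println("same account across the move:", acct.LocalID == got.LocalID)
}
```

The authorizations granted to the account follow the LocalID, so Jane's access in Application A does not depend on which IdP currently vouches for her; what does depend on the IdP is whether a given federated identity still resolves at all, which is why Unlink is driven by the IdP's affiliation decision rather than by the user.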