Page 1: TheCottinghamGroup Harrop IdentityManagement
docbox.etsi.org/workshop/2009/200901_SECURITYWORKSHOP/TheC…

Identity Management

An overview of the status of some of the key IdM work (plus some thoughts from the sidelines)

Mike Harrop
The Cottingham Group

International Telecommunication Union
Page 2

Overview

• Review the context of work on IdM
• Discuss some of the issues and challenges
• Report on current status of the IdM standards work
• Offer a few personal observations

ETSI Security Workshop 2009
Page 3

Identity and IdM: The context of the work
Page 4

What is Identity?

• Identity is both a “real-world” concept and a digital construct
• In the real world:
  • The individual characteristics by which a thing or person is recognized or known. (WordNet, Princeton University)
  • Note: A person may have a number of different identities
• In the digital world:
  • Information about an entity that is sufficient to identify that entity in a particular context. (ITU-T Rec. Y.2720)
  • Digital identity refers to a digital representation of a set of claims made by one party and presented to another party
  • A digital identity can be a set of identity information (e.g., an address), as opposed to the real-world concept that is tied to a person’s sense of who they are.
  • Note: the concept of digital identity applies to service providers and objects as well as individuals.
Page 5

Identities Exist in Many Forms & Places

[Figure: three dimensions of identity use. Whatever you’re using (devices): PC, PDA, smart-phone, video, cellular phone. Wherever you are (across various access types): at your desk, managed office, at home, in town, on the road, in the air. Whatever you’re doing (applications): IM, email, collaboration, voice telephony, ERP, web apps.]

People have multiple “identities”
• Work – [email protected]
• Family – [email protected]
• Hobby – [email protected]
• Volunteer – [email protected]
Page 6

Can we agree on a definition of Identity?

• There was a lengthy on-line discussion within ITU-T SG 17 on the definition of identity over the summer of 2008.
• But there is currently no international agreement on the definition of identity
Page 7

What is Identity Management?

• The management of the life cycle of the digital identity of entities, during which the digital representation of identity is established, used and disposed of when no longer needed
• IdM involves technology, processes, functions and capabilities (e.g. administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) in order to:
  • Manage identity information (e.g., identifiers, credentials, attributes);
  • Assure the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and
  • Improve the robustness of business and security applications.
• IdM must be scalable from internal systems to external applications and processes
• IdM is considered a fundamental requirement for wide-scale, secure and trusted interconnections (such as NGN)
Page 8

Definitions of Identity Management

• A broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity (WhatIs.com)
• The set of processes, policies and technologies that enable authoritative sources to accurately identify entities; it helps authoritative sources as well as individual entities to facilitate and control the use of identity information in their respective relations. (ISO, 5th draft IdM Framework, Nov. 2008)
• The structured creation, capture, syntactical expression, storage, tagging, maintenance, retrieval, use and destruction of identities by means of diverse arrays of different technical, operational, and legal systems and practices. (ITU-T X.1250)
Page 9

Evolving Definition of IdM

[Figure: the scope of IdM widening outward from the enterprise: internal infrastructure, gateway, edge devices, application environments, hosted services, partner/supplier networks, other hubs.]

What is IdM from a carrier, provider, telecom perspective?

Burton Group 2003
• Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities in online spaces

Burton Group 2007
• Enterprise IdM is the set of business processes, and a supporting infrastructure, that provides
  • Identity-based access control to systems and resources
  • In accordance with established policies
Page 10

IdM Overview (Rec. Y.2720)

[Figure R055(08)_F01 from Y.2720: Identity Management, applied to entities and identity information through its functions and capabilities, enables business and security applications.]

Business and Security Applications including Identity-based Services
• Federated Services
• Application Services Access Control (e.g. Multimedia and IPTV)
• Single Sign-on/Sign-off
• Role-based Access to Information, Resources and Assets
• Protection of Personally Identifiable Information
• Security Protection of Information and Network Infrastructure

Entities
• Users and Subscribers
• Organizations, Business Enterprises, Government Enterprises
• User Devices
• Network Elements and Objects
• Network and Service Providers
• Virtual Objects

IdM Functions and Capabilities
• Identity Lifecycle Management
• Identity Information Correlation and Binding
• Identity Information Authentication, Assurance and Assertions
• Discovery and Exchange of Identity Information

Identity Information
• Identifiers (e.g. UserID, Email address, Telephone Number, URI, IP address)
• Credentials (e.g. Digital Certificates, Tokens, and Biometrics)
• Attributes (e.g. Roles, Claims, Context, Privileges, Location)
Page 11

What’s changing? The shift to Identity Providers
Page 12

[Figure: Legacy Identity Management versus Current Identity Management Trends (wireline).]

Source: FG IDM Tutorial, September 2007, Geneva
Page 13

Perspectives and Challenges on Identity Management
Page 14

The different perspectives on IdM pose some real challenges

[Figure: the stakeholders pulling on IdM: Security Services & Policing; Network Operators & Service Providers; Government & Business users; Individual End Users; Privacy advocates.]
Page 15

Perspectives and Interests – 1

• Network operators and service providers
  • Focused on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation
  • Want to offer new applications and services (e.g. NGN, fixed and mobile convergence), including identity-based services to subscribers and other service providers
• Business and government users
  • Looking to minimize costs, support employees, reduce fraud and control/manage inventory and supply chain
  • Want to enable identity assurance services and capabilities, and enhance the level of trust and confidence to support on-line services (e.g. web-based transactions)
Page 16

Perspectives and Interests – 2

• Government as service provider
  • To help protect the communication infrastructure against cyber security threats
  • To support Public Safety Services (e.g. Emergency 911 services), Emergency Telecommunications Service (ETS), Early Warning Services
  • To enable federated government services
• National security services and law enforcement
  • To support mandates in infrastructure protection, homeland security, law enforcement (forensics, lawful interception etc.)
  • To support the need for personal identity credentials and biometrics
Page 17

Perspectives and Interests – 3

• Individual end users
  • Ease and convenience of use
  • Portability of access
  • Confidence in security of transactions
  • Identity theft protection
  • Protection of sensitive private information
  • Reduction in unwanted intrusions
• Privacy advocates
  • Protection of sensitive personal information
  • Upholding of privacy laws and codes of practice
Page 18

Status of work on IdM
Page 19

Industry/Consortia work: examples of different approaches

• Higgins – an extensible, platform-independent, identity protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information.
• CardSpace – a system in the Windows Communication Foundation (WCF) of WinFX that allows users to manage their digital identities from various identity providers, and employ them in different contexts where they are accepted to access online services.
• Liberty – allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites.
• OpenID – a decentralized single sign-on system. On OpenID-enabled sites, Internet users do not need to register and manage a new account for every site before being granted access. Instead, they only need to be previously registered on a website with an OpenID “identity”.
Page 20

ITU-T motivation for IdM work

• To provide a general framework that incorporates different perspectives and technologies
• To address the interplay between cybersecurity and IdM (the main issues are strong authentication, interoperability between IdM systems, and the development of common IdM data models to ensure appropriate exchange of IdM attributes and information)
• To enable service providers to reduce the cost of managing all the partial identities that exist in the network
• To facilitate revenue-generating NGN identity-based subscription services, e.g. single sign-on, presence, location etc.
Page 21

Current ITU-T Approach

• Joint Coordination Activity on IdM and IdM Global Standards Initiative (GSI) established December 2007
• Most IdM work is being done in Study Group 17 (Security) and Study Group 13 (Future Networks, including Mobile and NGN)
Page 22

ITU-T IdM results so far include:

• IdM focus group established in 2006 was open to all and drew wide interest.
• Six substantial reports from the FG IdM:
  • Report on Activities Completed and Proposed
  • Report on the Deliverables
  • Report on Identity Management Ecosystem and Lexicon
  • Report on Identity Management Use Cases and Gap Analysis
  • Report on Requirements for Global Interoperable Identity Management
  • Report on Identity Management Framework for Global Interoperability
• Two workshops & one conference
Page 23

Current status of ITU-T work – 1: Recommendations now under Determination

• SG13 NGN:
  • Y.2720 NGN Identity management framework (approval expected on January 23rd 2009)
• SG17 Security:
  • X.1250 Capabilities for enhanced global identity management trust and interoperability
  • X.1251 A framework for user control of digital identity
  (Approval of X.1250 & X.1251 expected in February 2009)
Page 24

Current status of ITU-T work – 2: Recommendations for future Determination

• X.idm-ifa: Framework architecture for interoperable identity management systems
• X.idm-dm: Common Identity Data Model
• X.rfpg: Privacy guideline for RFID
• X.idmsg: Security guidelines for identity management systems
• X.priva: Criteria for assessing the level of protection for personally identifiable information in IdM
• X.eaa: Entity Authentication Assurance
Page 25

ISO/IEC JTC1 SC 27 Work

• ISO 24760 – A Framework for Identity Management (5th Working Draft)
• The 6th WD should be available in February 2009
Page 26

OECD

• Currently developing a Primer on Identity Management (internal OECD document, now due March 2009)
• The primer is intended to serve as input to an OECD IdM Policy Framework
Page 27

More information

• IdM Focus Group
  http://www.itu.int/ITU-T/studygroups/com17/fgidm/index.html
• Global Standards Initiative for Identity Management (IdM-GSI)
  http://www.itu.int/ITU-T/gsi/idm/
• Joint Coordination Activity for Identity Management
  http://www.itu.int/ITU-T/jca/idm/
Page 28

The following Thoughts from the Sidelines are personal observations. They are presented here to stimulate discussion.
Page 29

1. What is identity and what is IdM?

• It is essential that we have a clear definition and understanding of what is meant by the terms identity and identity management if we are to develop IdM standards.
• Yet, even as the first standards are near to completion, there is no agreement on these terms.
Page 30

What is identity and what is IdM? (ctd)

• One reason for the difficulty in getting agreement is the different perspectives, e.g. ISO JTC1 SC27 deals largely with protection of identity information in information systems; ITU-T deals with the protection and use of telecommunications infrastructures and services. However, the definitions are not yet consistent even in the draft ITU-T Recommendations.
• The paper “A Relationship Layer for the Web . . . and for Enterprises, Too” (Bob Blakley, the Burton Group, June 2008) illustrates the total lack of world-wide agreement on the definition of identity and associated terms
• Is it possible to manage something (particularly across multiple domains) if you can’t agree what it is?
Page 31

2. Needs are not uniform for all potential IdM users

• Most on-line transactions require only authorization information, not evidence of identity. The information requested (credit card, telephone number, address etc.) authenticates the user on the basis of having that information. It does not provide irrefutable evidence (or any evidence) of identity.
• However, positive confirmation of identity is required for law enforcement and security agency activities, as well as for the granting of some rights such as access rights, the right to board an aircraft, or to enter a country.
• Does the broad range of needs mean that the identity information collected must satisfy the needs of those users who require the greatest level of detail?
Page 32

3. Privacy concerns

• There must be protection against inappropriate collection of information
  • Collecting too much information
  • Collecting when not strictly necessary
  • Collecting without consent
  • Invasiveness of collection
• And against inappropriate use and disclosure
  • Secondary uses (function creep)
• The data collected must be properly secured and protected against poor information management & handling procedures and practices
Page 33

Privacy concerns (ctd)

• Use of global identifiers poses a risk to privacy
• Neither personal identifiers, nor the risks they pose to privacy, are new.
  • E.g. Canadian & US Social insurance/security numbers (SIN & SSN) predate the Internet, electronic commerce and, to a large extent, data communications.
  • The safeguards associated with the SIN and SSN protect the organization, rather than the individual. They were not designed with the protection of personal information (or the risk of identity theft) in mind.
• Privacy (like security) should be built-in, not added as an afterthought.
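Pages 31 and 33 make two points that an identity provider can build in from the start: most transactions need an authorization fact rather than evidence of identity, and one global identifier shared with every party lets those parties link their records. The Python below is an added example, not from the presentation or any of the projects it lists, showing one way to do both: derive a different stable pseudonym for each relying party, and release only the claims that party asked for. The key, user directory, claim names and relying-party names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed key held only by the identity provider (demo value, not for real use).
IDP_PAIRWISE_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed directory keyed by one global identifier per person: the
# SIN/SSN-style pattern the slides warn about when it is handed to every party.
USER_DIRECTORY = {
    "global-0001": {"name": "Alice Example", "birth_year": 1980, "email": "alice@work.example"},
    "global-0002": {"name": "Bob Example", "birth_year": 2005, "email": "bob@home.example"},
}

# Claims the provider is willing to release; anything else is refused.
RELEASABLE_CLAIMS = ("name", "email", "over_18")


def pairwise_subject(global_id: str, relying_party: str) -> str:
    """Derive a relying-party-specific pseudonym for one person.

    The value is stable for the same (person, relying party) pair, so the party
    recognises a returning user, but it differs for every relying party, so two
    parties pooling their databases cannot match records on the identifier.
    """
    message = relying_party.encode() + b"\x00" + global_id.encode()
    return hmac.new(IDP_PAIRWISE_KEY, message, hashlib.sha256).hexdigest()


def issue_assertion(global_id: str, relying_party: str, requested_claims, current_year: int) -> dict:
    """Build the set of claims presented to one relying party.

    Only requested, releasable claims are included. An authorization-style claim
    such as over_18 is derived from the record (approximated here from birth
    year alone) instead of disclosing the birth year or the global identifier.
    """
    record = USER_DIRECTORY[global_id]
    assertion = {"sub": pairwise_subject(global_id, relying_party), "aud": relying_party}
    for claim in requested_claims:
        if claim not in RELEASABLE_CLAIMS:
            raise ValueError(f"claim not releasable: {claim}")
        if claim == "over_18":
            assertion[claim] = current_year - record["birth_year"] >= 18
        else:
            assertion[claim] = record[claim]
    return assertion


def can_correlate(assertion_a: dict, assertion_b: dict) -> bool:
    """What two relying parties could do by pooling data: match on the subject value."""
    return assertion_a["sub"] == assertion_b["sub"]


def resolve_subject(pairwise_sub: str, relying_party: str):
    """Provider-side reverse lookup, e.g. for breach response or revocation.

    Only the holder of IDP_PAIRWISE_KEY can do this; a relying party cannot.
    """
    for global_id in USER_DIRECTORY:
        if hmac.compare_digest(pairwise_subject(global_id, relying_party), pairwise_sub):
            return global_id
    return None
```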

Page 34

Privacy concerns (ctd)

• Privacy protection is not (so far) a primary objective of the IdM work
• While privacy needs are recognized and some issues are beginning to be addressed, most emphasis is still on organizational (service provider) needs, rather than personal privacy. (“The purpose and focus of the ITU-T is also that of telecommunications, rather than the protection of personally identifiable information.” Annex A to SG 17 Q6 report, April 2008)
• Thus, the issue of how personal information used in the context of IdM can be protected needs further consideration. This is not just a standards issue. (There are technical, legal and policy issues to be addressed.)
Page 35

4. What happens when something goes wrong?

• With the shift to identity providers, where will the information be kept? (Off shore?)
• Who is responsible if information is leaked or stolen (either individually or as part of a mass leak)? Will anyone be held accountable under existing laws?
• What help will there be to resolve the situation in the event of compromise? What recourse will there be for those whose information is compromised?
Page 36

A closing thought

“An identity is a model of a person.

Only an organization which has a close relationship with an individual knows enough about that individual to build an identity which is an accurate model; the more intimate the relationship is, the more accurate the identity will be.

Organizations have only casual relationships with most of the individuals they deal with, so they build inaccurate identities which create risks for individuals and for themselves.

Building accurate identities on the Internet will require new relationship technology and a new set of intermediaries who have sufficiently intimate relationships with individuals to construct identities for them.”

Bob Blakley, Burton Group