Outline:
- Introduction
- Overview
- Importance
- Long-term shift to Identity Providers by industry
- Requirements
- Key identity challenges
- Industry work
- Examples of different approaches
- The Pieces of the IDM Puzzle
- IDM Meets SOA
- Conclusion
What is Identity?
Identity management
- The ability of a user to select an Identity Provider (IdP).
- Supports a multitude of identity-based services, including targeted advertising and personalized services based on geo-location and interest.
- Authenticated services to decrease fraud and identity theft.
- Essential for communications, commerce, and just about any significant societal activity.
- Open nomadic network services and content are an enduring, strong value proposition.
- Essential for securing the SOA world and WS-related resources.
- Because most of our professional lives will be spent dealing with it.
http://www.itu.int/en/ITU-T/gsi/idm/Pages/default.aspx, 25 september 2011
Shift
Portability and Interoperability
- The service must use globally unique identifiers in a common interchange format.
- The service must support extensible mapping.
- The service must use a common protocol.
Extensibility
- The service and protocol should be based on XML and XML Schemas.
- The service must support global vocabulary definition.
- The service should support distributed local vocabulary definition.
Negotiated Privacy and Security
- The service must allow identity owners to control their information.
- The service must use a common negotiation protocol.
- The protocol must support anonymity and pseudonymity.
Accountability
- All identity owners and service providers should agree to common terms.
- The accountability framework should be based on universal legal principles.
- Standard dispute resolution mechanisms.
http://www.w3.org/2001/03/WSWS-popa/paper57
Appropriateness of entitlements:
Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed?
Consistency:
User profile data entered into different systems should be consistent. The fact that each system has its own user profile management system makes this difficult.
Efficiency:
Enterprises manage user profile data for large numbers of people. Any IDM system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.
Several types of technologies are available to manage user identity data across the enterprise.
Higgins
OpenID is a decentralized single sign-on system: a free and easy way to use a single digital identity across the Internet.
Providers
- Yahoo!, Blogger, AOL, Live Journal, MyOpenID.com, LinkSafe, etc.; 60 listed at openiddirectory.com
Relying Parties
- Plaxo, Pibb, Magnolia, Blogger comments, Live Journal, Wordpress, wikis, blogs, etc.; many, many more listed at openiddirectory.com
Challenges
- Perception
- Relying Party (business)
- User Experience
- Technical
Directories
- The storage area for user IDs and passwords. It offers one place for a company to view system access across the company.
- Accessed using the Lightweight Directory Access Protocol (LDAP).
- A directory is just the starting point for identity and access management.
Meta Directories
- Engines that synchronize data about users between different systems.
- Simplify user administration.
A middleware used to manage authentication and authorization of users accessing one or more web-enabled applications.
Password management
- A way of storing user credentials outside of the various applications.
- E-SSO (enterprise single sign-on) systems have had limited success in large production environments.
User provisioning
- An approach to managing entitlements: a user has access to an object based on the assigned role.
- Permissions are defined based on job authority and responsibilities within a job function.
- In an SSO system, RBAC grants privileges directly to roles and attaches users to roles.
Access Certification
- Driven by regulatory compliance requirements and security policies.
- It is a process where business stakeholders are periodically invited to review entitlements, sign off on entitlements that appear to be reasonable, and flag questionable entitlements for possible removal.
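An added example (not from the original slides) tying the RBAC model above to the access certification review: roles carry permissions, users are attached to roles, and a periodic report flags the two questionable cases the slides name, segregation-of-duties violations and access rights that persist after they are no longer needed. All roles, users, dates and the SoD rule are constructed sample data.

```python
# Added example: minimal RBAC plus an access-certification report.
# Dates are ISO strings (YYYY-MM-DD), which compare correctly as text.

# Constructed data: each role maps to the permissions it grants.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "hr_viewer":   {"employee:read"},
}

# Constructed segregation-of-duties rule: nobody may hold both roles.
SOD_RULES = [({"ap_clerk", "ap_approver"}, "create+approve invoices")]

# Constructed assignments: user -> {role: date the grant expires}.
USER_ROLES = {
    "alice": {"ap_clerk": "2030-01-01", "ap_approver": "2030-01-01"},
    "bob":   {"hr_viewer": "2020-06-30"},
    "carol": {"ap_approver": "2030-01-01"},
}


def has_permission(user, permission, today):
    """RBAC check: permission is held only through a still-current role."""
    return any(permission in ROLE_PERMISSIONS[role]
               for role, expires in USER_ROLES.get(user, {}).items()
               if expires >= today)


def sod_violations(user):
    """Names of SoD rules whose conflicting role set the user fully holds."""
    roles = set(USER_ROLES.get(user, {}))
    return [name for conflict, name in SOD_RULES if conflict <= roles]


def stale_roles(user, today):
    """Roles whose grant has expired but is still attached to the user."""
    return sorted(role for role, expires in USER_ROLES.get(user, {}).items()
                  if expires < today)


def certification_report(today):
    """Entitlements a reviewer should question during periodic sign-off."""
    report = {}
    for user in USER_ROLES:
        flags = [f"SoD: {name}" for name in sod_violations(user)]
        flags += [f"expired role: {role}" for role in stale_roles(user, today)]
        if flags:
            report[user] = flags
    return report


if __name__ == "__main__":
    for user, flags in certification_report("2025-01-01").items():
        print(user, flags)
```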
- Identity management can extend beyond a single organization.
- Federation enables applications in different domains to share information about users.
- It is the ability to grant system access to parties outside the company's firewall, such as suppliers and outsourcing partners.
- While SOA promises a new level of IT agility, it also brings security vulnerabilities. Similarly, Web services introduce new security concerns which, if not properly addressed, threaten the success of any SOA project.
- Web services are inherently open and easily accessible.
- Web services must be protected by authentication and authorization processes.
- A Web service may call other Web services that, in turn, might call multiple other Web services.
- The concept of identity management must be extended to Web services, devices and other entities.
- Securing applications within an SOA environment presents challenges as well. Typical threats include message integrity, confidentiality, availability, man-in-the-middle attacks and forged claims.
- Further complicating matters are the issues unique to the SOA environment itself, such as:
  - Services aren't always user-initiated.
  - Unlike applications, services have multiple points of entry.
  - Web services operate in heterogeneous environments.
- SOA security needs to be part of a centralized, integrated offering.
- Identity management functions must deliver a set of standard Web services, including:
- Web services can consume and use these services, which provide layers of protection and management for Web services.
- A consistent set of enterprise-wide policies
- A global view of accounts and access rights
- Aggregated auditing across the enterprise
- Enhanced compliance with regulatory legislation such as Sarbanes-Oxley and HIPAA
- Lower administrative costs
- Implementing effective identity management capabilities is as essential as it has always been for public infrastructures.
- Anonymity almost disappears; privacy is a value proposition.
- Globalization/nomadicity combined with the complexity of the infrastructures and applications increases the IdM value proposition.
- Immediate priorities include better identity proofing and lifecycle management, trusted identifiers for providers and network objects, discovery, and assurance metrics.