
Presented by : Mebratu Tsehayu & Mismaku Hiruy mets1000@miun.se mite0901@miun.se


06 October, 2011

Outline

o Introduction
o Overview
o Importance
o Long-term shift to Identity Providers by industry
o Requirements
o Key identity challenges
o Industry work
o Examples of different approaches
o The Pieces of the IDM Puzzle
o IDM Meets SOA
o Conclusion

What is Identity?

o Identity is both a real-world concept and a digital construct.
o In the real world: the individual characteristics by which a thing or person is recognized or known.
o In the digital world: information about an entity that is sufficient to identify that entity in a particular context.
o Digital representation of a set of claims made by one party and presented to another party.
o A digital identity can be a set of identity information.

Identity management

o Broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity, e.g. the driver licensing system.
o The set of processes, policies and technologies that enable authoritative sources to accurately identify entities. (ISO, 5th draft IdM Framework, Nov. 2008)
o The structured creation, capture, syntactical expression, storage, tagging, maintenance, retrieval, use and destruction of identities by means of diverse arrays of different technical, operational, and legal systems and practices. (ITU-T X.1250)
o It provides assurance of identity information in a manner that supports secure, trusted access control.

o The ability of a user to select an Identity Provider (IdP).
o Supports a multitude of identity-based services, including:
  - targeted advertising;
  - personalized services based on geo-location and interest;
  - authenticated services to decrease fraud and identity theft.
o Essential for communications, commerce, and just about any significant societal activity.
o Essential for network/cybersecurity and critical infrastructure protection, both preventative and forensic.
o Open nomadic network services and content are an enduring, strong value proposition.
o Essential for securing the SOA world and WS-related resources.
o Because most of our professional lives will be spent dealing with it.

http://www.itu.int/en/ITU-T/gsi/idm/Pages/default.aspx, 25 September 2011

Shift

o Primary driver is nomadicity.

Requirements

Portability and Interoperability
o The service must use globally unique identifiers in a common interchange format.
o The service must support extensible mapping.
o The service must use a common protocol.

Extensibility
o The service and protocol should be based on XML and XML Schemas.
o The service must support global vocabulary definition.
o The service should support distributed local vocabulary definition.

Negotiated Privacy and Security
o The service must allow identity owners to control their information.
o The service must use a common negotiation protocol.
o The protocol must support anonymity and pseudonymity.

Accountability
o All identity owners and service providers should agree to common terms.
o The accountability framework should be based on universal legal principles.
o Standard dispute resolution mechanisms.

Distributed Registration and Certification Authority
o The service should support both hierarchical and peer-to-peer registration and certification models.
o In the hierarchical model, common standards and protocols should apply to all registration and certification authorities.
o Registrations should be portable.
o Certification standards should support multiple trust levels.
o Certification standards should be extensible to new attributes.

Independent Governing Authority
o The governing authority should be chartered as an international non-profit organization.
o It should set both technical and operational standards for the service.
o It should manage global vocabulary development for universal identity attributes and global protocol control structures.
o It should set the accountability terms for all agents, including registration and certification authorities.
o It should serve as an impartial root authority for hierarchical registration or certification models.

http://www.w3.org/2001/03/WSWS-popa/paper57

IDM presents several challenges in most organizations:

Security:
o Do user entitlements exactly match their needs?
o Are policies, such as segregation of duties rules, violated?
o Do access rights persist after they are no longer needed?

Consistency:
o User profile data entered into different systems should be consistent.
o The fact that each system has its own user profile management system makes this difficult.

Efficiency:
o Setting up a user to access multiple systems is repetitive.

Usability

Reliability

Scalability:
o Enterprises manage user profile data for large numbers of people.
o Any IDM system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.

o Several types of technologies are available to manage user identity data across the enterprise.
o Focus on streamlining the identity management process and managing data consistently across multiple systems.

Examples of different approaches

Higgins - an extensible, platform-independent, identity-protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information.

CardSpace - a system in the Windows Communication Foundation (WCF) of WinFX that allows users to manage their digital identities from various identity providers and employ them in different contexts.

Liberty - allows consumers and users of Internet-based services to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites.

OpenID - is a decentralized single sign-on system; a free and easy way to use a single digital identity across the Internet.

OpenID providers: Yahoo!, Blogger, AOL, Live Journal, MyOpenID.com, LinkSafe, etc. (60 listed at openiddirectory.com)

OpenID relying parties: Plaxo, Pibb, Magnolia, Blogger comments, Live Journal, Wordpress, wikis, blogs, etc. (many, many more listed at openiddirectory.com)

OpenID challenges: perception, relying party (business), user experience, technical.

Directories

o The storage area for user IDs and passwords. It offers one place for a company to view system access across the company.
o Accessed using the Lightweight Directory Access Protocol (LDAP).
o A directory is just the starting point for identity and access management.

Meta Directories

o Engines that synchronize data about users between different systems.
o Simplify user administration.

WebSSO / WebAM

o Middleware used to manage authentication and authorization of users accessing one or more web-enabled applications.
o A WebSSO system intercepts initial contact by the user's web browser to a web application and either verifies the user or redirects the user to an authentication page.
o The WebAM component of the system controls the user's access to application functions and data.
o A WebSSO / WebAM product uses an LDAP directory as a back-end repository to identify all users.
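The interception flow described above (verify the session or redirect to the login page, then let the WebAM policy decide whether the user may reach the requested function), as an added example that is not part of the original slides. The session store, the user-to-group directory standing in for LDAP, the `/sso/login` page and the URL-prefix policy are all constructed sample data; the return-URL check is included because a login redirect that accepts an arbitrary target becomes an open redirect.

```python
"""Minimal WebSSO / WebAM interceptor (added example, constructed data)."""
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

LOGIN_PAGE = "/sso/login"  # assumed location of the authentication page

# Constructed stand-in for the LDAP back-end: user -> groups.
DIRECTORY = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
}

# Constructed session store: cookie value -> (user, expiry as epoch seconds).
SESSIONS = {
    "sess-alice": ("alice", time.time() + 3600),
    "sess-bob": ("bob", time.time() + 3600),
    "sess-stale": ("bob", time.time() - 1),   # already expired
}

# WebAM policy: URL prefix -> group required to reach that function.
POLICY = [
    ("/finance/", "finance"),
    ("/app/", "staff"),
]


@dataclass
class Decision:
    status: int                      # 200 allow, 302 redirect to login, 403 forbidden
    user: Optional[str] = None
    location: Optional[str] = None   # redirect target when status is 302


def safe_return_url(path: str) -> str:
    """Only a relative path on this host may be used as the post-login return
    target; a scheme, a host, or a protocol-relative '//host' is replaced by '/'."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not path.startswith("/") or path.startswith("//"):
        return "/"
    return path


def authenticate(cookies: dict) -> Optional[str]:
    """WebSSO step: map the session cookie to a user, rejecting unknown or expired sessions."""
    entry = SESSIONS.get(cookies.get("SSO_SESSION"))
    if entry is None:
        return None
    user, expires = entry
    if time.time() >= expires:
        return None
    return user


def authorize(user: str, path: str) -> bool:
    """WebAM step: the first matching policy prefix decides; unmapped paths are denied."""
    groups = DIRECTORY.get(user, set())
    for prefix, group in POLICY:
        if path.startswith(prefix):
            return group in groups
    return False


def intercept(path: str, cookies: dict) -> Decision:
    """Run the two steps in order: no valid session -> redirect; valid session
    without entitlement -> 403; otherwise let the request through."""
    user = authenticate(cookies)
    if user is None:
        target = LOGIN_PAGE + "?" + urlencode({"return": safe_return_url(path)})
        return Decision(302, None, target)
    if not authorize(user, path):
        return Decision(403, user)
    return Decision(200, user)


if __name__ == "__main__":
    for path, cookies in [("/app/home", {"SSO_SESSION": "sess-bob"}),
                          ("/finance/ledger", {"SSO_SESSION": "sess-bob"}),
                          ("/finance/ledger", {"SSO_SESSION": "sess-alice"}),
                          ("/app/home", {"SSO_SESSION": "sess-stale"}),
                          ("//evil.example/x", {})]:
        print(path, intercept(path, cookies))
```

Default deny for paths with no policy entry is deliberate: a WebAM layer that lets unmapped URLs through silently exposes any new application function until someone remembers to write a rule for it.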

Password management

o Combination of password synchronization between systems and applications and self-service password reset.
o Users maintain a single password, subject to a single security policy, across multiple systems.
o Effective mechanism for addressing password management problems on an enterprise network.

Enterprise single sign-on

o It is a way of storing user credentials outside of the various applications.
o E-SSO systems have had limited success in large production environments.

User provisioning

o Shared IT infrastructure which is used to externalize the management of users, identity attributes and entitlements from individual systems and applications.
o Intended to make the creation, management and deactivation of login

Role Based Access Control (RBAC)

o An approach to managing entitlements.
o A user has access to an object based on the assigned role.
o Permissions are defined based on job authority and responsibilities within a job function.
o In an SSO system, RBAC grants privileges directly to roles and attaches users to roles.

Access Certification

o Driven by regulatory compliance requirements and security policies.
o It is a process where business stakeholders are periodically invited to review entitlements, sign off on entitlements that appear to be reasonable and flag questionable entitlements for possible removal.
o There are several components to access certification.
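The RBAC model (privileges granted to roles, users attached to roles) and the access-certification review that runs over it, as one added example serving both slides above and the security questions from the challenges slide (do entitlements match needs, are segregation-of-duties rules violated, do rights persist after they are no longer needed). This is not code from the original presentation; the roles, the segregation-of-duties pair, the assignments and the last-used dates are constructed sample data, and the review date is assumed to be the presentation date.

```python
"""RBAC with segregation-of-duties checks and an access-certification pass
(added example, constructed data)."""
from datetime import date

# Role -> permissions. Privileges are granted to roles, never to users directly.
ROLES = {
    "ap_clerk": {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "auditor": {"invoice:read", "ledger:read"},
    "ledger_admin": {"ledger:read", "ledger:write"},
}

# Segregation-of-duties rules: a user may not hold both roles of a pair.
SOD_PAIRS = [("ap_clerk", "ap_approver")]

# Role assignments: user -> {role: date the role was last exercised}.
ASSIGNMENTS = {
    "alice": {"ap_clerk": date(2011, 9, 30), "ap_approver": date(2011, 9, 28)},
    "bob": {"auditor": date(2011, 2, 1)},
    "carol": {"ledger_admin": date(2011, 9, 20)},
}

REVIEW_DATE = date(2011, 10, 6)   # assumed review date (the presentation date)


def permissions_of(user):
    """Effective permissions: the union of the permissions of every assigned role."""
    perms = set()
    for role in ASSIGNMENTS.get(user, {}):
        perms |= ROLES.get(role, set())
    return perms


def can(user, permission):
    """Access decision: the object is reachable only through a role's permission."""
    return permission in permissions_of(user)


def sod_violations(user):
    """Pairs of mutually exclusive roles that this user holds at the same time."""
    roles = set(ASSIGNMENTS.get(user, {}))
    return [pair for pair in SOD_PAIRS if roles.issuperset(pair)]


def certification_report(today=None, stale_after_days=90):
    """Build the list a business reviewer signs off: one (user, role, status)
    row per assignment, with status 'ok', 'sod-violation' (policy breached) or
    'stale' (not exercised within stale_after_days, so probably no longer
    needed). Flagged rows are the candidates for removal."""
    today = REVIEW_DATE if today is None else today
    report = []
    for user, roles in ASSIGNMENTS.items():
        violating = {r for pair in sod_violations(user) for r in pair}
        for role, last_used in roles.items():
            if role in violating:
                status = "sod-violation"
            elif (today - last_used).days > stale_after_days:
                status = "stale"
            else:
                status = "ok"
            report.append((user, role, status))
    return report


if __name__ == "__main__":
    for row in certification_report():
        print("%-6s %-13s %s" % row)
```

The review deliberately flags rather than revokes: certification is a sign-off process by business stakeholders, and removal follows their decision, not the script's.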


Authorization management

A system for managing user access to resources by user, group or role

Beyond the enterprise

o Identity management can extend beyond a single organization.
o Federation enables applications in different domains to share information about users.
o It is the ability to grant system access to parties outside the company's firewall, such as suppliers and outsourcing partners.
o Federation requires that software at one site can communicate basic information to software at another site.
o Different organizations use different software products for their identity management.
o To interoperate, different software products rely on standard protocols.
o Standards regarding federation: Liberty Alliance ID-FF and ID-WSF, Security Assertion Markup Language (SAML), WS-Federation.
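The cross-site exchange that federation rests on, shown from both sides as an added example (not code from the slides or from any of the standards listed): the identity provider at one site issues an assertion about a user, and the relying party at another site decides whether to trust it. The assertion carries SAML-style fields (Issuer, NameID, Audience, NotBefore, NotOnOrAfter); its signature is an HMAC over the canonical JSON under a key shared by the two sites, which is a constructed stand-in for the XML signature and IdP public key a real SAML or WS-Federation deployment uses. The site names and key are made up.

```python
"""Federated sign-on: IdP issues, relying party validates (added example)."""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key"   # stand-in for the IdP's signing credential


def canonical(claims: dict) -> bytes:
    """Deterministic serialization so both sites sign and verify identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


# ---- identity provider side ------------------------------------------------
def idp_issue_assertion(issuer, subject, audience, key, now=None, ttl=300):
    """Mint an assertion for one relying party with a short validity window."""
    now = time.time() if now is None else now
    claims = {
        "Issuer": issuer,
        "NameID": subject,
        "Audience": audience,          # the one site this assertion is meant for
        "NotBefore": now - 30,         # small clock-skew allowance
        "NotOnOrAfter": now + ttl,
    }
    sig = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": sig}


# ---- relying party side ----------------------------------------------------
def sp_validate(assertion, trusted_issuers, my_audience, now=None):
    """Checks the relying party performs before trusting the subject. Returns
    ('ok', subject) or ('rejected', reason). Order matters: the key is chosen
    by issuer, the signature is verified, and only then are the claims read."""
    now = time.time() if now is None else now
    claims, sig = assertion.get("claims", {}), assertion.get("signature", "")
    key = trusted_issuers.get(claims.get("Issuer"))
    if key is None:
        return ("rejected", "untrusted issuer")
    expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return ("rejected", "bad signature")
    if claims.get("Audience") != my_audience:
        return ("rejected", "audience mismatch")   # minted for another site
    nb, na = claims.get("NotBefore"), claims.get("NotOnOrAfter")
    if nb is None or na is None or not (nb <= now < na):
        return ("rejected", "outside validity window")
    return ("ok", claims["NameID"])


def demo():
    """The two messages of the exchange, using constructed site names."""
    idp, sp = "https://idp.example", "https://sp.example"
    trusted = {idp: SHARED_KEY}            # the relying party's federation config
    assertion = idp_issue_assertion(idp, "alice", sp, SHARED_KEY)
    print("IdP -> browser -> SP:", json.dumps(assertion))
    print("SP decision:", sp_validate(assertion, trusted, sp))
    return sp_validate(assertion, trusted, sp)


if __name__ == "__main__":
    demo()
```

The audience check is the one relying parties most often leave out: without it, an assertion a user legitimately obtained for one partner site can be replayed at any other site that trusts the same identity provider.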

IDM Meets SOA

o While SOA promises a new level of IT agility, it also brings security vulnerabilities. Similarly, Web services introduce new security concerns which, if not properly addressed, threaten the success of any SOA project.
o Web services are inherently open and easily accessible.
o Web services must be protected by authentication and authorization processes.
o A Web service may call other Web services that, in turn, might call multiple other Web services.
o The concept of identity management must be extended to Web services, devices and other entities.
o Securing applications within an SOA environment presents challenges as well. Typical threats include message integrity, confidentiality, availability, man-in-the-middle attacks and forged claims.
o Further complicating matters are the issues unique to the SOA environment itself, such as:
  - Services aren't always user-initiated
  - Unlike applications, services have multiple points of entry
  - Web services operate in heterogeneous environments
o SOA security needs to be part of a centralized, integrated offering.
o Identity management functions must deliver a set of standard Web services, including: authentication, authorization, identity administration, account provisioning, auditing and reporting.
o Web services can consume these identity services, which provides a layer of protection and management for Web services.
o This method provides all the benefits of a central identity management system, including:
  - A consistent set of enterprise-wide policies
  - A global view of accounts and access rights
  - Aggregated auditing across the enterprise
  - Enhanced compliance with regulatory legislation such as Sarbanes-Oxley and HIPAA
  - Lower administrative costs

Conclusion

o Implementing effective identity management capabilities is as essential as it has always been for public infrastructures.
o Anonymity almost disappears; privacy is a value proposition.
o Globalization/nomadicity combined with the complexity of the infrastructures and applications increase the IdM value proposition.
o Immediate priorities include better identity proofing and lifecycle management, trusted identifiers for providers and network objects, discovery and assurance metrics.
o Primary venues for identity management include:
  - Government/intergovernmental actions
  - Industry/developer initiatives and products
  - Standards and administrative implementations
o Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise.