Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Transcription

1 Assuring Identity The Identity Assurance Framework CTST Conference, New Orleans, May-09 Brett McDowell, Executive Director, Liberty Alliance

2 150+ Liberty Alliance Members, including... 2

3 Digital Identity in context of credentials

4 1 credential per application = Identity Silos Joe s Fish Market.Com Tropical, Fresh Water, Shell Fish, Lobster,Frogs, Whales, Seals, Clams

5 Digital Identity: ATM Historic Analogy Separate Cards with Each Bank Linked Cards within Bank Networks Seamless Access Across all Networks Bank A ATM Card Bank B ATM Card Bank ATM Network A Bank ATM Network B Bank A ATM Card Bank B ATM Card Bank ATM Network A Bank ATM Network B Bank C ATM Card Bank ATM Network C Bank C ATM Card Bank ATM Network C Individual Accounts with Many Web Sites Federated Accounts within Trust Domain Linkage of Trust Domains

6 Digital Identity Requires Interoperable Assurance Credential Service Provider (CSP) Identity Proofing Credential Lifecycle Management Operational Criteria for Trust Relying Party (RP) Assesses Risk of Application Complies with Best Practices Provisions the Service or Resource Credential Service Provider User gets great experience: safe, simple access from any device to services/resources Relying Parties 6

7 There are Two Problem Areas Technical Interoperability Does the client application I'm using talk to the systems I want to use? (can I type in my PIN on my iphone and have unfettered access to government and commercial services without logging in again?) Does the system that authenticates me (vouches for me) talk to the service provider systems I want to access? (can I login to my bank's site and use that to pay my taxes, book travel, and check my Gmail account?) Operational Interoperability & Assurance Do the government and commercial systems trust each others' systems, operating procedures, vetting practices, etc.? (i.e., understand & accept the distribution of liability when/if something goes wrong)

8 Digital Identity Ecosystem: Technology

9 Assurance Case Study: Citi s Experience Business Case: Drug R&D process Highly regulated and paper-intensive process Competitive landscape demands streamlining Drivers Cost savings, shorten timeframes FDA acceptance of digital signatures Other government entities also adopting SAFE Biopharma common standard for that industry Citi s Perspective SAFE issuer since 2005 currently providing services to two global pharmaceuticals Issuance services complies with EU advanced digital signatures guidelines

10 so why the need for a common standard? 10

11 Digital Identity Ecosystem: Assurance w/iaf Accredited Assessors List Certified Federations List Authentication Technology Credential Service Provider Assessor IAF s Initial Focus Federation Operator Relying Parties End user (subscriber) IAF enabled Inter-Federated Cloud: RP applications trusting [Certified Federations, who enroll & monitor] IAF compliant CSP s, based on Accredited Assessor Assessments Government Applications, Services, Resources 11

12 Identity Assurance Framework What is it? Framework supporting mutual acceptance, validation and lifecycle maintenance across identity federations (i.e. systems that trust each other) Started with EAP Trust Framework, UK tscheme and US e-auth Federation Credential Assessment Framework as baseline Harmonized, best-of-breed industry identity assurance standard Identity credential policy Business procedure and rule set Baseline commercial terms Guideline to foster inter-federation (i.e. inter-trust) on a global scale It consists of 4 parts: Assurance Levels Service Assessment Criteria Accreditation and Certification Scheme Business Rules/Deployment Guidelines 12

13 IAF Assurance Levels Definition: Level of trust associated with a credential measured by the strength and rigor of the identity-proofing process, the inherent strength of the credential and the policy and practice statements employed by the Credential Service Provider (CSP) Four Levels of Assurance Level 1 Little or no confidence in asserted identity s validity Level 2 Some confidence Level 3 Significant level of confidence Level 4 Very high level of confidence Use of Assurance Level is determined by level of authentication necessary to mitigate risk in the interaction, as determined by the Relying Party CSPs are certified by Federation Operators to a specific Level(s)

14 IAF Assurance Levels Illustrated Assurance Level Example Assessment Criteria Organization Assessment Criteria Identity Proofing Assessment Criteria Credential Mgmt AL 1 Registration to a news website Minimal Organizational criteria Minimal criteria - Self assertion PIN and Password AL 2 Change of address of record by beneficiary Moderate organizational criteria Moderate criteria - Attestation of Govt. ID Single factor; Prove control of token through authentication protocol AL 3 Access to an online brokerage account Stringent organizational criteria Stringent criteria stronger attestation and verification of records Multi-factor auth; Cryptographic protocol; soft, hard, or OTP tokens AL 4 Dispensation of a controlled drug or $1mm bank wire Stringent organizational criteria More stringent criteria stronger attestation and verification Multi-factor auth w/hard tokens only; crypto protocol w/keys bound to auth process Note: Assurance level criteria as posited by the OMB M & NIST SP

15 Accreditation & Certification Scheme Oversight by Member Committee Assessor is Accredited based on application of demonstrated expertise CSP service is Certified to LOA based on IAF compliance RP is informed by voluntarily guidelines Federation Operator is certified to Inter- Federation criteria Technology is Certified to be Interoperable User has safe, simple access to services Partners operate under contract: could be based on FIMAC: Federated Identity Model Agreement & Commentary (a collaboration with American Bar Association) Credential Service Provider Relying Parties

16 More Information on IAF... Liberty Alliance Identity Assurance Overview IAF Read Me First Document The Identity Assurance Framework