Identity Management. An overview of the status of some of the key IdM work (plus some thoughts from the sidelines) Mike Harrop The Cottingham Group

Transcription

1 Identity Management An overview of the status of some of the key IdM work (plus some thoughts from the sidelines) Mike Harrop The Cottingham Group International Telecommunication Union

2 Overview Review the context of work on IdM Discuss some of the issues and challenges Report on current status of the IdM standards work Offer a few personal observations

3 Identity and IdM: The context of the work International Telecommunication Union

4 What is Identity? Identity is both a real-world concept and a digital construct In the real world: The individual characteristics by which a thing or person is recognized or known. (Wordnet, Princeton University) Note: A person may have a number of different identities In the digital world: Information about an entity that is sufficient to identify that entity in a particular context. (ITU-T Rec. Y.2720) Digital identity refers to a digital representation of a set of claims made by one party and presented to another party A digital identity can be a set of identity information (e.g., an address), as opposed to real-world concept that is tied with a person s sense of who they are. Note: the concept of digital identity applies to service providers and objects as well as individuals.

5 Identities Exist in Many Forms & Places Smart- phone Cellular PDA Whatever you re using (devices) PC Collaboration Video Whatever you re doing (applications) People have multiple identities Work Family Hobby Volunteer Voice Telephony IM, Web Apps At your Desk Wherever you are (across various access types) ERP In the Air Managed Office At Home In Town On the Road

6 Can we agree on a definition of Identity? There was a lengthy on-line discussion within ITU-T SG 17 on the definition of identity over the summer of But there is currently no international agreement on the definition of identity

7 What is Identity Management? The management of the life cycle of the digital identity of entities during which the digital representation of identity is established, used and disposed of when no longer needed IdM involves technology, processes, functions and capabilities (e.g. administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) in order to: Manage identity information (e.g., identifiers, credentials, attributes); Assure the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and Improve the robustness of business and security applications. IdM must be scalable from internal systems to external applications and processes IdM is considered a fundamental requirement for wide-scale, secure and trusted interconnections (such as NGN)

8 Definitions of Identity Management A broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity (WhatIS.com) The set of processes, policies and technologies that enable authoritative sources to accurately identify entities; it helps authoritative sources as well as individual entities to facilitate and control the use of identity information in their respective relations. (ISO, 5 th draft IdM Framework, Nov. 2008) The structured creation, capture, syntactical expression, storage, tagging, maintenance, retrieval, use and destruction of identities by means of diverse arrays of different technical, operational, and legal systems and practices. (ITU-T X.1250)

9 Evolving Definition of IdM What is IdM from a carrier, provider, Telecom Perspective? Infrastructure Application Environments Enterprise Edge devices Internal Gateway Hosted Services Other hubs Partner/Suppliers Networks Burton Group 2003 Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities in online spaces Burton Group 2007 Enterprise IdM is the set of business processes, and a supporting infrastructure, that provides Identity-based access control to systems and resources In accordance with established policies

10 IdM Overview (Rec. Y.2720) Identity Ma anagement Identity Information Business and Security Applications including Identity-based Services Federated Services Application Services Access Control (e.g. Multimedia and IPTV) Single Sign-on/Sign-off Role-based Access to Information, Resources and Assets Protection of Personally Identifiable Information Security Protection of Information and Network Infrastructure Enables IdM Functions and Capabilities Identity Lifecycle Management Identity Information Correlation and Binding Identity Information Authentication, Assurance and Assertions Discovery and Exchange of Identity Information Identifiers (e.g. UserID, address, Telephone Number, URI, IP address) Credentials (e.g. Digital Certificates, Tokens, and Biometrics) Attributes (e.g. Roles, Claims, Context, Privileges, Location) Entities Organizations, Business Enterprises, Government Enterprises Users and Subscribers User Devices Network and Service Providers Network Elements and Objects Virtual Objects R055(08)_F01

11 What s changing? - The shift to Identity Providers International Telecommunication Union

12 Legacy Identity Management Wireli ne Current Identity Management Trends Wireline Source FG IDM Tutorial, September 2007, Geneva

13 Perspectives and Challenges on Identity Management International Telecommunication Union

14 The different perspectives on IdM pose some real challenges Security Services & Policing Individual End Users Network Operators & Service Providers Privacy advocates Government & Business users

15 Perspectives and Interests-1 Network operators and service providers Focused on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation Want to offer new applications and services (e.g. NGN, fixed and mobile convergence) including identity based services to subscribers and other service providers Business and government users Looking to minimize costs, support employees, reduce fraud and control/manage inventory and supply chain Want to enable identity assurance services and capabilities, and enhance the level of trust and confidence to support on-line services (e.g. web-based transactions)

16 Perspectives and Interests-2 Government as service provider To help protect the communication infrastructure against cyber security threats To support Public Safety Services (e.g. Emergency 911 services), Emergency Telecommunications Service (ETS), Early Warning Services To enable federated government services National security services and law enforcement To support mandates in infrastructure protection, homeland security, law enforcement (forensics, lawful interceptions etc) To support need for personal identity credentials and biometrics

17 Perspectives and Interests-3 Individual end users Ease and convenience of use Portability of access Confidence in security of transactions Identity theft protection Protection of sensitive private information Reduction in unwanted intrusions Privacy advocates Protection of sensitive personal information Upholding of privacy laws and codes of practice

18 Status of work on IdM

19 Industry/Consortia work Examples of different approaches Higgins - an extensible, platform-independent, identity protocolindependent, software framework to support existing and new applications that give users more convenience, privacy and control over their identity information. Cardspace is a system in the Windows Communications Foundation (WCF) of WinFX allows users to manage their digital identities from various identity providers, and employ them in different contexts where they are accepted to access online services. Liberty - allows consumers and users of Internet-based services and e- commerce applications to authenticate and sign-on to a network or domain once from any device and then visit or take part in services from multiple Web sites. OpenID - is a decentralized single sign-on system. On OpenID-enabled sites, Internet users do not need to register and manage a new account for every site before being granted access. Instead, they only need to be previously registered on a website with an OpenID "identity

20 ITU-T motivation for IdM work To provide a general framework that incorporates different perspectives and technologies To address the interplay between cybersecurity and IdM (The main issues are strong authentication, interoperability between IdM systems, and the development of common IdM data models to ensure appropriate exchange of IdM attributes and information) To enable service providers to reduce the cost of managing all the partial identities that exist in the network To facilitate revenue-generating NGN identity-based subscription services e.g. single sign-on, presence, location etc

21 Current ITU-T Approach Joint Coordination Activity on IdM and IdM Global Standards Initiative (GSI) established December 2007 Most IdM work is being done in Study Group 17 (Security) and Study Group 13 (Future Networks, including Mobile and NGN)

22 ITU-T IdM results so far include: IdM focus group established in 2006 was open to all and drew wide interest. Six substantial reports from the FG IdM: Report on Activities Completed and Proposed Report on the Deliverables Report on Identity Management Ecosystem and Lexicon Report on Identity Management Use Cases and Gap Analysis Report on Requirements for Global Interoperable Identity Management Report on Identity Management Framework for Global Interoperability Two workshops & one conference

23 Current status of ITU-T work 1 Recommendations now under Determination SG13 NGN: Y.2720 NGN Identity management framework (Approval expected in January 23 rd 2009) SG17 Security: X.1250 Capabilities for enhanced global identity management trust and interoperability X.1251 A framework for user control of digital identity (Approval of X.1250 & X.1251 expected in February 2009)

24 Current status of ITU-T work 2 Recommendations for future Determination X.idm-ifa: Framework architecture for interoperable identity management systems X.idm-dm: Common Identity Data Model X.rfpg: Privacy guideline for RFID X.idmsg: Security guidelines for identity management systems X.priva: Criteria for assessing the level of protection for personally identifiable information in IdM X.eaa: Entity Authentication Assurance

25 ISO/IEC JTC1 SC 27 Work ISO A Framework for Identity Management (5 th Working Draft) The 6 th WD should be available in February 2009

26 OECD Currently developing a Primer on Identity Management (Internal OECD document - now due March 2009) The primer is intended serve as input to an OECD IdM Policy Framework

27 More information IdM Focus Group T/studygroups/com17/fgidm/index.html Global Standards Initiative for Identity Management (IdM-GSI) Joint Coordination Activity for Identity Management

28 The following Thoughts from the Sidelines are personal observations. They are presented here to stimulate discussion. International Telecommunication Union

29 1. What is identity and what is IdM? It is essential that we have a clear definition and understanding of what is meant by the terms identity and identity management if we are to develop IdM standards. Yet, even as the first standards are near to completion there is no agreement on these terms.

30 What is identity and what is IdM? ctd One reason for the difficulty in getting agreement are the different perspectives e.g. ISO JTC1 SC27 deals largely with protection of identity information in information systems; ITU-T deals with the protection and use of telecommunications infrastructures and services. However, the definitions are not yet consistent even in the draft ITU-T Recommendations. The paper A Relationship Layer for the Web... and for Enterprises, Too, Bob Blakley, the Burton Group, June 2008, illustrates the total lack of world-wide agreement on the definition of identity and associated terms Is it possible to manage something (particularly across multiple domains) if you can t agree what it is?

31 2. Needs are not uniform for all potential IdM users Most on-line transactions, require only authorization information, not evidence of identity. Information requested (credit card, telephone number, address etc) authenticates the user on the basis of having that information. It does not provide irrefutable evidence (or any evidence) of identity. However, positive confirmation of identity is required for law enforcement and security agency activities as well as the granting of some rights such as access rights, right to board an aircraft, or enter a country. Does the broad range of needs mean that the identity information collected must satisfy the needs of those users who require the greatest level of detail?

32 3. Privacy concerns There must be protection against inappropriate collection of information Collecting too much information Collecting when not strictly necessary Collecting without consent Invasiveness of collection And against inappropriate use and disclosure Secondary uses (function creep) The data collected must be properly secured and protected against poor information management & handling procedures and practices

33 Privacy concerns ctd Use of global identifiers poses a risk to privacy Neither personal identifiers, nor the risks they pose to privacy are new. E.g. Canadian & US Social insurance/security numbers (SIN & SSN) predate the Internet, electronic commerce and, to a large extent, data communications. The safeguards associated with the SIN and SSN protect the organization, rather than the individual. They were not designed with the protection of personal information (or the risk of identity theft) in mind. Privacy (like security) should be built-in, not added as an afterthought.

34 Privacy concerns ctd Privacy protection is not (so far) a primary objective of the IdM work While privacy needs are recognized and some issues are beginning to be addressed, most emphasis is still on organizational (service provider) needs, rather than personal privacy. ( The purpose and focus of the ITU-T is also that of telecommunications, rather than the protection of personally identifiable information. Annex A to SG 17 Q6 report, April 2008) Thus, the issue of how personal information used in the context of IdM can be protected needs further consideration. This is not just a standards issue. (There are technical, legal and policy issues to be addressed).

35 4. What happens when something goes wrong? With the shift to identity providers, where will the information be kept? (Off shore?) Who is responsible if information is leaked or stolen (either individually or as part of a mass leak)? Will anyone be held accountable under existing laws? What help will there be to resolve the situation in the event of compromise? What recourse will there be for those whose information is compromised?

36 A closing thought An identity is a model of a person. Only an organization which has a close relationship with an individual knows enough about that individual to build an identity which is an accurate model; the more intimate the relationship is, the more accurate the identity will be. Organizations have only casual relationships with most of the individuals they deal with, so they build inaccurate identities which create risks for individuals and for themselves. Building accurate identities on the Internet will require new relationship technology and a new set of intermediaries who have sufficiently intimate relationships with individuals to construct identities for them. Bob Blakley, Burton Group