Enterprise Privacy and Federated Identity Management

Similar documents
Service-oriented Assurance

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

IBM Identity Mixer. Introduction Deployment Use Cases Blockchain More Features

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

Protecting Privacy while Sharing Medical Data between Regional Healthcare Entities

On the Revocation of U-Prove Tokens

A RESTful Approach to Identity-based Web Services

Identity Management Systems An Overview. IST Event 2004 /

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

U-Prove Technology Overview

Thebes, WS SAML, and Federation

ArcGIS Server and Portal for ArcGIS An Introduction to Security

EnterSpace Data Sheet

Canadian Access Federation: Trust Assertion Document (TAD)

Privacy in Browser-Based Attribute Exchange

IBM SmartCloud Engage Security

MCSE Productivity. A Success Guide to Prepare- Core Solutions of Microsoft SharePoint Server edusum.com

Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

Trusted Computing: Introduction & Applications

Digital Certificates Demystified

Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Federated Identity Management

Securing your Standards Based Services. Rüdiger Gartmann (con terra GmbH) Satish Sankaran (Esri)

Security Information & Policies

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

IRMA: I Reveal My Attributes

Direct Anonymous Attestation

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Course Outline 20742B

Lesson 13 Securing Web Services (WS-Security, SAML)

Tivoli Federated Identity Manager. Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic

Windows Server : Configuring Advanced Windows Server 2012 Services R2. Upcoming Dates. Course Description.

Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich

Identity Management. Rolf Blom Ericsson Research

NET EXPERT SOLUTIONS PVT LTD

Introduction to Identity Management Systems

ArcGIS Online A Security, Privacy, and Compliance Overview. Andrea Rosso Michael Young

CSE 565 Computer Security Fall 2018

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016

Identity Management: Setting Context

Deploying Access Control using Extended XACML in Open Web Service Environment

IAM for Workday: How to Embrace an 800 Pound Gorilla. Michael Brogan & Jonathan Pass UW-IT, Identity & Access Management

SYDNEY FESTIVAL PRIVACY POLICY

Identity, Authentication and Authorization. John Slankas

Configuring Advanced Windows Server 2012 Services

Old, New, Borrowed, Blue: A Perspective on the Evolution of Mobile Platform Security Architectures

Enhanced Privacy ID (EPID), 156

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

Kerberos on the Web Thomas Hardjono

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

SWAMID Identity Assurance Level 2 Profile

CERTIFICATE POLICY CIGNA PKI Certificates

Active Directory Services with Windows Server

Canadian Access Federation: Trust Assertion Document (TAD)

Kenex (Electro-Medical) Limited. Privacy Statement. Kenex (Electro-Medical) Limited (Kenex) have been in business for over 40 years and have

Technologies for Securing the Networked Supply Chain. Alex Deacon Advanced Products and Research Group VeriSign, Inc.

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

SLCS and VASH Service Interoperability of Shibboleth and glite

Cisco pxgrid: A New Architecture for Security Platform Integration

Single Sign-On Best Practices

Tracking changes in Hybrid Identity environments with both Active Directory and Azure Active Directory

Novell Access Manager 3.1

Adding value to your MS customers

WHITEPAPER. Security overview. podio.com

SEVENMENTOR TRAINING PVT.LTD

Privacy with attribute-based credentials ABC4Trust Project. Fatbardh Veseli

BT Assure Cloud Identity Annex to the General Service Schedule

The Identity Web An Overview of XNS and the OASIS XRI TC

Authentication with Privacy for Connected Cars - A research perspective -

ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief

The Impact of SOA Policy-Based Computing on C2 Interoperation and Computing. R. Paul, W. T. Tsai, Jay Bayne

Course 20412: Configuring Advanced Windows Server 2012 Services Duración: 05 Días. Acerca de este curso

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Canadian Access Federation: Trust Assertion Document (TAD)

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Canadian Access Federation: Trust Assertion Document (TAD)

VMware AirWatch Tizen Guide

Use Cases for Argonaut Project -- DRAFT Page

FACTS WHAT DOES FARMERS STATE BANK DO WITH YOUR PERSONAL INFORMATION? WHY? WHAT? HOW? L QUESTIONS?

M20742-Identity with Windows Server 2016

Dissecting NIST Digital Identity Guidelines

SAML-Based SSO Solution

W H IT E P A P E R. Salesforce Security for the IT Executive

IBM IBM IBM Tivoli Federated Identity Manager V6.1. Practice Test. Version

A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures

Canadian Access Federation: Trust Assertion Document (TAD)

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

Identity Deployment and Management in Wireless Mesh Networks

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

TAS 3 Architecture. Sampo Kellomäki Symlabs , ServiceWave, Stockholm

Liferay Security Features Overview. How Liferay Approaches Security

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

IBM dashdb for Analytics

Identity with Windows Server 2016

"Charting the Course... MOC B Active Directory Services with Windows Server Course Summary

Ecological Waste Management Ltd Privacy Policy

Transcription:

Enterprise Privacy and Federated Identity Management Michael Waidner IBM Zurich Research Lab & IBM Privacy Research Institute April 2003

Outline 1. Motivation 2. Enterprise Privacy Management 3. Federated Identity Management 4. Summary Joint work of many people: Paul Ashley, Endre Bangerter, Jan Camenisch, Satoshi Hada, Thomas Gross, Günter Karjoth, Michiharu Kudo, Anna Lysyanskaya, Birgit Pfitzmann, Calvin Powers, Matthias Schunter, Els Van Herreweghen, Michael Waidner.

1. Motivation

What do people think about privacy? Privacy concerns are high, back to pre-9/11 level Consumers have clear preferences [Harris 2002] Security procedures [90%], access control [84%], enforcement [>80% ] Assurance of real privacy practices [91%] Market for enterprise privacy management Until 2002 general focus on client-side technology Strong push for enterprise-side privacy technology Ad-hoc identity management solutions with weak privacy Integration of identity, privacy and access management IBM Tivoli Privacy Manager only complete privacy management product [Steve Hunt, Giga, 02/2003]

Privacy-enhancing technologies Privacy-enabling Infrastructure Client Trusted user device (!?) New processes Local customization Privacy policies Preferences Negotiation Filtering and privacy violation detection Identity management Many pseudonyms Sharing of personal attributes Trust establishment Customer privacy services User interface Communication End-to-end security Anonymity Trust Certified attributes Authentication Identity Convenience SSO Uncertified attributes Payment and delivery Organization Exploration of status quo Process (re-)engineering Data minimization paradigm Anonymization techniques Enterprise privacy policies Creation & maintenance Recording consent & negotiation Authorization and enforcement Identity management Many pseudonyms Sharing of personal attributes Trust establishment Customer privacy services Auditing & violation detection

2. Enterprise Privacy Management Enterprise Privacy Authorization Language (EPAL)

Enterprise Privacy Management Enterprises want better privacy for their customers but need support Making good privacy promises is easy and good for the business, keeping them is difficult but necessary and needs technology Privacy practices implementing the promises must be enforced & controlled from access control to privacy authorization enforcement on enterprise data systems reporting back to data subjects audit by independent third parties Compatibility with laws, regulations, and public promises easy to understand and maintain by non-technical people easy to derive new policies from existing ones (laws, corporate, sector, ) well-defined relation to P3P Requires a new language: EPAL, Enterprise Privacy Authorization Language

Syntactic elements of an EPAL policy EPAL definitions Lists of hierarchies for data user, data category, purpose Lists for action, container, condition, obligation container provides an abstract definition of data to be evaluated by conditions condition use XACML as language; used to check context, consent and other data subject properties EPAL policy is list of rules, sorted by priority default ruling: allow, deny, not-applicable (for: w/in scope, but don t care) Elements of a rule allow (or deny or obligate) data user + du 1, du 2, e.g., borderless-books action + a 1, a 2, e.g., read for purpose p 1, p 2, e.g., book-of-the-month-club on data category + dc 1, dc 2, e.g., email under condition * c1(container X 1, X 2, ), c 2 ( ), e.g., "/CustRecord/Consent/BookClub=True && /CustomerRecord/age>13 yielding obligation * o 1 (), o 2 (), e.g., write audit Plus management and version info, imported policies, scoping, Version 1.0, March 2003: http://www.zurich.ibm.com/security/enterprise-privacy/epal

Semantics of EPAL: Authorization Policy maps any well-defined authorization request (data user, action, purpose, data category, container/s) to decision {allow, deny, not-applicable} + obligations Completion of rule set through inheritance allow inherits down along hierarchies deny inherits up and down Check rules in given order for applicability Decision rule covers request directly / by inheritance (efficiently via hash tables) condition/s are satisfied First applicable deny/allow-rule decides + take rule s obligation/s + all from all obligate-rules on the way If there is none then take default ruling + take all obligations from all obligate-rules

Semantics of EPAL: Authorization EPAL gives abstract policies! We also need deployment descriptions: Policy maps any well-defined authorization request (data user, action, purpose, Storage data category, locations container/s) data category to decision {allow, deny, not-applicable} Storage locations + obligations container Application calls data user, purpose, operation Completion of rule set through inheritance Some operations obligation allow inherits down along hierarchies deny inherits up and down Check rules in given order for applicability Decision rule covers request directly / by inheritance (efficiently via hash tables) condition/s are satisfied First applicable deny/allow-rule decides + take rule s obligation/s + all from all obligate-rules on the way If there is none then take default ruling + take all obligations from all obligate-rules

Enforcement architecture for EPAL (aka Tivoli Privacy Manager-next) Subject Data user Authorization Application EPAL Policies EPAL Engine Consent Obligation log file Access log file Deployment Descr. EPAL Monitor (and cache) Data Privacy Officer Subject Auditor Request + Context

The next step: sticky-policy paradigm across domains Subject App3 AppA App1 App2 Data + EPAL via WS-Privacy Data EPAL Data EPAL Enterprise 2 Enterprise 1 Define privacy boundaries within the infrastructure that encompasses all the places where personal info is stored. It should always be possible to determine the applicable privacy policy that was in force when a particular piece of personal info was collected.

EPAL status and plans Language Specification published March 2003, open for comments Efficient evaluation Formal standardization depends on feedback Enforcement Target: Tivoli Privacy Manager Specific integration with WAS & DB2 (aka Hippocratic Database) Sticky policy paradigm in a Web services context Various extensions Individual-authored policies for collaborative applications Stateful semantics Refinement and composition of EPAL

3. Federated Identity Management: Overview

Federated Identity Management Enterprises want better privacy for their customers but need support Vertical and horizontal integration, across trust domains, requires FIM Federated identity management Get uncertified personal attributes to enterprise B Get certified attributes from enterprise A to B, with user s consent Special case: single sign-on across trust domains Essentially the MS Passport / Liberty space Our goal: Full scalability, provable security, efficient (practical, not just polynomial) Short-term deployable protocol with better privacy (optimal for uncertified attr.): Browser-based Attribute Exchange (BBAE) Mid-term deployable protocol with maximum privacy: Identity Mix (idemix)

Privacy in federated identity management Attributes about P are only given to O, used there, or disclosed to others, with P's informed consent. Fundamental implications Explicit privacy policy (modulo exceptions by law) Avoid unnecessary identification: multiple pseudonyms per person Avoid trust bottlenecks: multiple wallet holders, including local wallets Covers explicit attributes Pseudonym, name, address, salary, blood group, Facts, like regular IBM employee or salary above 100 000 USD Should also cover implicit attributes, as much as possible Traffic patterns (e.g., browsing history) Identifiable representation of non-identifiable attributes (e.g., attribute certificates) Personal writing style

Existing proposals Fully scalable Small federation Single enterprise SAML SSO Liberty 1.0 ec-sso WebSEAL Proxy wallets SAML msg PKI C C Passport C Shibboleth C BBAE Form filler C C idemix IBM Product Other product Proposal / standard Browser-based Local client w/ certified attributes SSO only Attributes Some privacy Full privacy

idemix hypothetical example subscribe access Organization O Patent database Access requires paid subscription Subscription is proven by showing a valid certificate signed by the operator Enables operator to track the queries of each subscriber which many subscribers perceive as a breach of confidentiality

How idemix solves this problem Step 1: Pseudonyms Organizations know individuals by pseudonyms only Step 2: Control attributes Only necessary attributes are shown Step 3: Standardize attributes Effective only if shown attributes don't identify individuals (rather an application requirement...) Step 4: Prove knowledge of cert's Certificates are kept secret, only their possession is shown (zeroknowledge proofs of knowledge)

idemix hypothetical example (cont.) subscribe access Organization O Patent database Only possession of a valid subscription is proven Certificate itself is never sent back to the organization O O does not recognize repeated shows of the same certificate

idemix features Security features Unforgeability of credentials (based on SRSA) Unlinkability of shows (based on DDH) Prevention of credential sharing and pooling (based on DL) Optional features Anonymity revocation Local deanonymization: nym on which credential was issued Global deanonymization: nym of user with a dedicated Root Authority One-show credentials (e.g., for e-cash) Credential revocation Reasonable performance for a PKI

Performance Test system IBM Thinkpad T23 (1.3 MHz Pentium 3) Debian Linux Java 1.3.1 (Blackdown) Further optimizations (overlap of computation): expected speedup x2 options time (sec) RegNym 0.1-0.2 GetCred any 1.0-1.5 ShowCred no 0.9-1.2 ShowCred + one-show +0.2 ShowCred + expir. date +0.2-0.4 ShowCred + local deanonym. +0.3-0.5 ShowCred + global deanonym. +0.3-0.5 ShowCred all options on 1.9-2.4

4. Summary

Summary Privacy is a business issue, in need of policies and technologies Two important areas for the near future: Enterprise privacy management Federated identity management EPAL proposal for fine-grained privacy enterprise policies Federated identity management may become almost mandatory Privacy is important: make it the normal case Efficient, user-friendly protocols possible BBAE as short-term implementable alternative idemix as mid-term full-privacy alternative Compatible with Web services strategy Integration with client-side technology (smartcard, TCPA) possible

For more information How to reach me Notes Michael Waidner/Zurich/IBM@IBMCH email wmi@zurich.ibm.com Web http://www.zurich.ibm.com/~wmi Privacy at IBM IBM privacy products and services (public): http://www.ibm.com/security/privacy IBM Privacy Research Institute (public): http://www.research.ibm.com/privacy Privacy at IBM (internal): http://w3.ibm.com/privacy

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback