Digital Identity Management
Strategy, Policies and Architecture
Kent Percival
2005 06 23
A presentation to the Information Services Committee
2005 06 23 Digital Identity Management (ISC) Percival 2
Presentation & Discussion
Goal: to develop a common perspective of Digital Identity Management and the resulting strategies, policies and architecture
Overviews
  Business/Organizational model
  Implementation issues and strategies
What is a Digital Identity?
A computer object representing a real person
… we used to call them Computer Accounts
… could also represent a device, an application, …
Digital Id's… so many of them!
Systems have separate user accounts
Some applications maintain id databases
Some maintain additional personal information to control authorization or personalize service.
Maintained by separate administrations
[Diagram: the many separate identity stores on campus: Colleague, Library Patron, HS Express, Human Resources, numerous departmental servers, Active Directory, Central ID, Central File Service, dial-up modem, "general" and "stats" portals, web hosting, ResAdmin, ResNet, phones, voice mail, Athletics, Campus Directory, central e-mail, WebCT, network access, several building access systems, FRS Purchasing and OOL D2L, with only periodic data sharing between some of them]
What is a Digital Identity used for?
Authentication: verifying the user really is who they say they are.
Authorization: determining what the user can and can't do.
Accounting: having a record to investigate incidents after the fact.
Identification: identifying the user by unique ID, common name, email address, …
Personalization: making services efficient and effective by knowing the user.
What's in a Digital Identity?
Security information (computer account stuff)
  Authentication: ID, password, …
  Authorization: access control, groups, file permissions
Organizational information
  Relationship to Org: Dept; status
  Organizational identifiers: Empl. #, Student #; email addr.
Personal information
  Name, email addr., phone #, address, …
  Personal preferences for services
Limitations of local "accounts"
Security
  Varying quality of administration
  Controlling exposure: limited scope but slow response
  No institutional policy control
Efficiency
  Many administration points
  Multiple relationships with information "owners"
Service
  No single sign-on ... or a complicated process
  Personalization varies between services
Efficiency? <-> Centralization?
First Try: Managing identities on many systems is expensive. Put all the data in one place. Campus Directory!
Why isn't this working well? Technical reasons … but mainly Organizational reasons …
Technical pitfalls
Success of Directories for systems and application management
Proprietary architecture and designs
Applications with closed requirements
Data must be in different formats for different uses
Organizational pitfalls
Privacy concerns
Security concerns
Data ownership concerns
Different interpretations of data
Inappropriate use
Trusting the data of others
Silo approach to service management
Strategy: deal with Org Issues!
Identify the Organizational opportunities
Define an Organizational reference model
Create policies and strategies to deal with the organizational pitfalls.
The Organizational Trust Model
Users and Service providers must trust one another and trust a central Digital Identity Management System
Trust Domain - a collection trusting each other: service providers; users; trust and identity management
Can't trust everyone and everything immediately
  It takes time to build a trust domain.
  Overlapping domains create problems
  The scope of a domain should match organizational boundaries.
Security Management
[Diagram: Trust Management, Identity Management, Vulnerability Management and Threat Management surrounding the three elements Trust, Identity Systems and Communication]
Trust <-> Policies
In an organization trust is managed by successful implementation of appropriate institutional Trust Management Policies and Identity Management Policies
  Security
  Privacy
  Appropriate Use - who and how
Involves
  Persons: faculty, staff, students, temporary, … public
  Owner and Steward responsibilities
ROLES
Organizations are people with roles
Roles define org. relationships: Identity!
Computer applications define roles for users.
Org. Role - a key element of a Digital Identity
Assigning a Role defines Authorization
Need to harmonize organizational roles with computer application roles.
Outside the Trust Domain
With the Internet, a Trust Domain is not a closed system.
Persons outside the trust domain need to access campus services
  Where do those services go?
  How do we authenticate and authorize those persons?
People in our trust domain need to access services at other institutions
Federated Identity Management
Federated Id. Management
[Diagram: the UoG trust domain (users, services, authentication/authorization servers) and the UW trust domain (users, services, authentication/authorization servers), joined by one trust relationship between the two domains' authentication/authorization servers]
Authentication/Authorization Servers are critical components of both trust domains
Implementation
Ideal Architecture - industry target
[Diagram: Computer Systems, Software and IT Services are replaced or integrated so that AAA controls (Authentication, Authorization, Accounting) sit on Policy Servers (a "Central Auth. Server"), backed by one reliable datastore (the DIRECTORY) and Digital Identity admin tools]
Services have limited access to DI info
A few Policy Servers handle sensitive information
One reliable, secured information store
All data centrally administered
Directory reality
Directories, directories, directories, … implementations are intimately linked to systems and applications!
Most Directories do not have appropriate administration and policy management tools
A Directory is not always the appropriate technology
Authen./Author. Imbedded
Some applications rely on Operating System control functions
Many applications have imbedded business rules controlling authentication and authorization
Trust Domain Policies must be implemented in many places. Need common vocabulary and explicit policy implementations
Realistic Architecture
[Diagram: Systems #1 to #6, each with its own Software and IT Services; their Authentication, Authorization and Accounting functions are attached to three separate Directories (# A, # B, # C), each serving more than one system, with Digital Identity admin tools managing the directories]
Centralized vs distributed
Collecting all Identity information into one central "longitudinal" record does not work
Data exists in several places
  Central repository (e.g. campus Directory)
  Shared repositories (e.g. CFS AD)
  Within a single application
Use a "virtual" Identity Object Model
  Central design / distributed data
  Centrally administer global/essential data
  Define where other data is stored - provide key link information
  Copy data to accessible location
  Use referral directory lookups (ask one directory)
[Diagram: the Master Digital Identity Directory, maintained by the Central Digital Identity Management Service, holds references (ref: Employee #, ref: Student #, ref: Express #) into the Human Resources, Colleague and HS Express directories; a Central Authentication/Authorization Service reads the master directory and serves Applications & Services]
What's in the central DI object?
Authentication data: password, digital certificate, fingerprint signature
Identity: unique ID, common names, …
Address: office, phone #, FAX, email address, …; hyperlink to personal webpage
Affiliations: org units, group memberships, …
Organizational Roles: who are you; what are you allowed to do?
Keys to D.I. information in other repositories: Employee #, Student #, Library barcode, ExpressCard #, …
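The "virtual" Identity Object Model of the previous two slides (central design, distributed data, key links into other repositories, referral lookups, and services with limited access to DI info), as an added Python example that is not part of the presentation; the repositories, attribute names, user record and service policies are constructed for illustration.

```python
# Added example: a minimal "virtual" Digital Identity object. The master
# record is the only centrally administered store; it holds global data plus
# keys into repositories owned by other administrations. A referral lookup
# follows those keys on demand, and each service sees only what its policy
# allows. All stores, names and policies below are constructed sample data.
MASTER = {
    "jdoe": {
        "uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.edu",
        "roles": ["staff"],
        # key links: which key identifies this person in each other repository
        "refs": {"hr": "E-1001", "student": None, "express": "X-77"},
    },
}
HR = {"E-1001": {"dept": "CCS", "status": "active", "sin": "000-000-000"}}
STUDENT = {}                     # this person has no student record at all
EXPRESS = {"X-77": {"balance": 12.50}}
REPOS = {"hr": HR, "student": STUDENT, "express": EXPRESS}

# "Define where other data is stored": attribute -> owning repository.
LOCATION = {"dept": "hr", "status": "hr", "sin": "hr",
            "year": "student", "balance": "express"}

# Per-service views: services have limited access to DI information.
POLICY = {
    "webct": {"uid", "cn", "mail", "roles", "dept"},
    "payroll": {"uid", "cn", "dept", "status", "sin"},
}


def lookup(uid, attr):
    """Ask one directory: resolve attr for uid, following a referral if the
    attribute is not global. Returns None when the person has no record in
    the repository responsible for that attribute."""
    rec = MASTER.get(uid)
    if rec is None:
        raise KeyError(f"unknown identity {uid!r}")
    if attr in rec:                          # global data lives centrally
        return rec[attr]
    repo = LOCATION.get(attr)
    if repo is None:
        raise KeyError(f"no repository defined for attribute {attr!r}")
    key = rec["refs"].get(repo)              # follow the key link
    if key is None:
        return None
    return REPOS[repo].get(key, {}).get(attr)


def view(service, uid):
    """Return only the attributes the service's policy permits; a service
    with no policy is treated as outside the trust domain."""
    allowed = POLICY.get(service)
    if allowed is None:
        raise PermissionError(f"service {service!r} is not in the trust domain")
    return {a: lookup(uid, a) for a in sorted(allowed)}
```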
Summary 1
A good D.I. Mgmt design
  requires an organization-wide model
  recognizes use outside the trust domain
  starts with policy to build a trust domain
    Security, privacy and appropriate use of DI data
    administered efficiently, timely, accurately
  relates Identity to organizational role
Summary 2
A DI Mgmt system is implemented with
  multiple distinct Directory Servers
  authentication and authorization functions implemented on separate AAA servers, instead of being imbedded in systems and applications
  a virtual DI object defining information in multiple datastores
  a central DI object component which
    provides general Digital Identity information
    provides keys to other DI information in datastores managed by others.
First Steps: Develop Org. Trust Model
Identify the Organizational opportunities
Define an Organizational reference model
Create policies and strategies to deal with the organizational pitfalls.