Identity 3.0 and Oracle
A match made in heaven or is hell freezing over?
Bram van Pelt
Who Am I
• Bram van Pelt
• Expert lead Security
• Security Consultant
What will we be covering
Agenda
• The evolution of identity
• Identity 3.0
• Oracle POC implementation
Definitions
• Account
• Identity
• User
The history of digital Identity
Identity 1.0
• Jericho Forum
• De-perimeterisation
• COA Framework
COA Framework
• Technologies
– Endpoint security
– Secure communications
– Secure data (DRM)
COA Framework
• Processes
– People Lifecycle Management
– Risk Management
– Information Lifecycle Management
– Device Lifecycle Management
– Enterprise Lifecycle Management
COA Framework
• Services
– Identity management and federation
– Policy Management
– Information Classification
– Information Asset Management
– Audit
Identity 2.0
• Securely collaborating in clouds
• Identity, Entitlement & Access Management Commandments
Identity, Entitlement & Access Management Commandments
• 14 Guidelines on how to secure an identity
• An Entity can have multiple, separate Persona (Identities) and related unique identifiers
• The source of the attribute should be as close to the authoritative source as possible
• A resource owner must define Entitlement (Resource Access Rules)
Identity 3.0
• Bring your own identity
• Using identity to enhance privacy
• “We believe that with a single global identity eco-system all this is possible.”
Identity 3.0 definitions
• External identifier: an attribute provider other than the user.
• Core identifier: the “bring your own identity” attribute provider.
• Persona: a mix of attributes provided by the core identifier and, optionally, by external identifiers.
Identity 3.0 principles: Risk
• Decisions around identity are taken by the entity that is assuming the risk; with full visibility of the identity and attributes of all the entities in the transaction chain.
• Attributes of an Identity will be signed by the authoritative source for those attributes.
Identity 3.0 principles: Privacy
• Every entity shall need only one identity which is unique and private unto the entity; there will be no body issuing or recording identities.
• The Identity ecosystem will be privacy enhancing; attributes will be minimised, asserting only such information that is relevant to the transaction.
• Entities will only maintain attributes for which they are the authoritative source.
Identity 3.0 principles: Functionality
• The digital representation and function of an entity type will be indistinguishable from another entity type, and will be interchangeable in operation.
• The Identity ecosystem will operate without the need for identity brokers, CA of last resort or other centralized infrastructure.
• Identity shall be (as much as possible) invisible to the end user; identity and attribute verification and exchange should be a background operation until such time as increased levels of user verification are required.
The inner workings
Inner workings
• Personas
• One way trust
Personas
[Entity: Organization] Government
[Entity: Person] Yourself
Citizen Persona with authoritative (cryptographically) signed attributes:
– Date of Birth = 01 Jan 2000
– Place of Birth = London, UK
– Sex at Birth = Male
– Name at Birth = John Doe
– Citizenship = Full British
– Issued = 01 Jan 2015
– Revalidation = gid.citizen.gov.uk
Trust
One way trust
• I trust you, so you can access my resources
• This does not mean you can access them without authenticating
How does this work?
• The site demands an identity
• You give your attributes
• You log in to the external identifier
How does this work?
• Reusable
• Web of identities
Why would you want this
• No more user storage
• Personalisation options
• Transparency to end users
• Enhanced privacy
How would we build this?
• Ingredients:
– The core identity and identifier
– The persona implementation
– The external identifier / authenticators
The core identity and Identifier
• This is a personal device which you have on you, if possible…
• Phones
• Dyn-dns via browsers
• Personal component
The Persona implementation
• Basically an “identity cookbook”
• Trusts to identifiers
• One way cryptographic trust
– Signed attributes
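The signed-attribute persona from the citizen example, the one-way trust and the “site demands identity, you give your attributes, you log in to the external identifier” flow, worked through in code. This is an added example, not code from the talk and not Oracle’s or the Global Identity Foundation’s code: an authoritative source signs each attribute of a persona separately, bound to a core identifier derived from the holder’s own key; the holder hands a site only the attribute it asked for and proves possession of the core key over the site’s nonce; the site trusts nothing but the issuer key it has pinned. The issuer name `gid.citizen.gov.uk` and the attribute names come from the slide; the fixed key seeds, the nonce, the canonical message format and every function name are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedAttribute is one persona attribute with its own issuer signature, so it can be disclosed alone.
type SignedAttribute struct {
	Issuer, Subject, Name, Value, Issued, Revalidation string
	Signature                                          []byte
}

// message is the canonical signed string; Issuer and Subject in it prevent replay under another issuer or holder.
func (a SignedAttribute) message() []byte {
	return []byte(strings.Join([]string{a.Issuer, a.Subject, a.Name, a.Value, a.Issued, a.Revalidation}, "\n"))
}

// Issuer is an authoritative source for some attributes (here: the government).
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIssuer derives a key pair from a 32-byte seed (fixed in main for reproducibility; real issuers use crypto/rand).
func NewIssuer(name string, seed []byte) Issuer {
	priv := ed25519.NewKeyFromSeed(seed)
	return Issuer{Name: name, Pub: priv.Public().(ed25519.PublicKey), priv: priv}
}

// IssuePersona signs every attribute separately, each bound to one core identifier.
func (i Issuer) IssuePersona(subject string, attrs map[string]string, issued, reval string) []SignedAttribute {
	var out []SignedAttribute
	for name, value := range attrs {
		a := SignedAttribute{Issuer: i.Name, Subject: subject, Name: name, Value: value, Issued: issued, Revalidation: reval}
		a.Signature = ed25519.Sign(i.priv, a.message())
		out = append(out, a)
	}
	return out
}

// CoreIdentifier derives the subject from the holder's own public key ("bring your own identity").
func CoreIdentifier(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Present (holder side): only the attributes the site asked for, plus a proof of possession of the core key over the site's nonce.
func Present(persona []SignedAttribute, holder ed25519.PrivateKey, nonce []byte, wanted ...string) ([]SignedAttribute, []byte) {
	var out []SignedAttribute
	for _, a := range persona {
		for _, w := range wanted {
			if a.Name == w {
				out = append(out, a)
			}
		}
	}
	return out, ed25519.Sign(holder, nonce)
}

// Verify (relying-party side): pinned issuer keys (one-way trust), the holder's proof of possession, and a signature check per attribute.
func Verify(pres []SignedAttribute, trusted map[string]ed25519.PublicKey, holderPub ed25519.PublicKey, nonce, proof []byte) (map[string]string, error) {
	if !ed25519.Verify(holderPub, nonce, proof) {
		return nil, fmt.Errorf("holder did not prove possession of the core key")
	}
	subject, got := CoreIdentifier(holderPub), map[string]string{}
	for _, a := range pres {
		pub, ok := trusted[a.Issuer]
		if !ok {
			return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
		}
		if a.Subject != subject {
			return nil, fmt.Errorf("attribute %q is bound to a different core identifier", a.Name)
		}
		if !ed25519.Verify(pub, a.message(), a.Signature) {
			return nil, fmt.Errorf("bad signature on attribute %q", a.Name)
		}
		got[a.Name] = a.Value
	}
	return got, nil
}

func main() {
	gov := NewIssuer("gid.citizen.gov.uk", []byte("constructed-seed-for-gov-issuer!")) // constructed seed
	holder := ed25519.NewKeyFromSeed([]byte("constructed-seed-for-the-holder!"))        // constructed seed
	holderPub := holder.Public().(ed25519.PublicKey)
	persona := gov.IssuePersona(CoreIdentifier(holderPub), map[string]string{"Date of Birth": "2000-01-01", "Citizenship": "Full British"}, "2015-01-01", gov.Name)
	trusted := map[string]ed25519.PublicKey{gov.Name: gov.Pub}
	nonce := []byte("rp-nonce-0001") // a real site draws a fresh nonce from crypto/rand per request
	pres, proof := Present(persona, holder, nonce, "Date of Birth")
	fmt.Println(Verify(pres, trusted, holderPub, nonce, proof)) // map[Date of Birth:2000-01-01] <nil>
	pres[0].Value = "2010-01-01"                                // tampering breaks the issuer signature
	fmt.Println(Verify(pres, trusted, holderPub, nonce, proof))
}
```

Signing each attribute on its own is one way to get attribute minimisation without a central broker: the site never sees the rest of the persona, yet can still verify what it did receive against the one issuer key it chose to trust. Binding the subject to the holder’s own key, and demanding a fresh signature over the site’s nonce, is what stops a stolen presentation from being replayed by someone else. The example does not contact the Revalidation host, so revocation of an attribute is out of scope here.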
The external identifier / authenticator
• Basically an external identification source
• Chosen by the application
How would we build this?
• Oracle WebLogic Server
– SAML trust to an access manager
• Oracle Access Manager
– Key retrieval using dyndns
– External authentication (using SAML or OAuth2)
• Personal authenticators…
– Todo…
Let’s picture it
What do we need
• Oracle:
– Authentication modules to authenticate using DYNDNS / IPv6
– Personal authenticators
– Expanded control over authentication chains
YOU
Special Thanks
• Global Identity Foundation• Jericho Forum
• Bram van Pelt
• Twitter: @BramPelt
• LinkedIn: http://linkedin.com/in/bram-van-pelt-77a15021