
Digital Identity Management
Strategy, Policies and Architecture

Kent Percival
2005 06 23

A presentation to the Information Services Committee
Presentation & Discussion
   Goal
     to develop a common perspective of Digital Identity Management
     and resulting strategies, policies and architecture

   Overviews
     Business/Organizational model
     Implementation issues and strategies
2005 06 23            Digital Identity Management (ISC)   Percival 2
             What is a Digital Identity?
A computer object representing a real person

… we used to call them Computer Accounts

… could also represent
    A device
    An application
    …

Digital Id’s… so many of them! 
   Systems have separate user accounts
   Some applications maintain id databases

   Some maintain additional personal information
    to control authorization or personalize service.

   Maintained by separate administrations

[Diagram: separate identity stores across campus: FRS, Purchasing, Human Resources, Athletics, Res Admin, Colleague, Library Patron, HS Express, Bldg Access, OOL, D2L, ResNet, Phones, V.Mail, WebCT, Web Hosting, Portal, Central ID, Central eMail, Campus Directory ("general", "stats"), Active Directory, Central File Service, Network Access, Dialup Modem, and many Dept Servers; only periodic data sharing links some of them.]
What is a Digital Identity used for?
   Authentication
             Verifying the user really is who they say they are.
   Authorization
             Determining what the user can and can’t do.
   Accounting
             Having a record to investigate incidents after the fact.


   Identification
             Identifying user by unique ID, common name, email address, …
   Personalization
             Making services efficient and effective by knowing the user.

         What’s in a Digital Identity?
Security information (computer account stuff)
        Authentication: ID, Password, …
        Authorization: access control, groups, file permissions

Organizational Information
        Relationship to Org: Dept; status
        Organizational Identifiers: Empl.#, Student #; Email addr.

Personal information
        Name, Email addr., phone#, address, …
        Personal preferences for services
      Limitations of local “accounts”
   Security
        Varying quality of administration
        Controlling exposure: limited scope but slow response
        No institutional policy control

   Efficiency
        Many administration points
        Multiple relationships with information “owners”

   Service
        No single sign-on ... or complicated process
        Personalization varies between services
    Efficiency? <–> Centralization?
First Try:
Managing identities on many systems is expensive.
    Put all the data in one place.
                  Campus Directory!

Why isn’t this working well?
             Technical reasons …
                        But mainly
                                   Organizational reasons …
                        Technical pitfalls
   Success of Directories for systems and
    application management
                Proprietary architecture and designs



   Applications with closed requirements
                Data must be in different formats for different uses




             Organizational pitfalls
   Privacy concerns
   Security concerns
   Data ownership concerns
   Different interpretations of data
   Inappropriate use
   Trusting the data of others
   Silo approach to service management

    Strategy: deal with Org Issues!
   Identify the Organizational opportunities

   Define an Organizational reference model

   Create policies and strategies to deal with the
    organizational pitfalls.



 The Organizational Trust Model
   Users and Service providers must trust one another
        and trust a central Digital Identity Management System

   Trust Domain - a collection of parties trusting each other:
        Service providers; users; trust and identity management

   Can’t trust everyone and everything immediately

        It takes time to build a trust domain.
        Overlapping domains create problems
        The scope of a domain should match organizational
         boundaries.
Security Management
[Diagram: Security Management made up of Trust Management (top), Identity Management (left), Vulnerability Management (right) and Threat Management (bottom), arranged around the elements Trust, Identity, Systems and Communication.]
                  Trust <-> Policies
In an organization trust is managed by successful
   implementation of appropriate institutional
             Trust Management Policies
            Identity Management Policies

   Security
   Privacy
   Appropriate Use - Who and How
   Involves
        Persons: faculty, staff, students, temporary, … public
        Owner and Steward responsibilities
                           ROLES
   Organizations are people with roles
        Roles define org. relationships                   Identity!
   Computer applications define roles for users.

   Org. Role - a key element of a Digital Identity
        Assigning a Role defines Authorization

   Need to harmonize organizational roles with
    computer application roles.
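The harmonization step above, as an added example that is not part of the presentation: organizational roles carried in the Digital Identity are mapped explicitly onto each application's own roles, so that assigning or removing an org role is what grants or withdraws application authorization, and an org role with no mapping for an application gets nothing there (deny by default). The role, application, permission names and the mapping itself are constructed for illustration.

```python
"""Added example (not from the presentation): harmonizing organizational
roles held in a Digital Identity with the roles each application defines.
All role, application and permission names below are constructed."""

# Organizational roles as the institution defines them: the common vocabulary.
ORG_ROLES = {"faculty", "staff", "student", "temporary", "public"}

# Each application's own roles and the permissions those roles carry.
APP_ROLES = {
    "course_system": {
        "instructor": {"create_course", "grade", "read_course"},
        "learner": {"read_course", "submit"},
        "guest": {"read_course"},
    },
    "hr_portal": {
        "employee": {"view_payslip"},
        "hr_admin": {"view_payslip", "edit_records"},
    },
}

# Explicit harmonization: org role -> application role, per application.
# An org role with no entry for an application receives no role there.
ROLE_MAP = {
    "course_system": {
        "faculty": "instructor",
        "student": "learner",
        "staff": "guest",
        "temporary": "guest",
    },
    "hr_portal": {"faculty": "employee", "staff": "employee"},
}


def validate_role_map():
    """Return a list of mapping entries that name a role neither side defines.

    Run this whenever the map changes; an empty list means the map only
    uses the shared vocabulary and real application roles.
    """
    problems = []
    for app, mapping in ROLE_MAP.items():
        for org_role, app_role in mapping.items():
            if org_role not in ORG_ROLES:
                problems.append(f"{app}: unknown org role {org_role!r}")
            if app_role not in APP_ROLES.get(app, {}):
                problems.append(f"{app}: unknown app role {app_role!r}")
    return problems


def app_roles_for(org_roles, app):
    """Application roles a person holds in `app`, derived only from org roles."""
    mapping = ROLE_MAP.get(app, {})
    return {mapping[r] for r in org_roles if r in mapping}


def permissions_for(org_roles, app):
    """Union of the permissions of every application role derived above."""
    perms = set()
    for app_role in app_roles_for(org_roles, app):
        perms |= APP_ROLES[app][app_role]
    return perms


def is_authorized(org_roles, app, action):
    """Authorization decision: true only if some derived role grants `action`."""
    return action in permissions_for(org_roles, app)


if __name__ == "__main__":
    assert validate_role_map() == []
    print("faculty in course_system:", sorted(permissions_for({"faculty"}, "course_system")))
    print("public may view payslip:", is_authorized({"public"}, "hr_portal", "view_payslip"))
```

Revoking access is then a single change to the person's org roles, not an edit inside each application, which is the point of keying authorization to the organizational role.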
             Outside the Trust Domain
   With the Internet, a Trust Domain is not a
    closed system.
        Persons outside the trust domain need to access
         campus services
                 Where do those services go?
                 How do we authenticate and authorize those persons?
        People in our trust domain need to access services
         at other institutions
              Federated Identity Management
Federated Id. Management
[Diagram: the UoG Trust Domain and the UW Trust Domain are linked by one trust relationship; each domain has its own Services, Authen/Author Servers and users. Note: Authentication/Authorization Servers are critical components of both trust domains.]
             Implementation




Ideal Architecture - industry target
[Diagram: all data centrally administered through Digital Identity Admin Tools into one reliable, secured information store (a reliable datastore, the DIRECTORY). A few Policy Servers handle sensitive information; a "Central Auth. Server" provides Authentication, Authorization and Accounting to Computer Systems / Software / IT Services, replacing or integrating the System/Application AAA controls. Services have limited access to DI info.]
                  Directory reality
   Directories, directories, directories, …
        implementations are intimately linked to systems
         and applications!

   Most Directories do not have appropriate
    administration and policy management tools

   A Directory is not always the appropriate
    technology
             Authen./Author. Embedded
   Some applications rely on Operating System control
    functions
   Many applications have embedded business rules
    controlling authentication and authorization

   Trust Domain Policies must be implemented in many
    places.
        Need common vocabulary and explicit policy
         implementations


Realistic Architecture
[Diagram: Systems #1 to #6, each with its own Software, IT Services and Authen/Author/Account functions; DI information is spread across DIRECTORY #A, #B and #C, with Digital Identity Admin Tools alongside them.]
                 Centralized vs distributed
   Collecting all Identity information into one central
    “longitudinal” record does not work

   Data exists in several places
        Central repository (e.g. campus Directory)
        Shared repositories (e.g. CFS AD)
        Within a single application

   Use a “virtual” Identity Object Model
        Central design / distributed data
                Centrally administer global/essential data
                Define where other data is stored - Provide key link information
                Copy data to accessible location
                Use referral directory lookups (ask one directory)

[Diagram: Human Resources, Colleague and HS Express each keep their own Dir.; a Central Digital Identity Management Service (Data Mngt) maintains the Master Digital Identity Directory and a Central Authentication/Authorization Service used by Applications & Services.]
    What’s in the central DI object?
   Authentication data
                Password, Digital Certificate, fingerprint signature
   Identity
        Unique ID, Common names
   Address
        Office, phone#, FAX, email address, …
        Hyperlink to personal webpage
   Affiliations
        Org Units, group memberships, …
   Organizational Roles
        Who are you; what are you allowed to do?
   Keys to D.I. information in other repositories
        Employee#, Student#, Library barcode, ExpressCard#, …
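The virtual Identity Object Model (central design, distributed data) and the central DI object described above, as an added example that is not part of the presentation: a central directory record holds the global attributes plus keys into repositories managed by others; a resolver fetches the remaining attributes by referral using those keys, and returns to each service only the attributes it is entitled to see, never the keys or the authentication data. The repository names, attribute names, service names and sample records are all constructed.

```python
"""Added example (not from the presentation): a 'virtual' Digital Identity
object assembled from a central DI record plus referrals into other
repositories. Every repository, attribute, service and record is constructed."""

# Central DI directory: global/essential data plus KEYS into other repositories.
# Authentication data is shown only to make the point that it is never
# handed to services; a real deployment holds it in the auth service.
CENTRAL_DIRECTORY = {
    "jdoe": {
        "uid": "jdoe",
        "cn": "Jane Doe",
        "mail": "jdoe@example.edu",           # constructed address
        "affiliations": ["CompSci", "ISC"],
        "org_roles": ["faculty"],
        "auth": {"password_hash": "constructed-placeholder"},
        "keys": {"hr": "E-10042", "library": "L-77310"},   # links to other DI data
    },
    "bsmith": {
        "uid": "bsmith",
        "cn": "Bob Smith",
        "mail": "bsmith@example.edu",
        "affiliations": [],
        "org_roles": ["student"],
        "auth": {"password_hash": "constructed-placeholder"},
        "keys": {"library": "L-00000"},       # constructed: points at a missing entry
    },
}

# Repositories managed by others; each is indexed by its own key, not by uid.
HR_REPOSITORY = {"E-10042": {"dept": "Computer Science", "status": "active"}}
LIBRARY_REPOSITORY = {"L-77310": {"barcode": "L-77310", "loans": 3}}
REPOSITORIES = {"hr": HR_REPOSITORY, "library": LIBRARY_REPOSITORY}

# What each service may see ("services have limited access to DI info").
# Attributes not listed here are withheld; "keys" and "auth" are never listed.
SERVICE_VIEWS = {
    "mail_service": {"central": {"uid", "cn", "mail"}},
    "library_app": {"central": {"uid", "cn"}, "library": {"barcode"}},
    "payroll": {"central": {"uid"}, "hr": {"dept", "status"}},
}


class ReferralError(LookupError):
    """A key stored in the central record points at a missing entry."""


def resolve_identity(uid, service):
    """Build the view of the virtual DI object that `service` is allowed to see.

    Central attributes are read from the central directory. Attributes held
    elsewhere are fetched by referral: one lookup per repository, using the
    key the central record stores for it, and only when the service's view
    lists something from that repository. Returns None for an unknown uid
    and an empty dict for a service with no configured view.
    """
    central = CENTRAL_DIRECTORY.get(uid)
    if central is None:
        return None
    view = SERVICE_VIEWS.get(service, {})
    result = {}
    for attr in view.get("central", set()):
        if attr in central:
            result[attr] = central[attr]
    for repo_name, wanted in view.items():
        if repo_name == "central":
            continue
        key = central["keys"].get(repo_name)
        if key is None:
            continue                      # this person has no record there
        record = REPOSITORIES[repo_name].get(key)
        if record is None:
            raise ReferralError(f"{repo_name} has no record for key {key!r}")
        for attr in wanted:
            if attr in record:
                result[attr] = record[attr]
    return result


if __name__ == "__main__":
    for svc in SERVICE_VIEWS:
        print(svc, "->", resolve_identity("jdoe", svc))
```

A dangling key is surfaced as an error rather than silently dropped, because a central record that claims a link the other repository cannot honour is exactly the data-quality failure the virtual model has to make visible to whoever stewards that repository.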

                     Summary 1
A good D.I. Mgmt design
   requires an organization wide model
   recognizes use outside the trust domain
   starts with policy to build a trust domain
        Security, privacy and appropriate use of DI data
   is administered efficiently, timely and accurately
   relates Identity to organizational role

                          Summary 2
A DI Mgmt system is implemented with
 multiple distinct Directory Servers

 authentication and authorization functions
        implemented on separate AAA servers,
        instead of being embedded in systems and applications

   a virtual DI object defining information in multiple datastores

   A central DI object component which
        Provides general Digital Identity information
        Provides keys to other DI information in datastores managed by others.



                   First Steps:
             Develop Org. Trust Model
   Identify the Organizational opportunities

   Define an Organizational reference model

   Create policies and strategies to deal with the
    organizational pitfalls.


