DRAGOLJUB NESIC, 08/12/2013: DOES IDENTITY MANAGEMENT REALLY HAVE TO BE DIFFICULT?
What will we talk about today?
  A brief introduction to me
  A quick look at the recent history of shared authentication in the UK
  A glance at the pressure points from the world around us now
  An overview of the PSIIF
  An example scenario walkthrough
  What can you do?
Lord of the tokens
  EAS
    Sponsored at the time by DCSF (ContactPoint), it aimed to establish a trust framework for registration and an authentication infrastructure based on 2FA
    It also provided a shared IdP for LAs that did not want to establish their own
    A 2FA device in the hands of all public sector employees accessing central applications
  What did the local authorities really want?
    Cost-efficient CoCo compliance
  Freja – “One token to rule them all”
Real life
  World-wide financial crisis, 2008 onwards
  Government change, 2009
  ContactPoint was discontinued
  Concerns about Government Gateway performance in conjunction with LAs
  A failure, or?
Positive Legacy
  ContactPoint was discontinued and EAS uptake was low. But…
  Wider public sector agreement on a trust framework
    Especially registration of users and reuse of credentials
    Governance and assurance approach for distributed user registration
    Flexible IdP implementation model
  Body of best practice for LA registration
    Newham & Salford
  Regional hub projects kick off
  Principles of collaboration
    DWP/HMRC/E&H/Police working together
Today’s challenges
  Remote workforce
    PSN compliance is getting tougher and tougher
    More workers are working remotely for a greater portion of the time
    CO2 footprint reduction
    Escalating costs, or a not-so-secure solution
    What if one could locally issue strong 2FA for remote workers with a potentially zero-cost authentication device?
  Cloud services are exploding
    Most have their own, password-based, identity systems
    Often complicated directory integration
    What if one could reuse locally issued, strong 2FA for authenticating users to such systems, i.e. cloud-based services with ground-based authentication?
Today’s challenges, cont’d
  Need to collaborate with neighbours
    Shared services amongst boroughs are a real need
    But who authenticates an individual?
    Directory federation is difficult to set up and manage
    What if one could reuse locally issued, strong 2FA across partnerships?
  Increase internal efficiency
    Bringing new applications online is expensive
    What if one could reuse locally issued, strong 2FA for plug-and-play integration of new applications?
  Still need to access central government services
    The applications may have changed, but the basic need remains
    What if one could reuse locally issued, strong 2FA for accessing applications hosted by or on behalf of central government?
PSIIF – a 180-degree turn
  Not a “top-down” approach
  PSIIF: a standards-based infrastructure on top of the PSN, defining the exchanges between
    IdPs
    Hubs
    Service Providers
  Allows re-use of (conformant) credentials for accessing “external” services, including G-Cloud, central government, or services hosted by regional partners on the PSN
Information highway needs vehicles
  An infrastructure is only good if it is put to use
  Imagine if you could decide whom you want to collaborate with, and how:
    Your employees access G-Cloud services while retaining the identity issued by you
    Employees of regional partners access your systems without you issuing a separate authenticator to their employees
    Your employees access central government services
    Request attributes from, or release attributes to, parties you select
G-Cloud service example
  Parties in the diagram: User, G-Cloud Service, Freja SSP (hub), Freja IdP, Freja Registration & Provisioning
  The exchange, in order:
    Service to user: Where are you from?
    Service to hub: Please authenticate this user
    Hub/IdP: Do I recognise the service?
    IdP to user: Convince me who you are
    IdP: What do I know about you? How much information should I/can I release to the service?
    IdP: Sign an assertion
    Service: Do I trust the assertion issuer?
    Service: OK, what can this user do here?
SSO
  Parties in the diagram: User, Cloud Service, Cloud Service 2, Freja SSP (hub), Freja IdP
  The exchange, in order:
    User: Click on link to service 2
    Service 2 to hub: Please authenticate this user
    Hub/IdP: Do I recognise the service? Do I have a valid session?
    IdP: How much information should I/can I release to this service?
    IdP: Sign an assertion
    Service 2: Do I trust the assertion issuer?
    Service 2: OK, what can this user do here?
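The two flows above (the G-Cloud service exchange and the SSO exchange to a second service), modelled as an added example that is not from the deck or from the Freja product: an HMAC over a canonical JSON body stands in for the XML signature on a SAML 2 assertion, the two registries stand in for SAML metadata exchanged over the hub, and every entity ID, key, user and attribute name is a constructed assumption.

```python
import hashlib
import hmac
import json

# Constructed SP-side trust registry: accepted issuers and the key used to check their signature
# (stand-in for the IdP signing certificate an SP would take from SAML metadata).
SP_TRUSTED_ISSUERS = {"https://idp.borough-a.example": b"constructed-key-borough-a"}
# Constructed IdP-side registry of recognised services and the attributes each may receive.
IDP_KNOWN_SERVICES = {
    "https://gcloud-service.example": {"uid", "role"},
    "https://cloud-service-2.example": {"uid"},
}
# Constructed user store; the NI number is in no service's release policy, so it never leaves.
IDP_USERS = {"alice": {"uid": "alice", "role": "housing-officer", "ni_number": "constructed"}}
SESSION_TTL = 3600    # seconds an IdP session stays valid for SSO ("Do I have a valid session?")
ASSERTION_TTL = 300   # seconds an assertion stays valid at the SP

def idp_issue_assertion(issuer, key, user, service, now, session=None):
    """IdP side: recognise the service, reuse or create a session, apply the release
    policy for that service, then sign. Returns (assertion, session)."""
    allowed = IDP_KNOWN_SERVICES.get(service)
    if allowed is None:
        raise ValueError("unknown service provider")
    if session is None or now - session["auth_instant"] >= SESSION_TTL:
        session = {"subject": user, "auth_instant": now}  # 'Convince me who you are' happens here
    attrs = {k: v for k, v in IDP_USERS[user].items() if k in allowed}
    body = {"issuer": issuer, "audience": service, "subject": session["subject"],
            "attributes": attrs, "not_on_or_after": now + ASSERTION_TTL}
    canonical = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}, session

def sp_accept_assertion(assertion, my_entity_id, now):
    """SP side: trusted issuer, intact signature, right audience, not expired.
    Returns the released attributes, or raises ValueError naming the failed check."""
    body = assertion["body"]
    key = SP_TRUSTED_ISSUERS.get(body["issuer"])
    if key is None:
        raise ValueError("untrusted issuer")
    canonical = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise ValueError("signature does not verify")
    if body["audience"] != my_entity_id:
        raise ValueError("assertion issued for a different service")
    if now >= body["not_on_or_after"]:
        raise ValueError("assertion expired")
    return body["attributes"]
```

The second call with the session from the first is the SSO case: the IdP skips re-authentication but still applies the narrower release policy of service 2, and an assertion minted for one service is rejected by the other.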
What can you do?
  You get to choose whether you want to act as SP, IdP, AP or any combination thereof – no mandate
  A lot of software you already own supports SAML 2 integration – you can act as an SP straight away
  A lot of G-Cloud services already support SAML 2 (or are rapidly being adapted to do so)
  IdP functionality can be plugged into your existing authentication infrastructure with practically no disruption
Why would you?
  Standards-based, loosely coupled architecture – no vendor tie-in
  Potential for better services, to larger audiences
  An identity need not be established time and time again
  Better control of identity, better control of data access, better control of information release (please search for TheEllenShow, “Out of your password minder” on YouTube)
  Easier to audit