Identity Management In A Federated Environment
Identity Protection and Management Conference
Presented by Samuel P. Jenkins, Director Defense Privacy and Civil Liberties Office
April 2010

Presentation Outline
- Success factors for identity federation and relation to privacy
- Fair Information Practice Principles for Identity Management Systems
- Core Information Privacy Concerns
- Privacy Design Considerations

Identity Federation Goal
Enable users to securely access data, systems, or applications of another domain seamlessly and without the need for completely redundant user administration

Identity Federation Basis for Success
- Agreement on root identities
- Trust
  - Between domains
  - Between domain and individual

Root Identity Agreement
- Identity theft risk
- Authentication
- Social Security Number
- Access control

Domain Trust
- Information sharing agreements
- Purpose and authorities
- Training
- Data correction and deletion
- Breach notification
- Baseline security requirements
- Access credentialing/Access controls
- Technical safeguards

Individual Trust
- One person, one identity
- Accuracy and timeliness
- Controlled information sharing
- IT Security

Fair Information Practice Principles
Source: Organization for Economic Cooperation and Development
Principle: Description
- Security safeguards: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure.
- Openness: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information.
- Individual participation: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights.
- Accountability: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles.

Fair Information Practice Principles
Fair Information Practice Principles for Identity Management Systems
Principle: Description
- Diversity and decentralization: Resist centralizing identity information or using a single credential for multiple purposes.
- Proportionality: The amount, type, and sensitivity of identity information collected and stored by an identity management system should be consistent with and proportional to the system’s purpose.
- Privacy by design: Privacy considerations should be incorporated into the identity management system from the outset of the design process.

Core Informational Privacy Concerns
- Observability: The possibility that others (potential observers) will gain information.
- Linkability: The potential to link between data and an individual as well as potential links between different data sets that can be tied together for further analysis.