We Make The Net Work Identity and Trust Management for Web and Portal Services Dr.rer.nat. Hellmuth Broda Chief Technology Officer EMEA Member, Sun Vision.


1 We Make The Net Work Identity and Trust Management for Web and Portal Services Dr.rer.nat. Hellmuth Broda Chief Technology Officer EMEA Member, Sun Vision Council Hellmuth.Broda@Sun.COM Pan European Portal Conference 2003 Genève 23--25.4.03

2 Agenda
● Sun's vision and strategy in a nutshell
● What are the issues today
● Our world of silos
● A word on open source software
● Identity and trust management
● The Liberty Alliance Project
● How to reduce complexity

3 Sun's Vision (The Network Is Still the Computer): Anywhere, Anyone, Anything, Any Time, Always On

4 Sun's Vision Entered the Pop Culture: “Whenever, wherever We're meant to be together I'll be there and you'll be near And that's the deal my dear Thereover, hereunder, You'll never have to wonder We can always play by ear and that's the deal my dear” Shakira

5 Our Strategy: Network Computing
● End-to-End, Javacard -> J2EE
● Partners
● Integrated & "Integrate-able"
● Open public API's
● Focus: no printers, no cameras
● Scale, Choice, Innovation, Value, Security

6 We Provide Infrastructure for Network Computing Core Competence

7 Proliferation of the Network
● An Internet of Computers
● An Internet of Things That Embed Computers
● An Internet of Things
(chart: scale grows from 10^8 to 10^11 to 10^14)

8 Network Computing Wins (chart: things connected, from 10M to 1T, against cost to connect, from $100 to 1¢, over 1990 to 2020; stages: computers, people, everything; "Everything on (RFID)")

9 How the Network Evolves: Mobility, Community, Self Service, Digitization (Anyone, Anywhere, Any device, Anytime)

10 Customer Priorities
● Lower costs, increase utilization, reduce complexity
● Build proven, open web services to deliver information reliably at minimal risk
● Mobility with ironclad security

11 Sun's Answer: infrastructure solution practices (Edge, Storage, Datacenter, Web Services) to deliver industry-leading network computing solutions with competitive advantage through...
● Mobility with security
● Java & XML for proven, open Web services
● Cost, utilization, simplicity

12 The Provisioning Model (N1): Client Tier, Web Server Tier, App Server Tier, Back Office Tier, Identity Tier

13 The Developer Model (Sun ONE): Client Tier, Web Server Tier, App Server Tier, Back Office Tier, Identity Tier

14 Sun Microsystems
● Over 20 years of staying power
● Global Reach, 35000 employees
● $5.2B cash and marketable securities
● $1.9B R&D budget
● Multi-Billion dollar technology powerhouse – 112 on Fortune 500
● 50 on 2002 Fortune "Best Places to Work"

15 Commerce on the Internet: What are we missing? What are the customers' concerns?
● Know who you are talking to (identity crisis)
● Globally accepted and secure payment systems
● Trust management
● Privacy concerns

16 E-Business Drives Cold Sweat on IT Managers' Foreheads
● 100'000's of users access business critical applications with diverse access rights through portals to databases, CRM apps., ERP,...
● Access from multiple end devices and platforms with little security consistency
● Can only be mastered with sophisticated identity and role management systems: single sign-on, authentication, authorization
● ID-Mgmt: fast growing market (IDT)
Source: ComputerZeitung 16/2003

17 Web Services in the Future
● Getting to Heathrow from a meeting in downtown London
● Concert of your favourite musician
● Planning a meeting of 15 executives from different companies
● Family vacations...

18 How Can We Get There?
● The biggest obstacle is lack of interoperability
● Without standards interoperability is not achievable
● Web Services offer standards for heterogeneous SW/HW environments
● Architecture needed for integrateability

19 Service --- How Do You Spell That?
● Very limited understanding of the service concept in general --- Example: Logistics provider in Europe
– After 25 min of selecting connections and giving all details for payment, upon final submission the system tells the user that sending the tickets will take 8 business days --- too late. Option: call service center
– Service center line busy --- no wait loop: call later
– Finally got through. Ticket arrives next day (!)

20 Where Are We Today?
● Services only for humans (For Your Eyes Only --- not other services)
● Application silos make cooperation impossible
● Identity silos fragment user information

21 How We Have Been Building Systems

22 Our World of Application Silos (diagram: many DART silos side by side; DART = Data, Application, Report, Transactions)

23 Future Architectures (Sun ONE) (diagram: Application and Web Servers, Identity and Communications, Portal, Operating Environment, Services Creation, Integration Server, Custom Business Logic, Development Environment, Directory)

24 The Vision, the Architecture, the Platform and the Expertise to build Web Services Sun™ ONE Http://sun.com/software/sunone

25 Is "Free" SW Really Free?
● Is a free puppy really free of charges?
– It is wise to consider the total costs
● The spirit of Free Software
– Free not like in free of charge
– Rather free like in free from chains and fetters

26 Identity and Trust Management

27 Today's Collection of Net Identity Silos (diagram: e.g. Joe's Fish Market.Com – Tropical, Fresh Water, Shell Fish, Lobster, Frogs, Whales, Seals, Clams)

28 Privacy Concerns Kill Or Delay Projects
● Swiss EasyRide: delayed also due to consumer concerns on the privacy of the location and time information
● Benetton RFID tags in clothes' labels: public consumer group pressure led Benetton to abandon plans
● Consumers Against Supermarket Privacy Invasion and Numbering delay Prada store RFID project: project is for up-to-date inventory
Source (2,3): Wired News 8 Apr 03

29 Identity Theft – Fastest Growing Crime
● Federal Trade Commission is worried
● Today, solutions offered only for parts of the problem
● Ebay examples

30 Identity is the most basic element in a high- value relationship with customers, employees or business partners

31 There is a Growing Awareness of the Strategic Importance of Network Identity Management
● Customers and employees are insisting their identities be maintained in a "trusted" manner
● Systems that manage identities poorly impact the effectiveness of employees
● There is competitive advantage by using identity management to "add value" to customer and employee services
● Becoming adept at managing the identity of our customers increases customer satisfaction
Source: Burton Group

32 The Layers of Trust (bottom layer is Identity Management; the three layers above it are Security Management)
● Identity: basic set of information that creates a "unique" entity (a name with a corresponding set of attributes). Digitally speaking: user, customer, device "facts", e.g., name, address, ID, DNA, keys,...
● Authentication: assertion of validity of a set of credentials - "A Yes/No answer...". Digitally speaking: log on with a UID/PW, token, certificate, biometrics etc.
● Authorization: a set of rules governing decisions about access to information, services or resources. Digitally speaking: match credentials against profiles, ACLs, policy.
● Policy: a combination of business and technology practices which define how a relationship is conducted and services performed. Digitally speaking: business practices to manage risk, enforce security/privacy, provide auditability; user, customer preferences, history.

33 How Trust Can Be Managed
● Key to perceived trust is policy management and perceived security of user token and interface
● Today, everybody stresses security technology --- but higher encryption does not yield user trust
● Managed policy provides for all involved transparency on how violations of the rules will be handled (whose "throat gets choked" and who "goes to jail")
● Managed policy will only be trusted with trustable third party audits

34 How People Will Trust Policies
● Policy and its audit are guaranteed and certified by an approved public or private agency (federal data protection agency; TÜV; Chamber of Commerce, Postal Service or other basic service provider,...)
● Policies and their transactions are insured. Insurances cover for possible policy violations and fraud
● Liability and non-repudiation solved
● Trust is based on policies and the audit of those -- not just on security

35 Privacy Enabled Trusted Third Party Transactions (diagram: user Hans obtains a request token (shown as ?32179), which passes through a clearing bank and a logistics partner in place of his real identity)

36 How To Manage Identity Attributes?
Centralized Attributes (a single identity operator sits between consumers and merchants):
● Pro: Enforce common service
● Pro: Common auditability
● Con: Privacy controlled by one operator
● Con: Single point of failure
● Con: Easy to "misuse" attributes
Federated Attributes (you at the centre, linked to retailer, insurance, portal, airline, telecom, bank):
● Pro: User better controls sharing
● Pro: Suppliers retain control of their data
● Con: Impossible without interoperability standards
● Con: No common service model

37 Linkage of Trust Domains – Federated Model Analogous to ATM Networks
● Individual Accounts with Many Web Sites: separate cards with each bank (Bank A, Bank B, Bank C ATM Card)
● Federated Accounts within Trust Domain: linked cards within bank networks (Bank ATM Network A, B, C)
● Linkage of Trust Domains: seamless access across all networks

38 "Circle of Trust" Model (diagram: Partners A to H around one Identity Service Provider)
Identity Service Provider (IdP) (e.g. Financial Institution, HR):
● Trusted entity
● Authentication infrastructure
● Maintains core identity attributes
● Offers value-added services (optional) like single sign-on, authorization services, policy enforcement and audits
Affiliated Service Providers:
● Maintain extended user attributes
● Offer complementary services
● Don't (necessarily) invest in authentication and authorization infrastructure

39 Pragmatic Evolution of Federated Identity (diagram)
● Identity Silos: the same person appears as "John Smith", "J Smith" and "Johnny" at bank, airline and car hire
● Federated Linked Accounts: the separate accounts are linked
● Circle of Trust: bank, airline and car hire share one circle
● Linkage of Multiple Circles of Trust: bank, airline, car hire and hotel across circles

40 Examples of Trust Domains
● B2B – Financial Services: Treasury, Debt, Equity, Commercial Banking, Credit, Clearing House
● B2B – Automotive: Suppliers, Dealers, Transport Agencies, Manufacturers, Financing, Fleet
● B2C – Travel Industry: Car Rental, Hotel, Partner Airlines, Airline, Livery, Cruise Line
● B2E – Employee Intranet: 401k, 3rd Party Providers, Employee Purchase Plans, Dental Insurance, Health Insurance, Company Intranet

41 Communities or Role Identification: Parent, Employee, Golfer, Gourmet, Customer, Traveler

42 Federated Network Identity (diagram): Joe Self has a WORK profile in an ENTERPRISE Circle of Trust (Identity Provider: My Company) and a HOME profile in a CONSUMER Circle of Trust (Identity Provider: e.g. My Bank). Service providers in the two circles include an Accts Payable App, Calendar, Suppliers A/B/C behind a Supply Chain Aggregator, NI Enabled Merchants, NI Enabled Services, Family & Friends Notification, and News Sources behind an NI Service Aggregator.

43 The Solution: The Liberty Alliance
❐ Create an open standard for identity, authentication and authorization that will lower costs, accelerate commercial opportunities, and increase customer satisfaction.
❐ Establish a federated standard that will enable every business to:
❐ Maintain their own customer/employee/device data
❐ Tie data to an individual's or business's identity
❐ Share data with partners according to its business objectives, and the customer's preferences...

44 Liberty Alliance Overview

45 A Business Alliance to establish an open standard for federated network identity.
● Enable a broad range of platform neutral identity-based products and services. Deliverable is a set of specifications.
● Enable commercial and non-commercial organizations to realize new revenue and cost saving opportunities
● Enable businesses and consumers to better manage their data on their own business terms, not somebody else's.

46 Working Assumptions & Philosophy of the Liberty Alliance
● Delivery of meaningful services requires knowing who the recipient is, as well as their context
● Value in a company lies with knowing the customer; value is diluted when customer profiles are fragmented
● Retaining customers/employees requires knowing all aspects of their interaction & relationships
● Policy-based identity management is efficient, flexible and extensible
● Trust is a derivative of policy, not of technology

47 The Liberty Alliance: What's its Business Value?
● Technical & cost barriers to interoperability (e.g. development costs) are no longer an issue
● Context-sensitive, gradient levels of authentication – and therefore of risk management – are now possible
● Robust standards-based data and profile exchange is possible
● Multi-vendor availability: agree on standards, compete on implementations

48 Liberty Specifications: What do you get?
Version 1.0:
● Federated network identity
● B2B, B2C, B2E application support
● Opt-in account linking
● Simplified sign-on
● Security built across all the features and specifications
● Interoperability between existing legacy ID systems
● Authentication context
● Global log out
● Fixed and Wireless device support
● Easy incremental adoption
Future Versions:
● Permissions-based attribute sharing
● Schema/protocols for core identity profile service
● Trust Circle Interoperability
● Delegation of authority to federate identities/accounts
● Interoperability for Network Identity enabled services (e.g. calendar, presence, geo-location, alerts…)
● Federated Network Identity enabled Commerce Transactions
● Payment Services
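The circle-of-trust model of slide 38 and the Version 1.0 features listed above (opt-in account linking, simplified sign-on, authentication context, global log out) can be worked through in a small model. The code below is an added example and is not Liberty Alliance or Sun code: it stands in HMAC-signed JSON for the specification's signed assertions, and assumes an integer authentication-context strength and constructed names such as "joe", "bank" and "airline".

```python
import hashlib, hmac, json, secrets, time

# Constructed model of a Liberty-style circle of trust: one identity provider (IdP),
# several service providers (SPs). Authentication context is simplified to an
# integer strength (assumption: 1 = password, 2 = token or certificate).

class IdentityProvider:
    def __init__(self):
        self.sp_keys = {}   # sp_id -> key shared with that SP (stand-in for XML signatures)
        self.links = {}     # (user, sp_id) -> opaque pseudonym, created only on opt-in
        self.sessions = {}  # user -> set of sp_ids that received an assertion

    def enrol_sp(self, sp_id):
        self.sp_keys[sp_id] = secrets.token_bytes(32)
        return self.sp_keys[sp_id]

    def link_account(self, user, sp_id):
        # Opt-in account linking: a fresh random handle per (user, SP) pair, so two
        # SPs in the circle cannot correlate the same user by comparing identifiers.
        return self.links.setdefault((user, sp_id), secrets.token_hex(16))

    def sso_assertion(self, user, sp_id, authn_context, ttl=300):
        pseudonym = self.links.get((user, sp_id))
        if pseudonym is None:
            raise PermissionError("user has not opted in to link this account")
        body = {"sub": pseudonym, "aud": sp_id, "ctx": authn_context,
                "exp": int(time.time()) + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.sp_keys[sp_id], payload, hashlib.sha256).hexdigest()
        self.sessions.setdefault(user, set()).add(sp_id)
        return payload, sig

    def global_logout(self, user, sps):
        # Global log out: end the user's session at every SP that got an assertion.
        for sp_id in self.sessions.pop(user, set()):
            sps[sp_id].logout(self.links[(user, sp_id)])

class ServiceProvider:
    def __init__(self, sp_id, key, min_context):
        self.sp_id, self.key, self.min_context = sp_id, key, min_context
        self.accounts = {}   # pseudonym -> local account; the SP keeps its own user data
        self.active = set()  # pseudonyms with a live local session

    def consume(self, payload, sig, now=None):
        # Check signature, audience, expiry and authentication context before trusting
        # the assertion; any failure means no simplified sign-on for this request.
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        body = json.loads(payload)
        if body["aud"] != self.sp_id or body["exp"] < (now or time.time()):
            return None
        if body["ctx"] < self.min_context:
            return None
        account = self.accounts.get(body["sub"])
        if account is not None:
            self.active.add(body["sub"])
        return account

    def logout(self, pseudonym):
        self.active.discard(pseudonym)
```

Each SP only ever sees its own pseudonym for the user and its own local account record, which is the attribute-federation property argued for on slide 36.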

49 Liberty Alliance Membership
Management Board [closed]:
1. An initially named set of Sponsors
2. Significant financial commitment
3. Two or Three Year Terms
4. Voting rights on governance & technology
Sponsor: $10K/mo [open]:
1. Full voting rights in all working groups
2. $10K fee is maximum cost, each company will be assessed actual operating costs each quarter
3. Can hold offices in working groups
4. Can run for open management board seats
5. Designate representatives to all sub-groups
Associate: $1K/yr [Open]:
1. Review, Comment and Access to specification when published for review
2. No voting rights
3. Ongoing Web access to Liberty activities
4. Attend Semi-Annual Conferences
Affiliate: Gratis [Open]:
1. Same benefits/rights as Associates but for non-commercial organizations only.
2. Government Agencies
3. Education
4. Non-profit Organizations

50 Management Structure
Management Board: consists of 16 founding sponsors; responsible for overall governance and maintenance; final voting authority for specifications and other output
Public Policy Expert Group: advise on privacy, security, and other public policy issues; liaison to privacy groups and government agencies. Subgroups: Education and Advocacy, Guidelines
Technology Expert Group: develops technical architecture and engineering requirements; develops technical specifications. Subgroups: Architecture, Services, Security & Trust, Conformance and Interoperability
Marketing Expert Group: develops marketing requirements and use cases; responsible for membership, press relations, and marketing communications. Subgroups: Requirements, Marcom

51 The Liberty Roadmap: Interoperability Framework (Phase One, Phase Two, Phase Three; Phase One delivered!)
– Interoperable Authentication for web-based services
– Federated Data Exchange
– Extensibility
– PKI/crypto security
– Introduction of Web Services as endpoints
– Transactional support
– Non-repudiation
– Full Web Services end-points (devices, individuals, services)

52 Sun & Partner Roadmap: Full Network Identity Solutions (1H 2002 – NI Infrastructure, delivered!; 2H 2002 – Identity-based services; 2003 – Full federation)
– Liberty Federated Identity
– Interoperable, cross-domain web Authentication
– Web Authentication Session Failover
– Enhanced conditional, rules based policies
– Kerberos V5 network authentication
– Integrated certificate authority
– SAML-based Web Authentication
– Federated authentication, transactions and non-repudiation through XML signatures
– Attribute exchange based on privacy policy

53 Network Identity Business Opportunities
B to Employee:
● Unify disparate corporate ID systems
● Enforce authorized access to resources and information
● Provide partners with regulated access to corporate apps
● Provide Single-Sign-On to all corporate applications
B to Consumer:
● Unify ID systems across multiple web properties
● Provide Single-Sign-On to federated applications
● Federated affinity programs across business partners
● Consumer controlled sharing of information between vendors
B to Business:
● Enable sale & delivery of new identity-based services
● Create "friends-and-family" identity-based services
● Create high-value chain integrated services

54 Liberty Founders

55 Liberty Sponsors

56 Liberty Associates (as of 4/'03)

57 Liberty Affiliates (04/'03)
● Canada Post Corporation
● Center of Democracy and Technology
● CIO Office of the Austrian Government
● Computer&Comm Ind. Ass.
● Engineering Partnership in Lancashire
● Financial Services Technology Consortium
● Fraunhofer Institute for Experimental Software Engineering
● Healthcare Financial Management Association (HFMA)
● Helsinki Institute of Physics
● International Security, Trust and Privacy Alliance
● Internet2
● Java Wireless Competency Centre (JWCC)
● National Institute of Urban Search and Rescue
● Newspaper Association of America
● PAM Forum
● Radicchio Consortium
● Singapore Inst. Manuf. Techn.
● Software & Information Industry Association
● The Open Group
● TRUSTe
● University of Hamburg
● U.S. Dept. of Defense
● U.S. General Services Admin.

58 To Join Liberty: www.projectliberty.org

59 Who Does What? Business Opportunities (1)
● Identity Service Provider (national, international)
● Business Relationship Management inside a Circle of Trust (national, international)
● Management of relationships between Circles of Trust (national, international)

60 Business Opportunities (2)
● Trusted Third Party Services (incl. Logistics) (national, international)
● Policy audit and seal of approval (national, international)
● Web page seal (international)
● Clearing
● International payment systems for small amounts

61 Outlook
● Identity Management will be as ubiquitous as TCP/IP
● Needed: Definition of secure, auditable and certifiable infrastructures to run Identity Services
● Needed: Definition of well documented and auditable business processes which can be certified

62 Five Years from Today?
● Will we still be able to manage our systems?
● Are enough system administrators on the Indian subcontinent?
● First large installations in free fall?

63 This Is How We Used to Build Systems

64 Deutsch's Seven Fallacies
● The network is reliable and homogeneous
● The network is secure
● Latency is zero
● Bandwidth is infinite
● There is (exactly) one administrator
● Membership on the network is stable
● The network topology doesn't change

65 This Is What We Might Have to Do in the Future

66 Who Is Building Tent Cities?
● Decentralization of systems into services
● Project N1 achieves abstraction from the component and systems level: The Network Is The Computer
● Jini — reliable networks from unreliable parts
● Jxta — clients talking to each other without intermediate servers
● Grid computing...

67 Service Driven Network (diagram: Platform, Services, Users; Sun ONE)

68 May The Force (of Solaris) Be With You...

69 We Make The Net Work Dr. Hellmuth Broda Hellmuth.Broda@Sun.COM
