
Assuring Identities in an Open Trust Framework: The Identity Assurance Framework. Kantara Initiative, 10-22-2009. Presentation to the Kantara Healthcare Identity Assurance Work Group.


1 Assuring Identities in an Open Trust Framework: The Identity Assurance Framework. Kantara Initiative, 10-22-2009. Presentation to the Kantara Healthcare Identity Assurance Work Group

2 Identity in the Physical World

3 Today’s Collection of Identity Silos (diagram: one user holding separate accounts at many unrelated sites, e.g. Joe’s Fish Market.com)

4 What the User wants…
- Simplified online experience
- Get rid of the need for multiple user-ids and passwords
- Fewer clicks
- Protected personal information
- Reduce my risk from fraud
- Better product & service offerings
- Web 2.0 and/or “smart phone” data service integration

5 A solution that didn’t work… Centralized Model
- Identity and user information in a single repository
- Centralized control
- Single point of failure
(diagram: a single Central Provider serving every site)

6 What we learned: Open Federated Model
- User information is already in various locations
- No centralized control
- No single point of failure
- The user can use their credentials to receive services anywhere the credential is accepted
(diagram: many Providers, each accepting the user’s credential)

7 ATM Historic Analogy (diagram, three stages)
- Separate cards with each bank (Bank A, Bank B, Bank C ATM cards) corresponds to individual accounts with many web sites (.com)
- Linked cards within bank networks (Bank ATM Networks A, B, C) corresponds to federated accounts within a trust domain
- Seamless access across all networks corresponds to linkage of trust domains

8 Effective Identity Requires Interoperable Assurance
Credential Service Provider (CSP):
- Identity Proofing
- Credential Lifecycle Management
- Operational Criteria for Trust
Relying Party (RP):
- Assesses Risk of Application
- Complies with Best Practices
- Provisions the Service or Resource
User gets great experience: safe, simple access from any device to services/resources
(diagram: Credential Service Provider and Relying Parties, with the user between them)

9 There are Two Problem Areas
- Technical Interoperability
  - Does the client application I'm using “talk” to the systems I want to use? (can I type in my PIN on my iPhone and have unfettered access to services without logging in again?)
  - Does the system that authenticates me (vouches for me) “talk” to the service provider systems I want to access? (can I login to my bank's site and use that to pay my taxes, book travel, and check my Gmail account?)
- Operational Interoperability & Assurance
  - Do the commercial and government systems “trust” each others' systems, operating procedures, vetting practices, etc.? (i.e., understand & accept the distribution of liability when/if something goes wrong)
We’ll focus today on the Operational Interoperability & Assurance aspects.

10 Federated Cloud: RP applications trusting Federations, who enroll & monitor CSPs compliant with Federation Operator (FO) policies, based on Assessor assessments
(diagram, “Identity Ecosystem: Trust”: End user (subscriber), Federation Operator, Assessor, Government, Applications/Services/Resources, Authentication Technology, Credential Service Provider, Relying Parties)

11 …so why the need for a common standard? Identity Assurance Framework

12 IAF-enabled Inter-Federated Cloud: RP applications trusting [Certified Federations, who enroll & monitor] IAF-compliant CSPs, based on Accredited Assessor assessments
(diagram, “Identity Ecosystem: Trust after IAF”: the same parties as slide 10, plus an Accredited Assessors List and a Certified Federations List; the Assessor accreditation and CSP certification steps are marked as the IAF’s initial focus)

13 End Goal
The end goal of this activity is to provide public and private sector organizations with a uniform means of relying on digital credentials issued by a variety of identity assurance providers (credential service providers) in order to advance trusted identity and facilitate public access to online services and information. Interoperability of e-authentication systems, mutual acceptance of rules, policies and supporting business processes is critical to the cost-effective operation of safe and secure systems that perform essential electronic transactions and tasks across industry lines.

14 Identity Assurance Framework
- What is it?
  - Framework supporting mutual acceptance, validation and lifecycle maintenance across identity federations (i.e. systems that trust each other)
  - Started with the EAP Trust Framework, UK tScheme and US e-Auth Federation Credential Assessment Framework as the baseline
  - Harmonized, best-of-breed industry identity assurance standard
  - Identity credential policy
  - Business procedure and rule set
  - Baseline commercial terms
  - Guideline to foster inter-federation (i.e. inter-trust) on a global scale
- It consists of 4 parts:
  - Assurance Levels
  - Service Assessment Criteria
  - Assurance Assessment Scheme and Certification Program
  - Business Rules/Deployment Guidelines

15 IAF Assurance Levels
- Definition: the level of trust associated with a credential, measured by the strength and rigor of the identity-proofing process, the inherent strength of the credential, and the policy and practice statements employed by the Credential Service Provider (CSP, aka “IDP”, aka “OP”, aka “Claims Provider”)
- Four primary Levels of Assurance:
  - Level 1 – Little or no confidence in the asserted identity’s validity
  - Level 2 – Some confidence
  - Level 3 – Significant level of confidence
  - Level 4 – Very high level of confidence
- The Assurance Level to require is set by the level of authentication necessary to mitigate the risk in the interaction, as determined by the Relying Party
- CSPs are certified by Assessors to specific Level(s)

16 IAF Assurance Levels Illustrated
Note: assurance level criteria as posited by OMB M-04-04 & NIST SP 800-63.

AL 1 (example: registration to a news website)
- Assessment criteria, organization: minimal organizational criteria
- Assessment criteria, identity proofing: minimal criteria; self-assertion
- Assessment criteria, credential management: PIN and password

AL 2 (example: change of address of record by a beneficiary)
- Assessment criteria, organization: moderate organizational criteria
- Assessment criteria, identity proofing: moderate criteria; attestation of government ID
- Assessment criteria, credential management: single factor; prove control of the token through an authentication protocol

AL 3 (example: access to an online brokerage account)
- Assessment criteria, organization: stringent organizational criteria
- Assessment criteria, identity proofing: stringent criteria; stronger attestation and verification of records
- Assessment criteria, credential management: multi-factor authentication; cryptographic protocol; “soft”, “hard” or “OTP” tokens

AL 4 (example: dispensation of a controlled drug, or a $1mm bank wire)
- Assessment criteria, organization: stringent organizational criteria
- Assessment criteria, identity proofing: more stringent criteria; stronger attestation and verification
- Assessment criteria, credential management: multi-factor authentication with hard tokens only; cryptographic protocol with keys bound to the authentication process

17 Sample Criteria from the IAF
AL2_CO_SER#010 Security event logging: Maintain a log of all security-relevant events concerning the operation of the service, together with a precise record of the time at which the event occurred (time-stamp), and such records must be retained with appropriate protection, accounting for service definition, risk management requirements, and applicable legislation.
AL2_CO_ISM#050 Configuration Management: Demonstrate a configuration management system that at least includes: a) version control for software system components; b) timely identification and installation of all applicable patches for any software used in the provisioning of the specified service.
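The first criterion above (time-stamped security event records, retained with protection) is the kind of control an assessor looks for at AL2. As an added illustration, not code from the Kantara deck or from the IAF, the following Python builds a tamper-evident security event log: every record carries a UTC time-stamp at microsecond resolution and an HMAC that also covers the previous record's HMAC, so editing, reordering or deleting a retained record is detectable by anyone holding the key. The key, the event names and the sample events are assumptions made for the example.

```python
# Added example for the AL2_CO_SER#010 criterion: a tamper-evident security
# event log. Not code from the Kantara deck or the IAF; the key, event names and
# sample events below are assumptions made for the example.
import hashlib
import hmac
import json
from datetime import datetime, timezone

CHAIN_ANCHOR = "0" * 64  # stands in for the "previous MAC" of the first record


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the MAC does not depend on dict key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class SecurityEventLog:
    """Append-only log. Each record's MAC covers its own fields and the MAC of
    the record before it, so the retained records form a hash chain."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = []
        self._prev = CHAIN_ANCHOR

    def append(self, event: str, subject: str, outcome: str, when: datetime = None) -> dict:
        if when is None:
            when = datetime.now(timezone.utc)
        # Precise time-stamp: UTC, microsecond resolution, explicit offset.
        ts = when.astimezone(timezone.utc).isoformat(timespec="microseconds")
        body = {"seq": len(self._records), "ts": ts, "event": event,
                "subject": subject, "outcome": outcome, "prev": self._prev}
        body["mac"] = _mac(self._key, body)   # MAC computed before "mac" exists
        self._records.append(body)
        self._prev = body["mac"]
        return dict(body)

    def records(self) -> list:
        return [dict(r) for r in self._records]


def verify_chain(key: bytes, records: list):
    """Return (True, None) if the chain is intact, otherwise (False, index) of
    the first record whose sequence number, back-link or MAC does not check."""
    prev = CHAIN_ANCHOR
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i            # reordered, inserted or deleted record
        if not hmac.compare_digest(_mac(key, body), str(rec.get("mac", ""))):
            return False, i            # content altered, or wrong key
        prev = rec["mac"]
    return True, None


def demo_records(key: bytes) -> list:
    """Constructed sample events with a fixed clock so the output is repeatable."""
    log = SecurityEventLog(key)
    t = datetime(2009, 10, 22, 9, 0, 0, tzinfo=timezone.utc)
    log.append("auth.success", "alice", "ok", when=t)
    log.append("auth.failure", "bob", "bad-password", when=t)
    log.append("credential.revoked", "bob", "ok", when=t)
    return log.records()


if __name__ == "__main__":
    key = b"demo-key-keep-this-off-the-logging-host"
    recs = demo_records(key)
    print(verify_chain(key, recs))          # (True, None)
    recs[1]["outcome"] = "ok"               # someone rewrites a failed login
    print(verify_chain(key, recs))          # (False, 1)
```

Two caveats a reviewer should raise. First, a chain of this shape does not by itself detect truncation of the newest records; the latest MAC has to be anchored somewhere the logging host cannot rewrite (a periodic copy to a separate store, or a signed checkpoint) for "retained with appropriate protection" to hold against an attacker who owns the host. Second, whoever holds the HMAC key can forge the whole chain, so the key belongs with the verifier, not on the server that writes the records; a digital signature per checkpoint avoids sharing the secret at all.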

18 Assurance Assessment Scheme & Certification Program
- Oversight by a Member Committee (the Assurance Review Board, ARB)
- Assessor is Accredited, on application, based on demonstrated expertise
- CSP service is Certified to LOA(s) based on IAF compliance
- Technology is Certified to be Interoperable
- User has safe, simple access to services
(diagram: Credential Service Provider and Relying Parties)

19 Assurance Review Board
- The Assurance Review Board (ARB) effects oversight and processes all applications
- Comprised of representatives of the identity marketplace ecosystem, and currently includes representatives from the following communities: Credential Service Providers (CSPs); Relying Parties (RPs); Auditors; Federation Operators; “Interested Parties”, i.e. entities that stand to benefit from such a program but do not have an offering to put through it
- Current ARB appointees include Mark Coderre, Aetna; Nigel Tedeschi, BT; David Temoshok, GSA; Nathan Faut, KPMG; and Leif Johansson, SUNET/NORDUnet

20 The Result – Identity Ecosystem
(diagram: Commercial, Social Networks, Financial, Government Institutions, Industry, Employers, Family/Friends; People, Entities, Machines...)
- Ubiquitous interoperability
- Minimize or eliminate the “Token Necklace”
- Customer convenience
- Consistent user experience
- Plain language
- Simplified on-boarding
- Low-to-no cost
- Ease of service selection
- Clear risk & liability

21 More Information on the IAF and the Assurance Certification Program
http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program
If you are interested in participating in the Certification pilot, please contact Britta Glade (britta@kantarainitiative.org)

