Evolution of Identity Management May 15, 2008 For: CIPS Security Special Interest Group Presented by: Mike Waddingham, PMP President, Code Technology Corp.

2 Security Context Identity Management is only one part of a broader information security environment which includes:  Perimeter security (firewalls, routers, intrusion detection, etc.)  Virus and malware protection  Data encryption  System management and availability  Application and database security  Physical information security  Business processes and practices

3 Definitions Identity – A set of attributes or claims about an individual Identity Context – there are legal, professional and personal contexts  personal context most complex with name variations and changes and a need for psuedo-anonymous identities Identity Management – Identification of users and their enrolment in a system that is used to manage their electronic identity information Access Management – Determining a set of authorizations and privileges that a validated identity may possess; controlling entitlement by granting or denying access to resources

4 An Identity Management Model Diagram courtesy of Alberta Advanced Education

5 IdM Models There are three primary IdM models in use today:  Centralized – e.g. Federal Gov’t ePass, ASAS, most others  Federated – e.g. General Motors and its suppliers  User Centric – e.g. BC Gov’t pilot projects (using Microsoft CardSpace)

6 Centralized IdM Benefits:  One identity solution for users to learn/use  All apps use same solution and interfaces  Single or Reduced Sign-on can be achieved  Common policies can be implemented once  A single team can often manage a large system  Generally well-understood by users and IT

7 Centralized IdM Shortcomings:  Difficult to scale to large size – imagine GM and its dealers (not just the employees) on one centralized system  Cannot support multiple organizations easily Therefore, it does not reflect the reality of modern distributed business environments…  Users must trust the central org to manage their information properly  Changes can impact all applications

8 Federated IdM Three types of Federated IdM systems:  Ad Hoc – bilateral, org to org  Hub-and-Spoke – islands of federation, dominated by one large organization  Federated Identity Networks – based on a network of members owning an identity platform (e.g. VISA)

9 Federated IdM An identity network is the only effective means to do so while ensuring that operational, legal, and security obligations are met... From “Digital Identity”, by Phil Windley

10 Federated Model

11 Federated Access - Sample Flow

12 Federated Identity Networks Benefits:  SSO across organizational boundaries  Can support common policies and standards across orgs  Strong technical standards exist: WS-*,SAML, SPML, Shibboleth, Liberty Alliance  Agreements of members well defined, support trust, outline consequences of misbehaving  Identity information is distributed  Automatic “Federated provisioning” an option

13 Federated Identity Networks Shortcomings:  Cost of development and operations need to be shared by orgs (not individual users)  Liability not well understood – what are limits to liability for orgs that are responsible for a breach?  Fed ID Networks not well understood by orgs that need them  Negotiation, setup and enforcement of agreements  Difficulty establishing a central, neutral Federation organization

14 User-Centric IdM Puts the user in control of their identity Segments the authentication and authorization processes into three parts:  Authoritative Party: vouches for an aspect of the user’s identity when asked  Relying Party: provides resources (e.g. access to an application) when sufficient credentials are provided  Identity Agent: controlled by the user, acts for the user

15 User-Centric Model

16 User-Centric Access - Sample Flow

17 User-Centric IdM Benefits  Supports user privacy principals  User is in control of their identity  Scales to any size without burden on orgs  Well-suited to public sector  Being pushed by Microsoft and other vendors  Supported by Pan-Canadian initiatives

18 User-Centric IdM Shortcomings  New – not well understood by either users or IT  New – not fully implemented, tested or proven  Not supported on older operating systems (needs Vista, XP with add’l software, or Mac Leopard)  Not mobile – current implementations have the Identity Agent on the user’s fixed PC  User must have knowledge of Identity Agent tools and processes

19 User-Centric IdM Gaining momentum with Open ID plus Microsoft CardSpace and other vendors Pan-Canadian Task Force: Critical operating system ‘tipping point’ coming in the near future – currently approx 20% of desktops can support information cards Open ID and information card convergence? Kim Cameron thinks so:  content/images/2008/02/OpenID/Normal/OpenIDPhish.html content/images/2008/02/OpenID/Normal/OpenIDPhish.html

20 What is Next? Centralized systems continue to be designed and built; strong vendor products available Federated systems emerging where strong business needs exist AND appropriate agreements can be negotiated User-Centric getting all the press, and some implementations are being carried out  Which is best?

21 Questions?

22 Thank You For more information, visit codetechnology.ca