Halifax, 31 Oct – 3 Nov 2011 Brian K. Daly, Director, Core Standards AT&T ATIS Identity Management (IdM) Standards Development Document No: GSC16-PLEN-93.

Presentation transcript:

ATIS Identity Management (IdM) Standards Development
Brian K. Daly, Director, Core Standards, AT&T
Halifax, 31 Oct – 3 Nov 2011
Document No: GSC16-PLEN-93
Source: ATIS
Contact: Brian Daly,
GSC Session: PLENARY
Agenda Item: 6.4

Halifax, 31 Oct – 3 Nov 2011 ICT Accessibility For All GSC16-PLEN-93

Highlight of Current Activities (1)

ATIS’ Packet Technologies and Systems Committee (PTSC) is actively developing the following IdM-related standards:

Identity Management (IdM) Use Cases and Requirements for Service Provider Identity (SPID)
  – Describes use cases to illustrate service scenarios where SPID is utilized, including assumptions on security, authentication, and discovery. SPID requirements are derived from these Use Cases.
  – Existing mechanisms and encoding formats are being examined for applicability and gaps.
  – Target Date: 4Q 2011

Identity Management (IdM) Mechanisms for NGN
  – Describes a set of IdM mechanisms and suites of options that should be used to satisfy the ATIS IdM Requirements Standard (see next slide).
  – Gaps in existing mechanisms are identified in order to meet the requirements.
  – Target Date: 4Q

Highlight of Current Activities (2)

PTSC recently completed:

Identity Management (IdM) Requirements and Use Cases Standard
  – Provides IdM example use cases and requirements for the NGN and its interfaces.
  – IdM functions and capabilities are used to increase confidence in identity information and support and enhance business and security applications including identity-based services.
  – The requirements provided in this standard are intended for NGN (i.e., managed packet networks) as defined in ATIS , NGN Architecture, and ITU-T Recommendation Y
  – Completed as ATIS

Strategic Direction

Define value added use cases that will derive requirements

Continue to support government services (e.g., ETS, e-commerce)

Support the National Strategy for Trusted Identities in Cyberspace (NSTIC) which addresses two central problems impeding economic growth online:
  – Passwords are inconvenient and insecure
  – Individuals are unable to prove their true identity online for significant transactions

Leverage User-Centric solutions where possible, while identifying deltas to meet the needs of NGN providers
  – NGN service providers need to address both real-time and near-real time applications
  – Solution for real-time applications (e.g., exchange of IdM information for SIP communication sessions) would be distinct

Provide structured and standard means to discover and exchange identity information across network domains/federations
  – Bridge different technology dependent systems including existing network infrastructure systems (e.g., use of existing resources such as Line Information DataBase (LIDB) where appropriate)
  – Address new and emerging applications and services (e.g., IPTV and convergence)
  – IPTV Downloadable Security, including key management, certificate authority, and authorization
  – Address unique security needs

Challenges

Identity theft, phishing scams, etc., are becoming continually more sophisticated, and increasing IdM education is a necessity.

Un-trusted identity information as a result of migration to IP packet networks, emergence of new service providers (e.g., 3rd party providers) and other changes over the past decade (e.g., smart terminals, and an open internet environment)
  – Historically, trusted information was provided by closed and fixed network environment operating under regulatory conditions
  – Changes to the trust model are resulting in operations, accounting, settlements, security and infrastructure protection problems

Overcoming silo solutions
  – User-centric model focusing on web services and electronic commerce
  – Available standards focus mainly on web services (e.g., OASIS, WS*, Liberty, SAML) and human identities
  – Vendor specific solutions/products (e.g., Microsoft Cardspace, PayPal, iNames)
  – Impact of Kantara Initiative needs to be assessed

Next Steps/Actions

Continue to leverage User-Centric IdM solutions
  – Avoid duplication and redundancy

Leverage, use, enhance and adapt existing work and technology solutions where appropriate managed networks

Enhance and customize existing IP/web services capabilities and work of other industry groups (e.g., Liberty Alliance, Kantara, OASIS, 3GPP, ITU-T) as appropriate
  – Allow for the use of existing (e.g., LIDB) and new (e.g., IPTV) resources and capabilities

Continue to solicit IdM Use Case/Requirements inputs from all ATIS committees

Contribute ATIS IdM requirements and mechanisms to the ITU-T to obtain global solutions

Collaborate with the White House initiative on National Strategy for Trusted Identities in Cyberspace (NSTIC) to improve the privacy, security, and convenience of sensitive online transactions

Proposed Resolution

ATIS supports the reaffirmation of the existing IdM Resolution:
  – GSC-15/04: Identity Management

Supplemental Slides

Identity Management (IdM)

Identity Management (IdM) involves secure management of the identity life cycle and the exchange of identity information (e.g., identifiers, attributes and assertions) based on applicable policy of entities such as:
  – Users/groups
  – Organizations/federations/enterprise/service providers
  – Devices/network elements/systems
  – Objects (Application Process, Content, Data)

ID Theft and Online Fraud: By the Numbers

Identity theft is costly, inconvenient and all-too common
  – In 2010, 8.1 million U.S. adults were the victims of identity theft or fraud, with total costs of $37 billion.
  – The average out-of-pocket loss of identity theft in 2008 was $631 per incident.
  – Consumers reported spending an average of 59 hours recovering from a “new account” instance of ID theft.

Phishing continues to rise, with attacks becoming more sophisticated
  – In 2008 and 2009, specific brands or entities were targeted by more than 286,000 phishing attacks, all attempting to replicate their site and harvest user credentials.
  – A 2009 report from Trusteer found that 45% of targets divulge their personal information when redirected to a phishing site, and that financial institutions are subjected to an average of 16 phishing attacks per week, costing them between $2.4 and $9.4 million in losses each year.

Managing multiple passwords is expensive
  – A small business of 500 employees spends approximately $110,000 per year on password management. That’s $220 per user per year.

Passwords are failing
  – In December 2009, the Rockyou password breach revealed the vulnerability of passwords. Nearly 50% of users’ passwords included names, slang words, dictionary words or were extremely weak, with passwords like “123456”.

Maintenance of multiple accounts is increasing as more services move online
  – One federal agency with 44,000 users discovered over 700,000 user accounts, with the average user having individual accounts.

Improving identity practices makes a difference
  – Implementation of strong credentials across the Department of Defense resulted in a 46% reduction in intrusions.
  – Use of single sign-on technologies can reduce annual sign-in time by 50 hours/user/year.

Value Added for NGN Provider

Dynamic/automatic IdM means between multiple partners (e.g., end users, visited and home networks) reduce costs (compared to pair-wise arrangements) to
  – Establish service arrangements
  – Exchange identity information
  – Exchange policy information and enforce policy

Enabler of new applications and services (e.g., IPTV and convergence) including identity services

Leverage existing and expanding customer base

Common IdM infrastructure enables support of multiple applications and services

Enables
  – standard API and data schema for application design
  – multi-vendor/platforms solutions
  – inter-network/federations interoperability
  – Security protection of application services, network infrastructure and resources

Value Added for the User

Privacy/user control
  – Protection of Personal Identifiable Information [PPII]
  – Ability to control who is allowed access (i.e., providing consent) to personal information and how it is used

Ease of use and single sign-on / sign-off (multiple application/services across multiple service providers/federations)

Enabler of Social Networking

Security (e.g., confidence of transactions, and Identity (ID) Theft protection)

Government Motivations

Infrastructure Protection (i.e., against cyber threats)

Protection of Global Interests (e.g., business and commerce)

Provide assurance capabilities (e.g., trusted assertions about digital identities [credentials, identifiers, attributes and reputations]) to enable
  – National Security/Emergency Preparedness (NS/EP)
  – Early Warning Services
  – Electronic Government (eGovernment) Services (e.g., web-based transactions)
  – Public Safety Services (e.g., Emergency 911 services)
  – Law Enforcement Services (e.g., Lawful Interceptions)
  – National/Homeland Security
  – Intelligence Services

ATIS PTSC IdM Documents

Document: ATIS NGN IdM Framework Standard [PTSC Issue S0058]
Scope: Framework for NGN IdM
Issue Description:
  – Framework for handling identities in a secured and authenticated manner in a multi-network, multiple service provider environment
Target Date: Published as ATIS

Document: ATIS IdM Requirements and Use Cases [PTSC Issue S0059]
Scope: IdM Use Case examples for NGN
Issue Description:
  – Develop Use Cases illustrating IdM applications in a multi-network, multiple service provider environment defined by the ATIS NGN architecture
  – Requirements for handling identities in a secured and authenticated manner in a multi-network, multiple service provider environment
  – Harmonized approach to address IdM issues in the ATIS NGN architecture
Target Date: Published as ATIS

Document: ATIS IdM Mechanisms Standard [PTSC Issue S0060]
Scope: NGN IdM Mechanisms and Procedures
Issue Description:
  – Develop IdM mechanisms (e.g., registration, authorization, authentication, attribute sharing, discovery) to be used in a harmonized approach for the ATIS NGN architecture
Target Date: 4Q 2011

Document: ATIS Service Provider Identity (SPID) [PTSC Issue S0067]
Scope: Define ATIS Use Cases and Requirements for SPID
Issue Description:
  – Develop an ATIS NGN SPID standard that derives requirements from Use Cases applicable to managed NGN deployments. These requirements will be used to define industry solutions.
Target Date: 4Q

Note: parallel documents exist in ITU-T SG13, Q15