Identity Management 2.0 George O. Strawn NSF CIO

Outline Who are we and what are we doing here? What is Identity Management (IdM)? IdM 1.0 Why not IdM 1.0? Why IdM 2.0? Why not IdM 2.0? What is IdM 2.0? Other matters

Who are we? Campus thought leaders (plus one) –One third high tech –One third middle tech –One third low tech/high application My job: to provide a level-setting definition and description of the state-of-the-art of Identity Management to an audience that ranges broadly in IT and IdM background

What are we doing here? Creating a “business plan” outline that could be used by EDUCAUSE member institutions to sell IdM 2.0 to the campus administration Creating a “marketing plan” outline that could be used by EDUCAUSE member institutions to sell IdM 2.0 to the campus

What is Identity Management? Organization: The policies, processes, and tools used to “assure” that IT systems and applications are made available only to appropriate persons Individual: The persons I am working with and the systems I am using really are who they say they are. And no one can impersonate me, or read or change my information

IdM has become important! Identity Management has greatly increased in importance as IT systems and applications are used to perform more and more of the work of society and commerce For this reason, we’ve got to do a better job of IdM (from IdM 1.0 to IdM 2.0)

IdM 1.0 IdM is nothing new –we’ve had “user names and passwords” almost forever (in IT terms) A defining characteristic of IdM 1.0 is that each IT system and application does its own identity management –usually by keeping a list of authorized username/password pairs and checking it at login time

Why not IdM 1.0? Ineffective: IdM 1.0 does a poor job of assuring privacy and security Inefficient: IdM 1.0 is expensive to manage and maintain (many separate IdM systems) Liability: IT and application providers (and their organizations) are now burdened with security and privacy responsibilities User-unfriendly: Users are now burdened with many username/password pairs

Why IdM 2.0? Effective: IdM 2.0 can provide a uniformly strong (eg, secure and private) identity management capability for an organization Efficient: IdM 2.0 can provide a single IdM system for an organization User-friendly: IdM 2.0 can greatly reduce the number of username/password pairs that a user must remember

Why not IdM 2.0? IdM 2.0 will require changes to policies, processes, and IT systems –eg, replacing the IdM 1.0 software with the standardized IdM 2.0 software (middleware) IdM 2.0 is not free –The policies, processes, and IT systems must be developed and maintained But the benefits will outweigh the costs!

What is IdM 2.0? A single, standardized solution for an organization to “assure” access to IT systems and applications only to appropriate persons Requires a “bigger/better” list of persons and it divides IdM divides into two parts: –authentication of users: Are you who you say you are? –authorization of users: Should you have access to a particular system or application?

A bigger/better list of persons Often called a directory Will include all persons in your organization Q: But what about persons in other organizations who need access to your IT systems and applications? A: See next+2 nd slide. Will require as much “care and feeding” as your financial and student record databases Will include information to enable authentication and authorization

Authentication Are you who you say you are? –What you know (eg, a private password) –What you have (eg, a token that generates time- dependent random numbers) –What you are (eg, your fingerprint or retinal scan) These can be done alone (more or less well), or in (1-, or 2-, or 3-factor) combination

Authorization Answers the question (for each person): which IT systems and applications are you permitted to use? Can be based on individuality (eg, Jane Jones is authorized to access the financial system) And can be based on attribute (eg, any student is authorized to use the library system)

Beyond the organization Another major benefit of IdM 2.0 will be that organizations can authenticate their members to other organizations (called “federated identity management”). Eg, –University X authenticates a student, and –College Y authorizes any student at University X to use its library system Higher Ed, USG, and industry are working hard to do this (eg, InCommon in HE)

In my other (the Federal) world We are working to create a USG-wide “e- authentication” system We are working (under the spur of “HSpd- 12”) to create an “intelligent card” for USG- wide physical access and (ultimately) for IT access NSF intends to move FastLane authentication from IdM 1.0 to IdM 2.0

Creating a Trusting e-Community Trusted Identity Management is one component of a trusted IT environment (together with secure IT applications and systems, and and digital information that is confidential, integral, and available) We will not enter the digital promised land until we do all these things better!