Observations The phases of Internet-scale invention and the role of market-makers Skill sets for the new world order and nurturing its seed corn in common.


1 Observations
The phases of Internet-scale invention and the role of market-makers
Skill sets for the new world order and nurturing its seed corn in common

2 Next Year at CAMP

3 The things we didn’t get to this year at CAMP
Archery
Braiding lanyards
Head lice

4 For next year’s camp
The new newbies
The Enterprise Frontiers
  Framing the new world order for stakeholders
  Bronze and Silver, Signing, roles, auditors
The User Experience
  Discovery
  uApprove, privacy managers and informed consent
  Collaboration management
New Technologies and their Implications
  Access control and domestication
  Interfederation, non-web applications
  The Attribute Ecosystem

5 The new newbies
It’s still early in the federation roll-out
  From early adopters to early majority
It’s still early in the application adoption phase
We’ll see more outsourcing of identity operations, more variety of software used, etc.
Adjacent verticals – K-12, medical centers, financials

6 Talking the Enterprise Walk
Framing discussions with stakeholders
Bronze and Silver
Certificates and Signing
Roles
Auditors

7 Framing the discussions with stakeholders
A common model and vocabulary
A handle on risk assessment
A handle on attributes and access control
The art of shaping the technology to fit the policy

8 A Common Vocabulary
Identity and identifiers
“Credentials”
Acts of authentication
Acts of identity proofing
Services
Sources of authority
  Provide definitive attribute values to identities
  May have a delegated authority

9 A Handle on Risk Assessment
NIST guidelines on risk assessment – somewhat dated, somewhat abstract, somewhat not relevant
App owners tend to overestimate risk; users tend to underestimate it
Weak-link applications can expose data even if they do not expose credentials

10 Attributes and access control
Getting stakeholders to think of themselves in specific roles
  As sources of authority
  As vetters of identity
The emergence of roles for scaling
The limits of gestalt semantics and the “value” of regulation

11 The art of “teching” a policy
Policy is soft; code is hard
Forcing the policy discussions
  Where to store attributes: at the SoA, at the IdP or at the RP
  Where to authorize: at the IdP (compute an entitlement) or at the RP (pass attributes)
  Who should issue credentials versus who should issue attributes
  Identity linking/crosswalking – strategies and exposures

12 InCommon Bronze and Silver
Revisions as time goes by
  Particularly in privacy
Gold
The apps?
The technical options
  Certs
  SMS as a second factor
  Others

13 Certificate Services
National, flexible arrangement with Comodo, a commercial CA whose root is in all web browsers
Unlimited SSL and personal certs for a flat fee, based on the size of the institution or system; typically saves a campus 30-50%
Limited to .edu-affiliated institutions; requires InCommon membership
The personal certs are the prize in the Cracker Jack box
  SSL certs save significant money and allow campus security to be improved
  Personal certs introduce powerful capabilities for signed documents and two-factor authentication

14 Signing
A long-term Holy Grail
Signing of documents; not encryption, because of key escrow issues
A lot easier than it was: better clients, rooted certs, federation to leverage, revocation processes
Still really hard: enterprise deployment issues, LOA, including attributes and roles

15 New InCommon Initiative in Signing
Several phases
  Enterprise deployment issues – clients, mobility, desktop, discovery, LOA
  Innovation – inter-institutional, signing roles and attributes
  Business leveraging – working with the verticals: registrars, financial offices, legal, etc.
Campus-driven with I2 flywheels and collab support services; watch incommon-participants for info
International and other verticals coordination

16 Roles
The key ingredient to scaling, to inter-realm work, to audit and compliance
Roles are mostly roll-ups of permission sets
  With qualifiers, pre-requisites, etc.
Roles are mostly group information but…
Regulation or federation can help define roles

17 Auditors
How much auditing – Kantara and reality
Institutional leverage to get engagement
Finding the righteous auditors and training the rest
Visibility of audit results

18 Talking User Experience
Discovery
Privacy Managers
Collaboration Management

19 Discovery
The process of directing an unauthenticated user back to an organization to be authenticated (happens at new browser launch, not at new window, etc.); already authenticated users are taken directly to the resource
A non-scalable aspect, especially as the number of federations and IdPs grows exponentially
An issue to be addressed by an SP
Today done by the federation WAYF; users can set cookies to default to an IdP, good for up to a year
The future is much better – see

20 Privacy managers
Translating geek to English
Translating English into other languages
Bundles of commonly used attributes
  The collab package (eppn + display name)
  The privacy package (epTId + nickname)
  ??
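An added example (not from the slides) of an IdP-side release filter built around the two bundles named above: the SP gets only its bundle, and the privacy package carries a pairwise pseudonym (a stand-in for eduPersonTargetedID) that is stable for one SP but unlinkable across SPs. The salt, user record and SP entity IDs are constructed for the example.

```python
import hashlib
import hmac

# The bundles named on the slide, spelled out as eduPerson attribute names.
BUNDLES = {
    "collab":  ["eduPersonPrincipalName", "displayName"],
    "privacy": ["eduPersonTargetedID", "nickname"],
}

# Hypothetical per-IdP secret; a real deployment keeps it in IdP configuration.
TARGETED_ID_SALT = b"constructed-example-salt"


def targeted_id(user_id: str, sp_entity_id: str) -> str:
    """Pairwise pseudonym: same value for one user at one SP, different at every other SP."""
    mac = hmac.new(TARGETED_ID_SALT, digestmod=hashlib.sha256)
    mac.update(user_id.encode())
    mac.update(b"!")
    mac.update(sp_entity_id.encode())
    return mac.hexdigest()[:32]


def release(user: dict, sp_entity_id: str, bundle: str) -> dict:
    """Release only the attributes in the SP's bundle; everything else stays at the IdP."""
    if bundle not in BUNDLES:
        raise ValueError(f"unknown bundle {bundle!r}")
    out = {}
    for name in BUNDLES[bundle]:
        if name == "eduPersonTargetedID":
            out[name] = targeted_id(user["uid"], sp_entity_id)
        elif name in user:
            out[name] = user[name]
    return out


# Constructed user record as held at the IdP; note that "mail" is never released.
USER = {"uid": "jdoe", "eduPersonPrincipalName": "jdoe@example.edu",
        "displayName": "Jane Doe", "nickname": "jd", "mail": "jdoe@example.edu"}

if __name__ == "__main__":
    print(release(USER, "https://wiki.vo.example/sp", "collab"))
    print(release(USER, "https://survey.example.org/sp", "privacy"))
```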

21 The Emergence of Collaboration Management
IdM is a critical dimension of collaboration, crossing many applications and user communities
Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools
Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world
Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity

22 Collaboration Platforms
Integrated set of collaboration apps (wikis, listprocs, CVS, file share, calendaring, etc.)
Integration of at least identity and access control via group memberships
Extends consistent identity and access controls to domain apps
Repackages successful enterprise technologies for a collaborative/project/VO setting
  Federated identity, group management, directories, and security token services (aka credential converters)
Allows integration of VO and enterprise IdM

23 Examples of Collaborative Platforms
COmanage
Commercial offerings – SharePoint, Adobe Connect, Google Sites, Google Wave, Google Apps
  Can be integrated with enterprise IdM
  Don’t integrate with domain apps

24 COmanage Elements (architecture diagram)
Dashboard (including invitation/registration)
Shib SP
Grouper
STS
Shib IdP
LdapPC / SPML provisioning
Data Store
Applications

25 What’s in a COmanage data store
Enterprise attributes        Project/VO attributes
Federated Id                 PI groups
Enrolled classes             Wiki editing permissions
Display name                 Instrument permissions
Citizenship                  VO certificates
Enterprise affiliation

26 Flows of attributes - 1 (diagram: attributes flow between the Enterprise, the Project’s COmanage data store, and the Relying Party)

27 Talking new technologies
Interfederation
Thinking beyond the web
The Attribute Ecosystem and the Tao of Attributes

28 Interfederation
Connecting autonomous federations
Critical for global scaling, accommodating state and local federations, integration across vertical sectors
Has technical, financial and policy dimensions
Elegant technical solution (MDX) being developed in the eduGAIN project of GÉANT
Policy activities in the Kalmar2 Union, Kantara, TERENA

29 MDX – metadata exchange protocol
Institutions and organizations will pick a registrar to give their metadata to
Institutions and organizations will pick an aggregator (or several) to get their partners’ metadata from
Aggregators exchange metadata with each other and with registrars
If this sounds like DNS registration and routing, it is, one layer up
In the land of data, metadata is king; imagine many new kinds of metadata
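An added example (not from the slides or the eduGAIN project) of the registrar/aggregator split above: each registrar publishes a SAML metadata aggregate whose entities carry an mdrpi:RegistrationInfo element naming the registrar, and the aggregator keeps one descriptor per entityID while refusing any descriptor whose registrationAuthority does not match the registrar that served it. Registrar URIs, entity IDs and the feed contents are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
RPI = "urn:oasis:names:tc:SAML:metadata:rpi"


def registrar_feed(authority: str, entities: list) -> str:
    """Constructed stand-in for the aggregate a registrar publishes."""
    descs = "".join(
        f'<md:EntityDescriptor entityID="{eid}"><md:Extensions>'
        f'<mdrpi:RegistrationInfo registrationAuthority="{auth}"/>'
        f'</md:Extensions></md:EntityDescriptor>'
        for eid, auth in entities)
    return (f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdrpi="{RPI}" '
            f'Name="{authority}">{descs}</md:EntitiesDescriptor>')


def aggregate(feeds: dict) -> tuple:
    """feeds maps a registrar's authority URI to the XML it served.
    Returns (accepted entityID -> registrar, list of rejected (entityID, served_by, reason))."""
    accepted, rejected = {}, []
    for authority, xml in feeds.items():
        root = ET.fromstring(xml)
        for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
            eid = ed.get("entityID")
            ri = ed.find(f"{{{MD}}}Extensions/{{{RPI}}}RegistrationInfo")
            claimed = ri.get("registrationAuthority") if ri is not None else None
            if claimed != authority:
                # Served by one registrar but claims another: do not trust it.
                rejected.append((eid, authority, claimed))
            elif eid in accepted:
                rejected.append((eid, authority, "duplicate"))
            else:
                accepted[eid] = authority
    return accepted, rejected


# Constructed feeds from two registrars; the last entry in B's feed claims A's
# authority and must be dropped rather than overwrite A's descriptor.
FEEDS = {
    "https://registrar-a.example": registrar_feed("https://registrar-a.example", [
        ("https://idp.a.example/idp", "https://registrar-a.example"),
        ("https://sp.a.example/sp", "https://registrar-a.example")]),
    "https://registrar-b.example": registrar_feed("https://registrar-b.example", [
        ("https://idp.b.example/idp", "https://registrar-b.example"),
        ("https://idp.a.example/idp", "https://registrar-a.example")]),
}

if __name__ == "__main__":
    print(aggregate(FEEDS))
```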

30 Thinking beyond the web
All those mobile devices
All those infrastructure elements – routers, firewalls
Lots of apps want to leverage federated identity
Several approaches at work
  Using OAuth to pass a token from web to app
  Project Moonshot effort in Europe to extend basic IETF protocols (GSSAPI, EAP, etc.) to provide a broad set of app opportunities

31 The Attribute Ecosystem
Authentication is very important, but identity is just one of many attributes
And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
We now have our first transport mechanisms to move attributes around – SAML and federations
There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
Together, this attribute ecosystem is the “access control” layer of the Internet

32 Attribute use cases are rapidly emerging
Disaster “first responders” – attributes and qualifications dynamically
Access-ability use cases
Public input processes – anonymous but qualified respondents
Grid relying parties aggregating VO and campus attributes
The “IEEE” problem
The “over legal age” and the difference in legal ages use cases
Self-asserted attributes – friend, interests, preferences, etc.

33 The Tao of Attributes workshop 属性之道
Purpose of the workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
Participants were the best and brightest – the folks who invented LDAP, SAML, OpenID, etc.
Webcast at
Twittered at TAOA

34 Back to Ann
With much thanks to her, the Internet2 and InCommon staff who helped
And much thanks to the program committee
And great thanks to you with your great problems and your willingness to talk about them

