Identity Management @ HP Labs: Challenges and Opportunities


1 Identity Management @ HP Labs: Challenges and Opportunities
Marco Casassa Mont, Trusted Systems Lab, Hewlett-Packard Labs

2 Overview
- Identity Management (IdM): Challenges and Opportunities
- Enterprise Privacy Management with IdM Solutions
  - Privacy-Aware Access Control
  - Privacy-Aware Information Lifecycle Management
- Identity Governance Framework (IGF) Initiative
- Identity Capable Platforms (ICP) and Provisioning Services
- Device-based Identity Management in Enterprises


4 Identity Management: A Very Complex Area …
- Consolidation of Traditional Identity Management in Enterprises
- Whole New Set of Initiatives in the Identity Management Space
- Flow of Identity Information Across Boundaries (Enterprises/Orgs, Users, Government)
- Identity Information Stored All Over the Place (Devices, Service Providers, Enterprises/Orgs, Government Sites, etc.)
- Old and New Threats
16 April, 2017

5 Identity Management: Consolidation in the Enterprise …

6 New Trends Impacting Identity Management
Trends affecting Enterprises/Orgs, Users and Government:
- Web 2.0, Collaborative Networks, Content Generation & Mash-up, …
- Enterprise (Web) 2.0
- Convergence of IP/Telco Networks (NGN)
- Business-driven IT Management
- Risk & Assurance
- New Laws and Legislation
- Mobility; new types and range of Personal Devices; New Services
- Convergence of IP/Telco in Next Generation Networking (NGN)/All-IP/21C
- Terrorism, New Global Threats, New Legislation and Laws, …

7 Identity Management: A Whole New Set of Initiatives …
Initiatives spanning Enterprises/Orgs, Users and Government:
- Identity 2.0 & Web 2.0 for Enterprises: Content-aware Access Control, …
- User-Centric IdM (Identity 2.0), driven by Web 2.0 & Federated IdM: Liberty Alliance, OpenID, InfoCard, Sxip, …
- Identity as a Service
- Business-driven IT Management and its Implications for IdM: ITIL, COBIT, BS7799, …; Federated Identity Assurance
- National Identity IDs/Cards (biometric IDs, etc.)
- Device-based Identity Mgmt: Liberty Alliance Identity-Capable Platforms (ICP), Next Generation Trusted Computing (TCG), Network-based Identities, …
- Privacy Laws and Other Legislation (US RealID, etc.)
- Identity Governance & Compliance with Laws: Role Mining in Complex Orgs/M&As, …

8 Identity Management: Old and New Issues …
Issues across Enterprises/Orgs, Users and Government:
- Privacy: (pseudo-)anonymity vs. the need to disclose
- New Potential Risks introduced by Identity 2.0 (e.g. Identity Phishing, …)
- Identity Theft and Fraud
- Lack of (Digital) Education
- Lack of User Control over Data
- Lack of Assurance and Trust
- Too much reliance on Human-based Processes: Lack of Automation of Privacy Management and Compliance Management
- Lack of IdM + Privacy Standards
- Little control given to users over their data
- Lack of Control, Assurance and Accountability in Outsourced Environments
- New Potential Privacy Threats for Citizens
- Cross-Organisation Data Correlation
- …

9 IdM: Challenges and Opportunities (Next 5 Years)
Top Challenges
1. Improve Users' Control over Their Personal Data (within Devices and Orgs)
2. Enterprise Privacy Management: Automation of Privacy Management and Regulatory Compliance in Enterprises
3. Alignment of Enterprise IdM Practices and Solutions with Business-driven IT Management (ITIL, etc.): Identity Governance, Risk and Assurance Mgmt
4. Secure, Privacy-aware and Trustworthy Federated IdM/SSO:
   - Interoperability between the various Federated IdM/SSO initiatives
   - Standards to enable Data Exchange between Enterprises/Orgs, driven by Security and Privacy Policies and Users' Preferences
   - Exploitation of Web Identity 2.0 in Enterprises/Organisations
   - …
Top Opportunities
1. Improve overall Enterprise IdM Practice and User Experience/Control, …
2. New Research & Development Opportunities in the Identity Management Area, on both the User and the Enterprise side
3. New Business Opportunities in the Identity Management space in terms of IdM Services, Solutions, Products, …


11 Enterprise: Privacy Management Automation with Identity Management Solutions
Drivers: Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …), Customers' Expectations, Internal Guidelines.
Impact on Enterprises and Opportunities: Regulatory Compliance; Customers' Satisfaction; Positive Impact on Reputation, Brand and Customer Retention.
Diagram: PEOPLE hand Personal Data to the ENTERPRISE's Applications & Services. Within the Enterprise IT Infrastructure, Regulations, Standards and Best Practices drive a governance loop of IT Alignment, Policy Development, Policy Enforcement, Monitoring, Reporting and Transparency.
Effective Enterprise Privacy depends on Good IT Governance Practices.

12 Privacy and Identity Management: Implications
Diagram: personal data and the policies attached to it ("Data + Policies") flow across Partnership and Outsourcing boundaries, so the policies have to travel with the data.

13 Automating Policy Deployment and Enforcement
Diagram: policies held in a Policy store are encoded and used to configure an Execution engine that mediates the Business application's access to Personal data; the underlying IT System (Hardware & Software Platforms) is configured from a Configuration store.

14 Privacy For Personal Data: Core Principles
OECD Privacy Principles: Individual Participation, Openness, Collection Limitation, Security Safeguards, Use (Limitation), Data Quality, Purpose Specification.
Privacy Policies express these principles as Rights, Permissions and Obligations.

15 Addressed Problems
How to Automate Privacy Management within Enterprises:
- How to Automate Privacy-Aware Access Control
- How to Automate the Privacy-Aware Information Lifecycle
- How to Do this in a Systematic Way
- How to Leverage Current Identity Management Solutions

16 Enterprise Identity Management: Impacted Areas
- Privacy-aware Information Lifecycle Management
- Privacy-Aware Access Control

17 Privacy Automation for Identity Management: Systematic Approach
Architecture (within the ENTERPRISE):
- Actors: Users, Third Parties, Employees, Privacy Admins
- Entry points: Web Portal, Federated IdM, Self-Registration (Personal Data & Privacy Preferences), Access Requests to Applications/Services
- Identity Management Middleware: User Provisioning & Account Management; Access Control System; Privacy-aware Information Lifecycle Manager
- Policies and settings: Privacy Obligations; Consent & Other Preferences; Data Settings
- Policy Compliance Checking System, driven by Events
- Enterprise Systems and Data Repositories, reached through privacy-aware queries


19 Privacy-aware Access Control in Enterprises
- How to Enforce Privacy Policies within Enterprises when Accessing and Manipulating Personal Data?
- How to Enforce User Preferences, e.g. Consent?
- How to Integrate with Identity Management Solutions?
HP Labs R&D Work:
- Privacy-Aware Access Control System for Personal Data
- Prototype Integrated with HP OpenView Select Access
- Plans to Productise it in 2008
Governance loop (Regulations, Standards, Best Practices; IT Alignment; Policy Development; Policy Enforcement; Enterprise IT Infrastructure): this work addresses Privacy Policy Enforcement.

20 Moving Towards a "Privacy-Aware" Access Control …
Traditional Access Control: Requestor, Actions, Rights, Personal Data.
Privacy-Aware Access Control = Access Control + Privacy Extension: Requestor, Actions, Rights, Personal Data, plus Purpose, Requestor's Intent, Owner's Consent, Constraints, Other…
Privacy Enforcement on Data: Access Control + "Intent, Purpose, Consent, …". It is not just a matter of traditional access control: data purpose, the requestor's intent and the user's consent need to be included.

21 Example: Privacy-aware Access Control (Consent, Purpose and Intent Mgmt)
Table T1 with PII Data:
  uid  Name   Condition            Diagnosis
  1    Alice  Alcoholic            Cirrhosis
  2    Rob    Drug Addicted        HIV
  3    Julie  Contagious Illness   Hepatitis
Table T2 with Customers' Consent: one row per uid (column Consent), with a flag per purpose (columns Marketing and Research). The filtered result below implies Marketing consent for uids 1 and 3 only.
Enterprise Privacy Policies & Customers' Consent:
  If role == "empl." and intent == "Marketing" Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If intent == "Research" Then Allow Access (T1.Diagnosis)
  Else Deny Access
Request: Access Table T1 (SELECT * FROM T1), Intent = "Marketing"
Privacy Policy Enforcement: Filter data
  SELECT "-", Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = "YES"
Filtered data:
  uid  Name  Condition            Diagnosis
  1    -     Alcoholism           Cirrhosis
  3    -     Contagious Illness   Hepatitis

22 Privacy Policy Definition and Enforcement
Approaches range from Implicit to Explicit. HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies:
- Single solution for explicit management of Privacy Policies on Heterogeneous Data Repositories
- Privacy Enforcement by Leveraging and Extending the Security/Access Control Framework, with an easy-to-use management UI
- Does not require major changes to Applications/Services or Data Repositories

23 Key Requirements
- Modeling of Personal Data
- Explicit Definition, Authoring and Management of Privacy Policies
- Extensible Privacy Policies
- Explicit Deployment and Enforcement of Privacy Policies
- Integration with traditional Access Control Systems
- Simplicity of Usage
- Support for Audit

24 Our Model of Privacy-Aware Access Control
1. Requestor's Intent + Request to Access Data (from Requestors, Applications, Services)
2. Access Request evaluated by the Privacy Policy Decision Point (PDP) against Access Control + Privacy Policies (intent, purpose, consent, constraints, …)
3. Privacy-aware Decision passed to the Data Enforcer, the Privacy Policy Enforcement Point (PEP)
4. Privacy-aware Access to Data in the Data Repositories (RDBMS, LDAP, etc.), which hold Personal Data + Data Subjects' Consent
5. Accessed Data returned (it could be a subset of the Requested Data)
Policies and data models are authored with the Privacy Policy & Data Authoring Tools (PAP).
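The PAP/PDP/PEP split above and the T1/T2 example of slide 21 can be exercised end to end in a few dozen lines. The following is an added example, not code from the deck or from HP Select Access: the policy is held as data (PAP), `decide` plays the PDP, and `enforce` plays the Data Enforcer by rewriting the requestor's `SELECT * FROM T1` into a query that masks columns the policy does not grant and joins the consent table when the policy says to enforce consent. The tables are constructed in an in-memory SQLite database; T2's Research flags are my assumption, since the deck only implies Marketing consent for uids 1 and 3. The uid column is always kept as the record key, and column names come from the policy rather than from the requestor, so the rewrite cannot be steered by the request.

```python
import sqlite3

# Constructed sample data mirroring the deck's PII table T1 and consent table T2.
T1_ROWS = [
    (1, "Alice", "Alcoholic", "Cirrhosis"),
    (2, "Rob", "Drug Addicted", "HIV"),
    (3, "Julie", "Contagious Illness", "Hepatitis"),
]
T2_ROWS = [  # (Consent = uid, Marketing, Research); Research values are assumed
    (1, "YES", "NO"),
    (2, "NO", "YES"),
    (3, "YES", "YES"),
]
ALL_COLUMNS = ("uid", "Name", "Condition", "Diagnosis")

# PAP: the deck's policy expressed as ordered rules. role=None means "any role".
POLICY = [
    {"role": "empl.", "intent": "Marketing",
     "columns": ("Condition", "Diagnosis"), "consent": "Marketing"},
    {"role": None, "intent": "Research",
     "columns": ("Diagnosis",), "consent": None},
]


def open_db():
    """Create the constructed T1/T2 tables in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T1 (uid INTEGER PRIMARY KEY, Name TEXT, "
                "Condition TEXT, Diagnosis TEXT)")
    con.execute("CREATE TABLE T2 (Consent INTEGER PRIMARY KEY, "
                "Marketing TEXT, Research TEXT)")
    con.executemany("INSERT INTO T1 VALUES (?,?,?,?)", T1_ROWS)
    con.executemany("INSERT INTO T2 VALUES (?,?,?)", T2_ROWS)
    return con


def decide(role, intent):
    """PDP: first matching rule wins; returns (granted columns, consent column) or None (deny)."""
    for rule in POLICY:
        if rule["role"] not in (None, role):
            continue  # rule is bound to another role
        if rule["intent"] == intent:
            return rule["columns"], rule["consent"]
    return None


def enforce(con, role, intent):
    """PEP / Data Enforcer: turn 'SELECT * FROM T1' into the privacy-filtered query.

    Returns the filtered rows, or None when the PDP denies the request.
    """
    decision = decide(role, intent)
    if decision is None:
        return None
    granted, consent_col = decision
    visible = ("uid",) + tuple(granted)
    # Columns not granted are replaced by '-' exactly as in the deck's filtered output.
    select_list = ", ".join(c if c in visible else f"'-' AS {c}" for c in ALL_COLUMNS)
    if consent_col is None:
        return con.execute(f"SELECT {select_list} FROM T1 ORDER BY uid").fetchall()
    # Consent enforcement: join the consent table and keep only rows with consent
    # for the declared purpose. consent_col comes from POLICY, not from the requestor.
    sql = (f"SELECT {select_list} FROM T1 JOIN T2 ON T1.uid = T2.Consent "
           f"WHERE T2.{consent_col} = ? ORDER BY T1.uid")
    return con.execute(sql, ("YES",)).fetchall()


if __name__ == "__main__":
    db = open_db()
    for role, intent in (("empl.", "Marketing"), ("empl.", "Research"),
                         ("contractor", "Marketing"), ("empl.", "Billing")):
        print(role, intent, "->", enforce(db, role, intent))
```

Running the block reproduces the deck's outcome for the Marketing request (uids 1 and 3 with Name masked), shows that a Research request sees every row but only the Diagnosis column, and that a contractor asking for Marketing data or an employee with an undeclared intent is denied outright rather than filtered.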

25 HP OpenView Select Access
Access Control System: Definition, Enforcement and Auditing of Access Control Policies.

26 Privacy Enforcement in HP OpenView Select Access
Components and HPL Plug-ins:
- Policy Builder: Data Modelling & Privacy Policy Authoring; holds Access Control Policies + Privacy Policies (intent, purpose, consent, constraints, …), extended by HPL Plug-ins
- Validator (Policy Decision): Privacy Policy Deployment & Decisions via HPL Plug-ins; returns Grant/Deny or a Privacy-aware Decision
- Enforcer Plug-in in front of Web Services: forwards the Access Request and applies Grant/Deny
- HPL Data Enforcer: takes the Requestor's Intent + Request to Access Data from Applications and Services, issues a Privacy-aware Access Request to the Validator, and performs Privacy Policy Enforcement on Personal Data + Owners' Consent (Privacy-aware Access to Data)
- Audit Repository

27 Modelling Data Resources
Data Resources Added to Policy Builder.

28 Privacy Policy Authoring [1/2]

29 Privacy Policy Authoring [2/2]
- Checking Intent against Purpose
- Define Data Filtering Criteria
- Define How to Handle Consent

30 Demo …

31 Demo: HealthCare Scenario
Components: User's Web Browser; Web Portal; Web Services Accessing PII Data (SQL); SA Web Enforcer; SA Validator + Privacy plug-ins; SA Data Enforcer + Privacy Plug-ins; JDBC Proxy; SA Policy Builder; LDAP Directories; Personal Data Database.

32 Prototype: Demo Snapshots
- Rule Editor; Purpose-based Decision plug-in; Data Filtering plug-in; Consent Management plug-in; Data Expiration plug-in
- Give consent to access data for Declared Purposes (e.g. Research); Data Retention Preferences
- Effect of applying the privacy policy (data filtering) and of enforcing customers' Consent: the new customer's data is not visible, as she gave no consent to use her data for Marketing purposes; it is (partially) visible where she gave consent to use her data for Research purposes


34 Privacy-Aware Information Lifecycle Management
Privacy Obligations dictate Duties and Expectations for Enterprises on How to Handle Personal Data. Privacy-aware Information Lifecycle Mgmt asks:
- Which Privacy Obligations to Manage?
- How to Represent them?
- How to Schedule, Enforce and Monitor Privacy Obligations?
- How to Integrate with Identity Management Solutions?
HP Labs R&D Work:
- Privacy Obligation Management System
- Prototype Integrated with HP Select Identity
- Exploring its Productisation
- Research in the EU PRIME Project
Governance loop (Regulations, Standards, Best Practices; IT Alignment; Policy Development; Policy Enforcement; Enterprise IT Infrastructure): this work addresses Privacy Obligation Enforcement, Monitoring, Reporting and Transparency.

35 Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract: "Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act).
More refined Privacy Obligations dictate Duties, Expectations and Responsibilities on How to Handle Personal Data:
- Notice Requirements
- Enforcement of opt-in/opt-out options
- Limits on reuse of Information and Information Sharing
- Data Retention limitations
- …

36 Privacy Obligations: Common Aspects
- Timeframe (period of validity) of obligations
- Target of an obligation (PII data)
- Events/Contexts that trigger the need to fulfil obligations
- Actions/Tasks/Workflows to be Enforced
- Responsible party for enforcing obligations
- Exceptions and special cases
Example of Privacy Obligation:
  TARGET: Personal Data T1
    uid  Name   Condition            Diagnosis
    1    Alice  Alcoholic            Cirrhosis
    2    Rob    Drug Addicted        HIV
    3    Julie  Contagious Illness   Hepatitis
  WHEN: CurrentTime > Retention-Time
  ACTIONS: Notify_User, Delete_data
  ON VIOLATION: …

37 Key Requirements
- Explicit Modeling and Representation of privacy obligations
- (Strong) Association of obligations with data
- Mapping obligations into enforceable actions
- Compliance of refined obligations with high-level policies
- Tracking the evolution of obligation policies
- Dealing with Long-term Obligation aspects
- Accountability management and auditing
- Monitoring obligations
- User involvement
- Handling the Complexity and Cost of instrumenting Apps and Services

38 Obligation Management System (OMS): Model
Within the ENTERPRISE, Data Subjects' Privacy Preferences and Administrators' Privacy Obligations are attached to Personal Data (PII) and handled by a Framework covering Obligation Scheduling, Enforcement and Monitoring.

39 Privacy Obligations: Modelling and Representation
A Privacy Obligation consists of:
- Obligation Identifier
- Targeted Personal Data: references to stored PII data, e.g. a Database query, an LDAP reference, Files, etc.
- Triggering Events: one or more Events that trigger different Actions, e.g. Time-based, Access-based, Context-based and On-Going Events
- Actions: Delete, Notify, …
- Additional Metadata (Future Extensions)
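The obligation structure above and the retention example of slide 36 (TARGET T1, WHEN CurrentTime > Retention-Time, ACTIONS Notify_User and Delete_data) can be modelled as a small scheduler plus a separate monitor. This is an added example, not the deck's Obligation Management System or its HP Select Identity integration: the PII store is a constructed dictionary keyed by uid, the only triggering event implemented is the time-based one, the two action adaptors are stand-ins that record a notification and delete the record, and the monitor implements the "ON VIOLATION" idea by reporting obligations that are overdue but unfulfilled or whose target data survived a deletion.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed PII store mirroring the deck's table T1 (uid -> record).
PII = {
    1: {"name": "Alice", "condition": "Alcoholic", "diagnosis": "Cirrhosis"},
    2: {"name": "Rob", "condition": "Drug Addicted", "diagnosis": "HIV"},
    3: {"name": "Julie", "condition": "Contagious Illness", "diagnosis": "Hepatitis"},
}


@dataclass
class Obligation:
    obligation_id: str
    target: list                 # references to PII data: here, uids in the store
    retention_time: datetime     # time-based trigger: fire when CurrentTime > Retention-Time
    actions: list                # e.g. ["Notify_User", "Delete_data"]
    fulfilled: bool = False
    audit: list = field(default_factory=list)  # (when, uid, action) for accountability


class ObligationManager:
    """Scheduler + enforcer + monitor over one PII store (an assumed, simplified OMS)."""

    def __init__(self, store):
        self.store = store
        self.obligations = {}
        self.notifications = []   # stand-in for the Notify_User action adaptor
        self.violations = []

    def schedule(self, ob):
        self.obligations[ob.obligation_id] = ob

    def _enforce(self, ob, now):
        for uid in ob.target:
            for action in ob.actions:
                if action == "Notify_User":
                    self.notifications.append((uid, ob.obligation_id))
                elif action == "Delete_data":
                    self.store.pop(uid, None)
                else:
                    raise ValueError(f"no action adaptor for {action}")
                ob.audit.append((now, uid, action))
        ob.fulfilled = True

    def tick(self, now):
        """Scheduler run: enforce every obligation whose trigger has occurred. Returns ids fired."""
        fired = []
        for ob in self.obligations.values():
            if not ob.fulfilled and now > ob.retention_time:
                self._enforce(ob, now)
                fired.append(ob.obligation_id)
        return fired

    def monitor(self, now):
        """Independent check: overdue-but-unfulfilled obligations and deletions that did not stick."""
        problems = []
        for ob in self.obligations.values():
            if now > ob.retention_time and not ob.fulfilled:
                problems.append((ob.obligation_id, "overdue"))
            if ob.fulfilled and "Delete_data" in ob.actions:
                for uid in ob.target:
                    if uid in self.store:
                        problems.append((ob.obligation_id, f"uid {uid} still present"))
        self.violations.extend(problems)
        return problems


def run_scenario():
    """Constructed walk-through: a 30-day retention on Rob's record, a 1-year one on the others."""
    store = {uid: dict(rec) for uid, rec in PII.items()}
    oms = ObligationManager(store)
    t0 = datetime(2007, 1, 1)
    oms.schedule(Obligation("ob-rob", [2], t0 + timedelta(days=30), ["Notify_User", "Delete_data"]))
    oms.schedule(Obligation("ob-others", [1, 3], t0 + timedelta(days=365), ["Delete_data"]))
    early = oms.tick(t0 + timedelta(days=10))     # nothing due yet
    fired = oms.tick(t0 + timedelta(days=31))     # Rob's retention has expired
    again = oms.tick(t0 + timedelta(days=31))     # already fulfilled: nothing fires twice
    # A second manager whose scheduler never ran: the monitor flags the overdue obligation.
    lazy = ObligationManager({1: dict(PII[1])})
    lazy.schedule(Obligation("ob-lazy", [1], t0 + timedelta(days=1), ["Delete_data"]))
    return {
        "early": early, "fired": fired, "again": again,
        "remaining_uids": sorted(store), "notified": oms.notifications,
        "monitor_ok": oms.monitor(t0 + timedelta(days=31)),
        "monitor_lazy": lazy.monitor(t0 + timedelta(days=2)),
        "audit": [(uid, action) for _, uid, action in oms.obligations["ob-rob"].audit],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of keeping `monitor` separate from `tick` is the deck's distinction between enforcement and monitoring: an enforcement path that silently stops running is itself a compliance failure, and only an independent monitor that re-reads the store can detect it.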

40 OMS: High Level System Architecture
- Data Subjects set Privacy Obligations on their Personal Data through a Privacy-enabled Portal; Admins set and monitor Privacy Obligations
- Obligation Server: Obligation Scheduler, Obligation Enforcer (with Action Adaptors and Workflows), Information Tracker, Obligation Store & Versioning (obligations with Data References)
- Obligation Monitoring Service: Events Handler, Monitoring Task Handler
- Audit Server
- Applications and Services, Confidential Data (within the ENTERPRISE)

41 HP OpenView Select Identity: User Provisioning and Account Management
- Centralised Management of Identities in an Organisation
- Support for Self Registration and User Provisioning
- Account Management and Provisioning across Platforms, Applications and Corporate Boundaries
Components: Admin GUI for Administrators; Web Service interface for Users; Services, Roles and Entitlements descriptions; Provisioning Workflows; JCA Connectors and Agents to Data Repositories (Personal Data), Accounts on Systems, and Legacy Applications and Services, with Feedback/Updates flowing back.

42 OMS Integration with HP Select Identity
Explicit Management, Enforcement and Monitoring of Privacy Preferences and Constraints associated with Personal Data and Digital Identities: turning privacy preferences into Privacy Obligations.
Flow: the Data Subject supplies Personal Data + Privacy Preferences through Self Registration and User Account Management in HP Select Identity; User Provisioning writes to Enterprise Data Repositories through Connectors; the Obligation Management System, reached via a Web Service API, performs Privacy Obligation Enforcement & Monitoring and writes Audit Logs.


44 Identity Governance Framework (IGF)
Liberty Alliance Initiative (…)
- Industry Framework aiming to help organizations Meet Regulatory Requirements such as the European Data Protection Directive, Gramm-Leach-Bliley Act, PCI Security Standard and Sarbanes-Oxley
- Establish a Standard way of Defining Enterprise-level Policies for Organizations to Share Sensitive Personal Information securely and confidently between Applications and diverse Identity Sources, while helping ensure security and privacy
- Various participants, including: Oracle, HP/HP Labs, NTT, France Telecom/Orange, NEC, Fugen Solutions, CA, Liberty Alliance
- Current Status: Use-case IGF document, Open Source initiative, …
Diagram: Identity Governance sits between Business Objectives, Operational Risk Mgmt and Regulatory Compliance on one side and Identity Management, Proactive Security and Trusted Infrastructure on the other.

45 Identity Governance Framework (IGF): What is this about?
Identity Information is Exchanged across Departmental, Organizational, and Jurisdictional Boundaries. Contracts, Policy and Audit Trails between Consumers and Producers of Identity-related Data are critical to documenting the Use of Identity Information and its Secure Exchange. IGF adds Policy Enforcement to systems that produce and consume identity data, in order to help all parties manage the risks and to provide a level of assurance to users that their privacy is being maintained by the parties to whom they have entrusted their information or who otherwise have access to it.

46 Identity Governance Framework (IGF)
IGF is structured to support a layered approach to Identity Governance. At the Foundational Layer are Privacy Properties, User Consent data and Business Agreement References. Privacy properties include information such as how long data is to be retained or whether it has to be used only for a single session. At the Next Layer are Declarative Statements by both Consumers (e.g., applications, services, third parties, etc.) and Custodians (e.g., attribute authorities, identity providers, etc.) of identity data.

47 Identity Governance Framework (IGF)
- Client Attribute Requirement Markup Language (CARML): a declarative "contract document" defined by application developers that informs deployment managers and service providers of the attribute usage requirements of an application
- Attribute Authority Policy Markup Language (AAPML): a set of policy rules regarding the use of identity-related information from an identity source. AAPML allows identity sources (e.g. identity custodians) to specify constraints on the use of data provided by the source
- CARML API: an API that makes it easy for developers to write applications that consume and use identity-related data in a way that conforms to the policy set around the use of such information
- Identity Attribute Service: a policy-enforced service (driven by AAPML-based policies) for accessing identity-related data from multiple identity sources

48 Identity Governance Framework (IGF)
Current Status:
- Liberty Alliance, Identity Governance Framework (IGF)
- Liberty Alliance MRD Document, "Id Governance - Identity Privacy and Access Policy Marketing Requirements Document Use Cases"
- openLiberty (Open Source Initiative)


50 Identity Capable Platforms (ICP) and Federated Provisioning Services
Liberty Alliance Initiative (…)
- Focus on Federated Identity Management, involving Identity Providers (IdPs) and Service Providers (SPs)
- Aiming at specifying:
  - Identity Capable Platforms (ICP), to allow users to engage in federated IdM in a safe and transparent way, storing "Identity Tokens" in a secure and trustworthy environment
  - Provisioning Services: extend Liberty Alliance Federated IdM Standards to safely delegate and provision "Identity Tokens" to ICPs
- Technology Pilot: HP/HP Labs, BT, Intel
- Current Status: Full working prototype and demonstrator (PoCv1) shown at RSA 2007. Moving towards a PoCv2 and technology trial.

51 Evolution of Liberty Alliance Clients
- Passive Client (Web Browser): User authenticates to the IdP over the network; the IdP delivers authentication assertions to relying parties
- Active Client (Client Application): Client authenticates to the IdP over the network on behalf of the user; the IdP delivers authentication assertions to the client; the Client delivers assertions to relying parties
- Advanced Client (Trusted Module): User authenticates to the trusted module; the trusted module authenticates the user to relying parties on behalf of the IdP. Must be provisioned by the IdP!

52 The Identity Capable Platform (ICP): basis for the Advanced Client
- A trusted environment
- An Identity Manager (IDMgr)
- One or more Manageable Identities (iMID)
- Full lifecycle support for Manageable Identities: Provision, update, delete; Activate, deactivate; Serialize/deserialize
- Portability: over the wire/air as well as physical provisioning
- Policy-controlled access and operations: which user can access which iMID; what can be done with each iMID

53 Provisioning an Identity in the ICP
1. The Identity Provider registers the Identity to be provisioned at the Provisioning Service (Registration Service + Provisioning Service).
2. The Identity Provider sends a reference to the identity to the browser, with instructions to send the reference to the Identity Manager.
3. The browser submits the identity reference to the Identity Manager.
4. The Identity Manager dereferences the identity at the Provisioning Service and gets back the Identity.
5. The Identity Manager instantiates the Identity (iMID) within the ICP.
Diagram: on the Device/Computer, the Browser+ and App(s) run on the Operating System, while the Identity Manager and the iMID live in the Secure Partition of the Identity Capable Platform.

54 ICP Provisioning: HP Software/HPL Contributions
HP Provisioning Service used to provision a new ICP device (Based on HP OpenView Select Federation):
1. User making the request from the client device is authenticated by the IdP
2. Registration Service called to create Provisioning Data for the user's device and store it with the Provisioning Service
3. Provisioning Handle returned to the client device (references the Provisioning Data stored in the Provisioning Service)
4. Provisioning Handle is de-referenced to obtain the Provisioning Data and initialize the Advanced Client
Notes:
- Advanced Client software could be preinstalled on the device or downloaded on demand
- Registration Application could run on the client device
- There are several deployment models for provisioning advanced clients. This is the one we'll be showing in the demo, where a browser client is used to provision an advanced client.
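The handle-based exchange of slides 53 and 54, with the provisioned iMID then authenticating to a relying party the way slide 51's Advanced Client does, is simulated below with all four parties in one process. This is an added example and not the HP/Intel/BT prototype or the Liberty protocol messages: the Identity Provider, Provisioning Service, browser hop and Identity Manager are plain Python classes, the identity is a dictionary carrying a per-identity secret key, and the relying-party step is an HMAC over a challenge that the IdP verifies. Two choices are my assumptions rather than anything the deck states: provisioning handles are random and single-use, so a replayed or guessed handle yields nothing, and the key provisioned into the ICP never leaves it, only the HMAC over the challenge does.

```python
import hashlib
import hmac
import secrets


class ProvisioningService:
    """Holds registered identities until the device's Identity Manager dereferences them."""

    def __init__(self):
        self._registered = {}

    def register(self, identity):
        handle = secrets.token_urlsafe(16)   # random provisioning handle (assumption)
        self._registered[handle] = identity
        return handle

    def dereference(self, handle):
        # Single use (assumption): a second dereference, or an unknown handle, yields None.
        return self._registered.pop(handle, None)


class IdentityProvider:
    def __init__(self, name, prov_service):
        self.name = name
        self.prov = prov_service
        self.users = {}          # constructed credential store: username -> password
        self.issued_keys = {}    # identity id -> key shared with the provisioned iMID

    def add_user(self, username, password):
        self.users[username] = password

    def authenticate(self, username, password):
        """Slide 54 step 1: the user at the client device authenticates to the IdP."""
        return self.users.get(username) == password

    def register_identity(self, username):
        """Slide 53 steps 1-2: register the identity, return the reference for the browser."""
        identity_id = f"{self.name}:{username}:{secrets.token_hex(4)}"
        key = secrets.token_bytes(32)
        self.issued_keys[identity_id] = key
        return self.prov.register({"id": identity_id, "issuer": self.name,
                                   "subject": username, "key": key})

    def verify_assertion(self, identity_id, challenge, tag):
        """Relying-party side check, delegated to the IdP that issued the identity."""
        key = self.issued_keys.get(identity_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class IdentityManager:
    """Identity Manager in the ICP's secure partition, holding manageable identities (iMIDs)."""

    def __init__(self, prov_service):
        self.prov = prov_service
        self._imids = {}

    def provision(self, handle):
        """Slide 53 steps 3-5: take the reference from the browser, dereference, instantiate."""
        identity = self.prov.dereference(handle)
        if identity is None:
            return None
        self._imids[identity["id"]] = identity
        return identity["id"]

    def assert_to_relying_party(self, identity_id, challenge):
        """Advanced Client behaviour: the key stays inside the ICP; only the tag goes out."""
        key = self._imids[identity_id]["key"]
        return hmac.new(key, challenge, hashlib.sha256).digest()


def provision_via_browser(idp, icp, username, password):
    """The browser-driven deployment model: returns the new iMID id, or None on failure."""
    if not idp.authenticate(username, password):
        return None
    handle = idp.register_identity(username)   # delivered to the browser
    return icp.provision(handle)               # browser forwards it to the Identity Manager


if __name__ == "__main__":
    prov = ProvisioningService()
    idp = IdentityProvider("idp.example", prov)   # placeholder IdP name
    idp.add_user("alice", "correct horse")
    icp = IdentityManager(prov)
    imid = provision_via_browser(idp, icp, "alice", "correct horse")
    challenge = secrets.token_bytes(16)
    print("iMID:", imid, "accepted:",
          idp.verify_assertion(imid, challenge, icp.assert_to_relying_party(imid, challenge)))
```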

55 Enterprise Identity Management: Impacted Areas
- Federated Provisioning Service

56 HP OpenView Select Federation
Model, Automate and Manage Identity Federation:
- Standards-based integration of identity systems across company boundaries
- Secure exchange of user data with external partners through Web SSO and Web Services
- Support for all major federation protocols
- Lower helpdesk and admin costs for external users
End-user focused Privacy Management:
- Privacy-controlled data sharing
- User-controlled privacy preferences with Opt-in/Opt-out policies
Architected for business continuity, scale and growth:
- 100% J2EE architecture
Audit & Compliance:
- Integrated with Select Audit to track user activity across provisioning, access and federation infrastructures
- Avoid the liabilities and audit costs of storing external user data in your IT infrastructure
Diagram: Select Federation sits between the internal HR Portal and ID Directory and the Liberty Federated Network of partner services (401K, Expenses, Travel), speaking SAML and ADFS.
Notes:
1. Select Federation is a multi-protocol federation server that supports all major federated web SSO and web service protocols.
2. Sits on the edge of your network, allowing you to integrate with your business partners over standard protocols, no matter what your internal identity management architecture is.
3. Supports both identity provider and service provider roles. Supports end-user privacy management. Scalable, robust, full auditing.

57 Pilot PoCv1: BT / HP / Intel Demo
An existing BT customer subscribes to BT's WiFi service from a wired notebook PC in their home and then uses the instantly provisioned credentials to access BT's wireless service.
Flow: 1. User Registers (Browser+ on an Intel-based Client with Identity Capable Platform, against the Registration Server & Credential Generator); 2. Credentials created & distributed (Provisioning Server, Authentication Server on the 21C Network); 3. Identity Provisioned into the Identity Capable Platform (Intel Identity Manager, Trusted Environment, Trusted Modules).
Notes on the demo setup:
- Intel-based client with Identity Capable Platform; HP provisioning service integrated with BT's 21st century network
- Shows how we can combine existing Liberty Protocols and the ID Web Services Framework with HP's provisioning services and Intel's Identity Capable Platforms to remotely provision a customer with new credentials
- The same process could be used with a wide variety of devices to remotely enable uniform access to many different services on a converged network


59 Pervasiveness of Devices
- Multiple Types of Devices: Laptops, PDAs, Phones, Smartphones, …
- Used in Multiple Contexts: Private, Personal Contexts; Work Contexts (Enterprise, etc.)
- Device Ownership: Personal devices, owned by individuals; Enterprise devices, lent to employees to perform their jobs

60 Device Usage and Related Risks
"Mixed" Usage of Devices: the same devices (either personal or enterprise owned) are used both at work and for personal matters. REASON: avoid duplication of tools and devices, keep information in one place, avoid carrying around multiple devices.
- Enterprise Devices: if used for personal matters they may be exposed to further threats and risks the enterprise has to deal with (device integrity and trustworthiness risks)
- Personal Devices: if used at work they may expose unnecessary personal data and private information; their security standards (patching, upgrades, etc.) may not match Enterprise security requirements, which is a security risk for the Enterprise

61 Focus on Enterprise Scenarios
Devices owned by Enterprises: used for work-related matters, and potentially also for personal matters.
Current Security Solutions: Protection of Enterprise Applications and Services (Information & Data) by means of "Middleware" Access Control Systems, mainly based on "Human-Identities".
Issues:
- "Device-Identities" are generally not managed, if not by strongly coupling them to a "Human-Identity"
- Trust and Assurance are required about the authenticity, validity and integrity of devices
- Dealing with Device Identities and their association with humans is not trivial
- Important contextual information about the device identity (and its properties) that could be used during access control processes is lost

62 Problem Space
How to Manage Device Identity in Enterprises?
- How to Balance "Human Identities" with "Device Identities"?
- How to deal with Identity Management and Access Control at the Enterprise Application/Service Level?
- Need to leverage Enterprise Identity Management Solutions to deal with Device Identities as well
- Do not focus only on the "Network Level" (the approach followed by most related work)

63 Requirements
- Need to Model and Explicitly Represent a Device Identity
- "Assess" and "Certify" a Device Identity (dealing with trust issues)
- Securely Store and Protect a Device Identity
- Be able to Associate Users' Identities with Devices' Identities
- Be able to Provision Devices' Identities (along with users' identities) within enterprise systems and IT security systems, such as access control systems
- Deal with the Lifecycle Management (including modification and disposal) of Devices' Identities, in addition to the Lifecycle Management of traditional Users' Identities
- Define and Manage Fine-grained Access Control Policies that can take into account any combination of Users' Identities, Devices' Identities, Device Properties and other Contextual Information

64 Our Analysis
Analysis based on the Enterprise Context, taking into account the Requirements and current Enterprise Identity Management Solutions. Three key Aspects have been Investigated:
A. Enterprise Processes for Device-based Identity Management
B. Modelling, Representation and Storage of Device Identity
C. Fine-grained Access-Control Policies involving Device Identity and User Identity

65 A. Enterprise Processes for Device-based Identity Management
- Creation and Certification
- Identity Provisioning in Enterprise Systems and Solutions
- Access Control Settings and Policy Definition
- Identity and Policy Lifecycle Mgmt: Updates, Disposal
The management of Device Identities in Enterprises has to comply with current Enterprise Identity Management processes, specifically the ones used to deal with User/Human Identities. These processes operate at the enterprise "middleware" level.

66 B. Modeling, Representation and Storage of Device Identity [1/3]
Device Identity consists of a Set of Information that “Uniquely” Identifies the Device:
- Device unique identifier
- Logical name
- Manufacturing properties of the device
- “Expected” location (in case of static device)
- Intended usage and business purpose
- Potential list of device’s owners/legitimate users
NOTE: there is currently no agreement in the industry on what exactly a “Device Identity” is …

67 B. Modeling, Representation and Storage of Device Identity [2/3]
Requirements include:
- Representation of Device Identity
- Safe Storage of this Identity
- Usage of this Identity for Authentication, Authorization, etc.
Main Options to Represent Device Identities:
- “Uncertified” Device Identity: just a collection of identity attributes; no assessment or certification by a third party → open to tampering
- “Certified” Device Identity: certified collection of attributes; potential usage of digital certificates, XML-signed files, PKI, etc.; further trust if certification is made by a “trusted” party (e.g. the Enterprise)
Storage of Digital Identities:
- Required both for Certified and Uncertified Device Identities
- In case of “Certified Device Identities” there is also the need to store a Secret (e.g. cryptographic private key)

68 B. Modeling, Representation and Storage of Device Identity [3/3]
Role of Trusted Platform Modules (TPM):
- TPM specified by Trusted Computing Group (TCG)
- TPM provides a tamper-resistant cryptographic module
- Currently available in most laptops and PCs
- Can be used to generate a Cryptographic Key in a secure way
- Provides assurance that the key can only be used on the device it was provisioned to, to represent the device identity
- TPM ships with a built-in Endorsement Credential installed by the manufacturer
- This Endorsement Credential can be used to support a device identity provisioning solution to remotely check that the device has appropriate trusted computing capabilities to protect the device identity with hardware and bind it to the device (via TPM)

69 C. Fine Grained Access-Control Involving Device Identities and User Identities [1/4]
- Device Identities, along with User/Human Identities, can be used to define Enterprise Access Control Policies (by enterprise administrators)
- Access Control Policies are used for Authentication and Authorisation aspects to protect Enterprise Resources (applications, services, etc.)
- Traditional User-based Access Control Policies are conceptually represented by means of a “Resources x Users” Matrix:
  - Users: Known Users, Unknown/Anonymous Users
  - Protected Resources
  - Access Rights: Allow/Deny rights; Complex Constraints (e.g. time based, …)

70 C. Fine Grained Access-Control Involving Device Identities and User Identities [2/4]
This “Resources x Users” Matrix is potentially a good starting point to explore how to factor in Device Identities … Two related Models have been investigated in our analysis:
1. Representation of Devices as a “Special Type” of User:
- Known/Unknown Devices for Known/Unknown Users
- Hierarchies of Devices and Resources
- Access control taking into account either user identities or device identities
- Fine-grained access constraints/rules can be expressed in the intersection of user/device and resource
- Rules can define joint authentication (AND) of both a user and a device: check user and/or device properties; check for TPM presence on device …

71 C. Fine Grained Access-Control Involving Device Identities and User Identities [3/4]
2. Representation of Devices as Resources:
- Devices are listed (either separately or within hierarchies) as Resources
- A Device can be described by its own Identity
Cons:
- How to deal with Unknown Devices? It would be an unknown resource …
- How to Manage the Association of Access Control Policies? In this model devices are just resources – there is still the need to enable access to other resources purely based on their device identities
(Diagram: matrix with columns Unknown Users, Known Users (User1, User 2, User 3) and rows Protected Resources, Devices)

72 C. Fine Grained Access-Control Involving Device Identities and User Identities [4/4]
Limitation of these Models:
- In both Models Users and Devices are represented in the same “Matrix”: Access constraints apply to user identity AND device identity (unless one of them is unknown)
- No easy way to represent with the same model a constraint either on “user identity AND device identity” or on “user identity OR device identity”
Alternative Models under Investigation:
- Usage of multiple Access Control Matrices: “Resources x Users” and “Resources x Devices”
- Usage of “three-dimensional” matrices
- Usage of “Tree of Matrices” …
→ All these models have Limitations in terms of Complexity in defining them and Managing Associated Information
Most realistic and feasible approach (at the current stage) is Model 1, i.e. Devices as “Special Types” of Users

73 Our Approach to Device-based Identity Management [1/3]
Pragmatic Approach:
- Leverage state-of-the-art Enterprise Identity Management solutions to deal with Identity Provisioning and Access Control of User Identities and Extend them to manage Device Identities
- Recommended Usage of Trusted Computing components (TPMs) to: Protect Device Identity; Address the need for Certification and Trust Assurance of this Identity
Work in Progress …

74 Our Approach to Device-based Identity Management [2/3]
Current Proposed Solution based on:
a. Explicit Certification and Protection of Devices’ Identities by means of: Trusted Platform Module (TPM); Enterprise “Identity Certification Service” (…)
b. Association of Human Identities and Devices’ Identities
c. Explicit Provisioning and Management of the lifecycle of Devices’ Identities in Enterprise Identity Management Systems
d. Support for Fine-grained, Policy-driven Access Control Policies on Enterprise Resources based on Model 1 (Devices as Special Types of Users) and Contextual Information
e. Enterprise Device Identities configured by Enterprise Administrators

75 Our Approach to Device-based Identity Management [3/3]
Device-based Identity Properties:
- Managed Devices might or might not have TPM modules
- In both cases, a key-pair is associated to a device
- A device identity is in the form of a signed certificate AND certified by an “Identity Certification Service”
Identity Certification Service:
- It is a “Certification Authority” run by the Enterprise (or a TTP)
- Can check (and keep track), when issuing identity certificates, if: Device is TPM enabled (key generation and stronger protection); Device is not TPM enabled
Self-Registration Web Service:
- Authenticate Enterprise Administrators (or potentially device owners …)
- Collect Identity Attributes
- Start the process of generating device identity (via Identity Cert. Service)
- Start the Provisioning Process and Access Control configuration …

76 Device-Identity Management Model
(Architecture diagram.) Components: User Device (TPM Mgmt. Solution, Inside TPM); Self-Registration Web page; Identity Certification Service (CA1 (TPM), CA2 (No TPM)); Enterprise User Provisioning Solution; Policy & Config. Database; Enterprise Access Control Solution (PEP, PDP); Web Server + Web Apps; Administrator: Set Access Control Policies.
Numbered flow: 1. Key creation; 2. Certificate signature; 3. Provisioning; 4. Update Certificate Info; 5. Resource request; 6. Certificate Authentication; 7. Certificate verification; 8. Policy Check; 9. Allow / Deny; 10. Response 200 / 403

77 Current Status: Full Working Prototype
(Architecture diagram, same components and numbered flow 1–10 as the Device-Identity Management Model, instantiated with products.) Enterprise User Provisioning Solution: HP OpenView Select Identity; Enterprise Access Control Solution (PEP, PDP): HP OpenView Select Access; HP OpenView ProtectTools; MS CSP; Identity Certification Service (CA1 (TPM), CA2 (No TPM)); Policy & Config. Database; Self-Registration Web page; Web Server + Web Apps; User Device (TPM Mgmt. Solution, Inside TPM); Administrator: Set Access Control Policies.

78 Demonstrator

79 Related Work & Open Issues
- The concept of Device Identity is not new: see MAC address, IP address, etc.
- Multiple initiatives to Standardise Device Identities (not clear how they will evolve)
- Solutions already available to securely protect data in devices: TPM, Hardware Security Modules (HSMs)
  → However most solutions focus on locally protecting device identities, NOT really on how to provision them and deal with access control for Applications and Services at the enterprise “middleware” level
- Relevant work done in the context of the Liberty Alliance Project, with the Identity Capable Platforms (ICP) & Provisioning Services
  → We are involved in this initiative
- Other work on Device Identities and their management is at the Network Level (bottom-up approach), NOT really linked to Enterprise IdM middleware
- Open Issue: gap between the top-down approach (ours) and existing bottom-up approaches (e.g. network-based)

80 Next Steps
- Further refine our approach and technology along with the expressiveness of related access control policies
- Further explore alternative models to represent device identities in access control policies
- R&D about the full-lifecycle management of Device Identities
- Explore how to reconcile network-based with application-based management of Device Identities

81 R&D on Identity Management and Privacy: Additional Material
HPL Projects and Documents on Research on Privacy and Identity Management:
My Blogs on “Research on Identity Management”:

82 Any Questions?
