
Digital Identity Management Strategy, Policies and Architecture Kent Percival 2005 06 23 A presentation to the Information Services Committee.



Presentation transcript:

Slide 1: Digital Identity Management: Strategy, Policies and Architecture
Kent Percival, 2005 06 23
A presentation to the Information Services Committee

Slide 2: Presentation & Discussion
- Goal: to develop a common perspective of Digital Identity Management and the resulting strategies, policies and architecture
- Overviews
  - Business/Organizational model
  - Implementation issues and strategies

Slide 3: What is a Digital Identity?
- A computer object representing a real person ... we used to call them Computer Accounts
- ... could also represent
  - A device
  - An application
  - ...
(diagram: a box labelled "D.I.")

Slide 4: Digital Id's... so many of them!
- Systems have separate user accounts
- Some applications maintain id databases
- Some maintain additional personal information to control authorization or personalize service.
- Maintained by separate administrations

Slide 5: (diagram) Campus systems that each hold their own identity data, with periodic data sharing between some of them: Colleague, Library Patron, HS Express, Human Resources, many Dept Servers, Active Directory, Central ID, Central File Service, Dialup Modem ("general", "stats"), Portal, Web Hosting, Res Admin, ResNet, Phones, V.Mail, Athletics, Campus Directory, Central eMail, WebCT, Network Access, Bldg Access (several), FRS, Purchasing, OOL, D2L.

Slide 6: What is a Digital Identity used for?
- Authentication: verifying the user really is who they say they are.
- Authorization: determining what the user can and can't do.
- Accounting: having a record to investigate incidents after the fact.
- Identification: identifying the user by unique ID, common name, email address, ...
- Personalization: making services efficient and effective by knowing the user.

Slide 7: What's in a Digital Identity?
- Security information (computer account stuff)
  - Authentication: ID, Password, ...
  - Authorization: access control, groups, file permissions
- Organizational Information
  - Relationship to Org: Dept; status
  - Organizational Identifiers: Empl.#, Student #; Email addr.
- Personal information
  - Name, Email addr., phone#, address, ...
  - Personal preferences for services

Slide 8: Limitations of local "accounts"
- Security
  - Varying quality of administration
  - Controlling exposure: limited scope but slow response
  - No institutional policy control
- Efficiency
  - Many administration points
  - Multiple relationships with information "owners"
- Service
  - No single sign-on... or a complicated process
  - Personalization varies between services

Slide 9: Efficiency? Centralization?
First Try: Managing identities on many systems is expensive. Put all the data in one place. Campus Directory!
Why isn't this working well?
- Technical reasons ...
- But mainly Organizational reasons ...

Slide 10: Technical pitfalls
- Success of Directories for systems and application management
- Proprietary architecture and designs
- Applications with closed requirements
- Data must be in different formats for different uses

Slide 11: Organizational pitfalls
- Privacy concerns
- Security concerns
- Data ownership concerns
- Different interpretations of data
- Inappropriate use
- Trusting the data of others
- Silo approach to service management

Slide 12: Strategy: deal with Org Issues!
- Identify the Organizational opportunities
- Define an Organizational reference model
- Create policies and strategies to deal with the organizational pitfalls.

Slide 13: The Organizational Trust Model
- Users and Service providers must trust one another
  - and trust a central Digital Identity Management System
- Trust Domain: a collection trusting each other.
  - Service providers; users; trust and identity management
- Can't trust everyone and everything immediately
  - It takes time to build a trust domain.
- Overlapping domains create problems
  - The scope of a domain should match organizational boundaries.

Slide 14: (diagram) Security Management spanning Trust, Identity, Systems and Communication, made up of Trust Management, Identity Management, Vulnerability Management and Threat Management.

Slide 15: Trust Policies
In an organization trust is managed by successful implementation of appropriate institutional Trust Management Policies and Identity Management Policies:
- Security
- Privacy
- Appropriate Use: who and how
- Involves
  - Persons: faculty, staff, students, temporary, ... public
  - Owner and Steward responsibilities

Slide 16: ROLES
- Organizations are people with roles
- Roles define org. relationships → Identity!
- Computer applications define roles for users.
- Org. Role: a key element of a Digital Identity
- Assigning a Role defines Authorization
- Need to harmonize organizational roles with computer application roles.

Slide 17: Outside the Trust Domain
- With the Internet, a Trust Domain is not a closed system.
- Persons outside the trust domain need to access campus services
  - Where do those services go?
  - How do we authenticate and authorize those persons?
- People in our trust domain need to access services at other institutions
→ Federated Identity Management

Slide 18: Federated Id. Management
(diagram) Two trust domains, UoG and UW, each with its own Services, users and Authen/Author Servers, joined by one Trust relationship between the two domains.
Authentication/Authorization Servers are critical components of both trust domains.

Slide 19: Implementation

Slide 20: Ideal Architecture (industry target)
(diagram) Computer Systems, Software and IT Services have their System/Application AAA controls replaced or integrated with Policy Servers (a "Central Auth. Server" providing Authentication, Authorization and Accounting), backed by one Reliable Datastore (DIRECTORY) maintained through Digital Identity Admin Tools.
- Services have limited access to DI info
- A few Policy Servers handle sensitive information
- One reliable, secured information store
- All data centrally administered

Slide 21: Directory reality
- Directories, directories, directories, ...
- Implementations are intimately linked to systems and applications!
- Most Directories do not have appropriate administration and policy management tools
- A Directory is not always the appropriate technology

Slide 22: Authen./Author. Embedded
- Some applications rely on Operating System control functions
- Many applications have embedded business rules controlling authentication and authorization
- Trust Domain Policies must be implemented in many places.
- Need a common vocabulary and explicit policy implementations

Slide 23: Realistic Architecture
(diagram) Digital Identity Admin Tools alongside Systems #1 to #6, each with its own Software and IT Services and its own Authen/Author/Account functions; some systems share DIRECTORY A, B or C, others keep everything local.

Slide 24: Centralized vs distributed
- Collecting all Identity information into one central "longitudinal" record does not work
- Data exists in several places
  - Central repository (e.g. campus Directory)
  - Shared repositories (e.g. CFS AD)
  - Within a single application
- Use a "virtual" Identity Object Model
  - Central design / distributed data
  - Centrally administer global/essential data
  - Define where other data is stored; provide key link information
    - Copy data to an accessible location
    - Use referral directory lookups (ask one directory)

Slide 25: (diagram) Colleague, HS Express and Human Resources feed a Master Digital Identity Directory through Data Mngt; the Central Digital Identity Management Service holds references (ref: Employee #, ref: Student #, ref: Express #) and backs a Central Authentication/Authorization Service used by Applications & Services.

Slide 26: What's in the central DI object?
- Authentication data
  - Password, Digital Certificate, fingerprint signature
- Identity
  - Unique ID, Common names
- Address
  - Office, phone#, FAX, email address, ...
  - Hyperlink to personal webpage
- Affiliations
  - Org Units, group memberships, ...
- Organizational Roles
  - Who are you; what are you allowed to do?
- Keys to D.I. information in other repositories
  - Employee#, Student#, Library barcode, ExpressCard#, ...
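The "virtual" Identity Object Model of slides 24 to 26, as an added illustration that is not from the presentation: a central DI record holds the globally administered attributes, the organizational roles and the keys into other stewards' repositories, and the remaining attributes are fetched by referral lookup on demand. Repository names, sample records and the role-to-permission mapping are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample repositories, each managed by a different steward
# (hypothetical data, not from the presentation).
HR_BY_EMPLOYEE_NO = {"E1001": {"dept": "Library", "status": "active"}}
SIS_BY_STUDENT_NO = {"S2002": {"program": "CIS", "status": "registered"}}
LIBRARY_BY_BARCODE = {"LB-77": {"patron_type": "staff"}}

# Organizational role -> application permissions (assumed harmonized mapping).
ROLE_PERMISSIONS = {
    "staff": {"email", "file_service", "library_borrow"},
    "student": {"email", "lms", "library_borrow"},
}

@dataclass
class CentralDI:
    """Centrally administered part: identity, roles and keys into other stores."""
    uid: str
    common_name: str
    roles: set
    keys: Dict[str, str] = field(default_factory=dict)  # repo name -> key

class VirtualIdentity:
    """Central design, distributed data: other attributes resolved by referral."""
    def __init__(self, central: CentralDI,
                 referrals: Dict[str, Callable[[str], Optional[dict]]]):
        self.central = central
        self.referrals = referrals
        self._cache: Dict[str, Optional[dict]] = {}

    def lookup(self, repo: str) -> Optional[dict]:
        """Ask one directory: follow the key held for `repo`, None if no key."""
        if repo not in self._cache:
            key = self.central.keys.get(repo)
            self._cache[repo] = self.referrals[repo](key) if key else None
        return self._cache[repo]

    def permissions(self) -> set:
        """Authorization derives from assigned org roles, not from any one app."""
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.central.roles))

    def can(self, action: str) -> bool:
        return action in self.permissions()

def build_sample() -> VirtualIdentity:
    central = CentralDI("jdoe", "Jane Doe", {"staff"},
                        keys={"hr": "E1001", "library": "LB-77"})
    referrals = {"hr": HR_BY_EMPLOYEE_NO.get, "sis": SIS_BY_STUDENT_NO.get,
                 "library": LIBRARY_BY_BARCODE.get}
    return VirtualIdentity(central, referrals)
```

A staff member with no student key gets `None` from the SIS referral rather than an error, which is the intended behaviour for data that simply lives elsewhere.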

Slide 27: Summary 1
A good D.I. Mgmt design
- requires an organization-wide model
- recognizes use outside the trust domain
- starts with policy to build a trust domain
  - Security, privacy and appropriate use of DI data
  - administered efficiently, timely, accurately
- relates Identity to organizational role

Slide 28: Summary 2
A DI Mgmt system is implemented with
- multiple distinct Directory Servers
- authentication and authorization functions
  - implemented on separate AAA servers,
  - instead of being embedded in systems and applications
- a virtual DI object defining information in multiple datastores
- a central DI object component which
  - provides general Digital Identity information
  - provides keys to other DI information in datastores managed by others.

Slide 29: First Steps: Develop Org. Trust Model
- Identify the Organizational opportunities
- Define an Organizational reference model
- Create policies and strategies to deal with the organizational pitfalls.

