Post on 12-Jan-2016
Identity Governance Framework (“IGF”)
Overview and Status
Phil Hunt and Prateek Mishra
Agenda
Introduction Use Cases Standardization Path Q&A
Liberty Alliance
Standards development organization focused around enterprise use-cases
enable a networked world based on open standards
Range of activitiies around assurance, federation, privacy Standards developed include ID-FF (precursor to
SAML 2.0), ID-WSF, Identity Assurance frameworks
http://www.projectliberty.org
Observations about Identity Data Names, home addresses, phone numbers, social
security number, rank, e-mail address,… Essential to enterprises and web sites providing
services to customers Business applications cannot function without
identity information Multiple sources of data (attribute authorities)
Enterprise View: HR, CRM, Partners, IT Directory, Departmental Systems, …
Internet View: Portals, users, banks, employers, governments, retail, identity processors (background and credit checks)
Concerns about identity data Increasing legal and regulatory focus
Privacy concerns: HIPAA, SB 1386, theft Compliance: SOX, GLB, EU legislation Industry vertical regulations: credit bureaus, credit-card
processors (PCI standard)
With each new heist or problem, new regulation or best practice model There are going to be more issues in the future
How can the enterprise reduce risk associated with storing and using identity data? Lock it all up! With each new regulation conduct forensic scanning and analysis of
systems Invest in an architecture that supports a governance model for identity
Identity Governance Framework
• Open architecture that addresses governance of identity related information within the enterprise• Standards development ongoing at the Liberty
Alliance• Open source implementation being created at
http://www.openliberty.org• Addresses gap between high-level assurance and
regulatory requirements and lower-level protocols and architecture• Privacy aware architecture that can express
many different constraints and requirements• Overlays on existing infrastructure at enterprises
Assurance
Liberty IAF,PCI,Privacy LegislationBest Practices
Requirements that an enterprise or group of enterprises should meet to obtain certification.
Governance
IGFXACMLAudit Standard?
Policy creation and update, policy enforcement, audit, decision explanation
Run-timeProtocols
SQL, SAML 2.0WS-*, LDAP
Run-time protocols and wire representations.
impacts
impacts
IGF Focus
How to reduce the risk associated with creation, maintenance and use of identity data? Who has access to my social security number or account
number, and, under what conditions? Declarative statements (aka policies) published by
consumers (applications, services) and sources of identity data (attribute authorities) Enterprises can audit and implement governance
against these policies
Observations on Key Roles
Users Capture what agreements the user accepted Reflect consent and purpose of data use But IGF does not directly address interactions with users
Application developers are not identity experts How can they express application identity requirements? Tools and frameworks for developers are a key focus for IGF
Identity Administrators Identity-related data is distributed & web based User consent must be supported and enforced Enable owners of identity data to express use constraints
Agenda
Introduction Components and Use Cases Standardization Path Q&A
IGF Components
CARML – Defines application identity requirements what identity information an application needs and how the application will use it.
AAPML – Defines identity use policies (XACML) Constraints on user and application access to personal data obligations and conditions under which data is to be released
Attribute Service – Links applications to identity data
Developer APIs/Tools – Developers can express identity requirements at a business level at development time Key to IGF adoption/use
Components
CARML (“kaar-mull”): Client Attribute Requirements Markup Language Declarative model for identity interactions by
applications List of required/optional attributes and types, other
properties Includes some support for update of identity data
Developers focus on app business requirements for identity-related data
Developers and deployers express privacy rules followed by application
Will the data be stored by the app? For how long? What purpose is it being used for?
CARML Use-Case
Application developer lists their identity requirements in CARML file Last four digits of user social security number User home address Office location in which user is employed None of this data is stored or forwarded to other applications
Application is delivered to customers WidgetFactory, Inc. uses AD for employment level and office
location, Oracle database for social security numbers AcmeCo uses MySQL database for office location, employment
level, proprietary application for social security number.
Administrators review CARML file and connect to appropriate back-end resources Ensure that enterprise privacy constraints are met by applications
Components
Attribute Authorities AAPML (“aap-mull”): Attribute Authority Policy Markup
Language Describes constraints on use of attribute data
Declarative policy model for authorities that provide attributes Contextual rule support – who is asking for the data? On whose
behalf? For what purpose? User-consent support Direct enforcement policy Obligations & declarations
Proposed as XACML Profile
Sample AAPML Rules
Users can update only their own contact information and personal data List of attributes: telephone number, contact information, mailing address,
emergency information Authorized Subjects: Application “SelfService”, authenticated user Target Records: must match the authenticated user context. Auth Requirements: Proof of application authentication required Rights: Read + Write Consent: Not required
Marketing applications can access certain user attributes provided explicit user-consent is available List of attributes: name, address, e-mail Authorized Subjects: Any authenticated user with attribute “employee”, Any
application in marketing Auth Requirements: None Target Records: any Rights: Read Consent: consent record based on agreement of Dec 10, 2006 must be
available
Components
Identity Service: Many possible realizations or implementations Could be client integrated, middleware server, or source-
server integrated based service Read/Write attributes from many different sources using
various protocols
Sample Architecture
Run-Time InteractionsAdmin Deploy Time Interactions
StandardComponents
Legend
Authority1End-User(s)
Authority2ExternalPartners
Authority3HR Systems
Authority4Departmental Systems
Authority5EnterpriseDirectory
Identity Sources
Delivery/Gateway/Enforcement
Identity ServiceIdentity Policy
Engine
Existing or non-specifiedAdmin Deploy & Run-Time Interactions
LDAP, ODBC, SAML Query, SAML Assertions, …
AAPML :Attribute Use Policy
AAPML :Attribute Use Policy
AAPML :Attribute Use Policy
Admins reconcile sources and policies with client CARML requirements to create “views”
View A View B
Optional:LDAP, legacy protocolsWS-Trust STS
Query ProtocolSAML / ID-WSF /SPML
CARML :Attribute Requirements
CARML :Attribute Requirements
CARML :Attribute Requirements
CARML :Attribute Requirements
Applications APIApplications Applications API
Java .NET Perl
Existing ApplicationsClient Apps API
IGF Part 1: Foundations
Multi-protocol (LDAP, SQL, SAML, ID-WSF, ..)Focus on producers and consumers of identity data
IGF Part 2: AAPML
Many distributed authorities, each capable of expressing constraints on use of identity data
IGF Part 3: Declarative Applications
Applications publish requirements for identity data
IGF Part 4: App Developer and Enterprise Administrators
Application Developer Identity needs of business applications expressed at a
high-level Application developers lack identity middleware expertise
Declarative model is preferred Ability to express identity requirements at a business-
level without regard to sources Enterprise Administrators
Support for deployment-time binding to specific identity architectures which vary over time and between enterprises
Declarative approach simplifies compliance and configuration
IGF Lifecycle
Agenda
Introduction Use Cases Standardization Path Q&A
Nov 2006: Oracle Announces IGF
1. Open-vendor initiative to address handling of identity related information within enterprise lead by Oracle
2. Released key draft specifications CARML and AAPML Sample CARML API Announced intention to submit to a standards org
3. Key vendors supported initiative CA, Layer 7, HP, Novell, Ping Identity, Securent, Sun
Microsystems
1H2007: Liberty Alliance
Start of broader review on gathering expanded use-cases and market requirements Oracle makes IGF “straw-man” specifications available
royalty-free Participation from:
Computer Associates, France Telecom/Orange, Fugen, HP, Intel, NEC, New Zealand, NTT, Oracle
IGF Market Requirements Document Released July 2007 Use-cases, Scenarios, End-to-End Examples www.projectliberty.org/index.php/liberty/
strategic_initiatives/identity_governance
Next Steps (2007-2008)
Two parts - Development of open source components at
www.openliberty.org Anticipate release of some components in 1H08
Technical work – specifications and profiles – to continue at Liberty Alliance and complete in 2H-2008 Follows successful completion and publication of IGF Market
Requirements Document within Liberty Alliance Anticipate release of some working drafts in 1H08
Supported by HP, CA, NEC, NTT, Novell, SUN and other partners
Open Source
Hosted at www.openLiberty.com Based upon Apache 2.0 license Create software libraries aimed at developers Aligned with open source ecosystem (Higgins, Bandit)
Re-use existing components wherever possible In parallel with creation of Liberty final specification drafts Draft of CARML-compliant Attribute Services API
available today
Summary
Identity Governance Framework Open initiative for identity governance across enterprise
systems Key draft specifications provide initial policy components
CARML, AAPML Intent to ratify as full standards at an existing standards
body Under Liberty Alliance Leadership
Broad input and support in an open standards process Legal community review IP clearances - open standards for everyone to use
Learn More
www.projectliberty.org/index.php/liberty/strategic_initiatives/identity_governance
IGF Overview Whitepaper FAQ Use Cases (MRD) Links to Oracle draft specifications:
CARML, AAPML, Client API
Inquiries to Mail: phil.hunt@oracle.com &
prateek.mishra@oracle.com Blog: blogs.oracle.com/identityprivacy
Q &A