Post on 05-Jun-2020
Identity Management
An overview of the status of some of the key IdM work
(plus some thoughts from the sidelines)
Mike Harrop, The Cottingham Group
ETSI Security Workshop 2009
International Telecommunication Union

Overview
• Review the context of work on IdM
• Discuss some of the issues and challenges
• Report on current status of the IdM standards work
• Offer a few personal observations
Identity and IdM: The context of the work
What is Identity?
• Identity is both a “real-world” concept and a digital construct
• In the real world:
  • The individual characteristics by which a thing or person is recognized or known. (Wordnet, Princeton University)
  • Note: A person may have a number of different identities
• In the digital world:
  • Information about an entity that is sufficient to identify that entity in a particular context. (ITU-T Rec. Y.2720)
  • Digital identity refers to a digital representation of a set of claims made by one party and presented to another party
  • A digital identity can be a set of identity information (e.g., an address), as opposed to the real-world concept that is tied to a person’s sense of who they are.
  • Note: the concept of digital identity applies to service providers and objects as well as individuals.
Identities Exist in Many Forms & Places
[Diagram: identities span whatever you’re doing (applications: IM, email, collaboration, voice telephony, video, ERP, web apps), whatever you’re using (devices: PC, PDA, smart-phone) and wherever you are (across various access types: at your desk, managed office, at home, in town, on the road, in the air, cellular phone)]
People have multiple “identities”:
• Work – me@company.com
• Family – me@smith.family
• Hobby – me@icedevils.team
• Volunteer – me@association.org
Can we agree on a definition of Identity?
• There was a lengthy on-line discussion within ITU-T SG 17 on the definition of identity over the summer of 2008.
• But there is currently no international agreement on the definition of identity.
What is Identity Management?
• The management of the life cycle of the digital identity of entities, during which the digital representation of identity is established, used and disposed of when no longer needed
• IdM involves technology, processes, functions and capabilities (e.g. administration, management and maintenance, discovery, communication exchanges, correlation and binding, policy enforcement, authentication and assertions) in order to:
  • Manage identity information (e.g., identifiers, credentials, attributes);
  • Assure the identity of an entity (e.g., users/subscribers, groups, user devices, organizations, network and service providers, network elements and objects, and virtual objects); and
  • Improve the robustness of business and security applications.
• IdM must be scalable from internal systems to external applications and processes
• IdM is considered a fundamental requirement for wide-scale, secure and trusted interconnections (such as NGN)
Definitions of Identity Management
• A broad administrative area that deals with identifying individuals in a system and controlling their access to resources within that system by associating user rights and restrictions with the established identity (WhatIS.com)
• The set of processes, policies and technologies that enable authoritative sources to accurately identify entities; it helps authoritative sources as well as individual entities to facilitate and control the use of identity information in their respective relations. (ISO, 5th draft IdM Framework, Nov. 2008)
• The structured creation, capture, syntactical expression, storage, tagging, maintenance, retrieval, use and destruction of identities by means of diverse arrays of different technical, operational, and legal systems and practices. (ITU-T X.1250)
Evolving Definition of IdM
[Diagram: IdM scope expanding from the enterprise (internal infrastructure, gateway, edge devices, application environments) to hosted services, partner/supplier networks and other hubs]
What is IdM from a carrier, provider, telecom perspective?
• Burton Group 2003: Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities in online spaces
• Burton Group 2007: Enterprise IdM is the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources, in accordance with established policies
IdM Overview (Rec. Y.2720)
[Figure R055(08)_F01: Identity Management enables business and security applications; it applies IdM functions and capabilities to the identity information of entities]
Business and Security Applications including Identity-based Services:
• Federated Services
• Application Services Access Control (e.g. Multimedia and IPTV)
• Single Sign-on/Sign-off
• Role-based Access to Information, Resources and Assets
• Protection of Personally Identifiable Information
• Security Protection of Information and Network Infrastructure
IdM Functions and Capabilities:
• Identity Lifecycle Management
• Identity Information Correlation and Binding
• Identity Information Authentication, Assurance and Assertions
• Discovery and Exchange of Identity Information
Entities:
• Users and Subscribers
• Organizations, Business Enterprises, Government Enterprises
• User Devices
• Network Elements and Objects
• Network and Service Providers
• Virtual Objects
Identity Information:
• Identifiers (e.g. UserID, Email address, Telephone Number, URI, IP address)
• Credentials (e.g. Digital Certificates, Tokens, and Biometrics)
• Attributes (e.g. Roles, Claims, Context, Privileges, Location)
What’s changing? - The shift to Identity Providers
[Diagram: legacy identity management (wireline) versus current identity management trends]
Source: FG IDM Tutorial, September 2007, Geneva
Perspectives and Challenges on Identity Management
The different perspectives on IdM pose some real challenges
[Diagram: stakeholders with differing perspectives: network operators & service providers; government & business users; security services & policing; privacy advocates; individual end users]
Perspectives and Interests-1
• Network operators and service providers
  • Focused on revenue opportunities, infrastructure protection, network management forensics, fraud mitigation
  • Want to offer new applications and services (e.g. NGN, fixed and mobile convergence) including identity-based services to subscribers and other service providers
• Business and government users
  • Looking to minimize costs, support employees, reduce fraud and control/manage inventory and supply chain
  • Want to enable identity assurance services and capabilities, and enhance the level of trust and confidence to support on-line services (e.g. web-based transactions)
Perspectives and Interests-2
• Government as service provider
  • To help protect the communication infrastructure against cyber security threats
  • To support Public Safety Services (e.g. Emergency 911 services), Emergency Telecommunications Service (ETS), Early Warning Services
  • To enable federated government services
• National security services and law enforcement
  • To support mandates in infrastructure protection, homeland security, law enforcement (forensics, lawful interception etc.)
  • To support the need for personal identity credentials and biometrics
Perspectives and Interests-3
• Individual end users
  • Ease and convenience of use
  • Portability of access
  • Confidence in security of transactions
  • Identity theft protection
  • Protection of sensitive private information
  • Reduction in unwanted intrusions
• Privacy advocates
  • Protection of sensitive personal information
  • Upholding of privacy laws and codes of practice
Status of work on IdM
Industry/Consortia work: Examples of different approaches
• Higgins - an extensible, platform-independent, identity protocol-independent software framework to support existing and new applications that give users more convenience, privacy and control over their identity information.
• Cardspace - a system in the Windows Communication Foundation (WCF) of WinFX that allows users to manage their digital identities from various identity providers, and employ them in different contexts where they are accepted to access online services.
• Liberty - allows consumers and users of Internet-based services and e-commerce applications to authenticate and sign on to a network or domain once from any device and then visit or take part in services from multiple Web sites.
• OpenID - a decentralized single sign-on system. On OpenID-enabled sites, Internet users do not need to register and manage a new account for every site before being granted access. Instead, they only need to be previously registered on a website with an OpenID “identity”.
ITU-T motivation for IdM work
• To provide a general framework that incorporates different perspectives and technologies
• To address the interplay between cybersecurity and IdM (the main issues are strong authentication, interoperability between IdM systems, and the development of common IdM data models to ensure appropriate exchange of IdM attributes and information)
• To enable service providers to reduce the cost of managing all the partial identities that exist in the network
• To facilitate revenue-generating NGN identity-based subscription services, e.g. single sign-on, presence, location etc.
Current ITU-T Approach
• Joint Coordination Activity on IdM and IdM Global Standards Initiative (GSI) established December 2007
• Most IdM work is being done in Study Group 17 (Security) and Study Group 13 (Future Networks, including Mobile and NGN)
ITU-T IdM results so far include:
• IdM focus group established in 2006 was open to all and drew wide interest.
• Six substantial reports from the FG IdM:
  • Report on Activities Completed and Proposed
  • Report on the Deliverables
  • Report on Identity Management Ecosystem and Lexicon
  • Report on Identity Management Use Cases and Gap Analysis
  • Report on Requirements for Global Interoperable Identity Management
  • Report on Identity Management Framework for Global Interoperability
• Two workshops & one conference
Current status of ITU-T work – 1: Recommendations now under Determination
• SG13 NGN:
  • Y.2720 NGN Identity management framework (approval expected on 23 January 2009)
• SG17 Security:
  • X.1250 Capabilities for enhanced global identity management trust and interoperability
  • X.1251 A framework for user control of digital identity
  (Approval of X.1250 & X.1251 expected in February 2009)
Current status of ITU-T work – 2: Recommendations for future Determination
• X.idm-ifa: Framework architecture for interoperable identity management systems
• X.idm-dm: Common Identity Data Model
• X.rfpg: Privacy guideline for RFID
• X.idmsg: Security guidelines for identity management systems
• X.priva: Criteria for assessing the level of protection for personally identifiable information in IdM
• X.eaa: Entity Authentication Assurance
ISO/IEC JTC1 SC 27 Work
• ISO 24760 – A Framework for Identity Management (5th Working Draft)
• The 6th WD should be available in February 2009
OECD
• Currently developing a Primer on Identity Management (internal OECD document, now due March 2009)
• The primer is intended to serve as input to an OECD IdM Policy Framework
More information
• IdM Focus Group: http://www.itu.int/ITU-T/studygroups/com17/fgidm/index.html
• Global Standards Initiative for Identity Management (IdM-GSI): http://www.itu.int/ITU-T/gsi/idm/
• Joint Coordination Activity for Identity Management: http://www.itu.int/ITU-T/jca/idm/
Thoughts from the Sidelines
The following Thoughts from the Sidelines are personal observations. They are presented here to stimulate discussion.
1. What is identity and what is IdM?
• It is essential that we have a clear definition and understanding of what is meant by the terms identity and identity management if we are to develop IdM standards.
• Yet, even as the first standards are near to completion, there is no agreement on these terms.
What is identity and what is IdM? ctd
• One reason for the difficulty in getting agreement is the different perspectives, e.g. ISO JTC1 SC27 deals largely with protection of identity information in information systems; ITU-T deals with the protection and use of telecommunications infrastructures and services. However, the definitions are not yet consistent even in the draft ITU-T Recommendations.
• The paper “A Relationship Layer for the Web . . . and for Enterprises, Too” (Bob Blakley, the Burton Group, June 2008) illustrates the total lack of world-wide agreement on the definition of identity and associated terms.
• Is it possible to manage something (particularly across multiple domains) if you can’t agree what it is?
2. Needs are not uniform for all potential IdM users
• Most on-line transactions require only authorization information, not evidence of identity. The information requested (credit card, telephone number, address etc.) authenticates the user on the basis of possessing that information. It does not provide irrefutable evidence (or any evidence) of identity.
• However, positive confirmation of identity is required for law enforcement and security agency activities, as well as for the granting of some rights such as access rights, the right to board an aircraft, or to enter a country.
• Does the broad range of needs mean that the identity information collected must satisfy the needs of those users who require the greatest level of detail?
3. Privacy concerns
• There must be protection against inappropriate collection of information
  • Collecting too much information
  • Collecting when not strictly necessary
  • Collecting without consent
  • Invasiveness of collection
• And against inappropriate use and disclosure
  • Secondary uses (function creep)
• The data collected must be properly secured and protected against poor information management & handling procedures and practices
Privacy concerns ctd
• Use of global identifiers poses a risk to privacy
• Neither personal identifiers, nor the risks they pose to privacy, are new.
  • E.g. Canadian & US Social insurance/security numbers (SIN & SSN) predate the Internet, electronic commerce and, to a large extent, data communications.
  • The safeguards associated with the SIN and SSN protect the organization, rather than the individual. They were not designed with the protection of personal information (or the risk of identity theft) in mind.
• Privacy (like security) should be built-in, not added as an afterthought.
Privacy concerns ctd
• Privacy protection is not (so far) a primary objective of the IdM work
• While privacy needs are recognized and some issues are beginning to be addressed, most emphasis is still on organizational (service provider) needs, rather than personal privacy. (“The purpose and focus of the ITU-T is also that of telecommunications, rather than the protection of personally identifiable information.” Annex A to SG 17 Q6 report, April 2008)
• Thus, the issue of how personal information used in the context of IdM can be protected needs further consideration. This is not just a standards issue. (There are technical, legal and policy issues to be addressed.)
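An added illustration of points 2 and 3 above (example code, not part of the original slides or of any ITU-T Recommendation): an identity provider releases to each relying party only the attributes that party's policy needs (most transactions need authorization data, not full identity), and uses a per-relying-party pseudonym instead of a SIN/SSN-style global identifier, so two relying parties cannot correlate the same user by comparing identifiers. The user record, relying-party policies and signing secret are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample identity record held by an identity provider (IdP).
# All values are made up for this example.
USER_RECORD = {
    "user_id": "u-1001",
    "national_id": "123-456-789",   # SIN/SSN-style global identifier
    "name": "A. Person",
    "email": "me@company.com",
    "date_of_birth": "1980-01-01",
    "address": "1 Example Street",
}

# Constructed per-relying-party (RP) release policies: each RP gets only
# the attributes it needs, not the whole record (data minimisation).
RP_POLICIES = {
    "shop.example": {"email"},
    "forum.example": set(),   # only needs "same user as last time", no attributes
}

IDP_SECRET = b"constructed-secret-for-pairwise-ids"


def pairwise_pseudonym(user_id: str, rp_id: str, secret: bytes = IDP_SECRET) -> str:
    """Derive a per-RP subject identifier with a keyed hash, so the same user
    appears under different identifiers at different RPs and the RPs cannot
    link their records by identifier (the correlation risk of a global ID)."""
    msg = f"{rp_id}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_assertion(record: dict, rp_id: str, global_identifier: bool = False) -> dict:
    """Build the assertion the IdP releases to rp_id.

    global_identifier=True mimics reusing the SIN/SSN-style number as the
    subject, which lets every RP correlate the user; False (the default)
    uses the pairwise pseudonym instead.
    """
    if rp_id not in RP_POLICIES:
        raise ValueError(f"unknown relying party: {rp_id}")
    if global_identifier:
        subject = record["national_id"]
    else:
        subject = pairwise_pseudonym(record["user_id"], rp_id)
    # Release only the attributes the RP's policy asks for.
    attrs = {k: record[k] for k in sorted(RP_POLICIES[rp_id]) if k in record}
    return {"audience": rp_id, "subject": subject, "attributes": attrs}


def can_correlate(a1: dict, a2: dict) -> bool:
    """True if two RPs could link their assertions to one person by subject."""
    return a1["subject"] == a2["subject"]
```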
4. What happens when something goes wrong?
• With the shift to identity providers, where will the information be kept? (Off shore?)
• Who is responsible if information is leaked or stolen (either individually or as part of a mass leak)? Will anyone be held accountable under existing laws?
• What help will there be to resolve the situation in the event of compromise? What recourse will there be for those whose information is compromised?
A closing thought
“An identity is a model of a person. Only an organization which has a close relationship with an individual knows enough about that individual to build an identity which is an accurate model; the more intimate the relationship is, the more accurate the identity will be. Organizations have only casual relationships with most of the individuals they deal with, so they build inaccurate identities which create risks for individuals and for themselves. Building accurate identities on the Internet will require new relationship technology and a new set of intermediaries who have sufficiently intimate relationships with individuals to construct identities for them.”
Bob Blakley, Burton Group