Assuring Identities in an Open Trust Framework

Transcript of Assuring Identities in an Open Trust Framework

Page 1: Assuring Identities in an Open Trust Framework

Assuring Identities in an Open Trust Framework

Interoperability and Connectivity: Privacy, Security and Trust in Health Information Exchange - 5th Annual WHIT Congress – 11/10/2009

The Identity Assurance Framework
Kantara Initiative

Pete Palmer
Co-Chair - Kantara Healthcare Identity Assurance Work Group

Page 2: Assuring Identities in an Open Trust Framework

Disclaimer

This presentation is the result of work developed by volunteers of the Electronic Authentication Partnership, the Liberty Alliance, and the Kantara Initiative and is not a work product of Surescripts.

Page 3: Assuring Identities in an Open Trust Framework

Kantara Overview

Founded: April 20, 2009

Trustees: AOL, BT, CA, Fidelity, Intel, Internet Society, Liberty Alliance, Neustar, Novell, NRI, NTT, Oracle, PayPal and Sun (see: http://kantarainitiative.org/confluence/display/GI/Current+Members)

Purpose:
• To bridge and harmonize identity community efforts
• To ensure secure online interactions
• To enhance personal privacy
• To assure interoperability between OpenID, Liberty, InfoCard and other identity management solutions

Page 4: Assuring Identities in an Open Trust Framework

Kantara Healthcare Work Group

Founded: August, 2009
History: Was the Liberty Alliance Health Care Work Group

Purposes:
• Implement patient access to their medical information and health care providers' systems using open source solutions
• Implement simplified health care worker identity management
• Review/endorse an identity assurance framework to support health information exchanges (HIEs) and the US nationwide health information network (NHIN)
• Review/endorse patient identification standards for on-line and card identifiers
• Work with vendors to help foster interoperability

Current co-chairs: John Fraser, MEDNETWorld.com; Pete Palmer, Surescripts; and Rick Moore, eHealth Ohio.

Home Page: http://kantarainitiative.org/confluence/display/healthidassurance/Home

Full Charter is at: http://kantarainitiative.org/confluence/display/healthidassurance/Charter

Page 5: Assuring Identities in an Open Trust Framework

Identity in the Physical World

Page 6: Assuring Identities in an Open Trust Framework

Today’s Collection of Identity Silos

(Slide figure: a mock site, Joe’s Fish Market.Com, with its own product categories, standing in for one of the many separate sites a user must hold a separate account with.)

Page 7: Assuring Identities in an Open Trust Framework

What the User wants…

• Simplified online experience: get rid of the need for multiple user-ids and passwords; fewer clicks
• Protected personal information: reduce my risk from fraud
• Better product & service offerings: Web 2.0 and/or “smart phone” data service integration

Page 8: Assuring Identities in an Open Trust Framework

There are Two Problem Areas

Technical Interoperability
• Does the client application I'm using “talk” to the systems I want to use? (can I type in my PIN on my iPhone and have unfettered access to services without logging in again?)
• Does the system that authenticates me (vouches for me) “talk” to the service provider systems I want to access? (can I log in to my bank's site and use that to pay my taxes, book travel, and check my Gmail account?)

Operational Interoperability & Assurance
• Do the commercial and government systems “trust” each other's systems, operating procedures, vetting practices, etc.? (i.e., understand & accept the distribution of liability when/if something goes wrong)

We’ll focus today on the Operational Interoperability & Assurance aspects.

Page 9: Assuring Identities in an Open Trust Framework

…so why the need for a common standard?

Identity Assurance Framework

Page 10: Assuring Identities in an Open Trust Framework

ATM Historic Analogy

(Slide figure: three stages, drawn side by side for bank ATM networks and for web sites.)

• Separate Cards with Each Bank (Bank A ATM Card, Bank B ATM Card, Bank C ATM Card, each usable only on its own Bank ATM Network A, B or C) corresponds to Individual Accounts with Many Web Sites (a separate account at each .com)
• Linked Cards within Bank Networks corresponds to Federated Accounts within a Trust Domain
• Seamless Access Across all Networks corresponds to Linkage of Trust Domains

Page 11: Assuring Identities in an Open Trust Framework

Identity Ecosystem: Trust

Federated cloud: RP applications trusting federations, who enroll & monitor CSPs compliant with federation operator (FO) policies, based on assessor assessments.

Actors in the diagram:
• End user (subscriber)
• Credential Service Provider
• Authentication Technology
• Federation Operator
• Assessor
• Relying Parties
• Government Applications, Services, Resources

Page 12: Assuring Identities in an Open Trust Framework

Identity Assurance Framework: What is it?

• Framework supporting mutual acceptance, validation and lifecycle maintenance across identity federations (i.e. systems that trust each other)
• Started with the EAP Trust Framework, UK tScheme and US e-Auth Federation Credential Assessment Framework as baseline
• Harmonized, best-of-breed industry identity assurance standard: identity credential policy, business procedure and rule set, baseline commercial terms
• Guideline to foster inter-federation (i.e. inter-trust) on a global scale

It consists of 4 parts:
• Assurance Levels
• Service Assessment Criteria
• Assurance Assessment Scheme and Certification Program
• Business Rules/Deployment Guidelines

Page 13: Assuring Identities in an Open Trust Framework

Identity Ecosystem: Trust after IAF

IAF-enabled inter-federated cloud: RP applications trusting [Certified Federations, who enroll & monitor] IAF-compliant CSPs, based on accredited assessor assessments.

Actors in the diagram:
• End user (subscriber)
• Credential Service Provider
• Authentication Technology
• Federation Operator
• Assessor
• Relying Parties
• Government Applications, Services, Resources

Diagram labels added for the IAF: Accredited Assessors List; Certified Federations List; IAF’s Initial Focus.

Page 14: Assuring Identities in an Open Trust Framework

IAF Assurance Levels

Four Primary Levels of Assurance:
• Level 1 – Little or no confidence in asserted identity’s validity
• Level 2 – Some confidence
• Level 3 – Significant level of confidence
• Level 4 – Very high level of confidence

CSPs are certified by Assessors to a specific Level(s).

Page 15: Assuring Identities in an Open Trust Framework

IAF Assurance Levels Illustrated

Level 1 – Example: Registration to a news website
  Assessment Criteria – Organization: Minimal organizational criteria
  Assessment Criteria – Identity Proofing: Minimal criteria - self assertion
  Assessment Criteria – Credential Mgmt: PIN and password

Level 2 – Example: Change of address of record by beneficiary
  Assessment Criteria – Organization: Moderate organizational criteria
  Assessment Criteria – Identity Proofing: Moderate criteria - attestation of Govt. ID
  Assessment Criteria – Credential Mgmt: Single factor; prove control of token through authentication protocol

Level 3 – Example: Access to an online brokerage account
  Assessment Criteria – Organization: Stringent organizational criteria
  Assessment Criteria – Identity Proofing: Stringent criteria – stronger attestation and verification of records
  Assessment Criteria – Credential Mgmt: Multi-factor auth; cryptographic protocol; “soft”, “hard”, or “OTP” tokens

Level 4 – Example: Dispensation of a controlled drug or $1mm bank wire
  Assessment Criteria – Organization: Stringent organizational criteria
  Assessment Criteria – Identity Proofing: More stringent criteria – stronger attestation and verification
  Assessment Criteria – Credential Mgmt: Multi-factor auth with hard tokens only; cryptographic protocol with keys bound to the authentication process

Note: Assurance level criteria as posited by OMB M-04-04 & NIST SP 800-63.
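As an added example (not code from the Kantara Initiative or from this presentation), the following Python sketches how a relying party can enforce these levels at run time: each resource is mapped to a required LOA, and an incoming assertion is trusted only up to the level the issuing CSP has been certified for, as listed by its federation. The registry contents, resource paths, issuer URLs and status values are constructed placeholders.

```python
# Added example (not Kantara Initiative code): relying-party (RP) side
# enforcement of IAF assurance levels. All names and values are hypothetical.
from dataclasses import dataclass

# Constructed stand-in for the list an RP obtains from its certified
# federation: which credential service providers (CSPs) are certified,
# to what level of assurance (LOA), by an accredited assessor.
CERTIFIED_CSPS = {
    "https://idp.example-csp.test": {"loa": 3, "status": "certified"},
    "https://login.example-bank.test": {"loa": 4, "status": "certified"},
    "https://idp.lapsed.test": {"loa": 2, "status": "suspended"},
}

# Required LOA per RP resource, following the slide's examples
# (news registration = 1 ... controlled-drug dispensing = 4). Hypothetical paths.
RESOURCE_LOA = {
    "/news/register": 1,
    "/beneficiary/address": 2,
    "/brokerage/trade": 3,
    "/pharmacy/dispense-controlled": 4,
}


@dataclass(frozen=True)
class Assertion:
    """Minimal view of an identity assertion as received by the RP."""
    issuer: str        # the CSP that authenticated the user
    subject: str
    asserted_loa: int  # LOA the CSP claims for this authentication event


def effective_loa(assertion: Assertion, registry=CERTIFIED_CSPS) -> int:
    """LOA the RP may actually rely on.

    The RP trusts the assessor's certification, not the CSP's own claim,
    so the usable LOA is the lower of what the CSP asserts and what it is
    certified for. An unknown or suspended CSP yields 0.
    """
    entry = registry.get(assertion.issuer)
    if entry is None or entry["status"] != "certified":
        return 0
    return min(assertion.asserted_loa, entry["loa"])


def authorize(assertion: Assertion, resource: str,
              registry=CERTIFIED_CSPS, policy=RESOURCE_LOA) -> tuple[bool, str]:
    """Allow access only when the effective LOA meets the resource's requirement.

    Resources with no policy entry are denied (fail closed) rather than
    silently treated as LOA 1.
    """
    required = policy.get(resource)
    if required is None:
        return False, f"no assurance policy for {resource}"
    have = effective_loa(assertion, registry)
    if have >= required:
        return True, f"LOA {have} satisfies required LOA {required}"
    return False, (f"LOA {have} below required LOA {required} "
                   f"(issuer {assertion.issuer})")


if __name__ == "__main__":
    a = Assertion("https://idp.example-csp.test", "alice", asserted_loa=4)
    # The CSP claims LOA 4 but is certified only to LOA 3, so the
    # controlled-drug dispensing resource is refused while brokerage access passes.
    print(authorize(a, "/pharmacy/dispense-controlled"))
    print(authorize(a, "/brokerage/trade"))
```

The key design point is that the asserted level is capped by the certified level: a CSP cannot raise its own standing in the RP's eyes by claiming more, which is exactly the gap the assessor and the certified-federation list are meant to close.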

Page 16: Assuring Identities in an Open Trust Framework

Assurance Assessment Scheme & Certification Program

• Oversight by Member Committee (ARB)
• Assessor is Accredited based on application of demonstrated expertise
• CSP service is Certified to LOA(s) based on IAF compliance
• Technology is Certified to be Interoperable
• User has safe, simple access to services

(Diagram labels: Credential Service Provider; Relying Parties.)

Page 17: Assuring Identities in an Open Trust Framework

The Result – Identity Ecosystem

Participants: Commercial, Social Networks, Financial, Government, Institutions, Industry, Employers, Family/Friends; People, Entities, Machines...

•Ubiquitous interoperability
•Minimize or Eliminate “Token Necklace”
•Customer Convenience
•Consistent User Experience
•Plain Language
•Simplified On-boarding
•Low-to-No Cost
•Ease of Service Selection
•Clear Risk & Liability

Page 18: Assuring Identities in an Open Trust Framework

Goal: Health care simplified authentication

(Slide figure: a Health Information Exchange (HIE) in which HIE Gateways connect Hospitals, Clinics, Payors, PHRs, EMRs and RLSs, and NHIN Gateways link the HIE to the NHIN.)

Interoperability for
• Patient Lookup
• Clinical Document Exchange
• Privacy and Security

Simplified Sign Ons: HIE member users, patients and healthcare workers signing on to Health Information Systems (Clinics, Hospitals, etc), Google Health, MS HealthVault, etc, or via iPhone or similar smartphone apps

Patient Logins

Page 19: Assuring Identities in an Open Trust Framework

More Information on IAF and the Assurance Certification Program

http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program

Thank You! [email protected]