Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new...
Transcript of Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new...
![Page 1: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/1.jpg)
Security and Privacy SIG - Agenda
• The Concept of Tussle – Dave Clark
• Tussle and Identity Management – Robert Temple
• Framework for Digital Rights – Ross Anderson
• Does Tussle work for you – Whiteboard Session
![Page 2: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/2.jpg)
Identity Management: for CFP Security and Privacy SIGRobert TempleChief Security Architect Group CTO
![Page 3: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/3.jpg)
Problem Statement
“On the Internet, nobody knows you’re a dog”
![Page 4: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/4.jpg)
Managing the new complexity
• Open systems and federation of data… but security threats are multiplying
• Multiplicity of roles (family, work, internet)… but more demands for privacy
• Identity recognised as multifaceted… but electronic identities are digitised
• etc
![Page 5: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/5.jpg)
The Confusion
ProvisioningProvisioning
Single Sign OnSingle Sign On
InteroperabilityInteroperability
AuthenticationAuthentication
Authorization
Authorization
PasswordsPasswords
DirectoriesDirectories
![Page 6: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/6.jpg)
Identity Management
authentication usermanagement
accessmanagement
directoryservices
identitymanagement
![Page 7: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/7.jpg)
Authentication
• The procedure through which a user provides sufficient credentials to satisfy access requirements to a service, application or system
![Page 8: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/8.jpg)
Authentication methods include:
• Form based.
• Password.
• Password over SSL.
• Authentication Levels.
• x509v3 certificates.
• Certificates with CRL( certificate revocation lists).
• Smartcards.
• 2 factor tokens– from something you are,– something you have, – something you know.
• Method chaining (m of n).
• Method fallback (x509v3 to password etc.).
• Certificates with OCSP (Online certificate status
protocol).
Ti m
eT
o day
Methods of Trust
![Page 9: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/9.jpg)
User Management
• A set of processes, and a supporting infrastructure, that supports the creation, maintenance and use of digital identities
![Page 10: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/10.jpg)
Access Management
• A set of processes, and a supporting infrastructure, that supports the definition and enforcement of policies and rules governing access to protected, network-accessibleresources
![Page 11: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/11.jpg)
Directory Services
• Secure storage for both user and policy information that is consistent with the identity and authentication policies
![Page 12: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/12.jpg)
Roles
BT Employee
Southwold Prop
![Page 13: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/13.jpg)
What is digital identity – one view
Common Profile Info
Credentials
• Person may have many credentials• Different strengths, different apps• Can change frequently
Personal Identifier
• Subjects/principals • Name, number, other identifier, • Unique in a domain• Persistent, long-lived• May be “pseudonym” or “true name”
Prof
iles -
other
Profiles - Consumer
Profiles - Employer
• Attributes, entitlements, policies• More transient, fluid information• Often specific to apps or sites
Profiles App, Site, or Partner
Source: Burton group
![Page 14: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/14.jpg)
Identity management: Business Drivers•Reducing costs, increasing efficiency
•Faster delivery of new applications & services
•Increasing security, reducing risk
•Enabling new business models
•Protecting intellectual property & privacy.
![Page 15: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/15.jpg)
Identity management: enforcers
• Data Protection legislation– and the concerns of customers and businesses
• Governance
– audits
– tracking compliance with commitments of businesses
![Page 16: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/16.jpg)
Multiple Namespace Exist
AquaUsername: jones..Password: pwd08
Wireless LANUsername: jones..
Password: PIN & token
simon…[email protected]: 802xxxxxx
Password: pwd05
BT OpenworldUsername: simon...Password: pwd01
BT InternetUsername: simon...Password: pwd01
BT ConnectUsername: simon...Password: pwd03
Talk21Username: simon...Password: pwd02
www.bt.comUsername: simon….
Password: pwd04
[email protected]: 802xxxxxx
Password: pwd05
GatekeeperUsername: 802xxxxxx
Password: pwd06
Remote accessUsername: jones..
Password: PIN & token
Rd-MartleshamUsername: jones..Password: pwd07
Personal Role
Business Role
BT AccountAccount: EA120….
www.yahoo.comUsername: simon….
Password: pwd09
Employee DataEIN: 802xxxxxxx
![Page 17: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/17.jpg)
Analysis - Single Identity
AquaUsername: jones..Password: pwd08
Wireless LANUsername: jones..
Password: PIN & token
simon…[email protected]: 802xxxxxx
Password: pwd05
BT OpenworldUsername: simon...Password: pwd01
BT InternetUsername: simon...Password: pwd01
BT ConnectUsername: simon...Password: pwd03
Talk21Username: simon...Password: pwd02
www.bt.comUsername: simon….
Password: pwd04
[email protected]: 802xxxxxx
Password: pwd05
GatekeeperUsername: 802xxxxxx
Password: pwd06
Remote accessUsername: jones..
Password: PIN & token
Rd-MartleshamUsername: jones..Password: pwd07
Personal Role
Business Role
BT AccountAccount: EA120….
www.yahoo.comUsername: simon….
Password: pwd09
Employee DataEIN: 802xxxxxxx
Common Profile Info
Address, etc.
Credentials
Credentials
Unique Identifier
App,
Site,
or P
artne
r Pro
files
Consumer Profiles
Employer Profiles
App, Site, or Partner Profiles
![Page 18: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/18.jpg)
Analysis Summary - Now
End Users
Admin
Contact Centres
AuthenticationAuthorization
ProcessAuthenticationAuthorization
ProcessAuthenticationAuthorization
ProcessAuthenticationAuthorization
Process
ServiceService
ServiceService
Database of user
credentialsDatabase of users
![Page 19: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/19.jpg)
Analysis Summary - Future
End Users
Admin Contact Centres
AuthenticationAuthorization
Process
ServiceService
ServiceService
Database of users
Database of user
credentials
![Page 20: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/20.jpg)
Is This Really what our customers & society want?
• Tussle Concerns which are:– Personal
– Shared
– Communal
– Global
![Page 21: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/21.jpg)
Tussle – Personal Concerns
• Privacy
• Anonymity / Pseudonymity
• Identity Theft
![Page 22: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/22.jpg)
Tussle – Shared Concerns
• Fraud
![Page 23: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/23.jpg)
Tussle – Communal Concerns
• Public expectations around Identity
![Page 24: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/24.jpg)
Tussle – Global Concerns
• Identity Cards Worldwide
• Immigration Controls
• Biometrics
![Page 25: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/25.jpg)
Tussle
Shared
GlobalCommunal
Personal
PrivacyAnonymity /
Pseudonymity
Identity Theft
Fraud
Public expectations
around Identity
Identity Cards
Worldwide
Immigration
ControlsBiometrics
![Page 26: Security and Privacy SIG - Agendacfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying](https://reader036.fdocuments.net/reader036/viewer/2022070723/5f0207407e708231d4023859/html5/thumbnails/26.jpg)
SAML