Digital Identity Management: Strategy, Policies and Architecture

Kent Percival, 2005 06 23. A presentation to the Information Services Committee (PowerPoint presentation, 29 slides).

Page 1: Digital Identity Management Strategy, Policies and Architecture

Digital Identity Management
Strategy, Policies and Architecture
Kent Percival
2005 06 23
A presentation to the Information Services Committee

Page 2: Digital Identity Management Strategy, Policies and Architecture

2005 06 23 Digital Identity Management (ISC) Percival 2

Presentation & Discussion

Goal: to develop a common perspective of Digital Identity Management and the resulting strategies, policies and architecture

Overviews
- Business/Organizational model
- Implementation issues and strategies

Page 3: Digital Identity Management Strategy, Policies and Architecture

What is a Digital Identity?

A computer object representing a real person
- … we used to call them Computer Accounts
- … could also represent: a device, an application, …

D.I.

Page 4: Digital Identity Management Strategy, Policies and Architecture

Digital Id’s… so many of them!

- Systems have separate user accounts
- Some applications maintain id databases
  - Some maintain additional personal information to control authorization or personalize service.
- Maintained by separate administrations

Page 5: Digital Identity Management Strategy, Policies and Architecture

[Diagram: the many separate identity stores on campus, linked only by “Periodic data sharing”: Colleague, Library Patron, HS Express, Human Resources, several Dept Servers, Active Directory, Central ID, Central File Service, Dialup Modem, “general”/“stats” Portal, Web Hosting, ResAdmin, ResNet Phones, V.Mail, Athletics, Campus Directory, Central eMail, WebCT, Network Access, Bldg Access (several), FRS Purchasing, OOLD2L.]

Page 6: Digital Identity Management Strategy, Policies and Architecture

What is a Digital Identity used for?

- Authentication: verifying the user really is who they say they are.
- Authorization: determining what the user can and can’t do.
- Accounting: having a record to investigate incidents after the fact.
- Identification: identifying the user by unique ID, common name, email address, …
- Personalization: making services efficient and effective by knowing the user.

Page 7: Digital Identity Management Strategy, Policies and Architecture

What’s in a Digital Identity?

- Security information (computer account stuff)
  - Authentication: ID, password, …
  - Authorization: access control, groups, file permissions
- Organizational information
  - Relationship to the organization: department; status
  - Organizational identifiers: employee #, student #; email address
- Personal information
  - Name, email address, phone #, address, …
  - Personal preferences for services

Page 8: Digital Identity Management Strategy, Policies and Architecture

Limitations of local “accounts”

- Security
  - Varying quality of administration
  - Controlling exposure: limited scope but slow response
  - No institutional policy control
- Efficiency
  - Many administration points
  - Multiple relationships with information “owners”
- Service
  - No single sign-on ... or a complicated process
  - Personalization varies between services

Page 9: Digital Identity Management Strategy, Policies and Architecture

Efficiency? <–> Centralization?

First try: managing identities on many systems is expensive. Put all the data in one place. Campus Directory!

Why isn’t this working well? Technical reasons … but mainly Organizational reasons …

Page 10: Digital Identity Management Strategy, Policies and Architecture

Technical pitfalls

- Success of Directories for systems and application management
- Proprietary architecture and designs
- Applications with closed requirements
- Data must be in different formats for different uses

Page 11: Digital Identity Management Strategy, Policies and Architecture

Organizational pitfalls

- Privacy concerns
- Security concerns
- Data ownership concerns
- Different interpretations of data
- Inappropriate use
- Trusting the data of others
- Silo approach to service management

Page 12: Digital Identity Management Strategy, Policies and Architecture

Strategy: deal with Org Issues!

- Identify the organizational opportunities
- Define an organizational reference model
- Create policies and strategies to deal with the organizational pitfalls.

Page 13: Digital Identity Management Strategy, Policies and Architecture

The Organizational Trust Model

Users and Service providers must trust one another and trust a central Digital Identity Management System.

Trust Domain - a collection trusting each other: service providers; users; trust and identity management.

Can’t trust everyone and everything immediately
- It takes time to build a trust domain.
- Overlapping domains create problems
- The scope of a domain should match organizational boundaries.

Page 14: Digital Identity Management Strategy, Policies and Architecture

Security Management

[Diagram: Security Management rests on Trust and Communication across Identity Systems, with four components: Trust Management, Identity Management, Vulnerability Management and Threat Management.]

Page 15: Digital Identity Management Strategy, Policies and Architecture

Trust <-> Policies

In an organization trust is managed by successful implementation of appropriate institutional Trust Management Policies and Identity Management Policies:
- Security
- Privacy
- Appropriate Use - who and how

Involves
- Persons: faculty, staff, students, temporary, … public
- Owner and Steward responsibilities

Page 16: Digital Identity Management Strategy, Policies and Architecture

ROLES

- Organizations are people with roles
  - Roles define org. relationships: Identity!
- Computer applications define roles for users.
- Org. Role - a key element of a Digital Identity
  - Assigning a Role defines Authorization
- Need to harmonize organizational roles with computer application roles.
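The harmonization this slide calls for, as an added example that is not part of the presentation: a single, centrally owned table translates the organizational roles held in a Digital Identity into the roles each application defines, authorization is derived from the translated roles, and a person whose org role has no translation for an application gets nothing (deny by default). All role, application and permission names are constructed for the example.

```python
"""Added example (not from the presentation): harmonizing organizational
roles with application roles. A central mapping table reconciles the org
vocabulary (faculty, staff, ...) with each application's own vocabulary;
authorization is derived from the application roles, and anything
unmapped is denied. All names below are constructed."""
from dataclasses import dataclass, field

# Org roles a person can hold in the central Digital Identity (constructed).
ORG_ROLES = {"faculty", "staff", "student", "temporary", "public"}

# Per-application translation of org roles to application roles. This table
# is the single place where the two vocabularies are reconciled (constructed).
ROLE_MAP = {
    "lms": {"faculty": {"instructor"}, "student": {"learner"}},
    "hr_portal": {"staff": {"employee"}, "faculty": {"employee"}},
    "library": {"faculty": {"patron"}, "staff": {"patron"},
                "student": {"patron"}, "public": {"guest"}},
}

# What each application role may do: the application's own rules (constructed).
APP_PERMISSIONS = {
    "lms": {"instructor": {"grade", "read"}, "learner": {"read", "submit"}},
    "hr_portal": {"employee": {"view_payslip"}},
    "library": {"patron": {"borrow", "search"}, "guest": {"search"}},
}


@dataclass
class DigitalIdentity:
    uid: str
    org_roles: set = field(default_factory=set)


def app_roles_for(identity, app):
    """Translate the person's org roles into roles `app` understands.
    Unknown org roles and unknown apps map to nothing (deny by default)."""
    mapping = ROLE_MAP.get(app, {})
    roles = set()
    for org_role in identity.org_roles:
        if org_role not in ORG_ROLES:
            continue  # not a recognized org role: ignore rather than guess
        roles |= mapping.get(org_role, set())
    return roles


def is_authorized(identity, app, action):
    """Authorization decision derived from the harmonized application roles."""
    perms = APP_PERMISSIONS.get(app, {})
    return any(action in perms.get(r, set()) for r in app_roles_for(identity, app))


def unmapped_org_roles(app):
    """Harmonization check: org roles this application has no translation for.
    People holding only these roles are denied by default, so the list shows
    where the mapping table is still incomplete."""
    return sorted(ORG_ROLES - set(ROLE_MAP.get(app, {})))


if __name__ == "__main__":
    alice = DigitalIdentity("alice", {"faculty"})
    print(app_roles_for(alice, "lms"), is_authorized(alice, "lms", "grade"))
    print("lms has no mapping for:", unmapped_org_roles("lms"))
```

The deny-by-default behaviour is the point: an application never has to interpret an org role it does not know, and the `unmapped_org_roles` check turns "which roles did we forget?" into a review question rather than a surprise at login.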

Page 17: Digital Identity Management Strategy, Policies and Architecture

Outside the Trust Domain

With the Internet, a Trust Domain is not a closed system.
- Persons outside the trust domain need to access campus services
  - Where do those services go?
  - How do we authenticate and authorize those persons?
- People in our trust domain need to access services at other institutions

Federated Identity Management

Page 18: Digital Identity Management Strategy, Policies and Architecture

Federated Id. Management

[Diagram: two trust domains, UoG and UW, each with its own services, users and Authentication/Authorization servers; a single trust relationship links the two. Authentication/Authorization servers are critical components of both trust domains.]

Page 19: Digital Identity Management Strategy, Policies and Architecture

Implementation

Page 20: Digital Identity Management Strategy, Policies and Architecture

Ideal Architecture - industry target

[Diagram: the AAA controls embedded in computer systems, software and IT services are replaced/integrated with a few Policy Servers (a “Central Auth. Server” providing Authentication, Authorization and Accounting), backed by one reliable datastore (the DIRECTORY) and Digital Identity admin tools.]
- Services have limited access to DI info
- A few Policy Servers handle sensitive information
- One reliable, secured information store
- All data centrally administered

Page 21: Digital Identity Management Strategy, Policies and Architecture

Directory reality

- Directories, directories, directories, … implementations are intimately linked to systems and applications!
- Most Directories do not have appropriate administration and policy management tools
- A Directory is not always the appropriate technology

Page 22: Digital Identity Management Strategy, Policies and Architecture

Authen./Author. Imbedded

- Some applications rely on Operating System control functions
- Many applications have imbedded business rules controlling authentication and authorization
- Trust Domain Policies must be implemented in many places.
  - Need common vocabulary and explicit policy implementations

Page 23: Digital Identity Management Strategy, Policies and Architecture

Realistic Architecture

[Diagram: six systems (System #1 … #6), each with its own software and IT services and, in several cases, its own Authen/Author/Account functions, backed by three separate directories (DIRECTORY #A, #B, #C) and Digital Identity admin tools.]

Page 24: Digital Identity Management Strategy, Policies and Architecture

Centralized vs distributed

Collecting all Identity information into one central “longitudinal” record does not work.

Data exists in several places
- Central repository (e.g. campus Directory)
- Shared repositories (e.g. CFS AD)
- Within a single application

Use a “virtual” Identity Object Model: central design / distributed data
- Centrally administer global/essential data
- Define where other data is stored - provide key link information
- Copy data to an accessible location
- Use referral directory lookups (ask one directory)

Page 25: Digital Identity Management Strategy, Policies and Architecture

[Diagram: a Master Digital Identity Directory and a Central Digital Identity Management Service hold references (ref: Employee #, ref: Student #, ref: Express #) into the Colleague, HS Express and Human Resources directories (Data Mngt); a Central Authentication/Authorization Service sits between the directories and the Applications & Services.]

Page 26: Digital Identity Management Strategy, Policies and Architecture

What’s in the central DI object?

- Authentication data: password, digital certificate, fingerprint signature
- Identity: unique ID, common names
- Address: office, phone #, FAX, email address, …; hyperlink to personal webpage
- Affiliations: org units, group memberships, …
- Organizational Roles: who are you; what are you allowed to do?
- Keys to D.I. information in other repositories: employee #, student #, library barcode, ExpressCard #, …

Page 27: Digital Identity Management Strategy, Policies and Architecture

Summary 1

A good D.I. Mgmt design
- requires an organization-wide model
- recognizes use outside the trust domain
- starts with policy to build a trust domain
  - security, privacy and appropriate use of DI data
  - administered efficiently, timely, accurately
  - relates Identity to organizational role

Page 28: Digital Identity Management Strategy, Policies and Architecture

Summary 2

A DI Mgmt system is implemented with
- multiple distinct Directory Servers
- authentication and authorization functions implemented on separate AAA servers, instead of being imbedded in systems and applications
- a virtual DI object defining information in multiple datastores
- a central DI object component which
  - provides general Digital Identity information
  - provides keys to other DI information in datastores managed by others.

Page 29: Digital Identity Management Strategy, Policies and Architecture

First Steps: Develop Org. Trust Model

- Identify the organizational opportunities
- Define an organizational reference model
- Create policies and strategies to deal with the organizational pitfalls.