Security and Privacy SIG - Agenda The Concept of Tussle – Dave Clark Tussle and Identity Management – Robert Temple Framework for Digital Rights – Ross Anderson Does Tussle work for you – Whiteboard Session

Security and Privacy SIG - Agenda · cfp.mit.edu/.../Jun04/DDCSecurity_6-04.pdf · Managing the new complexity • Open systems and federation of data … but security threats are multiplying


Security and Privacy SIG - Agenda

• The Concept of Tussle – Dave Clark

• Tussle and Identity Management – Robert Temple

• Framework for Digital Rights – Ross Anderson

• Does Tussle work for you – Whiteboard Session


Identity Management: for CFP Security and Privacy SIG

Robert Temple

Chief Security Architect Group CTO


Problem Statement

“On the Internet, nobody knows you’re a dog”


Managing the new complexity

• Open systems and federation of data … but security threats are multiplying

• Multiplicity of roles (family, work, internet) … but more demands for privacy

• Identity recognised as multifaceted … but electronic identities are digitised

• etc


The Confusion

Provisioning

Single Sign On

Interoperability

Authentication

Authorization

Passwords

Directories


Identity Management

authentication

user management

access management

directory services

identity management


Authentication

• The procedure through which a user provides sufficient credentials to satisfy access requirements to a service, application or system


Authentication methods include:

• Form based.

• Password.

• Password over SSL.

• Authentication Levels.

• x509v3 certificates.

• Certificates with CRL (certificate revocation lists).

• Smartcards.

• 2 factor tokens

– from something you are,

– something you have,

– something you know.

• Method chaining (m of n).

• Method fallback (x509v3 to password etc.).

• Certificates with OCSP (Online Certificate Status Protocol).

[Diagram labels: Time, Today, Methods of Trust]


User Management

• A set of processes, and a supporting infrastructure, that supports the creation, maintenance and use of digital identities


Access Management

• A set of processes, and a supporting infrastructure, that supports the definition and enforcement of policies and rules governing access to protected, network-accessible resources


Directory Services

• Secure storage for both user and policy information that is consistent with the identity and authentication policies


Roles

BT Employee

Southwold Prop


What is digital identity – one view

Common Profile Info

Credentials

• Person may have many credentials

• Different strengths, different apps

• Can change frequently

Personal Identifier

• Subjects/principals

• Name, number, other identifier

• Unique in a domain

• Persistent, long-lived

• May be “pseudonym” or “true name”

Profiles - other

Profiles - Consumer

Profiles - Employer

• Attributes, entitlements, policies

• More transient, fluid information

• Often specific to apps or sites

Profiles App, Site, or Partner

Source: Burton group

Identity management: Business Drivers

• Reducing costs, increasing efficiency

• Faster delivery of new applications & services

• Increasing security, reducing risk

• Enabling new business models

• Protecting intellectual property & privacy.


Identity management: enforcers

• Data Protection legislation

– and the concerns of customers and businesses

• Governance

– audits

– tracking compliance with commitments of businesses


Multiple Namespaces Exist

• Aqua – Username: jones..; Password: pwd08

• Wireless LAN – Username: jones..; Password: PIN & token

• simon…[email protected]: 802xxxxxx; Password: pwd05

• BT Openworld – Username: simon...; Password: pwd01

• BT Internet – Username: simon...; Password: pwd01

• BT Connect – Username: simon...; Password: pwd03

• Talk21 – Username: simon...; Password: pwd02

• www.bt.com – Username: simon….; Password: pwd04

• [email protected]: 802xxxxxx; Password: pwd05

• Gatekeeper – Username: 802xxxxxx; Password: pwd06

• Remote access – Username: jones..; Password: PIN & token

• Rd-Martlesham – Username: jones..; Password: pwd07

Personal Role

Business Role

• BT Account – Account: EA120….

• www.yahoo.com – Username: simon….; Password: pwd09

• Employee Data – EIN: 802xxxxxxx


Analysis - Single Identity

• Aqua – Username: jones..; Password: pwd08

• Wireless LAN – Username: jones..; Password: PIN & token

• simon…[email protected]: 802xxxxxx; Password: pwd05

• BT Openworld – Username: simon...; Password: pwd01

• BT Internet – Username: simon...; Password: pwd01

• BT Connect – Username: simon...; Password: pwd03

• Talk21 – Username: simon...; Password: pwd02

• www.bt.com – Username: simon….; Password: pwd04

• [email protected]: 802xxxxxx; Password: pwd05

• Gatekeeper – Username: 802xxxxxx; Password: pwd06

• Remote access – Username: jones..; Password: PIN & token

• Rd-Martlesham – Username: jones..; Password: pwd07

Personal Role

Business Role

• BT Account – Account: EA120….

• www.yahoo.com – Username: simon….; Password: pwd09

• Employee Data – EIN: 802xxxxxxx

Common Profile Info

Address, etc.

Credentials

Unique Identifier

Consumer Profiles

Employer Profiles

App, Site, or Partner Profiles


Analysis Summary - Now

End Users

Admin

Contact Centres

[Diagram labels: Authentication / Authorization / Process (four instances); Service (four instances); Database of user credentials; Database of users]


Analysis Summary - Future

End Users

Admin

Contact Centres

[Diagram labels: Authentication / Authorization / Process (one instance); Service (four instances); Database of users; Database of user credentials]


Is This Really what our customers & society want?

• Tussle Concerns which are:

– Personal

– Shared

– Communal

– Global


Tussle – Personal Concerns

• Privacy

• Anonymity / Pseudonymity

• Identity Theft


Tussle – Shared Concerns

• Fraud


Tussle – Communal Concerns

• Public expectations around Identity


Tussle – Global Concerns

• Identity Cards Worldwide

• Immigration Controls

• Biometrics


Tussle

• Personal: Privacy; Anonymity / Pseudonymity; Identity Theft

• Shared: Fraud

• Communal: Public expectations around Identity

• Global: Identity Cards Worldwide; Immigration Controls; Biometrics


SAML