1 / 20

IdM Identity Proofing & Registration

IdM Identity Proofing & Registration. Gary Chapman David Millman September 2006. Agenda. Context: IdM elements & processes Definitions How things are mostly done today Internal & external drivers for change How to approach next gen designs Relationship to other IdM concepts

glenna
Download Presentation

IdM Identity Proofing & Registration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IdMIdentity Proofing & Registration Gary Chapman David Millman September 2006

  2. Agenda • Context: IdM elements & processes • Definitions • How things are mostly done today • Internal & external drivers for change • How to approach next gen designs • Relationship to other IdM concepts • Sample documents

  3. Context • Identification and Registration are basic components of an overall IdM system. • They are fundamental at the beginning of bringing people into a community, but their role continues… • Other IdM functions rely on Identification and Registration processes and data. • Goal: provide trustworthy electronic and physical credentials to members of a community

  4. Overview of IdM Elements

  5. We digress… a couple comments on that diagram… Has some good aspects… e.g. the common understanding we have today that authentication is something to be largely handled outside an app, and is something different from authorization But still misses many very important aspects of Identity Management, e.g. Directory Services Federation Policy and Governance Data structures, including roles and groups Recurrent / cyclical processes Devilish details!

  6. Definitions Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be. Generally, this identity verification takes place within the office (e.g. Human Resources or Student Services) that first encounters the individual and creates their record within the institutional system(s) of record. The next step is Registration. Registration (credentialing) is the process whereby users are given electronic credentials, leveraging the identification process above to ensure that they are coupled with the correct electronic identity information. For example, many campuses use a web-based mechanism to reset an initial password and establish a permanent one, ensuring a correct mapping by requiring the user to enter additional information validated against that which is contained in their record. It is important for institutions to establish rules that govern the processes used by the department or office that assigns and distributes credentials. (from the NMI-Edit Authentication Roadmap)

  7. Current Methods - BPR Analysis

  8. Current Methods - BPR Analysis

  9. Some medical “special” cases • Dr’s, repeated credentialing • Require updated certification • Significant credentialing infrastructure • QC dependency on IT • Credentialing tools (nurses can check Dr’s certifications) • Students • Can recommend tests & drugs • Short rotations (month-ish) • 50% visiting students • Become Residents (hospital employees x 2) • Then become Attending (univ employees x 2) • “Vendors” • Medical secretaries in private practice offices

  10. Drivers for Change • Security: identification and registration are foundational -- the rest of “the system” is only as strong as its foundation • Challenge: increasingly diverse community - increasingly seeing new populations with varying identification characteristics • Challenge: increasingly diverse applications to support having different security requirements • Challenge: both internal and external applications to support

  11. Guiding Concepts • Risk management • In relation to a given system, how serious is a compromise or a data spill relating to inappropriate/unauthorized access? • The greater the risk, the greater the requirement for confidence that a person accessing the system is who they claim to be • Levels of assurance • Increasingly common to characterize systems as requiring credentials which provide a high (or low) “level of assurance” • Identification and registration processes may be geared to provide higher or lower levels of assurance • The more rigorous the identification and registration processes in effect, the higher the level of assurance provided by issued credentials • But, of course, not all credentials are equally good (e.g. username/password versus two-factor authentication token) • So: roughly, reliability of a credential = Rigor of Process + Credential characteristics

  12. Levels of Assurance NIST SP 800-63 example, Token-types allowed at each assurance level

  13. Levels of Assurance NIST SP 800-63 example, Required protections

  14. Ties to other IdM issues • Certificate Authorities (levels of assurance in Federal PKI Certificate Policies) • Document authenticity (diplomatics)

  15. Where to go for ideas, guidance? • In evaluating your identification and registration processes, take a look at • InCommon Federation Participant Operational Practices document -- filled out by participating institutions to describe institutional policies and practices http://www.incommonfederation.org/docs/policies/incommonpop.pdf • FIPS 201 standard -- federal standard for “Personal Identity Verification (PIV) of Federal Employees and contractors” (http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf)

  16. InCommon POP • Your community - how do you define set of people who are eligible to receive credentials? • Your credentials - what is the administrative process used to establish electronic identities? What is (are) the office(s) of record for this purpose? What technologies are used for your identity credentials? Ever transmitted in plain text across your network? • Your identifiers - everlasting or re-used? • Maintaining and updating information - how is information in your identity datase acquired and updated? How can update? Any self-service? (Surprisingly, doesn’t seem to ask about registration processes, credential distribution methods, credential de-provisioning…)

  17. FIPS 201 standard • Describes the very elaborate processes and procedures deemed appropriate post-911 to control access to federal facilities and electronic resources… the bar is set high! (And so presents many excellent points of comparison with existing or desired practices at one’s home institution.) • Goal: issue credentials -- secure and reliable forms of identification - • based on sound criteria for verifying employee’s identity • are strongly resistant to identify fraud, tempering, counterfeiting • Can be rapidly validated electronically • Issued by accredited providers • Having graduated criteria (from least secure to most) to ensure flexibility in selecting the appropriate level of security for each application • Rigorous processes, e.g. --

  18. The process shall begin with initiation of a National Agency Check with Written Inquiries… • The applicant must appear in-person at least once before the issuance of a PIV credential. • During identity proofing, the applicant shall be required to provide two forms of identity source documents in original form… • The PIV identity proofing, registration and issuance process shall adhere to the principle of separation of duties to ensure that no single individual has the capability to issue a PIV credential without the cooperation of another authorized person. • The PIV Sponsor shall complete a PIV Request for a particular Applicant, and submit the PIV Request to the PIV Registrar and the PIV Issuer. The PIV Request shall include the following: • Name, organization, and contact information of the PIV Sponsor • Name, date of birth, position, and contact information of the Applicant • Name and contact information of the designated PIV Registrar • Name and contact information of the designated PIV Issuer • Signature of the PIV Sponsor • Etc etc etc etc etc

  19. Further Reading • The Enterprise Authentication Implementation Roadmap (nmi-edit) • EDUCAUSE/I2 Risk Assessment Framework • eAuthentication, password credential assessment (cio.gov) • Electronic Authentication Guideline (NIST SP 800-63)

  20. Conclusion • Not simple. • Cannot be done in isolation. • Many contexts to consider simultaneously. • One size does Not fit all.

More Related