1 / 23

Adaptive Identity Management: Vision and Technology Development Overview

Adaptive Identity Management: Vision and Technology Development Overview. Trusted Systems Laboratory Hewlett-Packard Labs, Bristol, UK. Marco Casassa Mont ( marco_casassa-mont@hp.com) Pete Bramhall (pete_bramhall@hp.com). Identity Management Landscape.

jackgood
Download Presentation

Adaptive Identity Management: Vision and Technology Development Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Adaptive Identity Management: Vision and Technology Development Overview Trusted Systems Laboratory Hewlett-Packard Labs, Bristol, UK Marco Casassa Mont (marco_casassa-mont@hp.com) Pete Bramhall (pete_bramhall@hp.com)

  2. Identity Management Landscape Identity Management is a Core Aspect in many different Contexts, but … Enterprise & Business Integration E-Commerce Different Competing Aspects and Perspectives: Web Service Frameworks Government & Legislation • enterprise focus vs. consumer focus • mobility vs. centralisation • legislation vs. self-regulation • owners’ control vs. organisations’ control • privacy vs. free market • … Identity Management Privacy, Trust, Security Mobility Appliances, Devices No One Size Fits All … Policies Adaptive Identity Management - Technologies Overview

  3. Identity Aspects [1] • Identity Information • Multiple Attributes • Multiple Views • Multiple Contexts • and Stakeholders • Distributed Control • Different degrees • of Awareness Multiple Identities Associated to Entities (people, devices, services, etc.) Adaptive Identity Management - Technologies Overview

  4. Identity Aspects [2] Complexity of Identity Information Identity Information is Subject to Changes, over time Adaptive Identity Management - Technologies Overview

  5. Smart Cards PKI Liberty Biometrics IBE SAML RBAC Web Services EPAL P3P Trusted Platforms NGSCB XML TCPA/TCG … Current Identity Management • Identity Management is • Part of a Complex Ecosystem • Many Technology, Products, • Solutions … • Lack of Flexibility, Interoperability • and Management Integration Adaptive Identity Management - Technologies Overview

  6. Emerging Trends and Issues Trends • On Demand, Adaptive Infrastructures • Ubiquitous and Pervasive Computing • Trusted Platforms and Systems • Digital Rights Management • … Issues • Privacy • Identity Thefts and Frauds • Lack Of Control • Accountability • Complexity • … Adaptive Identity Management - Technologies Overview

  7. Emerging Requirements • Integration • Rationalisation • Flexibility • Context Awareness • Privacy Management • Control Over Identity Flow • Delegation Of Control • Accountability Management • Simplicity\Usability Adaptive Identity Management - Technologies Overview

  8. Our Vision Adaptive Identity Management Adaptive Identity Management - Technologies Overview

  9. Vision: Adaptive Identity Management (AIM) Core Properties • Integrated and • Collaborative • Management of • Identity Management • Tasks • Policy-Driven • Management • Context • Awareness Adaptive Identity Management - Technologies Overview

  10. Vision: Adaptive Identity Management (AIM) • Open API • Standardisation • Management Proxies • Cooperation at different • Levels of Abstraction • Policy Languages • Integration of Identity, • Trust, Privacy, Security • Aspects • Delegation of • Policy Refinement • Scalability Across • Boundaries and • Domains Adaptive Identity Management - Technologies Overview

  11. Moving Towards AIM: Accountable Identity and Privacy Management [1] • Privacy Protection via High-Level, • Sticky Policies • Accountability Enforcement via TTPs • User Control • Leverage IBE to Enforce • Sticky Policies • Leverage Trusted Platforms • Leverage Tagged OS • Leverage HSA Adaptive Identity Management - Technologies Overview

  12. Moving Towards AIM: Accountable Identity and Privacy Management [2] Integration of Multiple Constraints at Different Levels of Abstraction via Sticky Policies Authoring of Sticky Policies based on Templates and Policy Wizard Adaptive Identity Management - Technologies Overview

  13. Technology Development Overview Adaptive Identity Management - Technologies Overview

  14. App Control policy Hardware Security Appliance (HSA) Concept Systems can be subverted HSA Other Processes Worm Virus Hacker App Process HSA Service API System Server Administrator Adaptive Identity Management - Technologies Overview

  15. HSA – Trust Domains IT Infrastructure HSA Based Service Service API Service (Key use, Authentication, Authorisation, Audit.... Management Policies Service Identity Management Interface (Constrained by Policy) Signed Chain of Management events Network System Administrators Domain Service Administrator Adaptive Identity Management - Technologies Overview

  16. National Atmel Infineon TCPA/TCG - Implementation Status • Trusted Platform Modules (TPM) based on 1.1b specification available • Atmel • Infineon • National Semiconductor • Compliant PC platforms shipping now • HP-Protect Tools Embedded Security available on D530 business desktops • IBM ThinkPad notebooks and NetVista desktops • Increasing application support • RSA Secure ID, Checkpoint VPN, Verisign PTA Note: Modules shown are for test & debug. Actual system implementation may vary. Adaptive Identity Management - Technologies Overview

  17. Secure Data Tagging • Data comes with tags that reflect policies • All data is tagged; the tag specifies how to handle data whether it is private, confidential, sensitive etc • Works with standard applications • Policy is enforced by the OS kernel irrespective of application behaviour • Even a compromised application can’t leak your confidential data - a virus might send emails on your behalf, but it can’t send any confidential data in them (it’ll be encrypted or never sent, depending on policy) • Transparent and automatic application of policy to data • No action is needed by users or applications for this to happen and there need be no change application or user behaviour Adaptive Identity Management - Technologies Overview

  18. Policy Creation and Translation System policies created in dflow compiler Policy distribution and enforcement Policy File in Internal Format • Every tagging-aware device to be governed by a data usage policy In the ideal business environment, standard policies are published from a central location and dynamically propagated to policy aware devices Control Enforcement Tagged Data Decision Policy evaluation engine Flow causing operation yes, no, more checks Adaptive Identity Management - Technologies Overview

  19. What is Identifier-based Encryption (IBE)? • It is an Emerging Cryptography Technology • HP Approach based on Elliptic-Curve Crypography • Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party) • Same Strength as RSA • Usage: for Encryption/Decryption, Signatures, Role-based Applications, Policy Enforcement, etc. Adaptive Identity Management - Technologies Overview

  20. IBE Core Properties • 1st Property: Any Kind of “String” (or Sequence of Bytes) Can Be Used as an IBE Encryption Key: for example a Role, Terms and Conditions, an e-Mail Address, a Picture, a Disclosure Time • 2nd Property: The Generation of IBE Decryption Keys Can Be Postponed in Time, even Long Time After the Generation of the Correspondent IBE Encryption Key • 3rd Property: Reliance on at Least a Trust Authority (Trusted Third Party) for the Generation of IBE Decryption Key Adaptive Identity Management - Technologies Overview

  21. Alice Bob 4 3 2 5. Bob requests the Decryption Key associated to the Encryption Key to the relevant Trust Authority. 2. Alice knows the Trust Authority's published value of Public Detail N It is well known or available from reliable source 5 6 3. Alice chooses an appropriate Encryption Key. She encrypts the message: Encrypted message = {E(msg, N, encryption key)} 6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob’s entitlement to the Decryption Key. It needs the Secret to perform the computation. Trust Authority 1 1. Trust Authority - Generates and protects a Secret - Publishes a Public Detail N 4. Alice Sends the encrypted Message to Bob, along with the Encryption Key IBE Three-Player Model Adaptive Identity Management - Technologies Overview

  22. Active Digital Credentials Active Digital Credential: Up-to-Date Certified Information Integration of Procedures Within Digital Credentials to Retrieve Certified Up-to-Date Information along with its Trust Evaluation Adaptive Identity Management - Technologies Overview

More Related