
Next Gen Identity Management for Networks: old problems, new challenges

V1.0. Next Gen Identity Management for Networks: old problems, new challenges. Anthony M. Rutkowski mailto:trutkowski@verisign.com Distinguished Fellow, Nunn Center for International Strategy Technology and Policy VP Regulatory Affairs and Standards, VeriSign



  1. V1.0 Next Gen Identity Management for Networks: old problems, new challenges
     Anthony M. Rutkowski, mailto:trutkowski@verisign.com
     Distinguished Fellow, Nunn Center for International Strategy Technology and Policy
     VP Regulatory Affairs and Standards, VeriSign
     Member, ITU High-Level Experts Group on Cybersecurity
     Editor, Recommendation X.IdMreq, Requirements for Global Interoperable Identity Management, ITU-T Study Group 17
     Georgia Tech Information Security Center Seminar, Atlanta, USA, 13 Nov 2007
     Disclaimer: these views are personal and do not necessarily represent those of any company or institution with whom I am affiliated

  2. Summary
     • A significant initiative of almost non-stop global activity over the past year brought together a diverse array of people and communities to explore and map an uncharted new universe of Identity Management
     • The "map" consists of four reports that attempt to structure a Next Generation Identity Management universe and chart a destiny through a set of requirements and framework(s)
     • The objective of this endeavor is an essential “grand challenge” for some reasonable level of cybersecurity as well as a broad ensemble of government, business, and consumer needs, including the holy grail of nomadicity - anytime, anywhere, using any device, by any user or provider
     • Implementation
       • Essential requirements and methods for viable open, nomadic public network infrastructure were established a hundred years ago when radio technology emerged
       • Internetworking requirements and methods were established circa 1975-1995 through the OSI initiatives. What is different?
       • Identity Management is a core essential
       • Implementation of open global nomadicity necessitates substantial new international legal, institutional, technical, and cooperative measures

  3. What is Identity Management
     • Capabilities
       • By which entities can create, discover, assert, exchange, revoke, control, and use identities with some level of assurance over a defined lifecycle
       • An entity is anything with a distinct existence that can possess identity (person, organization, provider, object, device, software, process, program, etc.)
       • Identities are any means of authentication, identifiers, attributes, or pattern asserted by or associated with an entity
     • Use cases, requirements, law, regulation, standards, administration, customer and business needs, and products and services related to these capabilities

  4. Why is Identity Management Important
     • Essential for communications, commerce, and just about any significant societal activity
     • Essential for network/cybersecurity and critical infrastructure protection – both preventative and forensic
     • Especially important for open nomadic networks
     • In a world where the cost and revenue earning potential of transporting bits is asymptotically approaching zero, providing Identity Management services and content are an enduring strong value proposition
     • Because most of our professional lives will be spent dealing with it

  5. Identity Management is essential to many public/government needs

  6. Identity Management is essential to many corporate & institutional needs

  7. An expanding, insular Identity Management universe

  8. Long-term shift to Identity Providers by industry (figure: Legacy Identity Management, wireline, to Next Generation Identity Management, wireline; primary driver is Nomadicity)

  9. Shift to open Identity client platforms in 2007
     • OpenID emerged as a large-scale, open, non-proprietary means to implement IdM as
       • a fully decentralized system
       • a light cost structure
     • InfoCard emerged as a large-scale, open, proprietary (Microsoft) means to implement IdM on a large-scale with ubiquitous computer/commercial wireless operating systems

  10. A Challenge: very different perspectives on Identity Management (figure: Users, Network Operators, Application Providers, Government, and Identity Bridges)

  11. Focus Group on Identity Management
     • Existed Feb-Sept 2007
     • Treated every aspect of Identity Management
       • All “entities” and all forms of identity, technologies, and provisioning
     • Broad global participation and outreach
       • Discovered, analyzed, and in many cases contacted more than 100 different IdM forums within more than 60 different organizations
       • Met five times on three different continents
       • Involved 139 different people, 88 different organizations in 22 countries
       • Basis was 114 input contributions from 41 different companies and organizations
       • Collaborated also via Wiki: www.ituwiki.com
     • Produced four major reports as the basis for future standards and new global Identity Management actions
       • New “flagship” ITU-T standards activities in 2008 and beyond
       • Comparable activities in most regional and national bodies
       • Infusion into numerous network/cyber/national security technical activities, public policy making proceedings, and R&D – especially for IMS/NGNs

  12. ITU-T 2007 Forum Meetings (calendar figure; venues are Geneva unless otherwise indicated; key: JCA-IdM, Other ITU, Focus Group, Non-ITU)
     • 2007Q4: JCA-IdM 10-11 Dec; Q6/17 6-7 Nov, Piscataway; IdM JRG / WP2/17, IPTV 10-14 Dec; TSAG 3-7 Dec; SG2 30 Oct-8 Nov; FG IPTV 30 Oct-8 Nov
     • Earlier 2007: SG13 Q15 Jan, Beijing; SG13 Q15 Sep; OECD May, Trondheim; ISO SC27 WG5 Sep, Luzerne

  13. ITU-T IdM 2008 Meetings (calendar figure; venues are Geneva unless otherwise indicated; key: JCA-IdM, Other ITU, IdM-GSI, Non-ITU)
     • JCA-IdM: __ Jan, Seoul; __ Apr; __ May; Sep
     • IdM GSI: __ Jan, Seoul; __ Apr; __ May; __ Sep
     • 2008Q1: NGN GSI SG13, 11, 19, NID 14-25 Jan, Seoul; ISO SC27 WG5 13-14 Feb, Berlin
     • 2008Q2: SG17 7-18 Apr; SG16 22 Apr-2 May; NGN GSI SG2, 4, HLEG 12-23 May
     • 2008Q3: TSAG 2-11 Jul; IdM JRG / NGN GSI 1-12 Sep
     • 2008Q4: WTSA-08 21-30 Oct

  14. Four Identity Management Deliverables for Sep 2007
     • 73 requirements and recommendations
     • First global Identity Management legal and regulatory compendium
     See Focus Group www.ituwiki.com

  15. Common global ontology and lexicon for Identity Management

  16. Compendium of Identity Management Legal and Regulatory Requirements

  17. Seven Sets of Technical Requirements Identified and Specified

  18. Far reaching architecture requirements (figure: a common, structured Identity Management Model and IdM Plane)

  19. Toward managed “smarter networks” and an IdM Plane
     • It is time to put the “dumb network” myth to rest
     • Telecommunication networks achieved security and protection through an “out of band” trusted signalling plane
       • Intelligent Network signalling requirements established by FCC Computer III Decision & 1996 Communications Act – which drove unbundling and open standards
       • Signalling plane doubled as the Identity Management plane
     • Next Generation IP networks must effect a similar trusted signalling plane with common IdM capabilities
       • IP signalling infrastructure is smart, but “in-band” and vulnerable
       • Principal recommendations of NSTAC include signalling and Identity Management
       • Implementation is a core feature of mainstream industry standards work

  20. Identity Management Provisioning Requirements
     Provision of credential, identifier, attribute, and pattern identity services with known assurance levels to all Entities
     • Interoperable protocols, including objects
     • Assurance/confidence metrics
     • Lifecycle management
     • Improved identity proofing and discovery for public network identifiers in hierarchical assignment identifier structures

  21. Parties that comprise the IdM model
     • End-User Entities (Requesting/Asserting Identities)
       • Real persons
       • Legal persons
       • Institutions
       • Organizations
       • Guardians/agents
       • Group
       • Objects
         • Physical: Terminal devices, Network equipment, SIM or Smart Card
         • Virtual: Software, Geospatial, Content
     • Relying Parties (Using asserted identities)
       • Service or resource provider
       • Alliances
     • Identity Providers (to End-Users)
       • Credential provider
       • Identifier provider
       • Attribute provider
       • Pattern/reputation provider
       • Discovery provider
       • Identity Bridge provider
       • Auditing or Policy Enforcement provider
       • Federations

  22. Provisioning conforms to ontology for Identity Management

  23. Discovery
     Discovery of authoritative Identity Provider resources, services and federations
     • 3 requirements/recommendations
     • Global mechanisms for discovery of asserted forms of identity
     • Determining source for “authoritative” identities
     • Interfederation bridging capabilities
       • Should include characteristics and policies of the interfaces, dynamic registration and de-registration of federation relationships, authentication, permissions, and attributes
       • Provider business agreements and federation based policies
     • Likely based on XRI and ITU-ISO based global registry

  24. Interoperability
     Interoperability among authorization privilege management platforms, identity providers and provider federations, including Identity Bridge Providers
     • 7 recommendations
     • Use of federations and Identity Bridge providers by end users
     • Support for authentication domains within alliances and federations

  25. Security
     Security and other measures for reduction of identity threats and risks, including protection of resources and personally identifiable information
     • 13 recommendations
     • Support for revocation of assertions
     • Consider adopted global standards in ITU, ISO and other bodies for Identity Assurance and Authentication
     • Dynamic establishment of time-limited trust mechanisms for transient and changed relationships
     • Support for terminal device objects (e.g., SIM cards)
     • Notification of compromised identity resources to affected parties
     • Support for multi-factor authentication
     • IdM identity proofing matching different authentication contexts, especially when requested
     • Provide levels of identity protection, including support for relevant OECD privacy guidelines
     • Provide end user transparency and notification capabilities relevant to protection of personally identifiable information

  26. Privacy
     • Term avoided in favor of 3 explicit descriptions below because of significantly different connotations
       • Europe largely views privacy in terms of controls on private sector rather than government; and conversely expects government to play strong Identity Management roles
       • U.S. largely holds converse views
     • Protection of personally identifiable information
       • Treated as security and compliance capabilities
     • Protection from unwanted intrusions
       • Treated as an identity attribute capability
     • Ability to act anonymously
       • Treated as an assurance metric, i.e., equivalent to zero assurance level
       • Largely discouraged
     • Emphasis also placed on transparency and effective notice combined with user-centric protocol capabilities allowing individual choice to be expressed and shared and associated costs to be known
     • Lingering uncertainty about object privacy as most jurisdictions do not accord objects any rights

  27. Compliance
     Auditing and compliance, including policy enforcement and protection of personally identifiable information
     • 3 requirements/recommendations
     • Support for use of auditing mechanisms and exchange of information about those mechanisms
     • Recommended time-stamp accuracy
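The provisioning, security, privacy and compliance requirements in slides 20, 25, 26 and 27 (assurance levels, time-limited trust, revocation of assertions, anonymity treated as assurance level zero, and time-stamped auditing) can be shown together as a relying party's policy check on an incoming identity assertion. This is an added illustration, not code from the presentation or from ITU-T; the class names, the integer assurance scale and the sample assertions are constructed assumptions.

```python
"""Relying-party checks on an identity assertion (added illustration).

Models four of the Focus Group requirements: known assurance levels, time-limited
trust, revocation of assertions, and a time-stamped audit record of each decision.
The integer assurance scale and all names here are assumptions, not ITU-T definitions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Slide 26: acting anonymously is treated as the zero assurance level.
ANONYMOUS = 0


@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    subject: str            # asserted identifier; may be a pseudonym
    issuer: str             # identity provider that made the assertion
    assurance_level: int    # 0 = anonymous, higher = stronger identity proofing
    issued_at: datetime
    expires_at: datetime    # time-limited trust: the assertion is dead after this


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime     # slide 27: accurate time-stamps on audit records
    assertion_id: str
    issuer: str
    decision: str           # "accept" or "reject"
    reason: str


@dataclass
class RelyingParty:
    trusted_issuers: set
    min_assurance: int
    revoked: set = field(default_factory=set)      # revoked assertion ids (slide 25)
    audit_log: list = field(default_factory=list)  # every decision, accepted or not

    def revoke(self, assertion_id: str) -> None:
        self.revoked.add(assertion_id)

    def evaluate(self, a: Assertion, now: Optional[datetime] = None) -> AuditRecord:
        """Apply the checks in order and record the outcome before returning it."""
        now = now or datetime.now(timezone.utc)
        if a.issuer not in self.trusted_issuers:
            ok, reason = False, "issuer not in federation"
        elif a.assertion_id in self.revoked:
            ok, reason = False, "assertion revoked"
        elif not (a.issued_at <= now < a.expires_at):
            ok, reason = False, "assertion outside validity window"
        elif a.assurance_level < self.min_assurance:
            ok, reason = False, (f"assurance level {a.assurance_level} "
                                 f"below required {self.min_assurance}")
        else:
            ok, reason = True, "all checks passed"
        rec = AuditRecord(now, a.assertion_id, a.issuer, "accept" if ok else "reject", reason)
        self.audit_log.append(rec)
        return rec


def demo():
    """Run constructed sample assertions through one relying party; returns (decisions, log)."""
    now = datetime(2007, 11, 13, 12, 0, tzinfo=timezone.utc)  # constructed fixed clock
    rp = RelyingParty(trusted_issuers={"idp.example"}, min_assurance=2)
    one_min, five_min = timedelta(minutes=1), timedelta(minutes=5)
    samples = [
        Assertion("a1", "alice", "idp.example", 3, now - one_min, now + five_min),
        Assertion("a2", "anon-7f3", "idp.example", ANONYMOUS, now - one_min, now + five_min),
        Assertion("a3", "bob", "idp.example", 3, now - five_min, now - one_min),   # expired
        Assertion("a4", "carol", "rogue.example", 3, now - one_min, now + five_min),
        Assertion("a5", "dave", "idp.example", 3, now - one_min, now + five_min),
    ]
    rp.revoke("a5")  # provider notified us that a5 was compromised
    decisions = {a.assertion_id: rp.evaluate(a, now).decision for a in samples}
    return decisions, rp.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for rec in log:
        print(rec.timestamp.isoformat(), rec.assertion_id, rec.decision, "-", rec.reason)
```

Checks are ordered so that a rejection is attributed to the first failing control; every evaluation, accepted or rejected, lands in the audit log with the clock value used for the validity-window test, which is what makes the log useful for the forensic side of the requirements.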

  28. Robustness and Operational Needs
     Usability, Scalability, Performance, Reliability, Availability, Accounting, Internationalization, and Disaster Recovery
     • 3 recommendations
     • Little developed by anyone; much needs to be done

  29. Object Communications
     • Most Identity Management capabilities apply equally to all object communications
     • Some objects that are terminal based (e.g., SIM cards, physical credential readers, geospatial units, and sensor readers) both support and require significant IdM capabilities
     • Support for autonomous networked object IdM interoperability involves many new issues
       • How will competing object demands for network resources be prioritized and managed, especially during emergency conditions or network failures
       • What legal responsibilities and rights are associated with objects, and how are they expressed globally and discovered

  30. Identity Management Coordination Map

  31. Major ITU-T IdM 2008(9) Deliverables

  32. The past as prologue: radio networks
     • A new open public network infrastructure with globally nomadic users
     • Implementation invoked strong international and domestic regimes that emerged a hundred years ago from public network operators and government
       • Basic treaty-norm to take all necessary steps to avoid “harmful interference” (Radio Regulations)
       • Mandate globally unique device identities
       • Maintain device-user bindings and query capability
       • Establish common signalling protocols
       • Type-accept devices
       • National government monitoring of use
       • Compartmentalize network use

  33. The past as prologue: OSI internet
     • A new open public internetwork infrastructure with globally nomadic users
     • Implementation invoked strong international and domestic regimes established 1975-1995 by public network providers and government
       • Basic treaty-norm to take necessary steps to “avoid technical harm to the operation of the telecommunication facilities” (International Telecommunication Regulations)
       • Mandate globally unique and authenticated user, provider, device, software and content identities using OIDs and PKI
       • Maintain universal device-user bindings and query capability
       • Establish common signalling protocols

  34. Conclusions
     • Public IP internet infrastructure that emerged after 1995 is similar to the chaotic days of early radio use
     • Harm to the public infrastructure and fraud abound and remain as threats
     • Implementing effective identity management capabilities is essential – as it has always been for public infrastructures
     • Anonymity almost disappears; privacy is a value proposition
     • Globalization/nomadicity combined with complexity of the infrastructures and applications increase the IdM value proposition
     • Primary venues for Identity Management include
       • Government/intergovernmental actions
       • Industry/developer initiatives and products
       • Standards and administrative implementations
     • Immediate priorities include better identity proofing and lifecycle management, trusted identifiers for providers and network objects, discovery and assurance metrics
     • Significant, global, rapidly scaling product and personal opportunities
