
V1.0

Next Gen Identity Management for Networks: old problems, new challenges

Anthony M. Rutkowski

mailto:trutkowski@verisign.com

Distinguished Fellow, Nunn Center for International Strategy Technology and Policy

VP Regulatory Affairs and Standards, VeriSign

Member, ITU High-Level Experts Group on Cybersecurity

Editor, Recommendation X.IdMreq, Requirements for Global Interoperable Identity Management, ITU-T Study Group 17

Georgia Tech Information Security Center

Seminar, Atlanta, USA, 13 Nov 2007

Disclaimer: these views are personal and do not necessarily represent those of any company or institution with whom I am affiliated

Summary
  • A significant initiative of almost non-stop global activity over the past year brought together a diverse array of people and communities to explore and map an uncharted new universe of Identity Management
  • The "map" consists of four reports that attempt to structure a Next Generation Identity Management universe and chart a destiny through a set of requirements and framework(s)
  • The objective of this endeavor is an essential “grand challenge” for some reasonable level of cybersecurity as well as a broad ensemble of government, business, and consumer needs, including the holy grail of nomadicity - anytime, anywhere, using any device, by any user or provider
  • Implementation
    • Essential requirements and methods for viable open, nomadic public network infrastructure were established a hundred years ago, when radio technology emerged
    • Internetworking requirements and methods were established circa 1975-1995 through the OSI initiatives. What is different?
    • Identity Management is a core essential
    • Implementation of open global nomadicity necessitates substantial new international legal, institutional, technical, and cooperative measures
What is Identity Management
  • Capabilities
    • By which entities can create, discover, assert, exchange, revoke, control, and use identities with some level of assurance over a defined lifecycle
      • An entity is anything with a distinct existence that can possess identity (person, organization, provider, object, device, software, process, program, etc.)
      • Identities are any means of authentication, identifiers, attributes, or pattern asserted by or associated with an entity
  • Use cases, requirements, law, regulation, standards, administration, customer and business needs, and products and services related to these capabilities
Why is Identity Management Important
  • Essential for communications, commerce, and just about any significant societal activity
  • Essential for network/cybersecurity and critical infrastructure protection – both preventative and forensic
  • Especially important for open nomadic networks
  • In a world where the cost and revenue earning potential of transporting bits is asymptotically approaching zero, providing Identity Management services and content are an enduring strong value proposition
  • Because most of our professional lives will be spent dealing with it
Long-term shift to Identity Providers by industry

(Chart slide: Legacy Identity Management versus Next Generation Identity Management, plotted for wireline and other industries; the primary driver is nomadicity.)
Shift to open Identity client platforms in 2007
  • OpenID emerged as a large-scale, open, non-proprietary means to implement IdM as
    • a fully decentralized system
    • a light cost structure
  • InfoCard emerged as a large-scale, open, proprietary (Microsoft) means to implement IdM on a large scale with ubiquitous computer/commercial wireless operating systems

A Challenge: very different perspectives on Identity Management

(Diagram slide: Identity Bridges at the centre, surrounded by Users, Network Operators, Application Providers, and Government.)
Focus Group on Identity Management
  • Existed Feb-Sept 2007
  • Treated every aspect of Identity Management
    • All “entities” and all forms of identity, technologies, and provisioning
  • Broad global participation and outreach
    • Discovered, analyzed, and in many cases contacted more than 100 different IdM forums within more than 60 different organizations
    • Met five times on three different continents
    • Involved 139 different people, 88 different organizations in 22 countries
    • Basis was 114 input contributions from 41 different companies and organizations
    • Collaborated also via Wiki: www.ituwiki.com
  • Produced four major reports as the basis for future standards and new global Identity Management actions
    • New “flagship” ITU-T standards activities in 2008 and beyond
    • Comparable activities in most regional and national bodies
    • Infusion into numerous network/cyber/national security technical activities, public policy making proceedings, and R&D – especially for IMS/NGNs
ITU-T 2007 Forum Meetings

(Calendar slide; venues are Geneva unless otherwise indicated.)
  • JCA-IdM: 10-11 Dec (2007Q4)
  • Q6/17: 6-7 Nov, Piscataway
  • IdM JRG, WP2/17, IPTV: 10-14 Dec
  • TSAG: 3-7 Dec
  • SG2: 30 Oct-8 Nov
  • FG IPTV: 30 Oct-8 Nov
  • SG13 Q15: Jan, Beijing
  • SG13 Q15: Sep
  • OECD: May, Trondheim (non-ITU)
  • ISO SC27 WG5: Sep, Luzerne (non-ITU)

Key: JCA-IdM; Other ITU; Focus Group; Non-ITU
ITU-T IdM 2008 Meetings

(Calendar slide covering 2008Q1-2008Q3; venues are Geneva unless otherwise indicated.)
  • JCA-IdM: Jan (Seoul), Apr, May, Sep
  • IdM GSI: Jan (Seoul), Apr, May, Sep
  • NGN GSI (SG13, SG11, SG19, NID): 14-25 Jan, Seoul
  • SG17: 7-18 Apr
  • NGN GSI (SG2, SG4, HLEG): 12-23 May
  • TSAG: 2-11 Jul
  • IdM JRG, NGN GSI: 1-12 Sep
  • WTSA-08: 21-30 Oct
  • SG16: 22 Apr-2 May
  • ISO SC27 WG5: 13-14 Feb, Berlin (non-ITU)

Key: JCA-IdM; Other ITU; IdM-GSI; Non-ITU
Four Identity Management Deliverables for Sep 2007
  • 73 requirements and recommendations
  • First global Identity Management legal and regulatory compendium

See the Focus Group wiki: www.ituwiki.com

Far reaching architecture requirements

(Diagram slide: IdM Model and IdM Plane.) A common, structured Identity Management Model and IdM Plane

Toward managed “smarter networks” and an IdM Plane
  • It is time to put the “dumb network” myth to rest
  • Telecommunication networks achieved security and protection through an “out of band” trusted signalling plane
    • Intelligent Network signalling requirements established by FCC Computer III Decision & 1996 Communications Act – which drove unbundling and open standards
    • Signalling plane doubled as the Identity Management plane
  • Next Generation IP networks must effect a similar trusted signalling plane with common IdM capabilities
    • IP signalling infrastructure is smart, but “in-band” and vulnerable
    • Principal recommendations of NSTAC include signalling and Identity Management
    • Implementation is a core feature of mainstream industry standards work
Identity Management Provisioning Requirements

Provision of credential, identifier, attribute, and pattern identity services with known assurance levels to all Entities

Interoperable protocols, including objects

Assurance/confidence metrics

Lifecycle management

Improved identity proofing and discovery for public network identifiers in hierarchical assignment identifier structures

Parties that comprise the IdM model
  • End-User Entities (requesting/asserting identities)
    • Real persons
    • Legal persons
      • Institutions
      • Organizations
      • Guardians/agents
      • Group
    • Objects
      • Physical
        • Terminal devices
        • Network equipment
        • SIM or Smart Card
      • Virtual
        • Software
        • Geospatial
        • Content
  • Relying Parties (using asserted identities)
    • Service or resource provider
    • Alliances
  • Identity Providers (to End-Users)
    • Credential provider
    • Identifier provider
    • Attribute provider
    • Pattern/reputation provider
    • Discovery provider
    • Identity Bridge provider
    • Auditing or Policy Enforcement provider
    • Federations
Discovery

Discovery of authoritative Identity Provider resources, services and federations

  • 3 requirements/recommendations
    • Global mechanisms for discovery of asserted forms of identity
    • Determining source for “authoritative” identities
    • Interfederation bridging capabilities
        • Should include characteristics and policies of the interfaces, dynamic registration and de-registration of federation relationships, authentication, permissions, and attributes
    • Provider business agreements and federation based policies
    • Likely based on XRI and ITU-ISO based global registry
Interoperability
  • 7 recommendations
    • Use of federations and Identity Bridge providers by end users
    • Support for authentication domains within alliances and federations

Interoperability among authorization privilege management platforms, identity providers and provider federations, including Identity Bridge Providers

Security
  • 13 recommendations
    • Support for revocation of assertions
    • Consider adopted global standards in ITU, ISO and other bodies for Identity Assurance and Authentication
    • Dynamic establishment of time-limited trust mechanisms for transient and changed relationships
    • Support for terminal device objects (e.g., SIM cards)
    • Notification of compromised identity resources to affected parties
    • Support for multi-factor authentication
    • IdM identity proofing matching different authentication contexts, especially when requested
    • Provide levels of identity protection, including support for relevant OECD privacy guidelines
    • Provide end user transparency and notification capabilities relevant to protection of personally identifiable information

Security and other measures for reduction of identity threats and risks, including protection of resources and personally identifiable information

Privacy
  • Term avoided in favor of 3 explicit descriptions below because of significantly different connotations
    • Europe largely views privacy in terms of controls on private sector rather than government; and conversely expects government to play strong Identity Management roles
    • U.S. largely holds converse views
  • Protection of personally identifiable information
    • Treated as security and compliance capabilities
  • Protection from unwanted intrusions
    • Treated as an identity attribute capability
  • Ability to act anonymously
    • Treated as an assurance metric, i.e., equivalent to zero assurance level
    • Largely discouraged
  • Emphasis also placed on transparency and effective notice combined with user-centric protocol capabilities allowing individual choice to be expressed and shared and associated costs to be known
  • Lingering uncertainty about object privacy as most jurisdictions do not accord objects any rights
Compliance
  • 3 requirements/recommendations
    • Support for use of auditing mechanisms and exchange of information about those mechanisms
    • Recommended time-stamp accuracy

Auditing and compliance, including policy enforcement and protection of personally identifiable information

Robustness and Operational Needs
  • 3 recommendations
  • Little developed by anyone; much needs to be done

Usability, Scalability, Performance, Reliability, Availability, Accounting, Internationalization, and Disaster Recovery

Object Communications
  • Most Identity Management capabilities apply equally to all object communications
  • Some objects that are terminal based (e.g., SIM cards, physical credential readers, geospatial units, and sensor readers) both support and require significant IdM capabilities
  • Support for autonomous networked object IdM interoperability involves many new issues
    • How will competing object demands for network resources be prioritized and managed, especially during emergency conditions or network failures?
    • What legal responsibilities and rights are associated with objects, and how are they expressed globally and discovered?
The past as prologue: radio networks
  • A new open public network infrastructure with globally nomadic users
    • Implementations invoked strong international and domestic regimes that emerged a hundred years ago through public network operators and governments
    • Basic treaty-norm to take all necessary steps to avoid “harmful interference” (Radio Regulations)
    • Mandate globally unique device identities
    • Maintain device-user bindings and query capability
    • Establish common signalling protocols
    • Type-accept devices
    • National government monitoring of use
    • Compartmentalize network use
The past as prologue: OSI internet
  • A new open public internetwork infrastructure with globally nomadic users
    • Implementations invoked strong international and domestic regimes that emerged 1975-1995 through public network providers and governments
    • Basic treaty-norm to take necessary steps to “avoid technical harm to the operation of the telecommunication facilities” (International Telecommunication Regulations)
    • Mandate globally unique and authenticated user, provider, device, software and content identities using OIDs and PKI
    • Maintain universal device-user bindings and query capability
    • Establish common signalling protocols
Conclusions
  • Public IP internet infrastructure that emerged after 1995 is similar to the chaotic days of early radio use
  • Harm to the public infrastructure and fraud abound and remain as threats
  • Implementing effective identity management capabilities is essential – as it has always been for public infrastructures
  • Anonymity almost disappears; privacy is a value proposition
  • Globalization/nomadicity combined with complexity of the infrastructures and applications increase the IdM value proposition
  • Primary venues for Identity Management include
    • Government/intergovernmental actions
    • Industry/developer initiatives and products
    • Standards and administrative implementations
  • Immediate priorities include better identity proofing and lifecycle management, trusted identifiers for providers and network objects, discovery and assurance metrics
  • Significant, global, rapidly scaling product and personal opportunities