1 / 29

Global Authentication: Liberty Alliance Identity Assurance Framework

Brett McDowell, Executive Director, Liberty Alliance brett@projectliberty.org phone: +1.413.652.1248. Global Authentication: Liberty Alliance Identity Assurance Framework. Agenda. Introduction State of the Market Levels of Assurance Assessment Criteria Process Conclusions.

una
Download Presentation

Global Authentication: Liberty Alliance Identity Assurance Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Brett McDowell, Executive Director, Liberty Alliance brett@projectliberty.org phone: +1.413.652.1248 Global Authentication:Liberty AllianceIdentity Assurance Framework

  2. Agenda • Introduction • State of the Market • Levels of Assurance • Assessment Criteria • Process • Conclusions

  3. Why was Liberty Alliance Formed? • Identity is important & complex. We must deliver clarity OR: • industry will become more fractured • governments will intervene • Foster the ubiquitous, open, interoperable, privacy-respecting, identity layer (holistic identity management): • Liberty represents all constituencies toward this objective • (vendors, enterprise, government, universities, SME’s, etc.)‏ • Develop standards-based model to … • Interoperate in heterogeneous environments • Avoid proprietary vendor lock-in • Provide flexible foundation for future growth • Scale to the WWW • Deliver consumer & enterprise confidence that security, privacy and data integrity will be maintained

  4. Management Board Sponsors Liberty’s Global Membership 150 diverse member companies and organizations representing leaders in IT, mobility, government, service provision, system integration and finance working collaboratively to address the technology, business and policy aspects of digital identity management

  5. Liberty Focus Technology Standards and Guidelines Business and Privacy Guidelines Assurance An Ecosystem of Interoperable Products & Services An Ecosystem of Interoperable Products & Services Identity Assurance Framework & Assessors

  6. Some Liberty Achievements • The de-facto standard for Identity Federation (SAML 2.0)‏ • Standard framework for secure Web Services (ID-WSF 2.0)‏ • Publish case studies of successful deployments (17 verticals)‏ • EAP merger & Identity Assurance Framework public draft • GSA joins those requiring Liberty Interoperable™ testing • Concordia Project standards harmonisation demo at RSA • openLiberty.org Web Services Client (Java) beta release • Completed requirements for Strong Authentication (ID-SAFe)‏ • Initiated Identity Governance Framework (IGF) specification • Finalized Advanced Client specification for device provisioning

  7. Agenda • Introduction • State of the Market • Levels of Assurance • Assessment Criteria • Process • Conclusions

  8. Issues Remain to be Solved • World of identity is too complex for its own good….. • Individuals and commercial entities need simplicity in achieving what they want to do securely, privately, and confidently • In order to grow outside the enterprise—federate the federations—identity marketplace needs an open, scalable, trustworthy commercially viable solution

  9. Family/ Friends Commercial Employers Industry Comm. Networks People, Entities, Machines More? Institutions Financial Government The General Ecology Identity Reliance Identity Assertion

  10. Family/ Friends Commercial Employers Industry Comm. Networks People, Entities, Machines More? Institutions Financial Government The General Ecology Getting more complex all the time …

  11. There needs to be a Consistent & Clear Customer Experience

  12. Focus on Identity Assurance

  13. Identity Assurance Expert Group (IAEG)‏ • 2007 formed Identity Assurance Expert Group (IAEG) designed to foster adoption of identity assurance services • Initial contributions from EAP and U.S. E-Authentication Federation • Objective is to create a framework of baseline policies, business rules and commercial terms against which identity assurance services can be assessed and certified • Initial goal is to facilitate broad, uniform, interoperable, trusted identity federation practices across identity service providers – aka credential service providers (CSP’s) • Desired result is operational streamlining of identity service provider certification and accreditation processes for entire industry

  14. Agenda • Introduction • State of the Market • Levels of Assurance • Assessment Criteria • Process • Conclusions

  15. IAF Assurance Levels • Policy Overview • Level of trust associated with a credential measured by the strength and rigor of the identity-proofing process; the inherent strength of the credential and the policy and practice statements employed by the CSP‏. • Four Primary Levels of Assurance • Level 1 – little or no confidence in asserted identity’s validity • Level 2 – Some confidence • Level 3 – High level of confidence • Level 4 – Very high level of confidence • Use of Assurance Level is determined by level of authentication necessary to mitigate risk in the transaction, as determined by the Relying Party (RP) • CSPs are certified by Federation Operators (FO’s) to a specific Level(s)‏

  16. IAF Assurance Levels in Detail • Assurance level criteria as posited by the OMB M-04-04 and NIST Special Publication 800-63: • Level 1 – (e.g. registration to a news website)‏ • Satisfied by a wide range of technologies, including PINs • Does not require use of cryptographic methods • Level 2 – (e.g. change of address by beneficiary)‏ • Single-factor remote network authentication • Claimant must prove control of token through secure authentication protocol • Level 3 – (e.g. online access to a brokerage account)‏ • Multi-factor remote network authentication • Authentication by keys through cryptographic protocol • Tokens can be “soft”, “hard” or “one-time password” • Level 4 – (e.g. distribution of controlled drugs)‏ • Multi-factor remote authentication through “hard” tokens • Transactions are cryptographically authenticated using keys bound to the authentication process

  17. Assurance in Action

  18. Agenda • Introduction • State of the Market • Levels of Assurance • Assessment Criteria • Process • Conclusions

  19. IAF Service Assessment Criteria (SAC)‏ • Common Organization SAC - The general business and organizational conformity of services and their providers • Enterprise maturity; Information Security Mgmt; Operational Infrastructure, etc. • Identity Proofing SAC - The functional conformity of identity proofing services • Identity verification; Verification records • Credential Management SAC - The functional conformity of credential management services and their providers • Operating environment; Issuance; Revocation; Status Mgmt; Validation/Authentication

  20. Assurance Level Example Assessment Criteria -- Organization Assessment Criteria – Identity Proofing Assessment Criteria – Credential Mgmt AL 1 Registration to a news website Minimal Organizational criteria Minimal criteria - Self assertion PIN and Password AL 2 Change of address of record by beneficiary Moderate organizational criteria Moderate criteria - Attestation of Govt. ID Single factor; Prove control of token through authentication protocol AL 3 Access to an online brokerage account Stringent organizational criteria Stringent criteria – stronger attestation and verification of records Multi-factor auth; Cryptographic protocol; “soft”, “hard”, or “OTP” tokens AL 4 Dispensation of a controlled drug or $1mm bank wire Stringent organizational criteria More stringent criteria – stronger attestation and verification Multi-factor auth w/hard tokens only; crypto protocol w/keys bound to auth process Assurance level criteria as posited by the OMB M-04-04 and NIST Special Publication 800-63:

  21. Agenda • Introduction • State of the Market • Levels of Assurance • Assessment Criteria • Process • Conclusions

  22. IAF Business Rules • Focused on the use of credentials for authentication, initially targeting CSP’s • Liberty Alliance Project (LAP) provides accreditation of assessors who will perform certification assessment • Federation Operators will require LAP-accredited assessments • IAF provides guidelines for how all involved parties (relying parties, CSP’s and Federation Operators) may work together • LAP will maintain the Identity Assurance Framework and provide a current list of accredited assessors

  23. IAF Certification Model • Program for assessors to become accredited • Provide candidate CSP’s with guidelines for certifying against IAF • Enables Federation Operators to certify members against common industry framework and assessment practices • Liberty Alliance to define and provide governance over accreditation process • Phase one certification process is for CSP’s as defined in IAF

  24. Agenda • Introduction • State of the Market • Levels of Assurance • Assessment Criteria • Process • Conclusions

  25. Roadmap • Phase One of Certification Program for CSP’s/IDP’s, ratified in Identity Assurance Framework v1.0 FINAL (Q2 2008)‏ • Launch Accreditation Program to enable the Certification model and spur the market (Mid-2008)‏ • Introduce IAF Suite – documentation to support IAF • Scope and define Phase 2 • IAF Version 2.0 to focus on Federation Operators (begins Q3 2008)‏ • Best Practices / Usage Guidelines document for Relying Parties

  26. References (Contributions to IAF standard) • EAP Trust Framework: http://eap.projectliberty.org/docs/Trust_Framework_010605_final.pdf • OMB e-Authentication Guidance (OMB M-04-04): http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf • NIST Special Publication 800-63 Version 1.0.1: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf • Authentication Service Component Interface Specifications: http://www.cio.gov/eauthentication/documents/TechApproach.pdf • GSA Credential Assessment Framework, Password CAP, Certificate CAP and Entropy Spreadsheet: http://www.cio.gov/eauthentication/documents/PasswordCAP.pdf • Tscheme http://www.tscheme.org/profiles/index.html • TSCP http://tscp.org/about.htm

  27. Getting Involved • Liberty Alliance Identity Assurance Expert Group (Liberty Alliance membership is required)‏ http://www.projectliberty.org/liberty/membership/become_a_member • Identity Assurance Special Interest Group (Liberty Alliance membership is not required)‏ http://wiki.projectliberty.org/index.php/IASIG • Identity Assurance Framework for Review and Comment http://www.projectliberty.org/liberty/content/download/3736/24651/file/liberty-identity-assurance-framework-v1.0.pdf

  28. Thank YouAny Questions?Please get involved!

More Related