Identity Management - Seidenberg School of Computer

Identity & Access Management
DCS 861 Team2
Kirk M. Anne
Carolyn Sher-Decaustis
Kevin Kidder
Joe Massi
John Stewart
The Problem
• How do you establish a digital ID?
• How do you “guarantee” somebody’s ID?
• How do you prevent unauthorized access?
• How do you protect confidential ID data?
• How do you “share” identities?
• How do you avoid “mistakes”?
What is IdM/IAM?
• The Burton Group defines identity management as follows:
– “Identity management is the set of business processes, and a supporting infrastructure for the creation, maintenance, and use of digital identities.”
[Figure: Internet2 HighEd IdM model]
A more “complete” definition
• An integrated system of business processes, policies and technologies that enables organizations to facilitate and control user access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users.
http://www.comcare.org/Patient_Tracking/IPTI-Glossary.html
[Figure: Identity Management diagram with the elements Policy, Confidential Information, Technology/Infrastructure, Uses, Business Processes]
Why is IdM/IAM important?
• Social networking
• Customer/Employee Management
• Information Security (Data Breach laws)
• Privacy/Compliance issues
• Business Productivity
• Crime prevention
Components of IdM/IAM
[Figure: Identity Life-Cycle Management, Access Management, Directory Services]
Directory Services
• Lightweight Directory Access Protocol (LDAP)
• Stores identity information
– Personal Information
– Attributes
– Credentials
– Roles
– Groups
– Policies
Components of a digital identity
[Figure: Biographical Information (Name, Address); Biometric Information (Behavioral, Biological); Business Information (Transactions, Preferences)]
Access Management
• Authentication/Single Sign On
• Entitlements (Organization/Federation)
• Authorization
• Auditing
• Service Provision
• Identity Propagation/Delegation
• Security Assertion Markup Language (SAML)
Access Management
• Authentication (AuthN)
– Three types of authentication factors
• Type 1 – Something you know
• Type 2 – Something you have
• Type 3 – Something you are
• Authorization (AuthZ)
– Access Control
• Role-Based Access Control (RBAC)
• Task-Based Access Control (TBAC)
– Single Sign On/Reduced Sign On
– Security Policies
Levels of Assurance
Level   Confidence                                     Risk
LOA-1   Little or no confidence identity is accurate   Impacts individual
LOA-2   Confidence exists identity is accurate         Impacts individual and organization
LOA-3   High confidence identity is accurate           Impacts multiple people and organization
LOA-4   Very high confidence identity is accurate      Impacts indiscriminate populations
[Figure: example activities plotted by Level of Assurance (LOA-1 to LOA-4, Risk Low to High) against Data Classification/Privileges (Low to High): Manage My Benefits, Manage Research Data, Manage Other’s Benefits, View My Vacation, Manage Financials, Apply to College, View My Grades, Join a Group, Manage My Calendar, Give Donations, Take a Test, Buy Tickets, Enroll in a Course, Manage Financial Aid, Manage Student Records, Enter Course Grades, Administer Course Settings, Access to Biotechnology Lab]
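The Access Management slide (RBAC) and the Levels of Assurance table together imply a two-part access decision: the session's assurance level must meet the data classification of the resource before the role entitlement is even considered. The following Python is an added illustration, not code from the slides; the resource catalogue, role names and the LOA assigned to each activity are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Levels of Assurance as on the slide: LOA-1 (little or no confidence)
# up to LOA-4 (very high confidence that the identity is accurate).
LOA_NAMES = {1: "little or no confidence", 2: "confidence exists",
             3: "high confidence", 4: "very high confidence"}


@dataclass(frozen=True)
class Resource:
    name: str
    min_loa: int                   # assurance required by the data classification
    allowed_roles: FrozenSet[str]  # RBAC entitlement, as held in the directory


@dataclass(frozen=True)
class Session:
    subject: str
    roles: FrozenSet[str]  # roles read from the subject's directory entry
    loa: int               # assurance achieved at authentication


# Constructed sample catalogue; the LOA placements are assumptions, not the slide's.
RESOURCES = {
    "join_group": Resource("Join a Group", 1, frozenset({"student", "faculty"})),
    "view_grades": Resource("View My Grades", 2, frozenset({"student"})),
    "enter_grades": Resource("Enter Course Grades", 3, frozenset({"faculty"})),
    "biotech_lab": Resource("Access to Biotechnology Lab", 4, frozenset({"lab_staff"})),
}


def authorize(session: Session, key: str) -> Tuple[bool, str]:
    """Decide access: assurance check first, then role check.

    The distinct reasons matter to the caller: an LOA shortfall is cured by
    step-up authentication (adding another factor type), whereas a missing
    role is an entitlement problem that re-authentication cannot fix.
    """
    res = RESOURCES[key]
    if session.loa < res.min_loa:
        return False, f"step-up: {res.name} needs LOA-{res.min_loa}, session is LOA-{session.loa}"
    if not session.roles & res.allowed_roles:
        return False, f"not entitled: {res.name} requires one of {sorted(res.allowed_roles)}"
    return True, f"allowed ({LOA_NAMES[session.loa]})"


if __name__ == "__main__":
    student = Session("jdoe", frozenset({"student"}), loa=2)
    for key in RESOURCES:
        print(key, authorize(student, key))
```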
Identity Life-Cycle Management
• User Management
• Credential Management
• Entitlement Management
• Integration (Authoritative Sources of Record)
• Identity Provisioning/Deprovisioning
“Student” Identity Life Cycle
[Figure: life-cycle states Accepted, Prospective, Paid Deposit, Leave of Absence, Graduated, Registered, Withdrawn]
Federated Identity Management
• Business Enablement
• Automatically share identities between administrative boundaries
– Identity Providers (IdP)
– Service Providers (SP)
• Easier access for users (use local credentials)
• Requires trust relationships
[Figure: Shibboleth, from the Internet2 HighEd IdM model]
Research Areas
• Public Safety
– Identity theft, cybercrime, computer crime, organized crime groups, document fraud, and sexual predator detection
• National Security
– Cybersecurity and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
• Commerce
– Mortgage fraud and other financial crimes, data breaches, ecommerce fraud, insider threats, and health care fraud
• Individual Protection
– Identity theft and fraud
• Integration
– Biometrics, Policy assessment/development, Confidentiality, Privacy