Transcript European_Identity_Strategy – Nicole Harris

EUROPEAN IDENTITY STRATEGY
NICOLE HARRIS
e-Infrastructure Summer Workshops,
Federated Identity Technology
1
EU DIRECTIVES / REGULATIONS
HELPFUL DISTINCTION:
A Directive
shall be binding, as to the result to be achieved, upon
each Member State to which it is addressed, but shall
leave to the national authorities the choice of form and
methods.
A Regulation
shall have general application. It shall be binding in its
entirety and directly applicable in all Member States.
2
DATA PROTECTION
Currently:
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND
OF THE COUNCIL of 24 October 1995 on the protection
of individuals with regard to the processing of personal data
and on the free movement of such data
Moving to:
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL
on the protection of individuals with regard to the processing
of personal data and on the free movement of such data
(General Data Protection Regulation).
3
4
“People have really gotten comfortable not only sharing
more information and different kinds, but more openly
and with more people….That social norm is just
something that has evolved over time.”
Mark Zuckerberg, January 2011
http://www.guardian.co.uk/technology/2010/jan/11/fac
ebook-privacy
5
http://www.oxfordmartin.ox.ac.uk/downl
oads/A%20New%20Privacy%20Paradox%
20April%202014.pdf
6
“It is clear that the cord connecting technology and democracy
has been severed. This is bad for democracy and bad for
technology and it will not be easy to stitch the two back
together,”
Neelie Kroes, European Commission, March 2014.
http://thenextweb.com/eu/2014/03/10/need-stronger-datasafeguards-snowdens-wake-call-says-european-commissioner/
7
WHAT IS NEW IN DP REGULATION?
• A single set of rules on data protection, valid across the EU.
• Increased responsibility and accountability for those processing personal
data.
• Consent has to be given explicitly, rather than assumed.
• Easier access to their own data and be able to transfer personal data
from one service provider to another more easily (right to data
portability).
• A ‘right to be forgotten’ will help people better manage data protection
risks online: people will be able to delete their data if there are no
legitimate grounds for retaining it.
• EU rules must apply if personal data is handled abroad by companies
that are active in the EU market and offer their services to EU citizens.
8
IDENTITY
Currently:
DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 13 December 1999 on a Community framework for electronic signatures.
Moving to:
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on electronic identification and trust services for electronic transactions in the internal
Market.
9
WHAT’S NEW?
10
REFEDS Goals
Forum for R&E Federations Operators and other parties:
 To develop best practise to facilitate inter-federations;
 Following the model: do it once, use it multiple times.
Hopefully to offer a place for user-communities to put forward
their requirements/complaints.
11
Last update May 2014
31 Production Federations
17 Pilot Federations
12
REFEDS RESOURCES
• DISCOVERY GUIDE (SEE NEXT SLIDE)
• FEDERATION POLICY GUIDELINES WITH GEANT
• FEDERATION OPERATIONAL BEST PRACTICE
• ENTITY CATEGORIES TO SUPPORT DATA RELEASE
• STANDARDS AND SPECIFICATIONS:
• METADATA QUERY PROTOCOL
• SAML ENTITY CATEGORIES
• SERVICES
13
DISCOVERY.REFEDS.ORG
14
HOW??
http://www.terena.org/publications/files/2012
-AAA-Study-report-final.pdf
15
AARC CALL
› GÉANT preparation is on-going:
› Horizon
› Led heavily
2020 by
callNRENs
on AAI:
›› Open
Calls and
Enabling
usersand
helpe-Researchers
support
Consortium
with
both NRENs
use-cases
› community
Good opportunity
to work together as a team
›› Horizon
call on
Some of2020
the work
willAAI:
take place in REFEDS
› Consortium
with both NRENs and e-Researchers
but
funded
› Good opportunity to work together as a team
› Main topics:
› Some
of the
work response,
will take place
in REFEDS
› LoA,
Incident
training
and
but funded
outreach, attribute authorities
16
REFEDS
EINFRA Call
Policy
Best Practises
Operational
Practises
LoA
Federation
Harmonisation
Training on policies
Identity
Harmonisation
Services
eduGAIN
Proof of Concepts
Pilot Services
Outreach
Support for R&E
communities
GÉANT
Supporting Tools
Guest IdPs
Moonshot
eduroam
Research Work
Enabling Users
17
Research use-cases, tools and services
NICOLE HARRIS
e-Infrastructure Summer Workshops, Federated Identity Technology
18
FIM4R: Federated Identity
Management for Researchers
• Includes photon & neutron facilities, social science & humanities, high
energy physics, climate science, life sciences and ESA
• Aim: define common vision, requirements and best practices
• Vision and requirements paper
published:https://cdsweb.cern.ch/record/1442597
“A common policy and trust framework for Identity Management based on
existing structures and federations either presently in use by or available to
the communities.
This framework must provide researchers with unique electronic identities
authenticated in multiple administrative domains and across national
boundaries that can be used together with community defined attributes to
authorize access to digital resources.”
19
What do Researchers Want?
• A log-in!
• Everyone of their researcher partners to have a log-in.
• Personally Identifiable Information (PII) to be released – where they need
it.
• Attributes from multiple sources.
• To be able to have a higher level of trust (assurance).
• Non-web login.
• Great user interface.
• Unicorns.
20
30+ Research Infrastructures in Europe
Countless more “long tail” users
Attribute
aggregation
User
friendliness
Credential
translation
Attribute
release
Levels of
Assurance
Homeless
users
Bridging
Communitie
s
Non-webbrowser
Three Collaborative Pilots –
User communities and GÉANT
“A connected
network of people,
information, tools,
and methodologies
for investigating,
exploring and
supporting work
across the broad
spectrum of the
digital humanities.”
“Basic life science
information constitutes
a testament of human
and natural evolution
and advancement. As
such, this wealth of
knowledge should be
freely available for all
to access, study and
process”
“Umbrella is the
Federated Identity
Solution of the
Photon and
Neutron
Community,
enabling user
initiated transfacility access.”
22
DARIAH EXPERIENCE
eduGAIN is the best approach to pan European
AAI for DARIAH but some time is needed to fulfil
all needs
DARIAH would like to see more entities available in
eduGAIN and reasonable attributes available
DARIAH has been able to meet many requirements
• Distributed user and privilege administration
• Policies that allow for integration into DFNAAI and eduGAIN
Combination of eduGAIN and community specific
• DARIAH homeless-IdP and attribute authority
23
ELIXIR EXPERIENCE
Next phase of AAI in ELIXIR – blueprint for
discussion
• External IdPs via eduGAIN
• ELIXIR specific services for
authorisation (REMS), non web,
homeless users and community
management
Federated identity cross sector
collaboration:
REMS to be used by FI-CLARIN & FICESSDA
A pan-European approach to LoA would be
appreciated/necessary in the future
• Minimise ELIXIR-specific customisation
24
UMBRELLA Experience
More opportunities for NREN/Research
Infrastructure Collaboration
• Security analysis discussion at FIM4R
Piloting with a wider community has benefits
• JANET/Diamond Light in UK
Moonshot Pilot
Confidentiality aspects critical for Umbrella high competition, especially structural
biology
• Authorisation is delegated to the
systems participating in Umbrella
25
WORK TO DO
Attributes - Release, consistency,
community specific and
harmonisation
Levels of
Assurance
A long term issue
to be broken down
Understanding
security and
incident
response
Progress can be
slow initially
More experience,
work faster
Non web –
Early pilot not
novice user but
evolving more
Many other research communities
developing AAI requirements and
work
26
Opportunities
FIM4R /RDA
T&I Committee
Increased EC/public awareness of
security
Federations looking to do more
• Support of GÉANT Code of
Conduct
• Emerging ‘opt-out’ pilots for
eduGAIN
• REFEDs Federation Operator Best
Practicecommunities services
Research
appearing in national federations and
eduGAIN
• Knowledge gained with these
pilots helps support other
communities & plan service
27
FIM: THE BUSINESS CASE
NICOLE HARRIS
e-Infrastructure Summer Workshops, Federated Identity Technology
28
WHY?
Developing a business case forces a wellconsidered decision that assesses a range of
options.
Managing a business case throughout an
undertaking supports successful implementation
by keeping activities "on course" for the desired
outcome.
29
EXAMPLES – UK FEDERATION
• PILOT FEDERATION: 2003 – 2006.
• Development programmes with institutions including “early adopter”
funding.
• FULL FEDERATION from 2006.
• 1997 Entites with the federation.
• 953 Identity Providers.
•
1047 Service Providers.
30
31
32
33
34
SECTIONS OF A BUSINESS CASE
STRATEGIC FIT
OPTIONS APRAISAL
AFFORDABILITY
ACHIEVABILITY
35
STRATEGIC FIT
36
STRATEGIC FIT – THE QUESTIONS
• Are access management requirements currently being met?
• Why do we have to change and does it have to be done now?
• What internal and external strategic drivers are there for change?
• Does the change fit with institutional strategy?
• What is our approach to open-source and community-supported
technology?
• To what extent should identity information be controlled within the
institution?
• How many services should be brought together under a single access
management infrastructure?
37
(NOT) THE KILLER APP
38
STRATEGIC DRIVERS - EXAMPLES
39
STRATEGIC DRIVERS – INFLUENCES (1)
INTERNAL DRIVERS
EXTERNAL DRIVERS
40
STRATEGIC DRIVERS – INFLUENCES (2)
INTERNAL DRIVERS
EXTERNAL DRIVERS
41
STRATEGIC DRIVERS – INFLUENCES (3)
INTERNAL DRIVERS
EXTERNAL DRIVERS
42
OPTIONS APPRAISAL
43
OPTIONS APPRAISAL – THE QUESTIONS
• What options are there?
• Is the range of options under consideration sufficiently broad?
• Have innovative options and/or collaboration with others been
considered?
• What are the option criteria?
• Are all benefits, costs, risks and timescales covered?
• Are all business needs, requirements and characteristics covered?
• Would other stakeholders agree with the option criteria?
• Are criteria weightings necessary?
• What benefits, costs, risks and timescales are associated with each
option?
• What option has the optimum balance of cost, benefit and risk?
• What trade-offs need to be made? (eg foregoing some of the
benefits to keep costs within budget)
44
STRATEGIC CHOICES
DO NOTHING
DEPLOY A LIMITED SOLUTION
DEPLOY A SINGLE SSO SOLUTION
45
DEPLOYMENT CHOICES
OPEN SOURCE SOFTWARE
IN-HOUSE
COMMUNITY SUPPORT
OPEN SOURCE SOFTWARE
IN-HOUSE
PAID-FOR SUPPORT
COMMERCIAL SOFTWARE /
MANAGED SERVICE
COMMERICAL / MANAGED
SERVICE SUPPORT
DO IT YOURSELF
NOT RECOMMENDED!
46
Hub and Spoke?
Mesh Federation?
Edugate JAGGER
47
COST / BENEFITS ANALYSIS:
BENEFITS
48
COST / BENEFITS ANALYSIS:
COST
• UPFRONT PROJECT COSTS: pre-requisites, development effort, direct
costs (hardware etc.), training, legal advice.
• ONGOING SERVICE COSTS: membership fees?, support costs,
administrative costs, hardware replacement, audit and compliance.
• OPPORTUNITY COSTS: what other projects or initiatives could be
undertaken if the budget or staff allocated required for the option could
be freed up?
WE CANNOT TELL YOU HOW MUCH THIS IS GOING TO COST TO DEPLOY,
SORRY
49
AFFORDABILITY
50
Affordability
• Is the required budget available to deliver the whole project?
−
−
−
−
What budget(s) will be used?
Is this capital or operating expenditure, or both?
It the funding available and secure?
Is there any contingency?
• If not, can the budget be obtained?
− Can the scope be reduced or delivered over a longer period?
− Could funding be sought from other sources?
• What is the cost of not pursuing the preferred cost of action?
• What other plans and activities are dependent on it?
51
Cost of an IdP
52
ACHIEVABILITY
53
ACHIEVABILITY QUESTIONS (1)
• Is the organisation ready for the change?
− Are the pre-requisites in place and dependencies being managed?
− If not, what needs to be done?
• Can the change be achieved with current capability and capacity?
− Are the necessary skills and experience available to assign to the
project?
− Is the organisation able to manage and achieve a technology-enabled
change project?
− Is there a successful track record of such projects?
− Is there an appetite and organisation culture for the required
change?
− Is there senior management leadership and commitment for the
change?
− Is the project sponsor fully committed and are the stakeholders
“on board”?
− Is there an understanding of and agreement on what will
constitute success?
54
ACHIEVABILITY QUESTIONS (2)
If no:
• How can the required capability and capacity be acquired?
• Can the risks be managed?
− Are stakeholders content with the residual risk?
− Can another option be implemented if the preferred option fails?
• Does the scope or timescale need to be changed?
55
56
TITLE
57
TITLE
58
TITLE
59