Identity & Access Management
HEALTH INFORMATION

Presenter: Mike Davis, Mike.davis@va.gov, (760) 632-0294
January 09, 2007

Posted Mar 27, 2015 by Xavier Conley

Transcript
Page 1: Identity & Access Management (title slide)

Page 2: Definitions

• IdM: Identity management (IdM) is comprised of the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities within a legal and policy context. - BurtonGroup™ 2003

• IAM: Identity and access management (IAM) is comprised of the set of services to include authentication, user provisioning (UP), password management, role matrix management, enterprise single sign-on, enterprise access management, federation, virtual and metadirectory services, and auditing. - Gartner

Page 3: Click to edit Master title style HEALTH INFORMATION 1 Identity & Access Management Presenter: Mike Davis Mike.davis@va.gov (760) 632-0294 January 09, 2007.

Click to edit Master title style

HEALTH INFORMATION

3

More Definitions

• Provisioning: Provisioning of user access control credentials refers to the creation, maintenance, correlation, synchronization and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to an automated or interactive business process. Provisioning software may include one or more of the following processes: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. Provisioning is typically a subsystem or function of an identity management system that is particularly useful within organizations where users may be represented by multiple user objects on multiple systems. - EDE IPT

• The process of managing attributes and accounts within the scope of a defined business process or interaction. Provisioning an account or service may involve the creation, modification, deletion, suspension or restoration of a defined set of accounts or attributes. - OASIS SPML
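The two definitions above describe a user who is represented by several account objects on several systems, and a set of lifecycle operations that must reach all of them. The following engine is an added illustration of that model (it is not code from the presentation, the EDE IPT or OASIS): it propagates the SPML-style operations add, modify, suspend, resume and delete (the definition's creation, modification, suspension, restoration and deletion) to every target system, keeps the correlation between the enterprise identity and its per-system accounts, validates a state transition on all targets before applying it anywhere, and reports orphan accounts that exist on a target without any correlated identity. The target systems, account records and the "<target>-<identity id>" naming scheme are constructed sample data.

```python
"""Provisioning propagated across several systems, with correlation and orphan detection.

Added illustration, not the presentation's or OASIS's code. Assumptions: target systems are
constructed in-memory dicts standing in for directories/applications; local account ids follow
a made-up "<target>-<identity id>" scheme; an identity is correlated to exactly one account
per target.
"""
from typing import Dict, Iterable, List, Tuple

ACTIVE, SUSPENDED, DELETED = "active", "suspended", "deleted"


class ProvisioningError(Exception):
    """Raised when an operation is not valid for the account's current state."""


class ProvisioningEngine:
    def __init__(self, target_names: Iterable[str]):
        # target name -> {local account id -> account record}
        self.targets: Dict[str, Dict[str, dict]] = {name: {} for name in target_names}
        # correlation: enterprise identity id -> {target name -> local account id}
        self.correlation: Dict[str, Dict[str, str]] = {}
        self.journal: List[Tuple[str, str]] = []  # history of propagated changes

    def _local_id(self, target: str, identity_id: str) -> str:
        return f"{target}-{identity_id}"  # constructed naming scheme

    def _accounts(self, identity_id: str) -> List[dict]:
        links = self.correlation.get(identity_id)
        if not links:
            raise ProvisioningError(f"{identity_id} is not provisioned")
        return [self.targets[t][lid] for t, lid in links.items()]

    def _transition(self, identity_id: str, op: str, allowed_from: set, to: str) -> None:
        """Validate every correlated account first, then change all of them, so a rejected
        transition never leaves the targets half-updated."""
        accounts = self._accounts(identity_id)
        for acct in accounts:
            if acct["state"] not in allowed_from:
                raise ProvisioningError(f"cannot {op} an account in state {acct['state']}")
        for acct in accounts:
            acct["state"] = to
        self.journal.append((op, identity_id))

    def add(self, identity_id: str, attributes: dict) -> None:
        """Creation: one account per target, all correlated to the enterprise identity."""
        if identity_id in self.correlation:
            raise ProvisioningError(f"{identity_id} is already provisioned")
        links = {}
        for target, accounts in self.targets.items():
            lid = self._local_id(target, identity_id)
            accounts[lid] = {"state": ACTIVE, **attributes}
            links[target] = lid
        self.correlation[identity_id] = links
        self.journal.append(("add", identity_id))

    def modify(self, identity_id: str, changes: dict) -> None:
        """Modification (change propagation): attribute updates reach every correlated account."""
        accounts = self._accounts(identity_id)
        if any(a["state"] == DELETED for a in accounts):
            raise ProvisioningError("cannot modify a deleted account")
        for acct in accounts:
            acct.update(changes)
        self.journal.append(("modify", identity_id))

    def suspend(self, identity_id: str) -> None:
        self._transition(identity_id, "suspend", {ACTIVE}, SUSPENDED)

    def resume(self, identity_id: str) -> None:
        """Restoration is only valid from the suspended state."""
        self._transition(identity_id, "resume", {SUSPENDED}, ACTIVE)

    def delete(self, identity_id: str) -> None:
        """Deletion de-provisions everywhere; the record is kept (state deleted) for history."""
        self._transition(identity_id, "delete", {ACTIVE, SUSPENDED}, DELETED)

    def states(self, identity_id: str) -> Dict[str, str]:
        return {t: self.targets[t][lid]["state"] for t, lid in self.correlation[identity_id].items()}

    def find_orphans(self) -> List[Tuple[str, str]]:
        """Live accounts on a target that no enterprise identity correlates to: the accounts a
        provisioning system can never suspend or delete because it does not know they exist."""
        linked = {(t, lid) for links in self.correlation.values() for t, lid in links.items()}
        return sorted((t, lid) for t, accts in self.targets.items()
                      for lid, acct in accts.items()
                      if (t, lid) not in linked and acct["state"] != DELETED)
```

The orphan report is the check worth running after any migration or manual account creation: an account created directly on a target, outside the engine, stays active through suspension and de-provisioning of the identity it belongs to.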

Page 4: Yet More Definitions

• Single Sign-on (SSO): Any user authentication system permitting users to access multiple data sources through a single point of entry. Part of an integrated access management framework.

• At present, there is no “universal” definition of SSO, no agreement on whether it is really possible and no understanding of what is considered true SSO. - Pistolstar

Page 5: Identity Mgt Attributes (1 of 2)

Columns: PIV | E-Authn | VHA (MPI/PS) | OneVA IdM (X marks are listed per row as they appear in the transcript; which column each X falls in is not preserved)

Identity Management: X X X X
Identity proofing: X X
Background screening: X
Initial identity verification: X X
Ongoing integrity checking: X X
Provisioning: X
Integrated user provisioning: X
Biometric capture and enrollment: X
Credential personalization and issuance: X
Management of identity lifecycle: X X
Create, suspend, and delete user accounts: X X X
Automated provisioning/de-provisioning: X
Modify user privileges: X X
Approval of provisioning workflow: X X
Centralized policy management: X
Integration of identity data: X X
Organizational role and group management: X X
Delegated administration: X
Federation: X
Web form workflow support: X
Automated business process workflow: X

Page 6: More Identity Mgt Attributes (2 of 2)

Columns: PIV | E-Authn | VHA (MPI/PS) | OneVA IdM (marks listed per row as they appear; column positions not preserved)

Identity Management (cont.): X X X X
Identification/enumeration for all VA persons of interest (patients, beneficiaries, employees, dependents, IT users, etc.): Only Employees, Contractors | Only Citizens | X X
Maintenance and history of identifier and tracking of changes: X X
Duplicate (false-negative) and mismatch (false-positive) prevention: X X
Duplicate detection and resolution: X X X
Mismatch detection and resolution: X X X
Correlation management: X X X
Facilitation of identifier and trait change maintenance: X X X
Facilitation for information sharing and identity management amongst internal identity domains: X X
Facilitation for information sharing with external identity domains: X X
User self-service: X X
Self-registration: X X
Update demographic information

Page 7: Access Mgt Attributes

Columns: PIV | E-Authn | VHA (MPI/PS) | OneVA IdM (marks listed per row as they appear; column positions not preserved)

Access Management: X X X
Access control: X X
Authorization Service: X X
Role-based authorization: X X
Rule-based authorization: X
Access Control Integration: X
Authentication Service: X X
Single sign-on: X X X
Multiple strong authentication methods: X X
Physical and logical access control: X
Management of access to protected resources: X
Management and enforcement of access policies: X
Localized enforcement of centrally managed security policies using roles or business rules
Audit Service: X
Security Transaction Logging: X X
Security Event Notification: X
Reporting: X
E-Signature: X X

Sources: OneVA Identity Management IPT, December 19, 2005; OneVA Enterprise Identity Management White Paper, v1.3, October 12, 2006

Page 8: Authentication Services

• Centralized authentication services reduce complexity
– PIV (HSPD-12, NIST FIPS PUB 201)
– MS NAS (AD Kerberos)

• Applications should accept trusted third-party credentials…applications do not authenticate users directly
– Kerberos, X.509, SAML
– CCOW
– Security token services (STS)

• SSO is intrinsic
– SSO is now expected
– SSO is now technically feasible

Page 9: WS-Trust scenario

• A client sends a SOAP message (Request) to a SOAP-based application server.

• The original client request is intercepted at a SOAP gateway and redirected (based on Policy) to the IP/STS.

• The SOAP gateway and STS will use WS-Trust messages to enable interoperable processing of the more fundamental WS-Security protected SOAP message sent between the client and the service.
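The page 8 principle (the application accepts a credential from a trusted third party and never authenticates the user itself) and the three-step exchange above are shown together in the following simulation. It is an added example, not code from the presentation or from any WS-Trust implementation. Assumptions: the STS signs tokens with HMAC-SHA256 under a key shared with the relying parties, standing in for the X.509 signatures a real STS would apply; the RequestSecurityToken (RST) and RequestSecurityTokenResponse (RSTR) messages are plain dicts rather than SOAP/XML; and the users, keys, service names and gateway policy are constructed sample data. The point it adds to the slides is what the relying party must check before trusting the token: signature, issuer, audience (the "AppliesTo" service) and expiry.

```python
"""Trusted third-party authentication in the WS-Trust pattern: client -> SOAP gateway -> STS -> service.

Added illustration, not code from the presentation or from any WS-Trust product. Assumptions:
- The STS signs tokens with HMAC-SHA256 under a key it shares with the relying parties
  (a stand-in for the X.509 signatures a real STS would apply).
- Messages are plain dicts standing in for WS-Trust RST and RSTR; no SOAP/XML is produced.
- Users, keys, service names and the gateway policy are all constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

STS_ISSUER = "urn:example:sts"                    # hypothetical issuer name
STS_SIGNING_KEY = b"constructed-sts-signing-key"  # constructed; a real STS uses X.509 keys
TOKEN_LIFETIME_S = 300

# Constructed credential store held ONLY by the STS: the service never sees passwords.
_STS_USERS = {
    "mdavis": {"pw_hash": hashlib.sha256(b"correct-horse").hexdigest(), "roles": ["clinician"]},
}

# Gateway policy (constructed): which services require an STS-issued token.
GATEWAY_POLICY = {"urn:example:clinical-service": {"requires_token": True}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(rst: dict, now: Optional[float] = None) -> dict:
    """STS side: authenticate the requester named in the RST and answer with an RSTR."""
    now = time.time() if now is None else now
    user = _STS_USERS.get(rst["username"])
    offered = hashlib.sha256(rst["password"].encode()).hexdigest()
    if user is None or not hmac.compare_digest(user["pw_hash"], offered):
        return {"status": "denied"}
    claims = {"iss": STS_ISSUER, "sub": rst["username"], "aud": rst["applies_to"],
              "roles": user["roles"], "exp": now + TOKEN_LIFETIME_S}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return {"status": "issued", "token": body + "." + sig}


def verify_token(token: str, expected_audience: str, now: Optional[float] = None) -> dict:
    """Relying-party side: check signature, issuer, audience and expiry; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = _b64(hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")  # tampered claims or a key the service does not trust
    claims = json.loads(_unb64(body))
    if claims.get("iss") != STS_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token not issued for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def application_handle(request: dict, now: Optional[float] = None) -> dict:
    """The SOAP service trusts the STS token; it holds no passwords and runs no login logic."""
    try:
        claims = verify_token(request.get("token", ""), request["service"], now)
    except ValueError as exc:
        return {"status": 401, "reason": str(exc)}
    return {"status": 200, "user": claims["sub"], "roles": claims["roles"], "echo": request["body"]}


def gateway_handle(request: dict, now: Optional[float] = None) -> dict:
    """SOAP gateway: per policy, a request for a protected service that carries no token is turned
    into an RST to the STS; the RSTR's token is attached and the request is forwarded to the service."""
    service = request["service"]
    if GATEWAY_POLICY.get(service, {}).get("requires_token") and "token" not in request:
        rst = {"username": request["username"], "password": request["password"], "applies_to": service}
        rstr = sts_issue_token(rst, now)
        if rstr["status"] != "issued":
            return {"status": 401, "reason": "STS refused the credentials"}
        request = {"service": service, "token": rstr["token"], "body": request["body"]}
    return application_handle(request, now)
```

The audience check is the one most often skipped in practice: without it, a token issued for one service is accepted by every service that trusts the same STS.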

Page 10: IDM…Whose Identity is It?

• VHA Problem Statement: How does the security IdM portion of IAM fit with the traditional ownership of IdM, which is controlled by administrative, demographic, payroll and HR functions?

IdM (Admin)
– Registration request
– Payroll, HR, Demographics, MPI, etc.
– In-Person Proofing Event

IAM (Security)
– Security manages its own information base. The CA is responsible for the authenticity of the information on certificates.
– PIV IdM, Authorization DB: linked back to the Admin IdM base, but Security is not dependent upon it.

• Solution: Need standards for IdM and for IAM; consistent vocabularies; clear differentiation of role/ownership of identity data used for different purposes. The Oracle Identity Governance Framework is setting the initial definitions in this area prior to vetting in a standards organization (TBD). Identity Governance Framework: http://www.oracle.com/technology/tech/standards/idm/igf/index.html

Page 11: IAM Technology Viewpoint

Assertions
• IAM (PIV) transforms future SOA security infrastructures
• Centralization reduces complexity of authn/authz administration
• Web Services provide the key underlying standards/technology
• Application security (end-to-end) replaces the castle-and-moat paradigm
• SSO is assumed/expected

Obstacles
• Lack of consistent approach (different goals, views, vendors)
• Immature/incomplete industry technology; few solutions
• Developer experience/confidence in solutions…resistance to change

Implications
• Projects will use existing/closed solutions to avoid risk
• Projects will not be able to adapt to the coming centralized infrastructure
• Project schedules will limit time to innovate in security
• Security will continue to lag

Advice: implement/innovate/adopt
• SOA architecture
• CCOW, Kerberos SSO/TTP authn
• HL7 RBAC / OASIS XACML
• Implement Web Services
• Manage globally, enforce locally
• Pilot a SOA security application
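The advice "manage globally, enforce locally", the HL7 RBAC / OASIS XACML recommendation, and the page 7 row "localized enforcement of centrally managed security policies using roles or business rules" all describe the same split: one central policy decision point (PDP) that holds the role table and rules, and many local policy enforcement points (PEPs) that ask it. The following is an added example of that split; it is not code from the presentation, HL7 or OASIS. Assumptions: the roles, permissions, resources and the treating-relationship/break-glass rule are constructed sample policy; rules are combined with XACML's deny-overrides algorithm; and a break-glass Permit carries an obligation (write an audit entry) that the PEP must fulfil or else deny, which is how XACML obligations are meant to work.

```python
"""Manage globally, enforce locally: a small XACML-style PDP with HL7 RBAC-style role
permissions, queried by local PEPs.

Added illustration, not code from the presentation, HL7 or OASIS. Roles, permissions and the
clinical rules below are constructed sample policy.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Central role -> permission table, managed once for the enterprise (constructed).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "clinician": {("patient-record", "read"), ("patient-record", "write"), ("lab-result", "read")},
    "billing-clerk": {("patient-record", "read-demographics")},
    "auditor": {("audit-log", "read")},
}
CLINICAL_RESOURCES = {"patient-record", "lab-result"}


@dataclass
class Request:
    subject_roles: Tuple[str, ...]
    resource: str
    action: str
    env: dict = field(default_factory=dict)  # e.g. {"treating_relationship": True, "break_glass": False}


@dataclass
class Decision:
    effect: str
    obligations: Tuple[str, ...] = ()
    reasons: Tuple[str, ...] = ()


RuleResult = Tuple[str, Tuple[str, ...], str]  # (effect, obligations, reason)


def rule_role_permission(req: Request) -> RuleResult:
    """Permit if any of the subject's roles grants (resource, action); otherwise Deny."""
    for role in req.subject_roles:
        if (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set()):
            return PERMIT, (), f"role {role} grants {req.action} on {req.resource}"
    return DENY, (), "no role grants this permission"


def rule_treating_relationship(req: Request) -> RuleResult:
    """Clinical data needs a treating relationship; break-glass overrides that but must be audited."""
    if req.resource not in CLINICAL_RESOURCES or req.env.get("treating_relationship"):
        return NOT_APPLICABLE, (), ""
    if req.env.get("break_glass"):
        return PERMIT, ("audit:break-glass",), "break-glass override"
    return DENY, (), "no treating relationship with this patient"


RULES: List[Callable[[Request], RuleResult]] = [rule_role_permission, rule_treating_relationship]


def pdp_decide(req: Request) -> Decision:
    """Deny-overrides: one Deny decides; otherwise Permit with the permitting rules' obligations."""
    results = [rule(req) for rule in RULES]
    denies = [r for r in results if r[0] == DENY]
    if denies:
        return Decision(DENY, (), tuple(r[2] for r in denies))
    permits = [r for r in results if r[0] == PERMIT]
    if permits:
        obligations = tuple(o for r in permits for o in r[1])
        return Decision(PERMIT, obligations, tuple(r[2] for r in permits))
    return Decision(NOT_APPLICABLE)


def pep_enforce(req: Request, audit_log: list) -> bool:
    """Local enforcement: ask the central PDP, discharge its obligations, allow only on Permit.
    A PEP that cannot fulfil an obligation must treat the decision as Deny."""
    decision = pdp_decide(req)
    if decision.effect != PERMIT:
        audit_log.append(("denied", req.resource, req.action, decision.reasons))
        return False
    for obligation in decision.obligations:
        if obligation == "audit:break-glass":
            audit_log.append(("break-glass", req.subject_roles, req.resource, req.action))
        else:
            audit_log.append(("denied", req.resource, req.action, ("unfulfillable obligation",)))
            return False
    return True
```

Because the role table and rules live only in the PDP, a change such as removing a permission from a role takes effect at every PEP on its next query, with no per-application redeploy; the PEP's own logic is limited to discharging obligations and failing closed.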