Digital Identity Management: Strategy, Policies and Architecture. Kent Percival, 2005 06 23. A presentation to the Information Services Committee.
Digital Id’s… so many of them!
Systems have separate user accounts
Some applications maintain id databases
Some maintain additional personal information to control authorization or personalize service.
Maintained by separate administrations
2005 06 23 Digital Identity Management (ISC) Percival 5
Organizational Information
Relationship to Org: Dept; status
Organizational Identifiers: Empl.#, Student #; Email addr.
Personal information
Name, Email addr., phone#, address, …
Personal preferences for services
Limitations of local “accounts”
Security
Varying quality of administration
Controlling exposure: limited scope but slow response
No institutional policy control
Efficiency
Many administration points
Multiple relationships with information “owners”
Service
No single sign-on ... or complicated process
Personalization varies between services
Success of Directories for systems and application management
Proprietary architecture and designs
Applications with closed requirements
Data must be in different formats for different uses
Privacy concerns
Security concerns
Data ownership concerns
Different interpretations of data
Inappropriate use
Trusting the data of others
Silo approach to service management
The Organizational Trust Model
Users and Service providers must trust one another and trust a central Digital Identity Management System
Trust Domain - a collection trusting each other.
Service providers; users; trust and identity management
Can’t trust everyone and everything immediately
It takes time to build a trust domain.
Overlapping domains create problems
The scope of a domain should match organizational
In an organization trust is managed by successful implementation of appropriate institutional
Organizations are people with roles
Roles define org. relationships
Identity!
Computer applications define roles for users.
Org. Role - a key element of a Digital Identity
Assigning a Role defines Authorization
Need to harmonize organizational roles with computer application roles.
With the Internet, a Trust Domain is not a closed system.
Persons outside the trust domain need to access campus services
Where do those services go?
How do we authenticate and authorize those persons?
People in our trust domain need to access services at other institutions
Directories, directories, directories, …
Implementations are intimately linked to systems and applications!
Most Directories do not have appropriate administration and policy management tools
A Directory is not always the appropriate technology
Some applications rely on Operating System control functions
Many applications have embedded business rules controlling authentication and authorization
Trust Domain Policies must be implemented in many places.
Need common vocabulary and explicit policy
Centralized vs distributed
Collecting all Identity information into one central “longitudinal” record does not work
Data exists in several places
Central repository (e.g. campus Directory)
Shared repositories (e.g. CFS AD)
Within a single application
Use a “virtual” Identity Object Model
Central design / distributed data
Centrally administer global/essential data
Define where other data is stored - Provide key link information
Copy data to accessible location
Use referral directory lookups (ask one directory)
What’s in the central DI object?
Authentication data
Password, Digital Certificate, fingerprint signature
Identity
Unique ID, Common names,
Address
Office, phone#, FAX, email address, …
Hyperlink to personal webpage
Affiliations
Org Units, group memberships, …
Organizational Roles
Who are you; what are you allowed to do?
Keys to D.I. information in other repositories
Employee#, Student#, Library barcode, ExpressCard#, …
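As an added illustration, not part of the presentation, the following Python sketch models the “virtual” Identity Object Model and the central DI object just described: a small, centrally administered record carrying identity, affiliations, organizational roles, a password verifier (a salted hash, never the password itself) and the keys into other repositories, which are resolved on demand by referral lookups rather than copied into one longitudinal record. It also shows the organizational-to-application role harmonization from the earlier slide as a central policy table. Every name, sample datastore and value is constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample datastores standing in for the "other repositories":
# an HR system keyed by Employee#, a student system keyed by Student#, and the
# library system keyed by library barcode. None of this is real data.
HR_SYSTEM = {"E1001": {"dept": "Library", "status": "active"}}
STUDENT_SYSTEM = {"S2002": {"program": "CS", "status": "enrolled"}}
LIBRARY_SYSTEM = {"B3003": {"loans": 2, "fines_cents": 0}}
REPOSITORIES = {
    "employee_number": HR_SYSTEM,
    "student_number": STUDENT_SYSTEM,
    "library_barcode": LIBRARY_SYSTEM,
}


def make_verifier(password: str, salt: bytes = b"") -> tuple:
    """Derive a stored password verifier; the central object keeps this, not the password."""
    if not salt:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class CentralDIObject:
    """The centrally administered, global/essential part of the virtual DI object."""
    unique_id: str
    common_names: list
    email: str
    org_units: list
    org_roles: set
    repository_keys: dict          # repository name -> key this person holds there
    salt: bytes = b""
    verifier: bytes = b""

    def check_password(self, password: str) -> bool:
        _, candidate = make_verifier(password, self.salt)
        return hmac.compare_digest(candidate, self.verifier)


def referral_lookup(identity: CentralDIObject, repository: str):
    """Referral: ask the central object which key to use, then ask that one repository."""
    key = identity.repository_keys.get(repository)
    if key is None:
        return None                  # the person has no record in that datastore
    return REPOSITORIES[repository].get(key)


def virtual_view(identity: CentralDIObject) -> dict:
    """Assemble the distributed data on demand instead of copying it all centrally."""
    view = {
        "unique_id": identity.unique_id,
        "email": identity.email,
        "org_roles": sorted(identity.org_roles),
    }
    for repo in identity.repository_keys:
        view[repo] = referral_lookup(identity, repo)
    return view


# Central policy table harmonizing organizational roles to application roles
# (hypothetical application names and role names).
APP_ROLE_POLICY = {
    "library-catalogue": {"staff": {"catalogue-admin"}, "student": {"borrower"}},
    "hr-self-service": {"staff": {"employee"}},
}


def application_roles(identity: CentralDIObject, app: str) -> set:
    """Authorization follows from the assigned organizational roles, per central policy."""
    roles = set()
    for org_role in identity.org_roles:
        roles |= APP_ROLE_POLICY.get(app, {}).get(org_role, set())
    return roles


def sample_identity() -> CentralDIObject:
    """A constructed person who is both staff and student (fixed salt for reproducibility)."""
    salt, verifier = make_verifier("correct horse battery staple", salt=b"fixed-salt-demo!")
    return CentralDIObject(
        unique_id="jdoe-demo",
        common_names=["J. Doe (demo)"],
        email="jdoe@example.edu",
        org_units=["Library"],
        org_roles={"staff", "student"},
        repository_keys={"employee_number": "E1001", "student_number": "S2002",
                         "library_barcode": "B3003"},
        salt=salt,
        verifier=verifier,
    )


if __name__ == "__main__":
    person = sample_identity()
    print(virtual_view(person))
    print(application_roles(person, "library-catalogue"))
```

The central record stays small and is the only thing administered centrally; department status, enrolment and library data remain in the datastores that own them and are reached through the key held in the central object. Revoking a person's organizational role in the central object removes every application role derived from it, which is the single point of policy control that local accounts lack.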
A good D.I. Mgmt design
requires an organization wide model
recognizes use outside the trust domain
starts with policy to build a trust domain
Security, privacy and appropriate use of DI data
administered efficiently, timely, accurately
relates Identity to organizational role
A DI Mgmt system is implemented with
multiple distinct Directory Servers
authentication and authorization functions
Implemented on separate AAA servers, instead of being embedded in systems and applications
a virtual DI object defining information in multiple datastores
A central DI object component which
Provides general Digital Identity information
Provides keys to other DI information in datastores managed by others.