
Identity Management Concepts


Presentation Transcript


  1. Identity Management Concepts Secure and Trusted Practices

  2. Presentation Overview • Importance • Definitions • Implications for NU service units • Procedural issues • Infrastructure requirements

  3. Importance of Identity Management • Without robust Identity Management, we can never be confident of our security • Without confidence in security, data stewards will not be willing to expose information • Without current information, responsible decisions are difficult – hence shadow systems • The University should change its culture to make information available to those with proper authorization by default

  4. Definitions

  5. Digital Identity “Digital identity comprises electronic records that represent network principals, including people, machines, devices, applications, and services.” [1]

  6. Identity Management “Identity Management (IdM) comprises the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities within a legal and policy context.” [1]

  7. Identification • The act of assigning a unique marker or a token to a principal, such that principals can be distinguished from one another. [2] A key step in this process is validation of the principal. • “John Doe, having verified your identity claim through two forms of documentation, we are assigning you username...” • Methods: Personal interviews, shared secrets

  8. Authentication • Validating that the principal producing a token is that exact principal to whom the token was assigned. [2] • “You say you are the authentic John Doe. Please prove that claim within a level of confidence we define.” • Methods: password, ID cards, biometrics

  9. Authorization • The act of ensuring that an authenticated principal is given access to only the services and data required to support allowed tasks, either explicitly or implicitly through group or role memberships. [2] • “John Doe, your request for access to that data/service is granted/denied.” • Methods: Entitlements by role, rule, or identity.

  10. Accountability • Appropriate administration of Identification, Authentication, and Authorization, ensuring that only the authorized principal can exercise its individual authority. [2] • With strong accountability, principals can be held responsible for actions. • Methods: policies, strong authentication

  11. Business Process Implications

  12. Fundamental Concepts • Service providers must have confidence in Identification and Authentication services. • Service providers determine the authentication strength required for their applications and data. • Application software must recognize central identity and support definition of local entitlements and access rules. • Digital identities should be derived from authoritative sources.

  13. Current Practices 1. Service providers must have confidence in Identification and Authentication services. • Applications provide service-specific databases of identifiers and passwords • Service units create and manage identifiers under their own processes within the applications

  14. Current Practices 2. Service providers determine the authentication strength required for their applications and data. • Frequency of required password changes • Periodic re-application for identity

  15. Current Practices 3. Application software must recognize central identity and support definition of local entitlements and access rules. • Connecting permissions and rights to the application-specific identities is common in administrative systems • Access may also be restricted by network address or domain

  16. Current Practices 4. Digital identities should be derived from authoritative sources. • NetIDs are derived from authoritative sources. • Applications with local identity management may not reflect accurate status for the principal.

  17. Current Practice Issues • Separate identity databases lead to multiple usernames and passwords for each principal. This increases security risk. • Without ties to authoritative sources, changes in the status of a principal have a delayed effect on authorizations. • Disjoint systems make common role/rule authorizations impossible.

  18. Future Practices 1. Service providers must have confidence in Identification and Authentication services. • Central identity infrastructure (Registry) should hold authentication and authorization entitlements • Service units can manage entitlements • “Level of trust” will give increased confidence and options to service providers

  19. Future Practices 2. Service providers determine the authentication strength required for their applications and data. • A single strong password gives a first line of defense against brute-force attacks • Central services can support a second password, smart card, USB token, or biometrics for any application

  20. Future Practices 3. Application software must recognize central identity and support definition of local entitlements and access rules. • Applications must accept authority of registry for identities as exposed through LDAP, AD, eDirectory, etc. • Permissions and rights can be managed within an application or be centrally role-based or identity-based.

  21. Future Practices 4. Digital identities should be derived from authoritative sources. • All security and access control will flow from the Registry through standard access methods. • Business rules must be written to define what takes place when the status of a principal changes.

  22. Consequences • School/Division/Department system administration must be linked to central identity services • Systems with secure information must be themselves secure • Maintenance of authentication will be more distributed and less convenient for higher-security systems

  23. Flexibility • Role-based default entitlements (e.g., student, department chair) • Distributed control of entitlements to grant access to protected resources (e.g., research host, SES functions) • Hierarchical directory tiers for local store of application information
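As an added example, not code from the presentation: a small Python model of the central Registry that slides 17 to 23 describe, in which role-based default entitlements, grants to an individual identity, the level of trust a service requires, and the principal's authoritative status all come from one source. NetIDs, roles, service names and the numeric trust levels are constructed for the example.

```python
# Added example, not from the presentation; NetIDs, roles, services are constructed.
from dataclasses import dataclass, field

@dataclass
class Principal:
    netid: str
    status: str = "active"            # authoritative status: "active" / "inactive"
    roles: set = field(default_factory=set)
    trust_level: int = 1              # 1 = password only, 2 = password + second factor

class Registry:                       # authoritative source (slides 18-21)
    def __init__(self):
        self.principals = {}          # netid -> Principal
        self.role_entitlements = {}   # role -> services (role-based defaults)
        self.identity_entitlements = {}  # netid -> services (distributed grants)

    def grant_role(self, role, service):
        self.role_entitlements.setdefault(role, set()).add(service)

    def grant_identity(self, netid, service):
        self.identity_entitlements.setdefault(netid, set()).add(service)

    def entitlements(self, netid):
        p = self.principals.get(netid)
        if p is None or p.status != "active":
            return set()              # a status change takes effect immediately
        ents = set(self.identity_entitlements.get(netid, set()))
        for role in p.roles:
            ents |= self.role_entitlements.get(role, set())
        return ents

def authorize(registry, netid, service, required_trust):
    """Service-provider decision: the service fixes the trust level it requires."""
    p = registry.principals.get(netid)
    if p is None or p.status != "active":
        return "denied: unknown or inactive principal"
    if p.trust_level < required_trust:
        return "denied: insufficient level of trust"
    if service not in registry.entitlements(netid):
        return "denied: no entitlement"
    return "granted"

def build_sample_registry():
    reg = Registry()
    reg.grant_role("student", "library")            # role-based default
    reg.grant_role("chair", "hris-reports")
    reg.grant_identity("jdoe1", "research-host")    # grant to one identity
    reg.principals["jdoe1"] = Principal("jdoe1", roles={"student"})
    reg.principals["asmith"] = Principal("asmith", roles={"chair"}, trust_level=2)
    return reg
```

Changing a principal's status in the Registry is reflected in the very next authorization decision, the immediate effect that slide 17 says application-local identity stores lack.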

  24. Entitlement-Defined Business Processes

  25. Trust Levels (diagram labels only: 1: Auto/Manual; 2: Role-based configuration)

  26. Infrastructure

  27. IdM Infrastructure “IdM infrastructure consists of directory services, authentication, access management, and user management capabilities such as provisioning, delegated administration, and self-service administration.” [2]

  28. IdM Infrastructure Includes… • Hardware and software • Databases and secure access methods • Business processes within authoritative sources • Business processes for exceptions • User management processes that preserve authentication accountability • Behavior of principals to protect their identities

  29. Current IdM Structure

  30. Future IdM Structure

  31. Future IdM structure diagram (labels only): LDAP Cluster; IT Computing Services; source systems SNAP, SES, HRIS feeding the Registry by Extraction; Replication and Load balancing between directory.northwestern.edu (White Pages) and registry.northwestern.edu (Registry). Note: schematic, not an engineering representation.

  32. How Will NUIT Assist? NUIT will assist by: • Creating Web sites with technical information • Publishing specifications and code examples • Holding seminars for developers • Advising departments on governance issues • Publishing timelines for service retirements

  33. End Notes / Attributions [1] “Enterprise Identity Management: It’s About the Business”, V1, July 2, 2003, Burton Group Research Overview. [2] “Identity and Access Management and Security in Higher Education”, EDUCAUSE Quarterly, Number 4, 2003.
