CIO Fall Update for the Advisory Committee for Business and Operations: Identity Management 2.0
George O. Strawn, NSF CIO, Fall 2006

Outline
• What is Identity Management (IdM)?
• IdM 1.0
• Why not IdM 1.0?
• Why IdM 2.0?
• Why not IdM 2.0?
• What is IdM 2.0?
• Other matters
What is Identity Management?
• Organization: The policies, processes, and tools used to “assure” that IT systems and applications are made available only to appropriate persons
• Individual: The persons I am working with and the systems I am using really are who they say they are. And no one can impersonate me, or read or change my information
IdM has become important!
• Identity Management has greatly increased in importance as IT systems and applications are used to perform more and more of the work of society and commerce
• For this reason, we’ve got to do a better job of IdM (from IdM 1.0 to IdM 2.0)
IdM 1.0
• IdM is nothing new: we’ve had “user names and passwords” almost forever (in IT terms)
• A defining characteristic of IdM 1.0 is that each IT system and application does its own identity management, usually by keeping a list of authorized username/password pairs and checking it at login time
Why not IdM 1.0?
• Ineffective: IdM 1.0 does a poor job of assuring privacy and security
• Inefficient: IdM 1.0 is expensive to manage and maintain (many separate IdM systems)
• Liability: IT and application providers (and their organizations) are now burdened with security and privacy responsibilities
• User-unfriendly: Users are now burdened with many username/password pairs, and these are proliferating!
Why IdM 2.0?
• Effective: IdM 2.0 can provide a uniformly strong (e.g., secure and private) identity management capability for an organization
• Efficient: IdM 2.0 can provide a single IdM system for an organization
• User-friendly: IdM 2.0 can greatly reduce the number of username/password pairs that a user must remember
Why not IdM 2.0?
• IdM 2.0 will require changes to policies, processes, and IT systems, e.g., replacing the IdM 1.0 software with the standardized IdM 2.0 software (middleware)
• IdM 2.0 is not free: the policies, processes, and IT systems must be developed and maintained
• But the benefits will outweigh the costs!
What is IdM 2.0?
• A single, standardized solution for an organization to “assure” access to IT systems and applications only to appropriate persons
• Requires a “bigger/better” list of persons and divides IdM into two parts:
• authentication of users: Are you who you say you are?
• authorization of users: Should you have access to a particular system or application?
A bigger/better list of persons
• Often called a directory
• Will include all persons in your organization. Q: But what about persons in other organizations who need access to your IT systems and applications? A: See the slide after next (“Beyond the organization”).
• Will require as much “care and feeding” as your financial and personnel databases
• Will include information to enable authentication and authorization
Authentication
• Are you who you say you are?
• What you know (e.g., a private password)
• What you have (e.g., a token that generates time-dependent random numbers)
• What you are (e.g., your fingerprint or retinal scan)
• These can be used alone (more or less well), or in combination (1-, 2-, or 3-factor)
Authorization
• Answers the question (for each person): which IT systems and applications are you permitted to use?
• Can be based on the individual (e.g., Jane Jones is authorized to access the financial system)
• And can be based on role (e.g., any staff member is authorized to use the internal web)
Beyond the organization
• Another major benefit of IdM 2.0 will be that organizations can authenticate their members to other organizations (called “federated identity management”). E.g.:
• University X authenticates a student, and
• College Y authorizes any student at University X to use its library system
• Higher Ed, USG, and industry are working hard to do this (e.g., InCommon in HE)
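The three preceding slides describe one directory per organization, authentication and authorization as separate steps, and federation in which University X authenticates a student and College Y authorizes. The following Python model is an added example, not code from the slides or from NSF; the organization names, keys, passwords and the HMAC-signed assertion are constructed stand-ins for a real federation protocol such as SAML.

```python
import hashlib, hmac, json, os, time
# Added example, not from the slides. Names, keys and passwords are constructed;
# the HMAC-signed assertion stands in for a real federation protocol (e.g. SAML).

def hash_pw(password, salt):
    """Salted password hash; the directory never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """One organization's directory (the "bigger/better list") plus its authentication service."""
    def __init__(self, org, signing_key):
        self.org, self.key, self.directory = org, signing_key, {}

    def enroll(self, user, password, roles):
        salt = os.urandom(16)
        self.directory[user] = {"salt": salt, "pw": hash_pw(password, salt), "roles": sorted(roles)}

    def authenticate(self, user, password, ttl=300):
        """Are you who you say you are? Returns a signed assertion, or None on failure."""
        entry = self.directory.get(user)
        if entry is None or not hmac.compare_digest(entry["pw"], hash_pw(password, entry["salt"])):
            return None
        claims = {"org": self.org, "user": user, "roles": entry["roles"], "exp": time.time() + ttl}
        body = json.dumps(claims, sort_keys=True)
        return {"claims": body, "sig": hmac.new(self.key, body.encode(), "sha256").hexdigest()}

class RelyingParty:
    """A system that accepts assertions from trusted organizations, then applies its own policy."""
    def __init__(self, trusted_keys, policy):
        self.trusted_keys, self.policy = trusted_keys, policy  # policy: resource -> list of rules

    def verify(self, assertion):
        """Accept only an unexpired assertion signed by an organization we trust."""
        claims = json.loads(assertion["claims"])
        key = self.trusted_keys.get(claims["org"])
        if key is None:
            return None
        expected = hmac.new(key, assertion["claims"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]) or claims["exp"] < time.time():
            return None
        return claims

    def authorize(self, assertion, resource):
        """Should you have access? Rules: ("user", org, username) or ("role", org, role)."""
        claims = self.verify(assertion)
        if claims is None:
            return False
        return any(org == claims["org"] and
                   (value == claims["user"] if kind == "user" else value in claims["roles"])
                   for kind, org, value in self.policy.get(resource, []))
```

Authentication happens once at University X; College Y's library never sees a password, only a verifiable assertion, and decides access by its own role rule.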
In the Federal world
• We are working to create a USG-wide “e-authentication” system
• We are working (under “HSPD-12”) to create an “intelligent card” for USG-wide physical access and (ultimately) for IT access
• NSF intends to move FastLane authentication from IdM 1.0 to IdM 2.0. E.g., we intend that one could log into FastLane with a university credential if it is an InCommon credential
Creating a Trusting e-Community
• Trusted Identity Management is one component of a trusted IT environment (together with secure IT applications and systems, and digital information that is confidential, integral, and available)
• We will not enter the digital promised land until we do all these things better!