
Digital Identity Management Strategy, Policies and Architecture

Kent Percival, 2005 06 23. A presentation to the Information Services Committee.


Presentation Transcript


  1. Digital Identity Management: Strategy, Policies and Architecture
  Kent Percival, 2005 06 23
  A presentation to the Information Services Committee

  2. Presentation & Discussion
  • Goal: to develop a common perspective of Digital Identity Management and the resulting strategies, policies and architecture
  • Overviews
  • Business/Organizational model
  • Implementation issues and strategies
  Digital Identity Management (ISC)

  3. D.I. What is a Digital Identity?
  A computer object representing a real person … we used to call them Computer Accounts … it could also represent
  • A device
  • An application
  • …

  4. Digital Id's … so many of them!
  • Systems have separate user accounts
  • Some applications maintain id databases
  • Some maintain additional personal information to control authorization or personalize service
  • Maintained by separate administrations

  5. [Diagram: the many separate identity stores on campus, connected only by periodic data sharing. Systems shown: HS Express, Colleague, Athletics, FRS, Purchasing, Library Patron (several copies), Res Admin, Bldg Access (several copies), Human Resources, OOL, D2L, ResNet, Phones, Central ID, WebCT, Active Directory, V.Mail, Web Hosting, Central File Service, Central eMail, Campus Directory ("general", "stats"), Portal, Network Access, Dialup Modem, and many Dept Servers.]

  6. What is a Digital Identity used for?
  • Authentication: verifying the user really is who they say they are
  • Authorization: determining what the user can and can't do
  • Accounting: having a record to investigate incidents after the fact
  • Identification: identifying the user by unique ID, common name, email address, …
  • Personalization: making services efficient and effective by knowing the user

  7. What's in a Digital Identity?
  Security information (computer account stuff)
  • Authentication: ID, Password, …
  • Authorization: access control, groups, file permissions
  Organizational Information
  • Relationship to Org: Dept; status
  • Organizational Identifiers: Empl. #, Student #; Email addr.
  Personal information
  • Name, Email addr., phone #, address, …
  • Personal preferences for services

  8. Limitations of local "accounts"
  Security
  • Varying quality of administration
  • Controlling exposure: limited scope, but slow response
  • No institutional policy control
  Efficiency
  • Many administration points
  • Multiple relationships with information "owners"
  Service
  • No single sign-on … or a complicated process
  • Personalization varies between services

  9. Efficiency? <-> Centralization?
  First try: managing identities on many systems is expensive, so put all the data in one place. Campus Directory!
  Why isn't this working well? Technical reasons … but mainly Organizational reasons …

  10. Technical pitfalls
  • Directories succeeded as tools for systems and application management, and are tied to them
  • Proprietary architecture and designs
  • Applications with closed requirements
  • Data must be in different formats for different uses

  11. Organizational pitfalls
  • Privacy concerns
  • Security concerns
  • Data ownership concerns
  • Different interpretations of data
  • Inappropriate use
  • Trusting the data of others
  • Silo approach to service management

  12. Strategy: deal with Org Issues!
  • Identify the Organizational opportunities
  • Define an Organizational reference model
  • Create policies and strategies to deal with the organizational pitfalls

  13. The Organizational Trust Model
  • Users and Service providers must trust one another, and trust a central Digital Identity Management System
  • Trust Domain: a collection of parties that trust each other (service providers; users; trust and identity management)
  • Can't trust everyone and everything immediately; it takes time to build a trust domain
  • Overlapping domains create problems
  • The scope of a domain should match organizational boundaries

  14. [Diagram. Labels shown: Security Management; Trust Management; Trust; Vulnerability Management; Identity Management; Identity Systems; Communication; Threat Management.]

  15. Trust <-> Policies
  In an organization, trust is managed by successful implementation of appropriate institutional policies:
  Trust Management Policies
  Identity Management Policies
  • Security
  • Privacy
  • Appropriate Use: who and how
  Involves
  • Persons: faculty, staff, students, temporary, … public
  • Owner and Steward responsibilities

  16. ROLES
  • Organizations are people with roles
  • Roles define org. relationships, and so Identity!
  • Computer applications define roles for users
  • Org. Role: a key element of a Digital Identity
  • Assigning a Role defines Authorization
  • Need to harmonize organizational roles with computer application roles
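  One way the harmonization on this slide looks in code, as an added example (not code from the presentation): organizational roles carried by the digital identity are mapped, per application, to that application's own roles under a default-deny policy, and every decision leaves an accounting record. The application names ("lms", "hr"), the role names, the permission vocabulary and the sample identities are all hypothetical.

```python
from dataclasses import dataclass

# Trust-domain policy: for each application, which organizational roles map to
# which application role. Anything not listed is denied by default.
# Application names, roles and permissions below are hypothetical.
APP_ROLE_POLICY = {
    "lms": {"faculty": "instructor", "student": "learner", "staff": "viewer"},
    "hr":  {"hr-staff": "editor", "staff": "self-service"},
}

# The application's own vocabulary: what each application role may do.
APP_PERMISSIONS = {
    "lms": {"instructor": {"read", "grade", "publish"},
            "learner": {"read", "submit"},
            "viewer": {"read"}},
    "hr":  {"editor": {"read-all", "write-all"},
            "self-service": {"read-own"}},
}


@dataclass
class DigitalIdentity:
    uid: str
    org_roles: set          # organizational roles carried by the identity
    status: str = "active"  # organizational status; anything else gets no access


def app_roles_for(identity, app):
    """Harmonize organizational roles into application roles (may be empty)."""
    if identity.status != "active":
        return set()
    policy = APP_ROLE_POLICY.get(app, {})
    return {policy[r] for r in identity.org_roles if r in policy}


def permissions_for(identity, app):
    """Union of permissions over all application roles the identity holds."""
    perms = set()
    for role in app_roles_for(identity, app):
        perms |= APP_PERMISSIONS.get(app, {}).get(role, set())
    return perms


def authorize(identity, app, action, audit_log):
    """Authorization decision, with an accounting record appended to audit_log."""
    allowed = action in permissions_for(identity, app)
    audit_log.append((identity.uid, app, action, "allow" if allowed else "deny"))
    return allowed


if __name__ == "__main__":
    log = []
    prof = DigitalIdentity("u100", {"faculty", "staff"})
    print(app_roles_for(prof, "lms"), authorize(prof, "lms", "grade", log))
    print(log)
```

  The point a practitioner should take from this is the direction of the mapping: the application never reads organizational roles directly, it only sees the roles the trust-domain policy grants it, so a role that has no entry for an application (a student in "hr", an unknown application, an identity whose status is no longer active) yields no permissions at all.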

  17. Outside the Trust Domain
  • With the Internet, a Trust Domain is not a closed system
  • Persons outside the trust domain need to access campus services: where do those services go? How do we authenticate and authorize those persons?
  • People in our trust domain need to access services at other institutions -> Federated Identity Management

  18. Federated Id. Management
  [Diagram: the UoG Trust Domain (services, users, Authen./Author. servers) and the UW Trust Domain (services, users, Authen./Author. servers) linked by one trust relationship.]
  Authentication/Authorization Servers are critical components of both trust domains
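  An added example of the single trust relationship in the diagram, written for this page rather than taken from the presentation (the slides name no protocol; the assertion format and the shared key are assumptions): the home domain's authentication server issues a signed, short-lived assertion about an authenticated user, and the relying domain's server verifies the signature, the issuer, the intended audience and the validity window before applying its own local authorization rule. The domain labels "uog" and "uw", the user name, the affiliations and the key value are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the one trust relationship between the two
# domains' authentication/authorization servers (hypothetical value).
FEDERATION_KEY = b"constructed-shared-secret-for-uog-uw-federation"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_assertion(key, issuer, audience, subject, affiliations, now, ttl=300):
    """Home domain issues a signed, time-limited assertion about an already
    authenticated user. Only identity and affiliations cross the boundary,
    never the user's credential."""
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "affiliations": sorted(affiliations), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + _b64(tag)


def verify_assertion(key, token, expected_issuer, my_domain, now):
    """Relying domain checks signature, issuer, audience and validity window.
    Returns the payload if the assertion is trusted, otherwise None."""
    try:
        body, tag = token.split(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):   # tampered or wrong key
        return None
    payload = json.loads(_unb64(body))
    if payload.get("iss") != expected_issuer or payload.get("aud") != my_domain:
        return None                                      # not meant for us
    if not (payload["iat"] <= now < payload["exp"]):
        return None                                      # outside validity window
    return payload


def authorize_visitor(key, token, expected_issuer, my_domain, now, required_affiliation):
    """Local authorization of a federated user: trusted assertion plus local policy."""
    payload = verify_assertion(key, token, expected_issuer, my_domain, now)
    return payload is not None and required_affiliation in payload["affiliations"]


if __name__ == "__main__":
    tok = issue_assertion(FEDERATION_KEY, "uog", "uw", "kpercival", {"staff"}, 1_000_000)
    print(verify_assertion(FEDERATION_KEY, tok, "uog", "uw", 1_000_100))
```

  Two checks matter beyond the signature: the audience check stops an assertion issued for one relying domain from being replayed at another, and the window check bounds how long a stolen assertion is useful. Authentication happens once, at home; authorization is still decided locally by the domain that runs the service.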

  19. Implementation Digital Identity Management (ISC)

  20. Ideal Architecture - industry target
  [Diagram]
  • A few Policy Servers ("Central Auth. Server": Authentication, Authorization, Accounting) handle sensitive information
  • Replace/integrate system/application AAA controls
  • One reliable, secured information store (DIRECTORY); all data centrally administered
  • Digital Identity Admin Tools
  • Services have limited access to DI info

  21. Directory reality
  • Directories, directories, directories, …
  • Implementations are intimately linked to systems and applications!
  • Most Directories do not have appropriate administration and policy management tools
  • A Directory is not always the appropriate technology

  22. Authen./Author. Embedded
  • Some applications rely on Operating System control functions
  • Many applications have embedded business rules controlling authentication and authorization
  • Trust Domain Policies must therefore be implemented in many places
  • Need a common vocabulary and explicit policy implementations

  23. A Realistic Architecture
  [Diagram: Systems #1 to #6, each with its own Software and IT Services and, for most, its own Authen./Author./Account functions; backed by DIRECTORY #A, DIRECTORY #B and DIRECTORY #C, and by Digital Identity Admin Tools.]

  24. Centralized vs distributed
  • Collecting all Identity information into one central "longitudinal" record does not work
  • Data exists in several places: a central repository (e.g. campus Directory); shared repositories (e.g. CFS AD); within a single application
  • Use a "virtual" Identity Object Model: central design / distributed data
  • Centrally administer global/essential data
  • Define where other data is stored; provide key link information
  • Copy data to an accessible location, or use referral directory lookups (ask one directory)

  25. [Diagram: Human Resources, Colleague and HS Express each keep their own Dir., referenced by Employee #, Express # and Student #; Data Mngt Applications & Services; Central Digital Identity Management Service with a Master Digital Identity Directory and a Central Authentication/Authorization Service.]

  26. What's in the central DI object?
  • Authentication data: password, digital certificate, fingerprint signature
  • Identity: unique ID, common names
  • Address: office, phone #, FAX, email address, …; hyperlink to personal webpage
  • Affiliations: org units, group memberships, …
  • Organizational Roles: who are you; what are you allowed to do?
  • Keys to D.I. information in other repositories: Employee #, Student #, Library barcode, ExpressCard #, …
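  The "virtual" Identity Object Model of slides 24 to 26, as an added example written for this page (not code from the presentation): the central record holds only essential data plus keys into repositories that other administrations own, attributes outside the central record are reached by referral through those keys, and each service receives only the attributes the release policy allows it to see. The repositories, record contents, key values and service names are constructed.

```python
# Central master directory: essential data plus keys into repositories that
# other administrations own. All records, keys and names are constructed.
CENTRAL_DIRECTORY = {
    "u100": {
        "uid": "u100",
        "cn": "Kent Percival",
        "mail": "kpercival@example.edu",        # hypothetical address
        "affiliations": ["staff", "its"],
        "org_roles": ["it-architect"],
        "keys": {"hr": "E-4471", "library": "LB-9182"},
    },
}

# Repositories managed by their own owners, indexed by their own identifiers.
REPOSITORIES = {
    "hr":      {"E-4471": {"department": "Information Services", "pay_band": "B7"}},
    "library": {"LB-9182": {"barcode": "LB-9182", "loans_outstanding": 2}},
}

# Appropriate-use policy set by the data owners: attributes each service may see.
RELEASE_POLICY = {
    "portal":  {"uid", "cn", "mail", "affiliations", "hr.department"},
    "library": {"uid", "cn", "library.barcode", "library.loans_outstanding"},
    "payroll": {"uid", "hr.department", "hr.pay_band"},
}


class VirtualIdentity:
    """One logical DI object; data stays where it lives and is reached by referral."""

    def __init__(self, uid, central=CENTRAL_DIRECTORY, repos=REPOSITORIES):
        if uid not in central:
            raise KeyError(uid)
        self._central = central[uid]
        self._repos = repos

    def resolve(self, name):
        """'attr' comes from the central record; 'repo.attr' is fetched by
        referral, using the key the central record holds for that repository."""
        if "." not in name:
            return self._central.get(name)
        repo, attr = name.split(".", 1)
        key = self._central["keys"].get(repo)
        if key is None:                  # no relationship with that repository
            return None
        return self._repos.get(repo, {}).get(key, {}).get(attr)

    def view_for(self, service):
        """Only the attributes released to this service; unknown services get nothing."""
        allowed = RELEASE_POLICY.get(service, set())
        return {n: v for n in sorted(allowed) if (v := self.resolve(n)) is not None}


if __name__ == "__main__":
    me = VirtualIdentity("u100")
    print(me.view_for("portal"))
    print(me.view_for("payroll"))
```

  The release policy is where the privacy and appropriate-use concerns from slide 11 become enforceable: the library service never sees a pay band, payroll never sees an email address, and a service with no policy entry sees nothing, even though one object logically represents the person across all repositories.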

  27. Summary 1
  A good D.I. Mgmt design
  • requires an organization-wide model
  • recognizes use outside the trust domain
  • starts with policy to build a trust domain: security, privacy and appropriate use of DI data
  • is administered efficiently, timely and accurately
  • relates Identity to organizational role

  28. Summary 2
  A DI Mgmt system is implemented with
  • multiple distinct Directory Servers
  • authentication and authorization functions implemented on separate AAA servers, instead of being embedded in systems and applications
  • a virtual DI object defining information in multiple datastores
  • a central DI object component which provides general Digital Identity information and provides keys to other DI information in datastores managed by others

  29. First Steps: Develop Org. Trust Model
  • Identify the Organizational opportunities
  • Define an Organizational reference model
  • Create policies and strategies to deal with the organizational pitfalls
