
Dragoljub Nesic

Does Identity Management really have to be difficult? Dragoljub Nesic. 08/12/2013. What will we talk about today? A brief introduction to me. A quick look at the recent history of shared authentication in the UK. A glance at the pressure points from the world around us now.


Presentation Transcript


  1. Does Identity Management really have to be difficult? Dragoljub Nesic, 08/12/2013

  2. What will we talk about today?
  • A brief introduction to me
  • A quick look at the recent history of shared authentication in the UK
  • A glance at the pressure points from the world around us now
  • An overview of the PSIIF
  • An example scenario walkthrough
  • What can you do?

  3. Lord of the tokens
  • EAS
    • Sponsored at the time by DCSF (ContactPoint); aimed to establish a trust framework for registration and an authentication infrastructure based on 2FA
    • It also provided a shared IdP for LAs that did not want to establish their own
    • A 2FA device in the hands of all public sector employees accessing central applications
  • What did the local authorities really want?
    • Cost-efficient CoCo compliance
  • Freja – “One token to rule them all”

  4. Real life
  • World-wide financial crisis, 2008 onwards
  • Government change, 2009
  • ContactPoint was discontinued
  • Concerns about Government Gateway performance in conjunction with LAs
  • A failure, or?

  5. Positive legacy
  • ContactPoint was discontinued; EAS uptake was low. But…
  • Wider public sector agreement on a trust framework
    • Especially registration of users and reuse of credentials
    • Governance and assurance approach for distributed user registration
    • Flexible IdP implementation model
  • Body of best practice for LA registration
    • Newham & Salford
  • Regional hub projects kick off
  • Principles of collaboration: DWP/HMRC/E&H/Police working together

  6. Today’s challenges
  • Remote workforce
    • PSN compliance is getting tougher and tougher
    • More workers are working remotely for a greater portion of their time
    • CO2 footprint reduction
    • Escalating costs, or a not-so-secure solution
    • What if one could locally issue strong 2FA for remote workers with a potentially zero-cost authentication device?
  • Cloud services are exploding
    • Most come with their own, password-based, identity systems
    • Often complicated directory integration
    • What if one could reuse locally issued, strong 2FA for authenticating users to such systems, i.e. cloud-based services with ground-based authentication?

  7. Today’s challenges, cont’d
  • Need to collaborate with neighbours
    • Shared services amongst boroughs are a real need
    • But who authenticates an individual?
    • Directory federation is difficult to set up and manage
    • What if one could reuse locally issued, strong 2FA across partnerships?
  • Increase internal efficiency
    • Bringing new applications online is expensive
    • What if one could reuse locally issued, strong 2FA for plug-and-play integration of new applications?
  • Still need to access central government services
    • The applications may have changed; the basic need still remains
    • What if one could reuse locally issued, strong 2FA for accessing applications hosted by or on behalf of central government?

  8. PSIIF – a 180° turn
  • Not a “top-down” approach
  • PSIIF: a standards-based infrastructure on top of the PSN, defining the exchanges between
    • IdPs
    • Hubs
    • Service Providers
  • Allows reuse of (conformant) credentials for accessing “external” services, including G-Cloud, central government, or services hosted by regional partners on the PSN

  9. Information highway needs vehicles
  • An infrastructure is only good if it is put to use
  • Imagine if you could decide whom you want to collaborate with, and how:
    • Your employees access G-Cloud services while retaining the identity issued by you
    • Employees of regional partners access your systems without you issuing a separate authenticator to their employees
    • Your employees access central government services
    • Request attributes from, or release attributes to, parties you select

  10. G-Cloud service example
  Actors in the diagram: G-Cloud Service (SP), Freja IdP, Freja SSP, Freja User, Registration & Provisioning
  • Where are you from? (SP: IdP discovery)
  • Please authenticate this user (SP → IdP)
  • Do I recognize the service? (IdP)
  • Convince me who you are (IdP → user, 2FA)
  • What do I know about you? (IdP, from registration & provisioning)
  • How much information should I/can I release to the service? (IdP attribute-release policy)
  • Sign an assertion (IdP → SP)
  • Do I trust the assertion issuer? (SP)
  • OK, what can this user do here? (SP: local authorisation)

  11. SSO to a second cloud service
  Actors in the diagram: Cloud Service 2 (SP), Freja IdP, Freja SSP, Freja User
  • Click on the link to service 2 (user)
  • Please authenticate this user (SP → IdP)
  • Do I recognize the service? (IdP)
  • Do I have a valid session? (IdP: if so, no second 2FA challenge)
  • How much information should I/can I release to this service? (IdP attribute-release policy)
  • Sign an assertion (IdP → SP)
  • Do I trust the assertion issuer? (SP)
  • OK, what can this user do here? (SP: local authorisation)
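The two walkthroughs above (slides 10 and 11) are the same SAML-style exchange seen from both sides: the SP asks "who is this user?", the IdP checks it recognises the SP, checks for a valid session, releases only the attributes its policy allows, and signs an assertion that the SP then validates before deciding what the user may do. The following is an added example written for this page, not code from the presentation or from Freja/PSIIF; it stands in HMAC over canonical JSON for XML-DSig, and every entity ID, key, user and attribute is constructed for illustration.

```python
"""Added example: a minimal SP/IdP assertion exchange with the checks from slides 10 and 11.
Assumptions: JSON + HMAC (shared key per IdP/SP pair) stands in for SAML XML-DSig with
X.509 metadata; all names below are constructed for this example."""
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_TTL = 300  # seconds an assertion stays valid after issue


def _sign(key, payload):
    """HMAC over a canonical JSON encoding (stand-in for XML-DSig in real SAML)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class IdentityProvider:
    """IdP side: recognises SPs, holds sessions, releases attributes, signs assertions."""

    def __init__(self, entity_id, sp_registry, users):
        self.entity_id = entity_id
        self.sp_registry = sp_registry  # sp_id -> {"key": bytes, "attributes": [names it may receive]}
        self.users = users              # uid -> attributes known from registration & provisioning
        self.sessions = {}              # session_id -> (uid, expiry)

    def authenticate(self, uid, second_factor_ok):
        """Local 2FA login ("convince me who you are"); returns a session id for later SSO."""
        if uid not in self.users or not second_factor_ok:
            raise PermissionError("authentication failed")
        sid = secrets.token_hex(16)
        self.sessions[sid] = (uid, time.time() + 8 * 3600)
        return sid

    def handle_request(self, request, session_id):
        sp = self.sp_registry.get(request["issuer"])
        if sp is None:  # "Do I recognise the service?"
            raise PermissionError("unknown service provider: " + request["issuer"])
        uid, expiry = self.sessions.get(session_id, (None, 0))
        if uid is None or expiry < time.time():  # "Do I have a valid session?"
            raise PermissionError("no valid session; re-authenticate")
        # "How much information can I release?": only what the policy for this SP allows
        released = {k: v for k, v in self.users[uid].items() if k in sp["attributes"]}
        assertion = {
            "issuer": self.entity_id,
            "audience": request["issuer"],
            "in_response_to": request["id"],
            "subject": uid,
            "attributes": released,
            "not_on_or_after": time.time() + ASSERTION_TTL,
        }
        return {"assertion": assertion, "signature": _sign(sp["key"], assertion)}


class ServiceProvider:
    """SP side: issues authentication requests and validates the assertion that comes back."""

    def __init__(self, entity_id, trusted_idps, role_map):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps  # issuer -> shared key ("do I trust the assertion issuer?")
        self.role_map = role_map          # released role -> local permissions
        self.pending = set()              # request ids awaiting a response

    def make_request(self):
        req = {"id": secrets.token_hex(8), "issuer": self.entity_id}
        self.pending.add(req["id"])
        return req

    def consume(self, response, now=None):
        now = now or time.time()
        a = response["assertion"]
        key = self.trusted_idps.get(a["issuer"])
        if key is None:
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(_sign(key, a), response["signature"]):
            raise PermissionError("bad signature")
        if a["audience"] != self.entity_id:
            raise PermissionError("assertion not addressed to this service")
        if a["in_response_to"] not in self.pending:
            raise PermissionError("unsolicited or replayed assertion")
        if now >= a["not_on_or_after"]:
            raise PermissionError("assertion expired")
        self.pending.discard(a["in_response_to"])  # one-time use
        # "OK, what can this user do here?": local authorisation from the released attributes
        perms = self.role_map.get(a["attributes"].get("role"), ["read"])
        return {"subject": a["subject"], "permissions": perms}


def build_demo():
    """Constructed trust fabric: one council IdP, two cloud services, one user (all hypothetical)."""
    k_gcloud, k_cloud2 = b"shared-key-gcloud", b"shared-key-cloud2"
    idp = IdentityProvider(
        "https://idp.council.example",
        {"https://gcloud.example": {"key": k_gcloud, "attributes": ["uid", "role"]},
         "https://cloud2.example": {"key": k_cloud2, "attributes": ["uid"]}},
        {"dnesic": {"uid": "dnesic", "role": "social-worker", "nino": "QQ123456C"}},
    )
    gcloud = ServiceProvider("https://gcloud.example", {idp.entity_id: k_gcloud},
                             {"social-worker": ["read", "write"]})
    cloud2 = ServiceProvider("https://cloud2.example", {idp.entity_id: k_cloud2}, {})
    return idp, gcloud, cloud2


if __name__ == "__main__":
    idp, gcloud, cloud2 = build_demo()
    sid = idp.authenticate("dnesic", second_factor_ok=True)   # slide 10: one 2FA login
    print(gcloud.consume(idp.handle_request(gcloud.make_request(), sid)))
    print(cloud2.consume(idp.handle_request(cloud2.make_request(), sid)))  # slide 11: SSO, no re-auth
```

The second service never sees the user's role or national insurance number because its registry entry only permits `uid`; the SP, for its part, rejects an assertion whose issuer it does not trust, whose signature fails, which is addressed to another service, which answers no outstanding request, or which has expired. In a real PSIIF/SAML 2 deployment the shared keys would be replaced by the IdP's signing certificate published in federation metadata.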

  12. What can you do?
  • You get to choose whether you want to act as SP, IdP, AP or any combination thereof; there is no mandate
  • A lot of software you already own supports SAML 2 integration, so you can act as an SP straight away
  • A lot of G-Cloud services already support SAML 2 (or are rapidly being adapted to do so)
  • IdP functionality can be plugged into your existing authentication infrastructure with practically no disruption

  13. Why would you?
  • Standards-based, loosely coupled architecture; no vendor lock-in
  • Potential for better services, to larger audiences
  • An identity need not be established time and time again
  • Better control of identity, better control of data access, better control of information release (please search for TheEllenShow, “Out of your password minder” on YouTube)
  • Easier to audit
