380 likes | 481 Views
Identity Management: a Key e-Business Enabler. Marco Casassa Mont Pete Bramhall Mickey Gittler Joe Pato Owen Rees. Trust, Security and Privacy Hewlett-Packard Laboratories Bristol, UK. SSGRR 2002s . Outline. Background: Identity & Identity Management
E N D
Identity Management: a Key e-Business Enabler Marco Casassa Mont Pete Bramhall Mickey Gittler Joe Pato Owen Rees Trust, Security and Privacy Hewlett-Packard Laboratories Bristol, UK SSGRR 2002s
Outline • Background: Identity & Identity Management • Current and Future Trends • Important Issues • Our Research on Identity Management • Conclusions
Identity Identity = Identifier Information & Profiles Digital Identity: effort to Recreate, Organise, Automate and Integrate these Aspects in the Electronic World
Identity Management • Goals: • Assess, Certify an Manage Digital Identities & Profiles • Provide Mechanisms for Authentication • Provide Mechanisms for Authorization • Underpin Accountability in Transactions • Provide Customised Services to People • …
Identity Management • Relevance in Multiple Contexts: • Personal • Social • E-Commerce • Enterprise, B2B • Government • …
Heterogeneous Environment B2C E-Commerce 1 E-Commerce 2 Home P2P C2G B2B Home Office Driving Licence Service Tax Health B2G Enterprise 2 Enterprise 1 Government Services
Identity Management Current Trends • Consumer and E-Commerce Space • Enterprise and B2B Space • Government Space
Current Trends Consumer and E-Commerce Space
Liberty Alliance Project SSO User Internet SSO Modules Browser E-Commerce Sites Authentication Identity Providers SSO Modules SSO Modules Exchange of Identity and Profile Information Trust Domain 1 Trust Domain 2 Trusted Third Parties, Trust Services, ...
Current Trends Enterprise and B2B Space
Current Trends Government Space - Privacy Concerns … - Possible Threats to Freedom …
Identity Management Future Trends
People’s Perspective: Views of Identity “The Aggregated me” Credit Rating Government view “Me me” Foo.com view of me Enterprise view of me
Identity Management: Our Reference Model
Identity Management Model Identity Tracing Identity Mapping Added-Value Tools and Solutions … Trust Domains Identity & Profile Certification Dynamic Information Update Longevity Management … Identity Management Lifecycle Privacy and Data Protection Policies Context Trust Services Federated Single-Sign-On Selective Disclosure Policy-driven Authorization … Identity Management Infrastructure Reliable Storage
Identity Management: Our Past Research PASTELS project: - Trust Management for Identities and Profiles in Dynamic B2B Environments - Flexible and Dynamic Authorization at the Service Level
Operation Operation Operation Operation Operation Operation Operation Dynamic B2B Environment Enterprise 1 Service Provider K Enterprise Web Service1 Enterprise 2 B-2-B Web Service2 Portal User x Web Service3 Internet Enterprise 3 Not Trusted Enterprise Z Trusted
PASTELS Objectives • Understand PKI, Extendibility and its Usability at the • Business Level • Explore a Framework that makes use of Digital Credentials • as Mechanism to represent Identities and Profiles: • - End to End Credential Exchange • - Solutions for Client and Server Side • Trust Management and Monitoring • Integration of Digital Credentials with Authorization • at the Application and Service level
PASTELS: Focus Areas Enterprise 2 Service Provider Enterprise 1 User Client Identity Certificate Server Identity Certificate Credential Management Credential Validation Portal Server Attribute Credentials Credential Usage Monitoring Services Browser Plug-in Client Attribute Credentials Authorization B2B Publishing Mechanism for Semantic of Credential Common Trusted Third Parties
PASTELS Architecture AA CA OCSP/CVSP Remote Enterprise Web Server Services P O R T A L Function Remote User’s Browser Function SSL Credential Issuer/Pusher Credentials Push and Pull Plug In Login Service Credential Content Mgmt Credential Validation Abstractor Credentials Session Manager Internet Policy Evaluation Request Policy Evaluation Request Authorization Request User Context Manager User Context Enterprise Credential Validation and Management Policies Object Pool Manager (Cache) Authorization Server Credentials Usage Monitoring Service Users’ profiles Users’ Roles Users’ Identity Credentials Users’ Attribute Credential Users’ Anonymous Credential - Service Model - Authorization Policies Repository
PASTELS Lessons Learnt • Systems driven by Polices (at the Business, Trust and • Security levels) introduce Flexibility in coping with • Dynamic Enterprise Requirement. • Complexity of PKI in term of Trust Management: • CAs Hierarchies do not Scale and Introduce • Complexity during Credential Verification • Need to Simplify PKI at the User site: • Dealing with multiple Digital Credentials is Not Trivial • Dynamic Data is a Problem for Digital Credentials. • Overhead in Lifecycle Management and Communication.
Identity Management: Our Current Research Areas • Work In Progress: • Active Digital Credentials • Accountable Management of Identities • Identity Management in Dynamic Mobile • Environment
1. Active Digital Credentials • Problems • Cope with Dynamic Identity and Profile Information • (financial, trust, rating, etc.) • Provision of Up-to-Date Certified Information • Complexity of Current Lifecycle Management • when dealing with Dynamic Information
Active Digital Credentials Local Processing Attributes Bank Enterprise Government
Active Digital Credentials Scenario 1
Active Digital Credentials Scenario 2
2. Accountable Management of Identities • Problems • “Who Knows What about Me”? • How to Trace Disclosures of my Identities/Profiles? • How to Enforce Privacy when Disclosing • Personal/Business Identities and Profiles? • How to Prevent Abuses? • Context • Federated Identity Management (Liberty Alliance) • Dynamic B2B environment • Personal or Group Interactions with PDAs
Accountable Management of Identities Transaction / Interaction User Identity Provider/Enterprise Negotiation of Privacy Policy 2 Identity/ Profile Disclosure 1 Policies Plug-in Tracing Identity Providers/ Enterprises Provision of Identity & Profile Data Notification/ Authorization Logging & Audit 3 Notifications/ Requests of Authorization Tracing, Fraud Detection, Forensic Analysis
3. Identity Management in Dynamic Mobile Environment • Problems • People are Sociable but also Paranoid … • Protection of Identity and Profile Information • contained in Mobile Devices and PDAs • Selective Disclosure of Information • Trust Measurement and Management • Context • Ad-hoc Group Interactions • Usage of Personal Appliances (PDAs, Mobiles, …)
Personal Identity Assistant Work Home Pub
Virtual Private Identity Networks • Personal Identity Assistant • Discover/Hide from other People • Selective Disclosure of Identity Information • Secure PDA • Tracing and Auditing Mechanisms Mall School Work Environment … Dynamic Groups of Interest
Important Aspects • Importance of Security for Identity Management: at the • System, Application, Service and Communication levels • Need for Survivable Data Storages to Store Sensitive Identity • and Profile Data and related Logging/Auditing Information • Enforcement of Accountability: non-Repudiable Event Logging • and Auditing Mechanisms • Research Challenges in Open and Dynamic Contexts, involving • Dynamic Relationships and Interactions between People and • Organisations.
Conclusions • Identity Management is about the Electronic Management • of Digital Identities and Profiles. • Added Value: Underpins Accountability. It enables Interactions • and Transactions in the Personal, Social, E-Commerce Business and • Government Context. • Simplification of Identity Management is Important • for Ubiquitous Computing. • Dilemmas: on one hand Identity Management helps to • Bridge Digital and Physical Worlds. On the Other • Hand it could be a Threat to Privacy and Freedom • It is not only a Technological Play. Legislation is Needed • to Mitigate Risks