Economic Tussles in Federated Identity Management Tyler Moore joint work with Susan Landau WEIS 2011.

Economic Tussles in Federated Identity Management Tyler Moore joint work with Susan Landau WEIS 2011 June 14 th, 2011

Outline
Federated identity management (FIM)
  – Users authenticate once and access information across multiple domains
  – Use case successes and failures
Identify 4 key economic tussles that may arise when engineering a FIM system
  – Provide empirical analysis of online-authentication adoption to support one tussle
  – Explain use case success/failure in terms of ability to overcome tussles

Federated Identity Management
Two-sided market
  – Identity providers and service providers must attract users
  – Cross-side network effects
Engineered system
  – Platform mediates the relationship between actors
  – Different levels of assurance of identity credentials
  – Rules for handling failures
  – Designed well, systems align the interests of all stakeholders

FIM Use Cases
Successful deployments
  – Shibboleth online sharing of library resources
  – InCommon/NIH research collaboration
  – Sun Microsystems outsourced services
  – Aetna’s medical billing system
Less successful deployments
  – Information sharing across law-enforcement agencies
  – OpenID standard for online authentication

Tussle 1: Who gets to collect transactional data?
FIMs generate a rich trail of user data as a byproduct of transactions
Which stakeholders (if any) are given access to transactional data can explain a system’s success
OpenID benefits IdPs & users, but not SPs
  – IdPs gain user loyalty and data on user activity; users get single sign-on convenience
  – Service providers collect less demographic information and lose user loyalty

Facebook shares more extensive user data than OpenID can offer [slide: Facebook vs. OpenID comparison]

Comparing IdP penetration on top websites

FIM platforms sharing social graph attract more service providers

Implications for user privacy
Government intervention can alter the dynamic of how private information is handled
  – Shibboleth’s library mechanism protects privacy in compliance with US law
  – FTC has leveraged its authority to protect against deceptive trade practices to help shape the privacy agenda
NSTIC has emphasized privacy as a guiding principle for the development of FIMs

Tussle 2: Who sets the rules of authentication?
Identity management platforms offer a huge first-mover advantage
  – Time to market matters more than robustness of authentication
  – Entrenched payment networks may be willing to tolerate higher levels of fraud
Setting the right level of authentication is hard
  – Competitive IdPs want to attract users, and so want to make authentication easy (e.g., OpenID)
  – SPs may desire stronger authentication, and so ask for more stringent requirements that dampen uptake

Tussle 3: What happens when things go wrong?
Two types of failure
  – IdP becomes unavailable, harming user-SP interaction
  – Unauthorized users incorrectly authenticated
Clear allocation of responsibility for failure is key
  – Shibboleth: library serving as IdP clearly responsible
  – Payment cards: merchants and banks fight over who should pay for failure (e.g., PCI compliance rules)
What’s at stake also matters
  – Low: clarity less essential (web auth.)
  – Large but easy to measure: clarity essential (payments)
  – Large and poorly understood: clarity impossible?
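The "Federated Identity Management" slide describes FIM as an engineered system with levels of assurance and rules for handling failures, and Tussle 3 names the two failure types (IdP unavailable; unauthorized user incorrectly authenticated). The toy exchange below makes those mechanics concrete: an IdP issues a signed assertion carrying a level of assurance (LoA), and an SP checks it against its own per-resource policy, returning an explicit reason for every refusal so that responsibility for a failed login can be attributed to a stakeholder. This is an added illustration, not code from the WEIS 2011 paper or from any of the deployments it discusses; the assertion layout, the `loa` field, the resource names, the HMAC-based signature and the shared key are all constructed for the example.

```python
"""Toy federated-login exchange: an identity provider (IdP) issues a signed
assertion, a service provider (SP) verifies it against its own policy.
Added illustration; not code from the WEIS 2011 paper. The assertion format,
the 'loa' (level of assurance) field, the resource names and the signing key
are all constructed for this example."""
import hashlib
import hmac
import json

# Shared secret the SP has provisioned for this IdP (constructed value; a real
# federation would use the IdP's public signing key from federation metadata).
IDP_KEYS = {"idp.example": b"constructed-demo-key"}


def idp_issue(idp, subject, loa, now, ttl=300, key=None):
    """IdP side: produce an assertion bound to one subject, one LoA and a lifetime,
    authenticated with an HMAC over the canonical JSON payload."""
    key = key or IDP_KEYS[idp]
    body = {"iss": idp, "sub": subject, "loa": loa, "iat": now, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


# SP policy: which IdPs are trusted and what LoA each resource requires
# (constructed: a low-stakes catalogue and a high-stakes billing resource).
SP_POLICY = {
    "trusted_idps": set(IDP_KEYS),
    "required_loa": {"catalogue": 1, "billing": 3},
}


def sp_verify(assertion, resource, now, policy=SP_POLICY):
    """SP side: return (allowed, reason). Every refusal is explicit so the failure
    can be attributed: 'bad signature' points at forgery or tampering in transit,
    'loa ... below required' points at an IdP whose assurance level is too weak
    for this resource, 'expired' at a stale assertion being replayed."""
    try:
        body = json.loads(assertion["payload"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed assertion"
    idp = body.get("iss")
    if idp not in policy["trusted_idps"]:
        return False, "untrusted idp"
    expected = hmac.new(IDP_KEYS[idp], assertion["payload"], hashlib.sha256).hexdigest()
    # Constant-time comparison; the signature covers the whole payload, so any
    # edit to the LoA or subject after issuance invalidates it.
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False, "bad signature"
    if now >= body["exp"]:
        return False, "expired"
    needed = policy["required_loa"].get(resource)
    if needed is None:
        return False, "unknown resource"
    if body["loa"] < needed:
        return False, f"loa {body['loa']} below required {needed}"
    return True, body["sub"]


def login(idp_available, assertion, resource, now):
    """Failure type 1 from the slides: the IdP is unavailable. The SP fails closed
    rather than guessing, and the reason names the party whose outage caused it."""
    if not idp_available:
        return False, "idp unavailable"
    return sp_verify(assertion, resource, now)


if __name__ == "__main__":
    t = 1_000_000  # constructed clock value
    a = idp_issue("idp.example", "alice", 1, t)
    print(sp_verify(a, "catalogue", t))   # (True, 'alice')
    print(sp_verify(a, "billing", t))     # (False, 'loa 1 below required 3')
    print(login(False, a, "catalogue", t))  # (False, 'idp unavailable')
```

The interesting design point for Tussle 3 is that the SP decides what each resource requires, while the IdP decides how strongly it authenticated the user; the assertion carries the IdP's claim and the SP's policy table carries the SP's demand, so a mismatch surfaces as a named reason rather than a silent acceptance.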

Tussle 4: Who gains and who loses from interoperability?
Key benefit of FIMs is that users authenticated by one IdP can be served by many SPs
Yet the benefit (or risk) of improved interoperability may vary by stakeholder
Global Federated Identity and Privilege Management (GFIPM) is designed to facilitate sharing among state and local law enforcement
  – Information sharing is an easy sell to IdPs: better access to intelligence
  – Yet sharing sensitive information with outsiders is a clear threat to SPs

Tussle Recap

Insights & concluding remarks
All stakeholders must gain from FIM for it to succeed
Policy makers must ensure the interests of users are protected, especially wrt privacy
Unresolved liability is but one way to fail
Tackling the tussles simultaneously is essential
For more: