Identity Federation in Healthcare Networks Xiaohui Chen Department of Computer Science University of Virginia.


Department of Computer Science, University of Virginia
Slide 2: Agenda
 Introduction
 Current Efforts
 System Design
 System Implementation
 Demo
 Conclusions and future work

Slide 3: Introduction
 What is identity? The distinguishing characteristic or personality of an individual.
 Why is identity important? All the important things you do require your identity.
 Why has identity become a problem?
   Enterprise side
   Personal side

Slide 4: Introduction
 Our proposed solution: "Identity Federation"
   "The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains"

Slide 5: System architecture (diagram)
 Components: Medical Data Portal; Authentication Web Service (Security Token Service); Data Authorization Web Service (Authorization Engine) driven by Authorization Rules; Data Repository and Web Service; Ancillary Services (Pharmacy, Insurance, Billing, Clinics); Trust Establishment and Federation
 Authentication devices: Fingerprint Scanner, Signature, e-Token, RFID
 Message flow: initial login; request authentication token; return generated token; store cookie; data request + authentication token; authorization request; authorization decision
 Example authorization rule: IsAttending == true, TrustLevel >= Fingerprint
 Built on WSE 2.0 with WS-Policy

Slide 6: Current Efforts
 OASIS and SAML
 Microsoft, IBM and WS-Roadmap
 Liberty Alliance
 .NET Passport
 Shibboleth

Slide 7: System Design
 Identity federation by inter-domain identity mapping, through anonymous token/attribute exchange via a Token Exchange Service
 Why choose this design?

Slide 8: System Design
 Key ideas:
   Identity establishment/management with strong authentication
   Trust establishment between domains
   Universal identity with inter-domain identity mapping and attribute mapping
   Inter-domain security information exchange via Token Exchange Server
   Privacy protection: pseudonyms, attribute exchange
   Request forwarding for web single sign-on

Slide 9: System Design
 Strong authentication
   Biometric
   Non-biometric
   Two factors
 Trust levels
   Numerical
   Comparable (so the level earned by one domain's login method can be checked against another domain's requirement)
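As an added illustration (not code from the presentation, nor from the WSE 2.0 system it describes), the following Python sketches the token flow drawn on the architecture slide: a Security Token Service issues a signed token carrying the attributes the deck lists (trust level, role) after a login, and an authorization engine verifies the token and evaluates a rule of the form shown there, IsAttending == true and TrustLevel >= Fingerprint. The numeric ordering of the authentication methods, the "+1 for two factors" rule, the HMAC signature standing in for WS-Security, and the domain, user and key names are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed numeric trust levels for the authentication methods named on the
# architecture slide; higher means stronger. The deck says only that levels
# are numerical and comparable, so this table is an illustration.
TRUST_LEVELS = {"password": 1, "rfid": 2, "e-token": 3, "signature": 3, "fingerprint": 4}


def trust_level(methods):
    """Level for one login: the strongest factor, +1 when two distinct factors were used (assumption)."""
    if not methods:
        raise ValueError("no authentication method")
    level = max(TRUST_LEVELS[m] for m in methods)
    return level + 1 if len(set(methods)) >= 2 else level


def b64encode_url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def b64decode_url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class SecurityTokenService:
    """Issues an HMAC-signed attribute token after authentication (toy stand-in
    for the WS-Security tokens the deck's WSE 2.0 STS produces)."""

    def __init__(self, domain: str, key: bytes):
        self.domain, self.key = domain, key

    def issue(self, subject, methods, attributes, now=None, ttl=300):
        now = int(time.time()) if now is None else now
        claims = dict(attributes)
        # The STS, not the client, decides these: any self-asserted value is overwritten.
        claims.update({"iss": self.domain, "sub": subject, "iat": now, "exp": now + ttl,
                       "auth_methods": sorted(methods), "trust_level": trust_level(methods)})
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return b64encode_url(body) + "." + b64encode_url(sig)


class AuthorizationEngine:
    """Verifies a token, then evaluates rules like those on the architecture slide."""

    def __init__(self, key: bytes, rules):
        self.key, self.rules = key, rules   # rules: list of (attribute, operator, expected)

    def verify(self, token, now=None):
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = b64decode_url(body_b64), b64decode_url(sig_b64)
        except ValueError:
            return None, "malformed token"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            return None, "bad signature"
        claims = json.loads(body)
        if claims["exp"] <= now:
            return None, "token expired"
        return claims, "ok"

    def decide(self, token, now=None):
        claims, status = self.verify(token, now)
        if claims is None:
            return False, status
        for attr, op, expected in self.rules:
            actual = claims.get(attr)
            # A trust-level rule may name a method ("fingerprint") instead of a number.
            if attr == "trust_level" and isinstance(expected, str):
                expected = TRUST_LEVELS[expected]
            if op == "==":
                ok = actual == expected
            elif op == ">=":
                ok = actual is not None and actual >= expected
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False, f"rule failed: {attr} {op} {expected!r} (actual {actual!r})"
        return True, "permit"


if __name__ == "__main__":
    key = b"shared-hospital-key"   # constructed sample key
    sts = SecurityTokenService("hospital", key)
    engine = AuthorizationEngine(key, [("IsAttending", "==", True), ("trust_level", ">=", "fingerprint")])
    for methods in (["fingerprint"], ["password", "rfid"]):
        token = sts.issue("dr_lee", methods, {"role": "physician", "IsAttending": True})
        print(methods, "->", engine.decide(token))
```

The engine is deliberately fail-closed: a malformed, forged or expired token is rejected before any rule is read, and because the STS overwrites `trust_level` from the methods it actually verified, a client cannot promote itself by putting a high level into the attributes it submits.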

Slide 10: System Design
 Identity mapping
   One-to-one
   Many-to-one
   One-to-many
   Pseudonym

Slide 11: System Design
 Attribute mapping
   Any security information can establish meaningful mappings between domains alongside a user's identity, e.g. trust level mapping, role mapping, privilege mapping
   Standard attribute names

Slide 12: System Design
 Trust relation setup
   Defined by policy files
   Administered by an authority
   With whom to federate identity?
   How to federate identity?

Slide 13: System Design
 Inter-domain security information exchange
   Heterogeneous systems have different security information formats
   Attribute exchange via a standard web service interface
   Standard token formats and protocols: SAML, WS-Trust
 Single Sign-On

Slide 14: System Design
 Security Token Service
 Token Exchange Service
 Trust Authority

Slide 15: System Design

Slide 16: System Design
 Security Token Service
   WSE 2.0 based
   Attribute extension
     Trust level
     Location
     Time
     Role
   Identity federation extension
     Inter-domain request control
     Endpoint for inter-domain security information exchange with web service
     Identity and attribute mapping

Slide 17: System Design
 Token Exchange Service
   Facilitates inter-domain security information exchange with request forwarding
   Automatic directory lookup
   Trust broker
   Defines standard attribute names
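The following Python is an added example, not the presentation's own code, that ties together slides 10, 11, 12 and 17: a Token Exchange Service that looks up target domains in a directory published by trust authorities, applies an administrator-defined trust relation (with whom to federate, how identities map, which attributes may cross), performs the four identity-mapping styles named on slide 10 (one-to-one, many-to-one, one-to-many, pseudonym), renames local attributes to standard names with value mapping (e.g. a hospital role to a pharmacy role), and returns the target endpoint for request forwarding. The HMAC-based pairwise pseudonym, the standard attribute names, and the domain names, endpoints and users in `demo_federation()` are assumptions constructed for this example; the deck does not specify them.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class DomainInfo:
    """What a Trust Authority publishes about one domain (slide 18)."""
    name: str
    endpoint: str
    attributes_provided: dict   # local attribute name -> standard attribute name
    services_provided: set


@dataclass
class TrustRelation:
    """Administrator-defined policy for one federation link (slide 12): with whom
    to federate, how identities map, and which attributes may be released."""
    source: str
    target: str
    mapping: str                                       # one-to-one | many-to-one | one-to-many | pseudonym
    identity_map: dict = field(default_factory=dict)   # source subject -> target id (list for one-to-many)
    released: set = field(default_factory=set)         # standard attribute names allowed to cross
    value_maps: dict = field(default_factory=dict)     # standard attribute -> {source value: target value}


class TokenExchangeService:
    """Trust broker between domains: directory lookup, identity mapping, attribute
    mapping and request forwarding. The HMAC pseudonym scheme is an assumption."""

    def __init__(self, pseudonym_key: bytes):
        self.key = pseudonym_key
        self.directory = {}   # domain name -> DomainInfo (as published by trust authorities)
        self.relations = {}   # (source, target) -> TrustRelation

    def register(self, info: DomainInfo):
        self.directory[info.name] = info

    def federate(self, rel: TrustRelation):
        self.relations[(rel.source, rel.target)] = rel

    def pseudonym(self, source, subject, target):
        # Pairwise pseudonym: stable for one (subject, target) pair, but the same
        # subject receives unlinkable pseudonyms at different targets.
        msg = f"{source}|{subject}|{target}".encode()
        return "pn-" + hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def map_identity(self, rel, subject):
        if rel.mapping == "pseudonym":
            return self.pseudonym(rel.source, subject, rel.target)
        if subject not in rel.identity_map:
            raise PermissionError(f"{subject} has no mapped identity in {rel.target}")
        return rel.identity_map[subject]   # one id (one-to-one, many-to-one) or a list (one-to-many)

    def map_attributes(self, rel, local_attrs):
        to_standard = self.directory[rel.source].attributes_provided
        out = {}
        for local_name, value in local_attrs.items():
            std = to_standard.get(local_name)
            if std is None or std not in rel.released:
                continue   # unknown or unreleased attributes never leave the source domain
            out[std] = rel.value_maps.get(std, {}).get(value, value)
        return out

    def exchange(self, source, target, local_token):
        """Turn a source-domain token into one the target domain understands."""
        rel = self.relations.get((source, target))
        if rel is None:
            raise PermissionError(f"no trust relation {source} -> {target}")
        for domain in (source, target):
            if domain not in self.directory:
                raise LookupError(f"{domain} is not published by any trust authority")
        return {"from": source, "to": target,
                "forward_to": self.directory[target].endpoint,
                "subject": self.map_identity(rel, local_token["subject"]),
                "attributes": self.map_attributes(rel, local_token["attributes"])}


def demo_federation():
    """Constructed sample: the deck's three domains plus a clinic; all names are hypothetical."""
    tes = TokenExchangeService(b"tes-pseudonym-key")
    tes.register(DomainInfo("hospital", "https://hospital.example/sts",
                            {"staff_role": "role", "auth_level": "trust_level", "ssn": "national_id"},
                            {"records", "prescriptions"}))
    tes.register(DomainInfo("pharmacy", "https://pharmacy.example/sts", {"position": "role"}, {"prescriptions"}))
    tes.register(DomainInfo("msn", "https://msn.example/sso", {}, {"news"}))
    tes.register(DomainInfo("clinic", "https://clinic.example/sts", {"title": "role"}, {"records"}))
    tes.federate(TrustRelation("hospital", "pharmacy", "one-to-one",
                               {"dr_lee": "lee.prescriber"}, {"role", "trust_level"},
                               {"role": {"attending": "prescriber"}}))
    tes.federate(TrustRelation("hospital", "clinic", "one-to-many",
                               {"dr_lee": ["lee@north", "lee@south"]}, {"role"}))
    tes.federate(TrustRelation("hospital", "msn", "pseudonym", released={"trust_level"}))
    token = {"subject": "dr_lee",
             "attributes": {"staff_role": "attending", "auth_level": 4, "ssn": "000-00-0000"}}
    return tes, token


if __name__ == "__main__":
    tes, token = demo_federation()
    for target in ("pharmacy", "clinic", "msn"):
        print(target, "->", tes.exchange("hospital", target, token))
```

Two properties worth noting: the pharmacy never sees the hospital's local attribute names or the unreleased `ssn`, so each domain's internal security model stays hidden behind the exchange (the point of slide 25's second conclusion), and the news portal receives only a pseudonym plus a trust level, which is enough for web single sign-on without letting it correlate the user with accounts at other partners.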

Slide 18: System Design
 Trust Authority
   Manages inter-domain trust relationships
   Publishes domain information
   Defines attributes provided
   Defines services provided

Slide 19: System Design

Slide 20: System Implementation
 Three trust domains
   Medical portal (hospital)
   Pharmacy portal (pharmacy)
   News portal (MSN)
 Related services
   Security Token Service
   Trust Authority
   Token Exchange Service

Slide 21: System Implementation
 Medical Portal
   Authentication and authorization
   Medical data management
   Doctor/patient portal service
   Electronic prescription management/submission via active federation
   Event alert system

Slide 22: System Implementation
 Pharmacy Portal
   Structurally the same as the hospital portal
   Electronic prescription management
   Automatically sends/receives prescription information to/from the hospital via active federation

Slide 23: System Implementation
 Mock MSN Portal
   Represents a third-party news portal
   Federates identity with the hospital portal
   Web Single Sign-On

Slide 24: Demo
 Trust level
 Alerts with active federation
 Federation between MSN and hospital

Slide 25: Conclusion
 Identity federation with user identity mapping between domains is flexible, maintainable and powerful
 A Token Exchange Service with web-service security information exchange successfully hides each local security system's implementation
 A trust authority that publishes domain information is a practical way to administer trust relationships
 Levels of authentication provide one way to evaluate identity trustworthiness across domains
 Identity federation with Single Sign-On successfully alleviates the identity crisis

Slide 26: Future Work
 Fully automatic trust negotiation and establishment
 More powerful attribute exchange/evaluation algorithms to protect user privacy
 Become SAML compliant
 Standards other than Microsoft and IBM's WS-* specifications
 Integration with other federation approaches

Slide 27: Publications
 Xiaohui Chen and Alfred C. Weaver, "Identity Federation in Federated Trust Healthcare Network", submitted to XXXX.
 Alfred C. Weaver, Samuel J. Dwyer III, Andrew M. Snyder, James Van Dyke, James Hu, Xiaohui Chen, Timothy Mulholland, Andrew Marshall, "Federated, Secure Trust Networks for Distributed Healthcare IT Services", IEEE International Conference on Industrial Informatics, Banff, Alberta, Canada, August 2003.
 Junzhe Hu and Alfred C. Weaver, "A Dynamic, Context-Aware Security Infrastructure for Distributed Healthcare Applications", Workshop on Pervasive Security, Privacy, and Trust (PSPT2004), Boston, MA, August 2004.
 Alfred C. Weaver, "Enforcing Distributed Data Security via Web Services", Workshop on Factory Communications (WFCS2004), Vienna, Austria, September 21-24, 2004.