Identity & Access Management DCS 861 Team2 Kirk M. Anne Carolyn Sher-Decaustis Kevin Kidder Joe Massi John Stewart
The Problem How do you establish a digital ID? How do you “guarantee” somebody’s ID? How do you prevent unauthorized access? How do you protect confidential ID data? How do you “share” identities? How do you avoid “mistakes”?
What is IdM/IAM? The Burton Group defines identity management as follows: – “Identity management is the set of business processes, and a supporting infrastructure for the creation, maintenance, and use of digital identities.”
Internet2 HighEd IdM model
A more “complete” definition An integrated system of business processes, policies and technologies that enables organizations to facilitate and control user access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users. TI-Glossary.html
Identity Management Policy Technology/Infrastructu re Business Processes Enables Defines Uses Confidential Information
Why is IdM/IAM important? Social networking Customer/Employee Management Information Security (Data Breach laws) Privacy/Compliance issues Business Productivity Crime prevention
Components of IdM/IAM Directory Services Identity Life-Cycle Management Access Management
Directory Services Lightweight Directory Access Protocol (LDAP) Stores identity information – Personal Information – Attributes – Credentials – Roles – Groups – Policies
Components of a digital identity Biographical Information (Name, Address) Biometric Information (Behavioral, Biological) Business Information (Transactions, Preferences)
Access Management Authentication/Single Sign On Entitlements (Organization/Federation) Authorization Auditing Service Provision Identity Propagation/Delegation Security Assertion Markup Language (SAML)
Access Management Authentication (AuthN) – Three types of authentication factors Type 1 – Something you know Type 2 – Something you have Type 3 – Something you are Authorization (AuthZ) – Access Control Role-Based Access Control (RBAC) Task-Based Access Control (TBAC) – Single Sign On/Reduced Sign On – Security Policies
Levels of Assurance LowHigh Data Classification/Privileges Low High Risk LOA-1 Little or no confidence identity is accurate Impacts individual LOA-2 Confidence exists identity is accurate Impacts individual and organization LOA-3 High confidence identity is accurate Impacts multiple people and organization LOA-4 Very high confidence identity is accurate Impacts indiscriminate populations Buy Tickets Give Donations Join a Group Apply to College Enroll in a Course Take a Test Manage My Calendar View My Grades View My Vacation Manage My Benefits Administer Course Settings Enter Course Grades Manage Student Records Manage Financial Aid Manage Financials Manage Other’s Benefits Access to Biotechnology Lab Manage Research Data
Identity Life-Cycle Management User Management Credential Management Entitlement Management Integration (Authoritative Sources of Record) Identity Provisioning/Deprovisioning
“Student” Identity Life Cycle Accepted Paid Deposit Registered Leave of Absence Withdrawn Graduated Prospective
Federated Identity Management Business Enablement Automatically share identities between administrative boundaries – Identity Providers (IdP) – Service Providers (SP) Easier access for users (use local credentials) Requires trust relationships
Shibboleth
Internet2 HighEd IdM model
Research Areas Public Safety – Identity theft, cybercrime, computer crime, organized crime groups, document fraud, and sexual predator detection National Security – Cybersecurity and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing Commerce – Mortgage fraud and other financial crimes, data breaches, e- commerce fraud, insider threats, and health care fraud Individual Protection – Identity theft and fraud Integration – Biometrics, Policy assessment/development, Confidentiality, Privacy