
Trust and Shared Identity Management Across Company Borders
Policies, Processes and Agreement Issues to be Considered – A Case Study
Markus Salo, Concept Owner for Identity and Access Management, Nokia Oyj

Introduction
In 2006, Nokia and Siemens decide to join their network functions. A new company, Nokia Siemens Networks (NSN), is founded for this purpose. In the beginning, the new company does not yet have the necessary IT infrastructure in place. To ensure the viability of NSN, the parent companies have to chip in. One of the necessary IT infrastructure components is, of course, Identity and Access Management (IAM). Our story begins here…

In the beginning…
- HR functions are the first to separate – all former Nokia, former Siemens and new NSN people are consolidated into NSN HR. Former Nokia people disappear from Nokia HR, and thus from the ken of Nokia’s highly centralized Identity and Access Management (IAM).
- How to retain the identities and access rights of the former Nokia workforce in Nokia systems until comparable NSN services are in place?
- How to create identities and access rights in Nokia-controlled systems for former Siemens and new NSN people, if that is required?

Well, we have options…
- Option 1 (straightforward)
  - Freeze the identities of former Nokia people to retain access rights
  - Use normal collaboration processes for former Siemens and new NSN people if they require access to Nokia-administered NSN systems not yet migrated to NSN control
- …but there are drawbacks…
  - Identity information for former Nokia people degrades quickly (terminations, significant attribute changes)
  - Nobody left at Nokia has an interest in managing former Siemens and new NSN people
    - Former Siemens and new NSN user volumes may become very high, since it takes time to set up services in the new company
    - Applications have come to rely on highly centralized IAM, so they cannot migrate to NSN control until services are ready

…and other options…
- Option 2 (more complicated)
  - Set up trust and identity exchange between the companies (mostly one-way)
    - Get identities for former Nokia people directly from NSN – and this way, we’ll also get all the significant changes in real time
    - The same mechanism can also be used to get identities for former Siemens and new NSN people who require access to Nokia-administered systems
  - Identity and authorizations approval authority is (mostly) delegated to NSN, since there’s nobody at Nokia who has an interest in this on the individual-user level

Guess what – we go to option 2!
- Not without problems though (and this is only the technical side!)
  - IdM technology is not really geared for identity exchange on either side – but we muddle through, adapting existing systems
  - Access methodologies do not really support massive use in a cross-organizational environment
    - It would have been wonderful to have a scalable, easily deployable federation solution available… again, we adapt existing methods
  - The IAM concept for trust and identity exchange is not ready on either side – we cobble it together as we go along (and this is partly to blame for the other problems we had)

We did get some things right…
- We (correctly) assumed that usage of Nokia-controlled systems by former Siemens and new NSN people would get very high – and designed the technical solution to support this
- We delegated (most of the) identity and authorizations approval authority to NSN, since NSN is the only party with an active interest in authorizing its individual users
- We designed and implemented policies to support trust and identity exchange
- We designed and implemented processes to support trust and identity exchange
- We even managed to harmonize credential spaces (partly, anyway), anticipating increased integration needs

…but failed to consider others.
- We did not check whether NSN had a supportable identity and authorizations approval process in place
  - What they had was not geared to the user volumes we were facing
- We did not verify identity exchange data quality
  - Checks and filters were not in place, so we ended up receiving flawed data, with imaginable consequences
- Nokia IdM could not flawlessly support two separate identity sources
  - A technical limitation, but rooted in the IdM concept
- We were unable to define exactly the scope of services Nokia would provide to NSN
  - And were swamped with service requests that wildly exceeded what we thought was the scope
- We did not have a universally applicable authentication mechanism in place, so we ended up adapting our existing systems

What’s to be learned from this?
- If you choose to exercise this kind of trust for collaborating with a partner…
  - Ensure that your partner is capable of handling the delegated identity and authorizations approval authority without your support
    - Policies, processes and support systems must be in place
  - Review your security policies and, if necessary, change them to reflect the trust relationship
  - Verify the quality of the data you are receiving – in the end, you will be left holding the bag
  - Have the technical IdM capability to support a multi-organizational environment
  - Define exactly what services you are providing to your partner – this must be stated in agreements
    - On a technical level, having a workable RBAC solution may help…
  - Ensure that you have an authentication and connectivity solution to address most access requirements
    - Again, federation may help as a technical solution
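The two slides above (the missing data-quality checks and the lesson to verify what you receive, plus the trouble with two identity sources) point at one concrete control: a filter on the partner's identity feed before it reaches your own IdM. The example below is added here and is not Nokia's or NSN's code; the field names, the partner domain, the agreed status values and the sample records are all constructed for illustration. It quarantines records that are incomplete, outside the agreed scope, duplicated within a batch, or that would overwrite an identity the local IdM still owns.

```python
# Added example: validate an inbound partner identity feed before it is loaded into the
# local IdM. Field names, PARTNER_DOMAIN, the status values and the sample records are
# constructed for illustration, not an actual exchange format.
REQUIRED = ("partner_uid", "email", "status", "approver")
PARTNER_DOMAIN = "partner.example"           # assumed: domain agreed for partner accounts
AGREED_STATUSES = {"active", "terminated"}   # assumed: the only statuses the agreement defines

def validate_record(rec, local_uids, seen_uids):
    """Return None if the record may be loaded, otherwise the reason to quarantine it."""
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:                        # e.g. no approver named on the partner side
        return "missing " + ",".join(missing)
    if rec["status"] not in AGREED_STATUSES:
        return "unknown status " + rec["status"]
    if not rec["email"].lower().endswith("@" + PARTNER_DOMAIN):
        return "email outside agreed partner domain"
    if rec["partner_uid"] in seen_uids:    # two records for one identity in a single batch
        return "duplicate partner_uid in feed"
    # The local IdM stays the source of authority for its own people: a partner record
    # must never silently overwrite an identity that still exists locally.
    if rec["partner_uid"] in local_uids:
        return "collides with locally managed identity"
    return None

def validate_feed(records, local_uids):
    """Split a feed into (records safe to load, [(record, reason)] held for manual review)."""
    accepted, quarantined, seen = [], [], set()
    for rec in records:
        reason = validate_record(rec, local_uids, seen)
        if reason:
            quarantined.append((rec, reason))
        else:
            seen.add(rec["partner_uid"])
            accepted.append(rec)
    return accepted, quarantined

SAMPLE_FEED = [   # constructed records: one clean, four flawed in different ways
    {"partner_uid": "p1001", "email": "a.user@partner.example", "status": "active", "approver": "mgr1"},
    {"partner_uid": "p1002", "email": "b.user@partner.example", "status": "active", "approver": ""},
    {"partner_uid": "p1003", "email": "c.user@other.example", "status": "active", "approver": "mgr2"},
    {"partner_uid": "p1001", "email": "a.user@partner.example", "status": "terminated", "approver": "mgr1"},
    {"partner_uid": "n0007", "email": "d.user@partner.example", "status": "active", "approver": "mgr3"},
]
LOCAL_UIDS = {"n0007"}   # constructed: an identity the local IdM still owns itself

def quarantine_reasons(records=SAMPLE_FEED, local_uids=LOCAL_UIDS):
    """Reasons for every record held back, in feed order (for review reporting)."""
    return [reason for _, reason in validate_feed(records, local_uids)[1]]
```

Quarantined records go to the partner's approver for correction rather than being dropped, since the delegated approval authority still sits with them.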

To put it all in context…
- Note that the case described here is not one where a purely commercial service is provided by one company to another. In such situations, the scope of activities is severely circumscribed and more easily definable.
- Rather, this case describes a partnership between companies, a situation where responsibility is harder to affix and the scope of activities may change at a moment’s notice.

Thank You!

Speaker Bio
Markus Salo began his Nokia career in From almost the very beginning, he became involved in Nokia Identity Management initiatives, and has worked in this area since. He has participated in numerous projects addressing Nokia internal and external identity and access management needs, particularly in his capacity as Identity Management architect. Markus is currently working as Concept Owner for Identity and Access Management, guiding the conceptual development of this field at Nokia.
Contact Information: GSM: