Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Governance Framework (“IGF”) Overview and Status Phil Hunt and Prateek Mishra.

Published byConstance May Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Governance Framework (“IGF”) Overview and Status Phil Hunt and Prateek Mishra."— Presentation transcript:

1 Identity Governance Framework (“IGF”) Overview and Status Phil Hunt and Prateek Mishra

2 Agenda  Introduction  Use Cases  Standardization Path  Q&A

3 Liberty Alliance  Standards development organization focused around enterprise use-cases  enable a networked world based on open standards  Range of activitiies around assurance, federation, privacy  Standards developed include ID-FF (precursor to SAML 2.0), ID-WSF, Identity Assurance frameworks  http://www.projectliberty.org

4 Observations about Identity Data  Names, home addresses, phone numbers, social security number, rank, e-mail address,…  Essential to enterprises and web sites providing services to customers  Business applications cannot function without identity information  Multiple sources of data (attribute authorities)  Enterprise View: HR, CRM, Partners, IT Directory, Departmental Systems, …  Internet View: Portals, users, banks, employers, governments, retail, identity processors (background and credit checks)

5 Concerns about identity data  Increasing legal and regulatory focus  Privacy concerns: HIPAA, SB 1386, theft  Compliance: SOX, GLB, EU legislation  Industry vertical regulations: credit bureaus, credit-card processors (PCI standard)  With each new heist or problem, new regulation or best practice model  There are going to be more issues in the future  How can the enterprise reduce risk associated with storing and using identity data?  Lock it all up!  With each new regulation conduct forensic scanning and analysis of systems  Invest in an architecture that supports a governance model for identity

6 Identity Governance Framework Open architecture that addresses governance of identity related information within the enterprise Standards development ongoing at the Liberty Alliance Open source implementation being created at http://www.openliberty.org http://www.openliberty.org Addresses gap between high-level assurance and regulatory requirements and lower-level protocols and architecture Privacy aware architecture that can express many different constraints and requirements Overlays on existing infrastructure at enterprises

7 Assurance Liberty IAF, PCI, Privacy Legislation Best Practices Requirements that an enterprise or group of enterprises should meet to obtain certification. Governance IGF XACML Audit Standard? Policy creation and update, policy enforcement, audit, decision explanation Run-time Protocols SQL, SAML 2.0 WS-*, LDAP Run-time protocols and wire representations. impacts

8 IGF Focus  How to reduce the risk associated with creation, maintenance and use of identity data?  Who has access to my social security number or account number, and, under what conditions?  Declarative statements (aka policies) published by consumers (applications, services) and sources of identity data (attribute authorities)  Enterprises can audit and implement governance against these policies

9 Observations on Key Roles  Users  Capture what agreements the user accepted  Reflect consent and purpose of data use  But IGF does not directly address interactions with users  Application developers are not identity experts  How can they express application identity requirements?  Tools and frameworks for developers are a key focus for IGF  Identity Administrators  Identity-related data is distributed & web based  User consent must be supported and enforced  Enable owners of identity data to express use constraints

10 Agenda  Introduction  Components and Use Cases  Standardization Path  Q&A

11 IGF Components  CARML – Defines application identity requirements  what identity information an application needs and how the application will use it.  AAPML – Defines identity use policies (XACML)  Constraints on user and application access to personal data  obligations and conditions under which data is to be released  Attribute Service – Links applications to identity data  Developer APIs/Tools – Developers can express identity requirements at a business level at development time  Key to IGF adoption/use

12 Components  CARML (“kaar-mull”): Client Attribute Requirements Markup Language  Declarative model for identity interactions by applications  List of required/optional attributes and types, other properties  Includes some support for update of identity data  Developers focus on app business requirements for identity-related data  Developers and deployers express privacy rules followed by application  Will the data be stored by the app? For how long?  What purpose is it being used for?

13 CARML Use-Case  Application developer lists their identity requirements in CARML file  Last four digits of user social security number  User home address  Office location in which user is employed  None of this data is stored or forwarded to other applications  Application is delivered to customers  WidgetFactory, Inc. uses AD for employment level and office location, Oracle database for social security numbers  AcmeCo uses MySQL database for office location, employment level, proprietary application for social security number.  Administrators review CARML file and connect to appropriate back-end resources  Ensure that enterprise privacy constraints are met by applications

14 Components  Attribute Authorities  AAPML (“aap-mull”): Attribute Authority Policy Markup Language  Describes constraints on use of attribute data  Declarative policy model for authorities that provide attributes  Contextual rule support – who is asking for the data? On whose behalf? For what purpose?  User-consent support  Direct enforcement policy  Obligations & declarations  Proposed as XACML Profile

15 Sample AAPML Rules  Users can update only their own contact information and personal data  List of attributes: telephone number, contact information, mailing address, emergency information  Authorized Subjects: Application “SelfService”, authenticated user  Target Records: must match the authenticated user context.  Auth Requirements: Proof of application authentication required  Rights: Read + Write  Consent: Not required  Marketing applications can access certain user attributes provided explicit user- consent is available  List of attributes: name, address, e-mail  Authorized Subjects: Any authenticated user with attribute “employee”, Any application in marketing  Auth Requirements: None  Target Records: any  Rights: Read  Consent: consent record based on agreement of Dec 10, 2006 must be available

16 Components  Identity Service:  Many possible realizations or implementations  Could be client integrated, middleware server, or source- server integrated based service  Read/Write attributes from many different sources using various protocols

17 Sample Architecture Run-Time Interactions Admin Deploy Time Interactions Standard Components Legend Authority1 End-User(s) Authority2 External Partners Authority3 HR Systems Authority4 Departmental Systems Authority5 Enterprise Directory Identity Sources Delivery/Gateway/ Enforcement Identity Service Identity Policy Engine Existing or non-specified Admin Deploy & Run-Time Interactions LDAP, ODBC, SAML Query, SAML Assertions, … AAPML : Attribute Use Policy Admins reconcile sources and policies with client CARML requirements to create “views” View AView B Optional: LDAP, legacy protocols WS-Trust STS Query Protocol SAML / ID-WSF /SPML CARML : Attribute Requirements ApplicationsAPIApplications API Java.NETPerl Existing Applications Client Apps API

18 IGF Part 1: Foundations Multi-protocol (LDAP, SQL, SAML, ID-WSF,..) Focus on producers and consumers of identity data

19 IGF Part 2: AAPML Many distributed authorities, each capable of expressing constraints on use of identity data

20 IGF Part 3: Declarative Applications Applications publish requirements for identity data

21 IGF Part 4: App Developer and Enterprise Administrators  Application Developer  Identity needs of business applications expressed at a high-level  Application developers lack identity middleware expertise  Declarative model is preferred  Ability to express identity requirements at a business- level without regard to sources  Enterprise Administrators  Support for deployment-time binding to specific identity architectures which vary over time and between enterprises  Declarative approach simplifies compliance and configuration

22 IGF Lifecycle

23 Agenda  Introduction  Use Cases  Standardization Path  Q&A

24 Nov 2006: Oracle Announces IGF 1.Open-vendor initiative to address handling of identity related information within enterprise lead by Oracle 2.Released key draft specifications  CARML and AAPML  Sample CARML API  Announced intention to submit to a standards org 3.Key vendors supported initiative  CA, Layer 7, HP, Novell, Ping Identity, Securent, Sun Microsystems

25 1H2007: Liberty Alliance  Start of broader review on gathering expanded use-cases and market requirements  Oracle makes IGF “straw-man” specifications available royalty-free  Participation from:  Computer Associates, France Telecom/Orange, Fugen, HP, Intel, NEC, New Zealand, NTT, Oracle  IGF Market Requirements Document Released July 2007  Use-cases, Scenarios, End-to-End Examples  www.projectliberty.org/index.php/liberty/strategic_initiativ es/identity_governance

26 Next Steps (2007-2008)  Two parts -  Development of open source components at www.openliberty.org www.openliberty.org  Anticipate release of some components in 1H08  Technical work – specifications and profiles – to continue at Liberty Alliance and complete in 2H-2008  Follows successful completion and publication of IGF Market Requirements Document within Liberty Alliance  Anticipate release of some working drafts in 1H08  Supported by HP, CA, NEC, NTT, Novell, SUN and other partners

27 Open Source  Hosted at www.openLiberty.com  Based upon Apache 2.0 license  Create software libraries aimed at developers  Aligned with open source ecosystem (Higgins, Bandit)  Re-use existing components wherever possible  In parallel with creation of Liberty final specification drafts  Draft of CARML-compliant Attribute Services API available today

28 Summary  Identity Governance Framework  Open initiative for identity governance across enterprise systems  Key draft specifications provide initial policy components  CARML, AAPML  Intent to ratify as full standards at an existing standards body  Under Liberty Alliance Leadership  Broad input and support in an open standards process  Legal community review  IP clearances - open standards for everyone to use

29 Learn More  www.projectliberty.org/index.php/liberty/strategic_initiatives/identity_governance  IGF Overview Whitepaper  FAQ  Use Cases (MRD)  Links to Oracle draft specifications: CARML, AAPML, Client API  Inquiries to  Mail: phil.hunt@oracle.com & prateek.mishra@oracle.com  Blog: blogs.oracle.com/identityprivacy

30 Q &A

Download ppt "Identity Governance Framework (“IGF”) Overview and Status Phil Hunt and Prateek Mishra."

Similar presentations

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.

Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Kantara: From IRM to Context. The World of Access Keeps Expanding App sourcing and hosting User populations App access channels SasS apps Apps in public.

Kantara: From IRM to Context. The World of Access Keeps Expanding App sourcing and hosting User populations App access channels SasS apps Apps in public.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
System Center Configuration Manager Push Software By, Teresa Behm.

System Center Configuration Manager Push Software By, Teresa Behm.
PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.

PETs and ID Management Privacy & Security Workshop JC Cannon Privacy Strategist Corporate Privacy Group Microsoft Corporation.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
Understanding Active Directory

Understanding Active Directory
FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.

FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Microsoft Office Sharepoint Server 2007 (MOSS) Overview Momentum Microsoft November 15, 2007.

Microsoft Office Sharepoint Server 2007 (MOSS) Overview Momentum Microsoft November 15, 2007.
Understanding Active Directory

Understanding Active Directory
#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.

#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

Similar presentations

Ads by Google