managing cyber-identity, authorization and trust (and their inter-relationships)

Post on 30-Dec-2015

DESCRIPTION

Managing Cyber-Identity, Authorization and Trust (and their inter-relationships). Prof. Ravi Sandhu, Laboratory for Information Security Technology, George Mason University, www.list.gmu.edu, sandhu@gmu.edu.

TRANSCRIPT

Managing Cyber-Identity, Authorization and Trust (and their inter-relationships)

Prof. Ravi Sandhu
Laboratory for Information Security Technology
George Mason University
www.list.gmu.edu
sandhu@gmu.edu

Problem Drivers and Consequences

PROBLEM DRIVERS

- Uncertain threat: We always fight the last war
- Technological change: B2B integration, Pervasive (ubiquitous) computing, Peer-to-peer, grid and utility computing, Intel’s LaGrande and Microsoft’s Longhorn, the next Intel, Microsoft, Cisco, …
- Business change: Outsourcing/globalization, Cost/ROI, federated identity (relying party is NOT the identity provider), identity grades (identity vetting, authentication strength, purpose, privacy all vary)

CONSEQUENCES

- The 3-decade old problem of managing identity, authorization and trust is rapidly becoming more difficult, challenging and essential
- Real progress requires radical shifts in our approach and fundamental advances in basic research

Radical Shifts: get real

Focus on

- what needs to be done rather than how it is to be done
- real-world business requirements rather than hypothetical academic scenarios
- the 80% problem rather than the 120% problem
- soft and informal rather than hard and formal
- constructing the policy rather than auditing the policy
- constructive safety via policy articulation and evolution rather than post-facto algorithmic safety
- ordinary consumers as end-users and administrators rather than techno-geeks or math-geeks

Radical Shifts: good enough beats perfect

[Figure: diagram relating EASY, SECURE and COST, with the labels Security geeks, Real-world users and System owner]