Identity & Access Management

DCS 861 Team 2: Kirk M. Anne, Carolyn Sher-Decaustis, Kevin Kidder, Joe Massi, John Stewart
Post on 31-Dec-2015


The Problem

• How do you establish a digital ID?
• How do you “guarantee” somebody’s ID?
• How do you prevent unauthorized access?
• How do you protect confidential ID data?
• How do you “share” identities?
• How do you avoid “mistakes”?

What is IdM/IAM?

• The Burton Group defines identity management as follows:
  – “Identity management is the set of business processes, and a supporting infrastructure for the creation, maintenance, and use of digital identities.”

Internet2 HighEd IdM model

A more “complete” definition

• An integrated system of business processes, policies and technologies that enables organizations to facilitate and control user access to critical online applications and resources, while protecting confidential personal and business information from unauthorized users.
  Source: http://www.comcare.org/Patient_Tracking/IPTI-Glossary.html

Identity Management

(Slide diagram: Policy, Technology/Infrastructure and Business Processes arranged around Confidential Information, connected by the relationship labels Enables, Defines and Uses)

Why is IdM/IAM important?

• Social networking
• Customer/Employee Management
• Information Security (Data Breach laws)
• Privacy/Compliance issues
• Business Productivity
• Crime prevention

Components of IdM/IAM

• Directory Services
• Identity Life-Cycle Management
• Access Management

Directory Services

• Lightweight Directory Access Protocol (LDAP)
• Stores identity information
  – Personal Information
  – Attributes
  – Credentials
  – Roles
  – Groups
  – Policies

Components of a digital identity

• Biographical Information (Name, Address)
• Biometric Information (Behavioral, Biological)
• Business Information (Transactions, Preferences)

Access Management

• Authentication/Single Sign On
• Entitlements (Organization/Federation)
• Authorization
• Auditing
• Service Provision
• Identity Propagation/Delegation
• Security Assertion Markup Language (SAML)

Access Management

• Authentication (AuthN)
  – Three types of authentication factors
    • Type 1 – Something you know
    • Type 2 – Something you have
    • Type 3 – Something you are
• Authorization (AuthZ)
  – Access Control
    • Role-Based Access Control (RBAC)
    • Task-Based Access Control (TBAC)
  – Single Sign On/Reduced Sign On
  – Security Policies

Levels of Assurance

(Chart axes: Data Classification/Privileges, Low to High; Risk, Low to High)

• LOA-1: Little or no confidence identity is accurate. Impacts individual.
• LOA-2: Confidence exists identity is accurate. Impacts individual and organization.
• LOA-3: High confidence identity is accurate. Impacts multiple people and organization.
• LOA-4: Very high confidence identity is accurate. Impacts indiscriminate populations.

Example activities plotted on the chart:

• Buy Tickets
• Give Donations
• Join a Group
• Apply to College
• Enroll in a Course
• Take a Test
• Manage My Calendar
• View My Grades
• View My Vacation
• Manage My Benefits
• Administer Course Settings
• Enter Course Grades
• Manage Student Records
• Manage Financial Aid
• Manage Financials
• Manage Other’s Benefits
• Access to Biotechnology Lab
• Manage Research Data
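The Access Management slide (three factor types, AuthN before AuthZ, RBAC) and the Levels of Assurance chart above describe a decision the slides never show in code. The following Python is an added example, not part of the original presentation: it derives a session's LOA from which factor types were presented, then checks a role-based entitlement for one of the chart's activities. The factor-count-to-LOA rule, the required LOA per activity and the role table are assumptions chosen for illustration; the slides rank the LOAs by confidence but give no such mapping.

```python
"""Access decision: authentication factor types -> level of assurance,
then role-based access control for a requested activity.

Added example for the slides' Access Management and Levels of Assurance
material. The LOA rule and the ACTIVITIES table are assumptions, not data
from the presentation.
"""
from dataclasses import dataclass, field

# The three authentication factor types named on the slide.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"


def assurance_level(factors: set[str]) -> int:
    """ASSUMPTION: LOA grows with the number of *distinct* factor types used.
    Two passwords are still one factor type; a password plus a token is two."""
    distinct = len(factors & {KNOW, HAVE, ARE})
    if distinct == 0:
        return 1  # self-asserted identity, nothing verified
    if distinct == 1:
        return 2
    if distinct == 2:
        return 3
    return 4      # all three factor types presented


# ASSUMPTION: activities from the LOA chart with (required LOA, permitted roles).
# "anyone" means no role is needed once the LOA requirement is met.
ACTIVITIES = {
    "Buy Tickets":          (1, {"anyone"}),
    "View My Grades":       (2, {"student"}),
    "Enter Course Grades":  (3, {"faculty"}),
    "Manage Financial Aid": (4, {"financial_aid_staff"}),
}


@dataclass
class Session:
    user: str
    roles: set[str]                               # from the directory (RBAC)
    factors: set[str] = field(default_factory=set)  # factor types presented


def decide(session: Session, activity: str) -> tuple[bool, str]:
    """Return (allowed, reason). AuthN strength is checked before AuthZ so a
    user with the right role but a weak login gets a step-up, not a denial."""
    required_loa, roles = ACTIVITIES[activity]
    loa = assurance_level(session.factors)
    if loa < required_loa:
        return False, f"step-up required: LOA-{loa} < LOA-{required_loa}"
    if "anyone" not in roles and not (session.roles & roles):
        return False, f"role not entitled: needs one of {sorted(roles)}"
    return True, f"allowed at LOA-{loa}"


if __name__ == "__main__":
    alice = Session("alice", {"student"}, {KNOW})           # constructed session
    print(decide(alice, "View My Grades"))                  # allowed at LOA-2
    print(decide(alice, "Enter Course Grades"))             # step-up, then role check
    prof = Session("prof", {"faculty"}, {KNOW, HAVE})
    print(decide(prof, "Enter Course Grades"))              # allowed at LOA-3
```

Checking assurance before entitlement is the point of the LOA axis: the same role should not unlock "Enter Course Grades" from a password-only session, and the response should name the missing factor strength so the application can ask for step-up authentication rather than silently failing.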

Identity Life-Cycle Management

• User Management
• Credential Management
• Entitlement Management
• Integration (Authoritative Sources of Record)
• Identity Provisioning/Deprovisioning

“Student” Identity Life Cycle

(State diagram; states as labelled on the slide)

• Prospective
• Accepted
• Paid Deposit
• Registered
• Leave of Absence
• Withdrawn
• Graduated
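The life-cycle slide names the states but the transitions between them did not survive extraction, and the previous slide lists provisioning/deprovisioning as a life-cycle function without showing how the two connect. The Python below is an added example, not from the presentation: a state machine over the slide's seven states that re-derives entitlements from the current state on every transition, so leaving "Registered" revokes what "Registered" granted. The transition graph and the entitlement sets are assumptions for illustration.

```python
"""Identity life-cycle state machine for the 'Student' states on the slide,
with provisioning and deprovisioning driven by state changes.

Added example. TRANSITIONS and ENTITLEMENTS are assumptions; the slide shows
only the state names.
"""

# ASSUMPTION: allowed transitions (the slide's arrows were lost in extraction).
TRANSITIONS = {
    "Prospective":      {"Accepted", "Withdrawn"},
    "Accepted":         {"Paid Deposit", "Withdrawn"},
    "Paid Deposit":     {"Registered", "Withdrawn"},
    "Registered":       {"Leave of Absence", "Withdrawn", "Graduated"},
    "Leave of Absence": {"Registered", "Withdrawn"},
    "Withdrawn":        set(),   # terminal
    "Graduated":        set(),   # terminal
}

# ASSUMPTION: entitlements that should exist while the identity is in a state.
ENTITLEMENTS = {
    "Prospective":      {"portal:applicant"},
    "Accepted":         {"portal:applicant", "email"},
    "Paid Deposit":     {"portal:student", "email"},
    "Registered":       {"portal:student", "email", "lms", "library"},
    "Leave of Absence": {"portal:student", "email"},
    "Withdrawn":        set(),
    "Graduated":        {"alumni:email"},
}


class StudentIdentity:
    """One student's digital identity and the entitlements currently granted."""

    def __init__(self, user: str):
        self.user = user
        self.state = "Prospective"
        self.granted: set[str] = set()
        self.log: list[tuple[str, str]] = []   # audit trail of actions taken
        self._reconcile()

    def _reconcile(self) -> None:
        """Provision whatever the current state needs and deprovision the rest.
        Deriving from state (rather than adding on each event) is what keeps
        stale access from surviving a withdrawal or leave."""
        wanted = ENTITLEMENTS[self.state]
        for e in sorted(wanted - self.granted):
            self.log.append(("provision", e))
        for e in sorted(self.granted - wanted):
            self.log.append(("deprovision", e))
        self.granted = set(wanted)

    def transition(self, new_state: str) -> set[str]:
        """Move to new_state if the graph allows it; returns the new entitlements."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state} -> {new_state} is not an allowed transition")
        self.log.append(("state", f"{self.state} -> {new_state}"))
        self.state = new_state
        self._reconcile()
        return self.granted


if __name__ == "__main__":
    s = StudentIdentity("s0001")          # constructed identifier
    for step in ("Accepted", "Paid Deposit", "Registered", "Withdrawn"):
        s.transition(step)
    for action in s.log:
        print(action)
```

Because access is recomputed from the authoritative state rather than accumulated event by event, an identity that is withdrawn ends with an empty entitlement set and an audit log showing exactly which access was removed; a transition the graph does not allow (for example reviving a withdrawn identity directly into Registered) is rejected rather than silently applied.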

Federated Identity Management

• Business Enablement
• Automatically share identities between administrative boundaries
  – Identity Providers (IdP)
  – Service Providers (SP)
• Easier access for users (use local credentials)
• Requires trust relationships

Shibboleth

Internet2 HighEd IdM model

Research Areas

• Public Safety
  – Identity theft, cybercrime, computer crime, organized crime groups, document fraud, and sexual predator detection
• National Security
  – Cybersecurity and cyber defense, human trafficking and illegal immigration, terrorist tracking and financing
• Commerce
  – Mortgage fraud and other financial crimes, data breaches, e-commerce fraud, insider threats, and health care fraud
• Individual Protection
  – Identity theft and fraud
• Integration
  – Biometrics, Policy assessment/development, Confidentiality, Privacy