An Introduction to Identity Management
Written by Jan De Clercq and Jason Rouault
June 2004

Contents

Introduction
Definition
What is a digital identity?
Views and contexts
Solutions and components
  Data repository components
  Security components
  Lifecycle components
  Consumable value components
  Management components
Relevant standards
Deployment models
Complexity
Open Issues
Conclusion
Acknowledgement
About the Authors
For more information
Call to action

Introduction

This paper is the first of two papers targeting developers that define, describe and explore the landscape of identity management, one of the three pillars of HP’s security strategy. The main goal of this paper is to define identity management, its processes and its components. It introduces identity management, defines the concept of a digital identity, and explains the key components of an identity management solution. The second paper, Identity Management Architectures, explains how the different identity management components are combined into an identity management architecture. It also provides insights on how the different components communicate and how HP is working to implement identity management architectures through products, services, and solutions.

Definition

Identity Management can be defined as the set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications. Identity management has strong links with the management of security, trust and privacy.

Traditionally, identity management has been a core component of system security environments where it is used for the maintenance of account information to control login access to a system or a limited set of applications. An administrator issues accounts so that resource access can be restricted and monitored. Control is usually the primary focus for identity management. More recently, however, identity management has become a key enabler for electronic business. As the richness of our electronic lives begins to mirror the interaction of our physical world, activities such as shopping, discussion, entertainment and business collaboration are conducted as readily in the cyber world as in person. As a result, users expect more convenience from electronic systems. We expect our personal preferences and profile to be readily available so that, for example, when we visit an electronic merchant there is no need for us to tediously reenter home delivery information; when participating in a discussion, we can check the reputation and background of other participants; when accessing music or videos, our favorite artists are presented to us first; and when conducting business, we know that our partners are authorized to make decisions. Today, identity management systems are fundamental to underpinning accountability in business relationships; controlling the customization of the user experience; protecting privacy; and adhering to regulatory controls.

What is a digital identity?

Identity is a complicated concept with many nuances, ranging from philosophical to practical. In the context of this paper, we define the identity of an individual as the set of information known about that person. In the digital world a person’s identity is typically referred to as their digital identity. A person can have multiple digital identities. Even though digital identities are still predominantly associated with humans, they are not an exclusive quality of humans, and they will increasingly be associated with non-human entities, such as services, systems and devices that could be used to act on behalf of people. Examples are trusted platforms, next generation mobile phones, Digital Rights Management (DRM)-based devices, etc. The content of an identity is illustrated in Figure 1. It consists of a person’s unique identifiers, authentication and authorization data, and profile data. All of them can be linked to different contexts (company, web, application) and the role the person has in that context.

Figure 1. Identity content

For example, a person’s identity can be made up of a set of names, addresses, driver’s licenses, passports, field of employment, etc. This information can be used for identification, authentication and authorization purposes:

• A name can be used as an identifier – it allows us to refer to the identity without enumerating all of the items.

• A passport can be used as an authenticator – passports are issued by a relevant authority and allow us to determine the legitimacy of someone’s claim to the identity.

• A driver’s license can be used as a privilege – it establishes the permission to operate a motor vehicle.

Unique identifiers can be used in different contexts. For example, in the above example the driver’s license could be a relevant unique identifier for interacting with the Department of Motor Vehicles; name-surname-address is the unique identifier for the Post Office or a Delivery Service, etc. Often data associated with an identity are used improperly. For example, the use of a birth certificate as an authenticator represents a particularly poor choice, for there is generally nothing about the birth certificate that allows an individual to be correlated to the claims on the certificate. Better choices would be a passport holding an individual’s photo-ID, or a smart card storing an individual’s thumbprint.

All identity data are qualified by metadata that are defined in identity, authentication, authorization and privacy/data protection policies. They define the rules-of-the-game. Policy content is defined by an organization’s IT and business decision-makers; it is aligned with other corporate governance rules, regulatory restrictions and contractual obligations particular to the environment in which an organization is operating. Policy management and enforcement are the task of the management components of an identity management solution. Both policies and management components will be explained in the section on solutions and components.

Identity information and related policies can change over time. This means identity management not only has to deal with the management of static information, but must also cope with the changes to identity data. The same is true for security policy management.

Views and contexts

Multiple views can exist on an entity’s identity information. These views can be used within and across different contexts to enable interactions and transactions. A single view defines a digital identity of a person, which has its validity and appropriateness, given the context or the purpose. The different views and contexts are illustrated in Figure 2.

Figure 2. Identity: views and contexts

Identity information and identities can be disclosed, accessed and used by different stakeholders in one or more contexts, including personal, social, e-commerce, and enterprise and government. This can happen via a variety of means and systems, including personal appliances, enterprise systems and web services. From an identity subject’s point of view, there are multiple perceptions of their identity information:

• Me Me: the part of identity information that the subject is aware of and directly controls. An example is the personal address information a person stores and maintains in an organization’s yellow pages.

• Known Me: the part of identity information that the subject is aware of and indirectly controls. Examples are an individual’s revenue data and the associated tax levels that are stored in the tax department’s database. Even though an individual provides the revenue data to the tax department, he or she doesn’t have direct control over the content of the department’s database.

• Unknown Me: the part of identity information that the subject is not aware of and over which the subject has no control. This information can be controlled by other stakeholders that can be known by the subject, such as certification authorities (CAs), authorized e-commerce sites, Trusted Third Parties (TTPs), etc., or by unknown third parties, such as credit rating agencies, identity thieves, etc.

Solutions and components

The above section described an identity from people’s perspectives. These concepts have been interpreted by the IT industry and embodied in identity management products. This interpretation is reflected in identity management solutions that are mainly focused on addressing identity management issues for organizations and enterprises. Identity management solutions are modular and composed of multiple service and system components. This section outlines components of an example identity management solution, as illustrated in Figure 3.

Figure 3. Identity management solution components

Data repository components

Directory services and meta-directories deal with the representation, storage and management of identity and profiling information and provide standard APIs and protocols for their access. Data repositories are often implemented as an LDAP accessible directory, meta-directory or virtual directory, or a database. Policy information governing access to and use of information in the repository is generally stored here as well.

Security components

• Authentication Providers: The authentication provider, sometimes referred to as the identity provider, is responsible for performing primary authentication of an individual, linking them to a given identity. The authentication provider produces an authenticator, a token which allows other components to recognize that primary authentication has been performed. Primary authentication techniques include mechanisms such as password verification, proximity token verification, smartcard verification, biometric scans, or even X.509 PKI certificate verification.

  Each identity may be associated with more than one authentication provider. The mechanisms employed by each provider may be of different strengths and some application contexts may require a minimum strength to accept the claim to a given identity.

• Authorization Providers: An authorization provider enforces access control when an entity accesses an IT resource. Authorization providers allow applications to make authorization and other policy decisions based on privilege and policy information stored in the repository. An authorization provider can support simple access control management at the OS level, more sophisticated role-based access control (RBAC), up to flexible, distributed, policy-driven authorization, at the application and service levels.

• Auditing Providers: Secure auditing provides the mechanism to track how information in the repository is created, modified and used. This is an essential enabler for forensic analysis, which is used to determine how and by whom policy controls were circumvented.
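To make the three security components concrete, the following is an added Python example (it is not code from this paper or from any HP product). An authentication provider verifies a credential and issues an HMAC-signed authenticator that records which mechanism was used and its strength; an authorization provider makes role-based decisions and also enforces a per-resource minimum strength, as the text describes; an auditing provider records every decision. The strength ranking, keys, user names and policy entries are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Relative strength of each primary authentication mechanism. The paper only says
# that contexts may require a minimum strength; this ranking is an assumption.
MECHANISM_STRENGTH = {"password": 1, "proximity_token": 2, "smartcard": 3, "biometric": 3, "x509": 3}


def sign(key, claims):
    """Serialize claims and append an HMAC so other components can recognize the token."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(key, token, now, max_age=300):
    """Return the claims if the authenticator is genuine and fresh, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    return None if now - claims["iat"] > max_age else claims


class AuthenticationProvider:
    """Performs primary authentication and issues an authenticator token."""

    def __init__(self, issuer, key, credentials):
        self.issuer, self.key = issuer, key
        self.credentials = credentials  # {identifier: {mechanism: sha256 hex of the secret}}

    def authenticate(self, identifier, mechanism, secret, now):
        stored = self.credentials.get(identifier, {}).get(mechanism)
        presented = hashlib.sha256(secret.encode()).hexdigest()
        # compare_digest keeps the comparison time independent of where the strings differ
        if stored is None or not hmac.compare_digest(stored, presented):
            return None
        return sign(self.key, {"sub": identifier, "iss": self.issuer, "mech": mechanism,
                               "strength": MECHANISM_STRENGTH[mechanism], "iat": now})


class AuditingProvider:
    """Append-only record of how identity information was used."""

    def __init__(self):
        self.events = []

    def record(self, **event):
        self.events.append(event)


class AuthorizationProvider:
    """Role-based decisions that also enforce a per-resource minimum authentication strength."""

    def __init__(self, key, roles, policy, audit):
        self.key, self.roles, self.policy, self.audit = key, roles, policy, audit
        # roles:  {identifier: set of roles}            (from the repository)
        # policy: {resource: {"roles": {role: set of actions}, "min_strength": n}}

    def decide(self, token, resource, action, now):
        claims = verify(self.key, token, now)
        rule = self.policy.get(resource, {"roles": {}, "min_strength": 99})
        if claims is None:
            subject, decision, reason = None, "deny", "invalid or expired authenticator"
        elif claims["strength"] < rule["min_strength"]:
            subject, decision, reason = claims["sub"], "deny", "authentication too weak for resource"
        else:
            subject = claims["sub"]
            allowed = any(action in rule["roles"].get(r, set()) for r in self.roles.get(subject, set()))
            decision, reason = ("permit", "role grants action") if allowed else ("deny", "no role grants action")
        self.audit.record(subject=subject, resource=resource, action=action, decision=decision, reason=reason)
        return decision


def demo():
    """Constructed scenario: one user holding a password and a smartcard credential."""
    key = b"constructed-shared-key"
    creds = {"alice": {"password": hashlib.sha256(b"correct horse").hexdigest(),
                       "smartcard": hashlib.sha256(b"card-secret-9f2").hexdigest()}}
    authn, audit = AuthenticationProvider("corp-idp", key, creds), AuditingProvider()
    policy = {"payroll": {"roles": {"hr": {"read", "update"}}, "min_strength": 3},
              "intranet": {"roles": {"staff": {"read"}}, "min_strength": 1}}
    authz = AuthorizationProvider(key, {"alice": {"hr", "staff"}}, policy, audit)
    now = 1_000_000
    pw_token = authn.authenticate("alice", "password", "correct horse", now)
    sc_token = authn.authenticate("alice", "smartcard", "card-secret-9f2", now)
    tampered = sc_token[:-1] + ("0" if sc_token[-1] != "0" else "1")
    return {
        "wrong_password": authn.authenticate("alice", "password", "wrong", now),
        "intranet_with_password": authz.decide(pw_token, "intranet", "read", now),
        "payroll_with_password": authz.decide(pw_token, "payroll", "update", now),
        "payroll_with_smartcard": authz.decide(sc_token, "payroll", "update", now),
        "payroll_expired": authz.decide(sc_token, "payroll", "update", now + 600),
        "tampered": authz.decide(tampered, "payroll", "read", now),
        "audit_events": len(audit.events),
    }
```

The audit trail is what makes the "too weak" outcome diagnosable afterwards: the same user and the same role are accepted for the intranet and rejected for payroll, and only the recorded reason explains why.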

Lifecycle components

• Provisioning: Provisioning is the automation of all the procedures and tools to manage the lifecycle of an identity: creation of the identifier for the identity; linkage to the authentication providers; setting and changing attributes and privileges; and decommissioning the identity. In large systems, these tools generally allow some form of self-service for the creation and ongoing maintenance of an identity. They frequently use a workflow or transactional system for verification of data from an appropriate authority and to propagate data to affiliated systems that may not directly consume the repository.

• Longevity: Longevity tools create the historical record of an identity. These tools allow the examination of the evolution of an identity over time. Longevity is linked to the concept of attestation or the ability to attest what actors had access to what resources in what timeframe (irrespective of whether they exercised access, which is a matter of auditing).
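The two lifecycle components fit together naturally, so here is one added Python example covering both (it is not from this paper or any HP product): a provisioning service that moves identities through a small state machine, requires an approver for each transition, propagates every event to affiliated systems, and keeps an append-only longevity record. The attestation question from the text, "which actors had access to which resource in which timeframe", is answered by replaying that record into access intervals. The states, transitions, names and timeline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Lifecycle states and the transitions an approver may request. This model and the
# timeline below are assumptions for illustration, not HP's provisioning workflow.
TRANSITIONS = {
    "requested": {"active"},
    "active": {"suspended", "decommissioned"},
    "suspended": {"active", "decommissioned"},
    "decommissioned": set(),
}


class ProvisioningService:
    """Creates identities, manages their privileges and keeps a longevity record."""

    def __init__(self, affiliated_systems):
        self.state = {}       # identifier -> lifecycle state
        self.privileges = {}  # identifier -> resources currently assigned
        self.history = []     # longevity record: (time, identifier, event, detail)
        self.outbox = []      # propagation to systems that do not read the repository
        self.affiliated_systems = affiliated_systems

    def _log(self, at, identifier, event, detail=None):
        self.history.append((at, identifier, event, detail))
        self.outbox.extend((s, identifier, event, detail) for s in self.affiliated_systems)

    def request(self, identifier, at):
        if identifier in self.state:
            raise ValueError("identifier already exists")
        self.state[identifier], self.privileges[identifier] = "requested", set()
        self._log(at, identifier, "requested")

    def transition(self, identifier, new_state, approver, at):
        old = self.state[identifier]
        if new_state not in TRANSITIONS[old]:
            raise ValueError(f"{old} -> {new_state} not allowed")
        self.state[identifier] = new_state
        self._log(at, identifier, new_state, approver)
        if old == "suspended" and new_state == "active":
            for resource in sorted(self.privileges[identifier]):  # access resumes
                self._log(at, identifier, "grant", resource)
        if new_state == "decommissioned":
            self.privileges[identifier] = set()

    def grant(self, identifier, resource, at):
        if self.state[identifier] != "active":
            raise ValueError("privileges may only be granted to active identities")
        if resource not in self.privileges[identifier]:
            self.privileges[identifier].add(resource)
            self._log(at, identifier, "grant", resource)

    def revoke(self, identifier, resource, at):
        if resource in self.privileges[identifier]:
            self.privileges[identifier].discard(resource)
            self._log(at, identifier, "revoke", resource)

    def access_intervals(self):
        """Replay the longevity record into (identifier, resource, start, end) intervals."""
        open_grants, intervals = {}, []
        for at, identifier, event, detail in self.history:
            if event == "grant":
                open_grants[(identifier, detail)] = at
            elif event == "revoke":
                start = open_grants.pop((identifier, detail), None)
                if start is not None:
                    intervals.append((identifier, detail, start, at))
            elif event in ("suspended", "decommissioned"):  # closes every open grant
                for key in [k for k in open_grants if k[0] == identifier]:
                    intervals.append((identifier, key[1], open_grants.pop(key), at))
        intervals += [(i, r, start, None) for (i, r), start in open_grants.items()]
        return intervals

    def who_had_access(self, resource, start, end):
        """Attestation: which identities held a privilege on resource during [start, end]."""
        return {i for i, r, s, e in self.access_intervals()
                if r == resource and s <= end and (e is None or e >= start)}


def demo():
    """Constructed timeline: two identities granted the same payroll privilege."""
    svc = ProvisioningService(affiliated_systems=["hr-system"])
    day = lambda n: datetime(2004, 1, 5) + timedelta(days=n)
    svc.request("alice", day(0))
    svc.transition("alice", "active", "hr-manager", day(1))
    svc.grant("alice", "payroll", day(2))
    svc.request("bob", day(3))
    svc.transition("bob", "active", "hr-manager", day(4))
    svc.grant("bob", "payroll", day(5))
    svc.transition("alice", "suspended", "security", day(10))
    svc.transition("bob", "decommissioned", "hr-manager", day(20))
    svc.transition("alice", "active", "security", day(25))
    return {
        "service": svc,
        "both_active": svc.who_had_access("payroll", day(6), day(8)),
        "alice_suspended": svc.who_had_access("payroll", day(12), day(15)),
        "nobody": svc.who_had_access("payroll", day(22), day(23)),
        "alice_back": svc.who_had_access("payroll", day(30), day(31)),
        "bob_privileges": svc.privileges["bob"],
        "propagated": len(svc.outbox),
    }
```

Note that the attestation answer is derived only from the longevity record, never from the current privilege table, which is exactly what lets an investigator reconstruct past entitlements after the identity has been suspended or decommissioned.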

Consumable value components

• Single Sign-On (SSO): Single sign-on allows a user to perform primary authentication once and then access the set of applications and systems that are part of the identity management environment.

• Personalization: Personalization and preference management tools allow application-specific, as well as generic information, to be associated with an identity. These tools allow applications to tailor the user experience for a given individual, leading to a streamlined interface for the user and the ability to target information dissemination for a business.

• Self Service: Enables users to self-register for access to business services and manage profile information without administrator intervention. It also allows users to perform authentication credential management: assigning and resetting passwords, requesting X.509 certificates, etc. Self service reduces IT operation costs, improves customer service, and improves information consistency and accuracy.

Management components

• User Management: Provides IT administrators with a centralized infrastructure for managing user profile and preference information. User management enables organizations to decrease overall IT costs by providing user self-service capabilities and also enhance the value of their existing IT investments through directory optimization and profile synchronization capabilities.

• Access Control Management: Provides IT administrators with a centralized infrastructure for managing user authentication and authorization. The access control management service increases security, reduces complexity and overall IT costs by automating access policies for employees, customers, and partners.

• Privacy Management: Assures privacy and data protection policies (as defined in company, industry or governmental regulations) are respected in identity management solutions.

• Federation Management: Enables the establishment of trusted relationships between distributed identity providers. Often this involves the sharing of things like web service endpoints, X.509 certificates, and supported/desired authentication mechanisms.

Management components are governed and driven by policy controls. The latter may cause events to be audited, or even cause the subject of an identity to be notified when information is accessed.

• Identity policies control the format and lifetime of an identity and its attributes.

• Authentication policies control the characteristics and quality requirements of authentication credentials.

• Authorization policies determine how information is manipulated.

• Privacy policies govern how identity information may be disclosed.

• Provisioning policies determine what resources are allocated to which identity and how the resources are allocated and de-allocated.
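The five policy kinds above are easiest to understand as five small decision functions, so here is an added Python example that is not from this paper or any HP product. Each function is driven by policy content rather than by code, which is the point the text makes about policy being set by IT and business decision-makers. The identifier format, password rules, attribute names, contexts, roles and resource lists are constructed assumptions.

```python
import re
from datetime import date, timedelta

# All policy content below is constructed for illustration; a real organization's
# policies come from its own governance rules, regulations and contracts.
IDENTITY_POLICY = {"identifier": re.compile(r"^[a-z]{2,8}[0-9]{3}$"), "max_lifetime_days": 365}
AUTHENTICATION_POLICY = {"min_length": 12, "min_classes": 3, "max_age_days": 90}
AUTHORIZATION_POLICY = {"self": {"phone"}, "hr": {"phone", "department", "salary"}}  # role -> writable attributes
PRIVACY_POLICY = {"web": {"display_name"},                                         # context -> visible attributes
                  "company": {"display_name", "phone", "department"},
                  "payroll": {"display_name", "department", "salary"}}
PROVISIONING_POLICY = {"developer": {"vpn", "source_repo"}, "finance": {"vpn", "ledger"}}  # role -> resources


def check_identity(identifier, created, today):
    """Identity policy: identifier format and lifetime. Returns a list of violations."""
    violations = []
    if not IDENTITY_POLICY["identifier"].match(identifier):
        violations.append("identifier format")
    if (today - created).days > IDENTITY_POLICY["max_lifetime_days"]:
        violations.append("identity expired")
    return violations


def check_credential(password, set_on, today):
    """Authentication policy: credential quality and age. Returns a list of violations."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    violations = []
    if len(password) < AUTHENTICATION_POLICY["min_length"]:
        violations.append("too short")
    if classes < AUTHENTICATION_POLICY["min_classes"]:
        violations.append("too few character classes")
    if (today - set_on).days > AUTHENTICATION_POLICY["max_age_days"]:
        violations.append("credential expired")
    return violations


def may_modify(role, attribute):
    """Authorization policy: may this role manipulate this attribute?"""
    return attribute in AUTHORIZATION_POLICY.get(role, set())


def disclose(profile, context):
    """Privacy policy: return only the attributes this context is allowed to receive."""
    allowed = PRIVACY_POLICY.get(context, set())
    return {k: v for k, v in profile.items() if k in allowed}


def reconcile_resources(current, roles):
    """Provisioning policy: (resources to allocate, resources to de-allocate) for the roles held."""
    wanted = set().union(*(PROVISIONING_POLICY.get(r, set()) for r in roles))
    return sorted(wanted - current), sorted(current - wanted)


def demo():
    """Constructed checks against one profile on a fixed date."""
    today = date(2004, 6, 1)
    profile = {"display_name": "Alice", "phone": "555-0100", "department": "HR", "salary": 50000}
    return {
        "good_id": check_identity("alice042", today - timedelta(days=30), today),
        "bad_id": check_identity("Alice-42", today - timedelta(days=400), today),
        "weak_pw": check_credential("password", today - timedelta(days=100), today),
        "strong_pw": check_credential("Tr0ub4dor&3-xyz", today - timedelta(days=10), today),
        "self_phone": may_modify("self", "phone"),
        "self_salary": may_modify("self", "salary"),
        "web_view": disclose(profile, "web"),
        "payroll_view": disclose(profile, "payroll"),
        "onboard": reconcile_resources(set(), {"developer"}),
        "role_change": reconcile_resources({"vpn", "source_repo"}, {"finance"}),
    }
```

The `reconcile_resources` result is the de-allocation list as much as the allocation list: a role change that only adds resources and never removes the old ones is how stale entitlements accumulate.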

The components described in Figure 3 exist at different maturity stages. Components like authentication, authorization and directories are quite mature and are considered consolidated technologies. Components like provisioning and SSO are rapidly consolidating. Others are still in a definition and research stage; good examples here are privacy and longevity.

Many products and solutions are available on the identity management market today. They provide one or more of the above components and target different types of users and contexts, including e-commerce, service providers, enterprises and government institutions. Key IT industry players are currently focusing on the creation of identity management suites that provide all of the above components. There is a considerable amount of overlap between the different solution categories available on the market. A good example is meta-directories and provisioning solutions. The role of meta-directories today has gradually shifted from pure data synchronization (which is a repository component function) to lifecycle component functions for the creation of user entries (which is a provisioning component function).

The quality of identity management products and solutions depends, among other things, on how good they are at keeping identity information in a consistent and up-to-date state, how well they satisfy related management policies and legal requirements, preserve privacy and trust, and ensure that security requirements are fulfilled. Identity management solutions also involve other stakeholders. These include, among many other things, authentication devices (smartcards, biometric devices, authentication tokens, etc.), anonymity services, cryptographic alternatives to RSA, such as Identifier Based Encryption (IBE), trusted platforms and the standards outlined in the next section.

Relevant standards

Standards play an important role by providing the common set of protocols, semantics, and processing rules that allow the various components of an identity management solution to interoperate. Figure 4 depicts how some of the relevant identity management standards are positioned.

Figure 4. How the standards stack up

The Liberty Alliance specifications define the protocol messages, profiles, and processing rules for identity federation and management. They rely heavily on other standards such as SAML and WS-Security. Additionally, Liberty has contributed portions of its specification back into the technical committee working on SAML. HP endorses the Liberty Alliance and actively participates in the creation of its specifications.

The Security Assertion Markup Language (SAML) is an OASIS specification that provides a set of XML and SOAP-based services, protocols, and formats for exchanging authentication and authorization information. Currently work is underway for SAML version 2.0.

WS-Security is another OASIS specification that defines mechanisms implemented in SOAP headers. These mechanisms are designed to enhance SOAP messaging by providing a quality of protection through message integrity, message confidentiality, and single message authentication. As of January 2004 work is just completing on version 1.

WS-* (the Web Services protocol specifications) is a set of specifications currently under development by Microsoft and IBM. It includes specifications such as WS-Policy, WS-SecureConversation, WS-Trust, and WS-Federation.

Other identity management enabling standards include (see the table at the end of this paper for URLs):

• Service Provisioning Markup Language (SPML)

• XML Access Control Markup Language (XACML)

• XML Key Management Specification (XKMS)

• XML Signature

• XML Encryption

Deployment models

Identity management systems are primarily deployed in one of the following three models: as silos, as walled gardens, and as federations.

• Silo: The predominant model on the Internet today. In this model the identity management environment is put in place and operated by a single entity for a fixed user and resource community. A good example is a Windows domain governed by a set of predefined administrators and domain controller servers.

• Walled gardens: Represent a closed community of organizations. A single identity management system is deployed to serve the common user community of a collection of businesses. Most frequently this occurs in business-to-business exchanges, and specific operating rules govern the entity operating the identity management system. A good example is the Identrus Public Key Infrastructure (PKI) that brings together different individual bank-level PKIs into a closed banking community PKI.

• Federation and Federated identity management environments: This emerging model includes systems like the Liberty Alliance Project (endorsed by HP) and systems built upon the Web Services Security (WS-Security) standards, the development of which is driven by Microsoft and IBM.

The central difference between federated identity systems and walled gardens is that there is no single entity that operates the identity management system. Federated systems support multiple identity providers and a distributed and partitioned store for identity information. Clear operating rules govern the various participants in a federation, both the operators of components and the operators of services who rely on the information provided by the identity management system. Most systems exhibit strong end-user controls over how identity information is disseminated amongst members of the federation.
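The three properties just listed for a federation (several identity providers, a partitioned identity store, and end-user control over dissemination) can be shown in a few dozen lines, so the following is an added Python example, not code from this paper, the Liberty Alliance or any HP product, and it uses a simple HMAC-signed assertion rather than SAML or WS-Security messages. Each identity provider holds only its own users and its own signing key; the service provider keeps a trust list of enrolled issuers and rejects assertions from anyone else, assertions addressed to another relying party, and stale assertions; attributes are released only as far as the user consented for that service. All names, keys and user data are constructed.

```python
import base64
import hashlib
import hmac
import json


def sign(key, claims):
    """Constructed assertion format: base64(JSON claims) + "." + HMAC-SHA256 over it."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Operates one partition of the federation's identity information."""

    def __init__(self, name, key, users):
        self.name, self.key = name, key
        self.users = users  # identifier -> {"attrs": {...}, "consent": {service: set of attrs}}

    def assert_identity(self, identifier, audience, now, ttl=300):
        """Issue an assertion for one of this provider's own users, releasing only consented attributes."""
        user = self.users.get(identifier)
        if user is None:
            return None  # not ours; there is no central store to fall back on in a federation
        released = {k: v for k, v in user["attrs"].items() if k in user["consent"].get(audience, set())}
        return sign(self.key, {"iss": self.name, "sub": identifier, "aud": audience,
                               "exp": now + ttl, "attrs": released})


class ServiceProvider:
    """Relies on assertions, but only from providers enrolled in its federation metadata."""

    def __init__(self, name, trusted_keys):
        self.name = name
        self.trusted_keys = trusted_keys  # issuer -> verification key, exchanged at federation setup

    def accept(self, assertion, now):
        """Return (claims, "ok") or (None, reason)."""
        body, _, mac = assertion.rpartition(".")
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
        key = self.trusted_keys.get(claims.get("iss"))
        if key is None:
            return None, "issuer not in federation"
        if not hmac.compare_digest(mac, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
            return None, "bad signature"
        if claims["aud"] != self.name:
            return None, "assertion meant for another relying party"
        if claims["exp"] <= now:
            return None, "assertion expired"
        return claims, "ok"


def demo():
    """Constructed federation of two enrolled providers, one non-enrolled provider and one shop."""
    now = 1_000_000
    idp_a = IdentityProvider("idp.bank-a.example", b"key-a", {
        "alice": {"attrs": {"email": "alice@bank-a.example", "account_tier": "gold"},
                  "consent": {"shop.example": {"email"}}}})
    idp_b = IdentityProvider("idp.telco-b.example", b"key-b", {
        "bob": {"attrs": {"email": "bob@telco-b.example"}, "consent": {}}})
    idp_x = IdentityProvider("idp.not-enrolled.example", b"key-x", {
        "carol": {"attrs": {}, "consent": {}}})
    shop = ServiceProvider("shop.example", {"idp.bank-a.example": b"key-a", "idp.telco-b.example": b"key-b"})
    return {
        "alice": shop.accept(idp_a.assert_identity("alice", "shop.example", now), now),
        "bob": shop.accept(idp_b.assert_identity("bob", "shop.example", now), now),
        "not_enrolled": shop.accept(idp_x.assert_identity("carol", "shop.example", now), now),
        "wrong_audience": shop.accept(idp_a.assert_identity("alice", "other.example", now), now),
        "expired": shop.accept(idp_a.assert_identity("alice", "shop.example", now), now + 600),
        "not_our_user": idp_b.assert_identity("alice", "shop.example", now),
    }
```

Two details carry the federation semantics: the trust list is keyed by issuer, so adding or removing a participant is a metadata change at the relying party rather than a change to any central store, and the `account_tier` attribute never leaves the bank because Alice did not consent to releasing it to the shop.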

Complexity

The current identity management landscape is very complex because of the multiple interests, perspectives, concerns and technologies that are involved. Identity management is important in different contexts, including the enterprise, e-commerce and government. It is the underpinning of business processes and services and enables digital interactions and transactions. There are different competing demands placed on identity management: what it should provide, as well as what it should focus on. There are also conflicting interests: enterprise focus vs. consumer focus, mobility vs. centralization, legislation vs. self-regulation, subjects’ control vs. organizations’ control, privacy vs. free market, etc. They are dictated by various stakeholders, including identity subjects (consumers), enterprises, service providers and government agencies, all of which have different objectives and priorities when dealing with the management of digital identities:

• Enterprises are driven by their business objectives and needs. They aim at the management of large sets of identity data to enable their businesses, rationalize their assets and simplify business interactions with partners and customers, manage the information lifecycle of their work-force, deal with access management to enterprise resources and assure regulatory compliance (HIPAA, Sarbanes-Oxley, etc.) and contractual obligations.

• E-commerce sites and service providers manage consumers’ identity information with the hope of helping to increase their sales, understand customers’ needs, customize the provision of services, or just sell this information to third parties.

• Government agencies are concerned with the control and protection of personal information of their citizens, the provision of strong and undeniable authentication mechanisms, and the automation/rationalization of the provision of their services via the web and the Internet.

• Consumers have different concerns and needs depending on the role they play: they are right in the middle (or, depending on the point of view, the source) of most of the above competing aspects. As employees or consumers, they want to access and use services in the simplest and most efficient way, without any hassle. As private citizens they might be concerned about their privacy; they might distrust institutions and demand more accountability of the involved parties.

This variety of interests and concerns, along with new emerging technologies, increases the complexity of identity management. All these aspects influence each other via a spiral of potentially conflicting requirements. For example, new legislation is addressing citizens’ needs for privacy. On the other hand, the same legislation constrains the way enterprises, e-commerce sites and service providers deal with the processing of personal information. The mobility of employees creates security and trust management problems for enterprises and organizations on the one hand, and new business opportunities on the other. Last but not least, emerging appliances and web service frameworks create new issues, such as dealing with the identities of devices and web services, and coping with delegation aspects and trust matters.

The fact that the execution of business tasks or the management of digital interactions and transactions can span multiple domains also augments the complexity of identity management. For example, in an e-commerce context, a digital transaction might require the involvement of several e-commerce sites and the exchange of identity information among these sites. This has strong implications in terms of management of trust, privacy, authentication, authorization and accountability. The same is true for B2B interactions or transactions within supply-chain communities.

Further complexity derives from how difficult current identity management products are to install, configure, administer and integrate. This is mainly because of the fragmentation of identity management components and the lack of interoperability and standards. This aspect can be leveraged by consulting companies. It also creates frustration and slows down a wider adoption of identity management solutions in the IT world.

Open Issues

Identity management systems bring great value to the digital world and federated identity environments, in particular, hold great promise for widespread deployment. As the distinction between real world identity and digital identity becomes more blurred, however, a number of issues remain to be considered:

• Authenticity of identity. How is the accuracy and validity of identity information measured and determined? What are the trust services that must be in place to generate confidence in information in the identity management service?

• Longevity of information. Do identity management systems provide adequate care to track changes to identity information over time? Do they maintain the necessary artifacts to support historical investigations?

• Privacy. Do identity management systems provide adequate controls to preserve individual privacy? Does the system provide adequate support for anonymity and multiple user controlled personas?

• Identity theft. Do widespread identity management systems make it easier to perpetrate identity theft or identity fraud?

• Legal structures. What protections are in place for the holder of the identity or for the relying party? Do these protections go beyond contractual obligations when digital identity systems are used for interactions that today are limited to the physical world?

• Product Interoperability. Most of the current identity management products and solutions still rely on their own self-contained and stand-alone management and control tools. Little integration or interoperability is available with other management tools, for example to deal with the management of security, trust and privacy in an orchestrated way. Identity management products and solutions need to evolve towards higher levels of interoperability, flexibility and capability to react to changes: their functionalities need to be orchestrated with other management aspects, including trust, privacy and security management.

Conclusion

From a technological and IT perspective, identity management is just one of the aspects that are involved in the management of business solutions and the overall IT stack (i.e., networks, platforms, operating systems, applications, middleware, services, etc.). Identity management must be considered in a holistic way by including (among other things) the management of security, trust and privacy, along with the management of policies, requirements and changes. All these aspects are inter-related and affect business solutions and the IT stack at different levels of abstraction.

The identity management landscape is rapidly changing. On one hand, classic identity management components are consolidating. On the other hand, new components and standards are emerging (identity federations, identity for web services, privacy, etc.). Identity management is also gaining importance. Future identity management solutions will play a more central role in the IT industry due to the pervasiveness and the increased presence of identity information in all components of the IT stack.

Acknowledgement

Many thanks to Marco Casassa Mont (HP Labs), Joe Pato (HPSO and HP Labs), Tony Redmond (HPS CTO), Gene Amdur (HP SGBU), Alain Lissoir (HPS), Ron Carelli (SGBU), Christian Brunet (HPS), Christian Fischer (HPS) and Lyn Baird (HPS).

About the Authors

Jan De Clercq is a member of the HP Security Office. He’s focusing on identity management and security for Microsoft platforms. Jan has written several Compaq white papers, Windows and .NET magazine articles and columns for the Penton Media Security Administrator monthly newsletter. He’s co-author of the book Mission-Critical Active Directory (Digital Press) and is currently working on a new book on Windows Server 2003 Security Infrastructures. He has been a speaker at several Microsoft and security-focused conferences. Jan has been involved in Windows, security and PKI- and SSO-related projects for large Compaq and HP accounts. Over the last year he has been a trusted advisor on security topics for several large Windows designs and deployments, and large PKI and SSO designs. He holds a master’s degree in Criminology (RUG-Gent) and I.T. (VUB-Brussels), and a special degree in Telecommunications (ULB-Brussels). Jan is based in Belgium.

Jason Rouault is responsible for Security Strategy, Architecture, and Planning in Hewlett-Packard’s Managed Software Organization where he is currently focused on Identity Management. He also represents Hewlett-Packard in the Liberty Alliance Project, an industry initiative for federated identity on the Internet. Within the Liberty Alliance, Jason is the Chair of the Technology Expert Group. Additionally, he also participates in many industry standards bodies and their working committees such as OASIS SSTC and OASIS WSTC. He has spoken on security topics at numerous industry security events and HP conferences, as well as published articles on web services security and identity management. Jason has over 10 years experience in web application development and security technologies. He holds a bachelor’s degree in Business with an emphasis in Information Systems, Systems Engineering certification through EDS, and is a CISSP. He is currently based in Fort Collins, Colorado.

For more information

For more information on… | Please see…

HP OpenView Select Access | http://openview.hp.com/products/select

Current HP identity management-related products and solutions | http://www.hp.com/go/security

Liberty and Liberty Alliance | http://www.projectliberty.org

SAML | http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

WS-Security | http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

Web Services protocol specifications | http://msdn.microsoft.com/webservices/understanding/specs/default.aspx?pull=/library/en-us/dnglobspec/html/wssecurspecindex.asp

Other identity management enabling standards |

• Service Provisioning Markup Language (SPML): http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision

• XML Access Control Markup Language (XACML): http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

• XML Key Management Specification (XKMS): http://www.xmltrustcenter.org/xkms/index.htm

• XML Signature: http://www.w3.org/Signature/

• XML Encryption: http://www.w3.org/Encryption

Call to action

Visit HP's Invent Online to view information on educational webcasts delivered by HP experts and partners. Webcasts target developers and present information on web services development, application management, identity management, and a variety of related technologies, including XML, WSDL, and SOAP. Enhance your ability to create web services and managed applications by signing up to receive the monthly HP Software Partner News newsletter. Links to white papers, info on the latest tools and downloads, and technical tips are delivered via monthly newsletter. Visit http://devresource.hp.com/drc/newsletters/subscriptions.jsp to subscribe.

© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
