
Identity & Access Management

DCS 861 Team2


Kirk M. Anne
Carolyn Sher-Decaustis
Kevin Kidder
Joe Massi
John Stewart
The Problem
• How do you establish a digital ID?
• How do you “guarantee” somebody’s ID?
• How do you prevent unauthorized access?
• How do you protect confidential ID data?
• How do you “share” identities?
• How do you avoid “mistakes”?
What is IdM/IAM?
• The Burton Group defines identity
management as follows:
– “Identity management is the set of business
processes, and a supporting infrastructure for the
creation, maintenance, and use of digital
identities.”
Internet2 HighEd IdM model
A more “complete” definition
• An integrated system of business processes,
policies and technologies that enables
organizations to facilitate and control user
access to critical online applications and
resources — while protecting confidential
personal and business information from
unauthorized users.
http://www.comcare.org/Patient_Tracking/IPTI-Glossary.html
[Diagram: Identity Management at the center, linked to Policy, Confidential Information, Technology/Infrastructure Uses, and Business Processes]
Why is IdM/IAM important?
• Social networking
• Customer/Employee Management
• Information Security (Data Breach laws)
• Privacy/Compliance issues
• Business Productivity
• Crime prevention
Components of IdM/IAM
[Diagram: the three components – Identity Life-Cycle Management, Access Management, Directory Services]
Directory Services
• Lightweight Directory Access Protocol (LDAP)
• Stores identity information
– Personal Information
– Attributes
– Credentials
– Roles
– Groups
– Policies
Components of a digital identity
[Diagram: Biographical Information (Name, Address), Biometric Information (Behavioral, Biological), Business Information (Transactions, Preferences)]
Access Management
• Authentication/Single Sign On
• Entitlements (Organization/Federation)
• Authorization
• Auditing
• Service Provision
• Identity Propagation/Delegation
• Security Assertion Markup Language (SAML)
Access Management
• Authentication (AuthN)
– Three types of authentication factors
• Type 1 – Something you know
• Type 2 – Something you have
• Type 3 – Something you are
• Authorization (AuthZ)
– Access Control
• Role-Based Access Control (RBAC)
• Task-Based Access Control (TBAC)
– Single Sign On/Reduced Sign On
– Security Policies
Levels of Assurance
• LOA-1 – Little or no confidence identity is accurate; impacts individual
• LOA-2 – Confidence exists identity is accurate; impacts individual and organization
• LOA-3 – High confidence identity is accurate; impacts multiple people and organization
• LOA-4 – Very high confidence identity is accurate; impacts indiscriminate populations

[Figure: example activities plotted by Risk (Low to High, vertical axis) against Data Classification/Privileges (Low to High, horizontal axis): Manage Research Data, Manage My Benefits, Manage Other’s Benefits, View My Vacation, Manage Financials, Access to Biotechnology Lab, Manage Financial Aid, Apply to College, View My Grades, Manage My Calendar, Manage Student Records, Join a Group, Enter Course Grades, Give Donations, Take a Test, Administer Course Settings, Buy Tickets, Enroll in a Course]
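The two slides above (the three authentication factor types and the LOA matrix against the Risk / Data Classification axes) combine into a step-up authentication decision. The following is an added example, not code from the DCS 861 slides; the per-activity risk and data-classification ratings and the factor-count-to-LOA mapping are constructed assumptions.

```python
"""Step-up authentication policy: required LOA from the Risk and Data
Classification axes, session LOA from the distinct factor types presented.
Example code written for this page, not from the slides; ratings are constructed."""
from dataclasses import dataclass

# Factor types from the Access Management slide (Type 1, 2, 3).
KNOW, HAVE, ARE = "something_you_know", "something_you_have", "something_you_are"

@dataclass(frozen=True)
class Activity:
    name: str
    risk: int        # 1 (Low) .. 4 (High), constructed rating
    data_class: int  # 1 (Low) .. 4 (High), constructed rating

# Activities named on the slide's plot; the numeric ratings are assumptions.
ACTIVITIES = {
    "Buy Tickets": Activity("Buy Tickets", 1, 1),
    "View My Grades": Activity("View My Grades", 2, 2),
    "Manage Student Records": Activity("Manage Student Records", 3, 3),
    "Access to Biotechnology Lab": Activity("Access to Biotechnology Lab", 4, 4),
}

def required_loa(activity: Activity) -> int:
    """The worse of the two axes drives the requirement: an activity touching
    highly classified data needs LOA-4 even when its own risk rating is low."""
    return max(activity.risk, activity.data_class)

def session_loa(factors: frozenset, identity_proofed: bool) -> int:
    """Map the distinct factor *types* a session presented to an LOA.
    Assumed policy (not from the slides): one type without identity proofing
    -> LOA-1, one type with proofing -> LOA-2, two types -> LOA-3, all three
    -> LOA-4. Two passwords are still one type and never raise the level."""
    kinds = len({f for f in factors if f in (KNOW, HAVE, ARE)})
    if kinds == 0:
        return 0
    if kinds == 1:
        return 2 if identity_proofed else 1
    return 3 if kinds == 2 else 4

def decide(activity_name: str, factors, identity_proofed: bool = True) -> str:
    """Return 'allow', or 'step-up:LOA-n' naming the level the user must reach."""
    need = required_loa(ACTIVITIES[activity_name])
    have = session_loa(frozenset(factors), identity_proofed)
    return "allow" if have >= need else f"step-up:LOA-{need}"
```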


Identity Life-Cycle Management
• User Management
• Credential Management
• Entitlement Management
• Integration (Authoritative Sources of Record)
• Identity Provisioning/Deprovisioning
“Student” Identity Life Cycle
[Diagram: student identity states – Prospective, Accepted, Paid Deposit, Registered, Leave of Absence, Graduated, Withdrawn]
Federated Identity Management
• Business Enablement
• Automatically share identities between
administrative boundaries
– Identity Providers (IdP)
– Service Providers (SP)
• Easier access for users (use local credentials)
• Requires trust relationships
Shibboleth
Internet2 HighEd IdM model
Research Areas
• Public Safety
– Identity theft, cybercrime, computer crime, organized crime groups,
document fraud, and sexual predator detection
• National Security
– Cybersecurity and cyber defense, human trafficking and illegal
immigration, terrorist tracking and financing
• Commerce
– Mortgage fraud and other financial crimes, data breaches, e-commerce
fraud, insider threats, and health care fraud
• Individual Protection
– Identity theft and fraud
• Integration
– Biometrics, Policy assessment/development, Confidentiality, Privacy
