
Today’s slides available at: duke/~gettes/CAMP

Explore the components of identity management, the challenges faced by higher education institutions, and the importance of identity management in building a secure infrastructure. Learn about authentication, authority management, group management, directories, service provisioning, and more.





Presentation Transcript


  1. Today’s slides available at: www.duke.edu/~gettes/CAMP

  2. Seminar 02 Introduction to Identity Management: The Big Picture • Michael R. Gettes • Duke University • CAMP: Building a Distributed Access Management Infrastructure

  3. Observations on: Identity Management, Middleware & Security in U.S. Higher Education • Michael R Gettes • Duke University

  4. A GLOBAL PROBLEM! We recognize there exists a larger world...

  5. Identity Management? • #1 Issue in Higher Education - 2005/2006 EDUCAUSE IT Survey. • Less than 10 years old - some HE schools doing it much longer. • IdM is defined by many components as follows ...

  6. IdM Components a.k.a. “middleware” (1) • Systems of Record (HR, SIS, Alumni, Telecom) • Information Switch (Vendor/build) • entity registry (Vendor/build) • identity business rule handling (Vendor/build)

  7. IdM Components a.k.a. “middleware” (2) • Authentication (Password, PKI, Kerberos (ECAR Survey - K5 everywhere), ...) • Authority Mgmt (Signet, HR system, ...) • Group Mgmt (Vendor, Grouper, Build) • Directories - fast repositories (Vendor, Open Source)

  8. IdM Components a.k.a. “middleware” (3) • Service Provisioning • Vendor, Built, Nexus • Message Mgmt - real-time and queuing • Vendor, Built or Jabber/XMPP

  9. IdM Components a.k.a. “middleware” (4) • Attribute Delivery • PKI, SAML/Shibboleth, Directory, Vendor, (Various) • Authorization, Act of (by Application) • Policy Decision Point (PDP) • Policy Enforcement Point (PEP)

  10. Age of this Technology • Technology is young. • Lots of options - much more than just 5 years ago. • If you buy - you will still need to build your own Identity Business Rules. Buy *and* Build decision. • NSF/Internet2 Middleware - these “solutions” are simply options. If you believe in Open Source - they are good. If not, then use these solutions to drive vendors for what you want. Remain aware of trends.

  11. Institutional Issues • STAY OFF THE FRONT PAGE OF NATIONAL NEWS!!! • IdM is part of any “good” security program. • Each institution having IdM leads to better National Security - or at least the perception of it. • IdM leads to Access Control via Authority Management, Authorization and timeliness

  12. Institutional Issues (2) • Nobody cares about implementing IdM. Need to define it in terms of Infrastructure to deliver a set of Services/Goals. • Duke - Goal is 1 hour to get ID Card and NetID services for new employee and 1 hour for status changes to take effect (job changes). Buy-in from VPs, EVP, Provost, etc...

  13. Institutional Issues (3) • Consider rolling affiliates (non-student/fac-staff/alumni) into HR system - many contracts based on FTE (=paid person). You might get affiliate management for free. • How do ID Proofing processes (identity registration) need to change for students and staff to enhance Business services?

  14. Institutional Issues (4) • How do we validate our processes? Is my institution doing a good job on IdM? • CAF - Credential Assessment Framework • How do we know if other institutions are doing a good job? • Federations! Like-minded organizations seeking like-minded services.

  15. Institutional Identity • BRANDING of the institution via E-Identity • my.harvard, stanford.you, CNetID (chicago) • How easy is institutional initiation? • How easy to change function at institution? • Uniting the institution electronically - overcoming typical political boundaries

  16. Levels of Assurance (LoA)? • Classify the requirements of an application • Assign confidence levels for the ID Proofing and Electronic Authentication Processes • Define mapping between Reqs and Confidence • As simple as a number (Levels 1,2,3,4). • Define confidence in terms of application requirements and you can use the same value for both.

  17. Federation? • A collection of organizations, having implemented some form of Identity Management, where Credential Service Providers (CSP, Universities) and Service Providers (SP, Content Providers) agree to “rules of engagement” (policy and attributes) using federating software (SAML/Shibboleth, PKI, InfoCard ...)

  18. Higher Ed Activity... • InCommon - SAML based Federation • USHER - US Higher Education Root - PKI • HEBCA - Bridged PKI similar to USGov • Federal eAuth involvement (see Alterman) • Research community seeking Id Mgmt • NSF CyberInfrastructure • Shy away from Biometrics - What if you lose your E-thumb? • National ID vs. Federated ID - NOT RFID!

  19. So, what is Identity Management, practically-speaking?

  20. “IAM” is… • “Hi! I’m Lisa.” (Identity) • “…and here’s my NetID / password to prove it.” (Authentication) • “I want to do some E-Reserves reading.” (Authorization : Allowing Lisa to use the services for which she’s authorized) • “And I want to change my grade in last semester’s Physics course.” (Authorization : Preventing her from doing things she’s not supposed to do)

  21. What questions are common to these scenarios? • Are the people using these services who they claim to be? • Are they a member of our campus community? • Have they been given permission? • Is their privacy being protected? • Policy/process issues lurk nearby

  22. Vision of a better way to do IAM • IAM as a middleware layer at the service of any number of applications • Requires an expanded set of basic functions

  23. Basic IAM functions [diagram; recovered labels only: Identity Mgmt System, Systems of Record (Stdnt, HR, Other), Reflect, Join, Registry, Credential, LDAP]

  24. Role- and Privilege-based AuthZ • Privileges are what you can do • Roles are who you are, can be used for policy-based privileges • Both are viable, complementary for authorization
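As an added example that is not part of the original deck, the following Python ties together the PDP/PEP of slide 9, the LoA numbers of slide 16, Lisa's two requests from slide 20 and the role/privilege distinction on this slide: roles expand to policy-based privileges, individually granted privileges are honoured too, and the application's LoA requirement is compared against the assurance of the session. Role names, privilege names and LoA values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Policy: role -> privileges (slide 24: roles are who you are and can drive
# policy-based privileges; privileges are what you can do). Names constructed.
ROLE_PRIVILEGES = {
    "student": {"eres:read", "course:enroll"},
    "registrar": {"grade:read", "grade:change"},
}
# Application requirement as a Level of Assurance (slide 16): the same 1-4
# number expresses what the app needs and how confident the authentication was.
PRIVILEGE_LOA = {"eres:read": 1, "course:enroll": 2, "grade:read": 2, "grade:change": 3}

@dataclass
class Subject:
    netid: str
    roles: set = field(default_factory=set)
    direct_privileges: set = field(default_factory=set)  # granted individually

@dataclass
class Session:
    subject: Subject
    loa: int  # assurance of the authentication event that created the session

def effective_privileges(subject):
    """Individually granted privileges plus those implied by the subject's roles."""
    privs = set(subject.direct_privileges)
    for role in subject.roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def decide(session, privilege):
    """Policy Decision Point (slide 9): (permit?, reason) for one request."""
    if privilege not in PRIVILEGE_LOA:
        return False, "unknown privilege"
    if privilege not in effective_privileges(session.subject):
        return False, "privilege not held"
    required = PRIVILEGE_LOA[privilege]
    if session.loa < required:
        return False, f"LoA {session.loa} below required {required}"
    return True, "permit"

def enforce(session, privilege, action):
    """Policy Enforcement Point (slide 9): run the application action only on permit."""
    ok, reason = decide(session, privilege)
    return action() if ok else f"denied ({reason})"

# Constructed sample: Lisa from slide 20, a student authenticated at LoA 2.
lisa = Session(Subject("lisa", roles={"student"}), loa=2)
eres = enforce(lisa, "eres:read", lambda: "serving E-Reserves")  # permitted
grade = enforce(lisa, "grade:change", lambda: "grade changed")  # denied (privilege not held)
```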

  25. Privilege Management Feature Summary

  26. Basic IAM functions mapped to the NMI / MACE components [diagram; recovered labels only: Identity Mgmt System, Systems of Record, AuthN, Reflect, Join, Credential, Mng. Affil., Mng. Priv.]

  27. The Environment [diagram; recovered labels only: Apps / Resources, Identity Mgmt System, Systems of Record, AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Pass Attributes, Mng. Affil., Mng. Priv.]

  28. How full IdM layer helps • Improves scalability: IdM process automation • Improves agility: Keeping up with demands • Reduces complexity of IT ecosystem • Complexity as friction (wasted resources) • Improved user experience • Functional specialization: App developer can concentrate on app-specific functionality

  29. The Environment [diagram; recovered labels only: Apps / Resources, Identity Mgmt System, Systems of Record, AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Pass Attributes, Mng. Affil., Mng. Priv., Grouper, Signet, Shibboleth]

  30. Grouper • Grouper project of Internet2 MACE • Infrastructure at University of Chicago • User interface at Bristol University in UK • $upport from NSF Middleware Initiative (NMI) • http://middleware.internet2.edu/dir/groups

  31. Signet • Project Signet of Internet2 MACE • Development based at Stanford • $upport from NSF Middleware Initiative • http://middleware.internet2.edu/signet

  32. IAM functions

  33. Terminology • CSP - Credential Service Provider - A trusted entity issuing electronic credentials to subscribers (aka Identity Provider) • RA - Registration Authority - Vouches for the identity of a subscriber to a CSP • Identity Proofing - Process by which CSP and RA uniquely identify a person/entity • RP - Relying Party - an entity relying upon the credentials issued by a CSP (aka Service Provider) • LoA - Level of Assurance - Classification of ID proofing suitable for electronic use to control access to information

  34. What is a Federation? A collection of organizations, having implemented some form of Identity Management, where Credential Service Providers (CSP, Universities) and Service Providers (SP, Content Providers) agree to “rules of engagement” (policy and attributes) using federating software (Shibboleth, SAML, PKI)

  35. What is a Federation? Continued • Sounds simple? It can be. It can be made really complex, really fast. • www.nmi-edit.org for more info • CSPs and SPs retain control over their environments (identity data and access ctrl) • www.InCommonFederation.org • Approx 37 participants (9/06), Launched 4/2005 • Inqueue.internet2.edu • Testing/Playground for InCommon • >225 participants (9/06) and GOING AWAY!

  36. Shibboleth and Federation • It’s real, uses SAML • Open source, freely available • Takes between 3 hours and 3 years to install -- depending on IdM infra • In production at various schools (Duke!) • For internal apps & external Univ vendors • shibboleth.internet2.edu

  37. Inter-institutional integration • Virtual Organization (VOs) • GridShib development to enhance VOs working with Institutional Identity Mgmt Systems • Federations • Federal E-Authentication Initiative • League of Federations • The Interfederation Interoperability Working Group (IIWG). yes, it’s real

  38. One key resource to help you start building the IdM infrastructure • Enterprise Directory Implementation Roadmap http://www.nmi-edit.org/roadmap/directories.html • Parallel project planning paths: • Technology/Architecture • Policy/Management

  39. The Environment [diagram repeated from slide 29; recovered labels only: Apps / Resources, Identity Mgmt System, Systems of Record, AuthN, Log, Reflect, Provision, Join, Credential, AuthZ, Pass Attributes, Mng. Affil., Mng. Priv., Grouper, Signet, Shibboleth]

  40. A Different View of IdM Biz Process? Michael R Gettes Duke University CAMP @ Denver

  41. Prioritization… @ Duke • Cough • ahem • Cough, Cough • Gag… • Cough • Next slide please …………
