‘Identity Management in Telcos’ - KuppingerCole · 080416-17_User-Centrism_Web2_0, 17.04.2008
TRANSCRIPT
17.04.2008080416-17_User-Centrism_Web2_0 1
‘Identity Management in Telcos’
Jörg Heuer, Deutsche Telekom AG, Laboratories, Munich, April 2008
Agenda.
§ Introduction
§ User-centric Identity and Telcos
§ Comprehensive Identity Models
§ IDM Reference Architecture
§ Selected Concepts, Projects, Results
Introduction
TU Berlin Brings Inspired Research, Deutsche Telekom Contributes Engineering Skills and Business Experience.
Technical University Berlin
§ Scientific community
§ Establishment of professorships
§ Integration into TU curriculum
§ Attraction of aspiring young scientists
Deutsche Telekom AG
§ Links to customers and industry
§ Funding
§ Private sector management
“University Industry Research Center” of Deutsche Telekom and TU Berlin
1. Value creation for DT by substantial contributions to the product roadmap
2. Building excellence and reputation as a world class R&D institution in telecommunication
Deutsche Telekom Laboratories’ Innovation Framework.
Focus fields (5i) and the matching innovation guidelines:
§ Intuitive Usability: Simplify your life.
§ Integrative Service Components: Always best served.
§ Intelligent Access: Always best connected.
§ Infrastructure Development: High quality at reasonable cost.
§ Inherent Security: Trusted IP networks and services.
Deutsche Telekom – Business Areas and Divisions.
Deutsche Telekom
§ Broadband/Fixed Network: T-Com, T-Online
§ Mobile Communications: T-Mobile
§ Business Customers: T-Systems
User-centric Identity and Telcos
User-centrism in Identity Transactions – a Taxonomy (by Paul Madsen of NTT/LAP)
User-centric
§ User interaction always required
§ Identity flow always through user
§ People always in the protocol
User-controlled
§ User interaction is an option, but not mandatory
§ Identity flow is user controlled by means of policies
§ Users have identity agents
User-consented
§ User interaction is no option
§ Identity flow is controlled by authorities
§ Users have consented by means of contracting (e.g. employment contract)
Source: http://connectid.blogspot.com/2006/06/protocol-for-people.html
Company centric Identity vs. User centric Identity.
Company centric Identity (Company / Site): identities are issued by the company; liability is with the company.
User centric Identity (Community, Site, Company): identities are issued by the user itself; liability is with the user.
Concept of Claims vs. Concept of Assertion.
User centric Identity: Claims. Actors: Identity Issuer / Identity Agent, Identity Consumer / Relying Party, Trust Broker. The identity agent releases a claim that the relying party requests; the claim is “in doubt” until the trust broker assures it, after which it counts as “proven to be true” and is believed by the consumer (diagram edges: releases, requests, assures, believes, checks).
Company centric Identity: Assertion. Actors: Authoritative Site (Identity and Role Provider), Service Provider. The authoritative site assures the assertion; the service provider requests, checks and believes it.
User-centrism Transcends Beyond Identity Management.
User-centric identities cannot replace corporate-centric identity management:
§ Customer data bases
§ Public/governmental registers
§ Financial institutions' accounts and records
§ … even your address book…
User-centrism puts power into the hand of the user – but also liabilities:
§ User-centrism can help save users from advertisement-based harassment
§ Changing service contracts on the fly is a cumbersome – and expensive – undertaking
§ Users can mash up services in a user-centric way much more easily
§ User-centric solutions introduce new complexities to the ‘normal’ user
There is a large gap between mash-ups and ‘mess-ups’.
Comprehensive Identity Models
Identities in a Telco Organization.
Customer lifecycle (columns): Acquisition/Profiling, Sale, Customer Care, Terminate, …
Identity steps along the lifecycle: Browsing, Registration, Authentication, Identify/Persona Selection/Pre-Pay, Login/SSO, Use/Aggregate/Post-Pay/Review, De-Register; Service/Aggregation/Federation; De-register.
Identity domains (rows):
§ User / Consumption: using access, reading e-mail, sending SMS, …
§ CRM / Customer Care: ordering/upgrading products, contract administration, complaints
§ Resource / Delivery: provisioning/creation of mailboxes, storage allocation
Cross-cutting requirements: Privacy; Consistent Identity handling.
Our Telco Identity Reference Model.
Identity at three layers: Network (NGN/IMS), Service, Enabler (Service Cloud, Web 2.0); AuthN sits between them.
Identity types in the model:
§ User-Centric
§ MSISDNs
§ Network Addresses
§ Directories
§ Federation
§ E-Mail Addresses
Identity roots: Gov’t, User, SIM/UICC.
IDM Reference Architecture
AAA & IdM Reference Architecture – Challenges of Telcos.
Domains: Service Provider Domain A / B; Network Access Provider Domain A / B.
Services and access types: Mobile Applications, Digital Content, SIM Card Authentication, Web Applications, ISP Network Access, ISP Access, 3G Access, Roaming, Streaming.
Cross-domain concerns: Contracts, Privacy, Roles, Cost Control, Identities, Roaming, Preferences, Access Rights, Credentials.
AAA & IdM Reference Architecture – Essentials.
§ Domain centric Identity Management: corporate silos (Corp., Corp., Corp., Corp.) with no interoperability.
§ Federated Identity Management: a Circle of Trust (CoT) providing SSO, SLO and attribute exchange.
AAA & IdM Reference Architecture – Essentials.
Mission – Provide guidance and blueprints for seamless and overarching AAA & IdM functionalities by means of defining an AAA & IdM Reference Architecture.
The AAA & IdM Reference Architecture spans Service Provider Domains A and B and Network Access Provider Domains A and B (Mobile Applications, Digital Content, SIM Card Authentication, Web Applications, ISP Network Access) and covers:
§ Federation
§ Single Sign On/Off
§ Identity Management
§ Privacy
§ Attribute Exchange
§ Authentication
§ Accounting/Charging
§ Authorization
AAA & IdM Reference Architecture – Concepts. Simplified version.
Components of the AAA & IdM Infrastructure: User Agent (Principal); Relying Party; Identity Provider; Authentication Enforcement; Authentication Validation; Authorization Enforcement; Authorization Decision; Accounting Provider; Charging Provider; Identity Provisioning; Identity Auditing; Attribute Provider.
AAA & IdM Reference Architecture – Concepts. Some selected concepts with regards to Service oriented Architectures.
AAA & IdM Reference Architecture – Concepts. Trust: Security Tokens, Claims & Assertions.
Token technologies: X.509, PKI, Kerberos, SAML, WS-Trust.
The Security Token is the basic building block of an IdM & AAA infrastructure: a Security Token (Issuer) carrying information (about someone), issued by a Security Token Service and checked by Trust Validation. It can be distributed over any fixed or mobile network and interchanged between network and service layer without further requirement on security.
Selected Concepts, Projects, Results
Microsoft CardSpace - Dimensions.
§ CardStore: Where is the cardstore? Service Providers store the information cards and facilitate the use through different devices. Options: local, removable, network.
§ CredentialStore: Where are the credentials? Storage of credentials and engine for cryptographic operations. Options: local, removable, network.
§ UI Generation: Where is the UI generated? The UI could be generated on a server but be displayed on one of the user’s devices. Options: PC, Secure Desktop, network, mobile.
§ Identity Selector (UI): Where is the UI displayed and where is the Information Card selected? Options: PC, mobile.
§ STS (Security Token Server): Where is the STS? Options: PC, removable (U3; mIdenty), network, mobile.
§ STS Authentication: Authentication Technology. Options: Kerberos, Self-issued IC, Username/PW, X509, SAML.
§ Browser: On which device is the authentication needed? Options: PC, mobile.
CardSpace Scenario.
Managed Cards backed by X509 Certificate
Components in the scenario diagram (RP, IDP and STS connected over the Internet; CardSpace on the user’s PC):
A Relying Party
B Secure Token Server
C IDP Website
D NFC Card Driver on PC
E Tools on PC
F Applet on UICC
G X509 Certificate on UICC
Technology Prototype - Identity Broker.
Actors: User (with CardSpace); Service Provider / Relying Party holding a protected Resource; Identity Provider consisting of an STS and an LA (ID-FF) component.
1 Access to protected resource
2 Redirect to Identity Provider
3 Direct to login page
4 User chooses InfoCard for authentication
5 CardSpace preselects InfoCard based on tagged information by IDP
6 User logs in using chosen InfoCard
7 Security Token transfer to LA
8 Redirect to Service Provider
9 SAML assertion
10 Access to protected resource
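The broker flow above (and the claim-to-assertion brokering of the earlier "Claims vs. Assertion" slide) as an added example that is not part of the original deck: a minimal Python simulation of steps 7, 9 and 10, in which the STS token is exchanged for an assertion scoped to one service provider and the relying party validates signature, audience, lifetime and one-time use before granting access. Party names, keys and InfoCard claims are constructed; HMAC stands in for the X.509/SAML signatures a real STS would use.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo keys for the two issuers in the prototype (assumption: one shared secret per
# issuer). A real STS signs with X.509/PKI and emits SAML or WS-Trust tokens; HMAC keeps this short.
STS_KEY = b"demo-sts-key"
LA_KEY = b"demo-la-key"

def _sign(key: bytes, payload: dict) -> str:
    """Encode payload as base64url(JSON) and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _verify(key: bytes, token: str) -> dict:
    """Constant-time tag check, then decode; raises ValueError on a forged or altered token."""
    body, tag = token.rsplit(".", 1)
    if not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("signature check failed")
    return json.loads(base64.urlsafe_b64decode(body))

def sts_issue(card_id: str, claims: dict, now: int) -> str:
    """Step 7: the STS turns the InfoCard the user chose into a short-lived token addressed to LA."""
    return _sign(STS_KEY, {"iss": "sts", "aud": "la", "card": card_id,
                           "claims": claims, "exp": now + 300})

def la_issue_assertion(sts_token: str, sp_id: str, now: int) -> str:
    """Step 9: LA accepts only a valid, unexpired STS token meant for it, then asserts to one SP."""
    tok = _verify(STS_KEY, sts_token)
    if tok["aud"] != "la" or tok["exp"] <= now:
        raise ValueError("STS token not acceptable")
    return _sign(LA_KEY, {"iss": "idp", "aud": sp_id, "id": secrets.token_hex(8),
                          "sub": tok["claims"]["ppid"], "attrs": tok["claims"], "exp": now + 120})

def sp_accept(assertion: str, sp_id: str, now: int, seen: set) -> bool:
    """Step 10: the RP grants access only if signature, audience, lifetime and one-time use all hold."""
    try:
        a = _verify(LA_KEY, assertion)
    except ValueError:
        return False
    if a["aud"] != sp_id or a["exp"] <= now or a["id"] in seen:
        return False
    seen.add(a["id"])  # remember the assertion id so a replayed copy is refused
    return True

def run_flow(sp_id: str, now: int, seen: set) -> bool:
    """Drive steps 6-10 once for a constructed InfoCard and report the RP's access decision."""
    claims = {"ppid": "card-1234", "name": "Alice"}  # constructed InfoCard claims
    assertion = la_issue_assertion(sts_issue("card-1234", claims, now), sp_id, now)
    return sp_accept(assertion, sp_id, now, seen)
```

Presenting the STS token directly to the service provider, replaying an assertion, or handing it to a different service provider are all refused, which is the point of brokering through the LA rather than letting the RP consume STS tokens itself.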
Identity and Reputation – The Building Blocks of Trust.
Trust builds on Identity and Reputation.
Identity:
§ In-game self-provided attributes
§ External self-provided attributes
Reputation:
§ 3rd party authority provided attributes
§ 3rd party community provided perceptions
“Identity is my story about me. Reputation is your story about me.” – Phil Windley
Telcos need to solve Identity Management Issues in Many places.
§ Telcos are large enterprises too: they run operational infrastructures controlled by AAA systems (Authentication, Authorization, Accounting) and handle customer data for millions…
§ Privacy – in contrast to ad-based players, telcos are obliged to handle personal data with extreme care. In the face of increasing amounts of unsolicited communication and unprecedented opportunities to disclose personal information in Social Networks, a crucial asset – especially in conjunction with…
§ Establishing trust between consumers, prosumers, and enterprises.
§ Advertisement-driven ‘feels-like-free’ business models are limited – usage-based models can help especially small sites and user-generated content. AAA, Billing, and Payment will be substantial for this.
Author’s Contact Information.
Dipl.-Inform. Jörg Heuer
E-mail: [email protected]
Phone: +49 (30) 8353 58422
Fax: +49 (30) 8353 58409
Deutsche Telekom Laboratories, Ernst-Reuter-Platz 7, 18th Floor, 10587 Berlin, Germany
Web: www.telekom.de/laboratories
Thank You for Your Kind Attention.