Assuring Identities in an Open Trust Framework The Identity Assurance Framework Kantara Initiative 10-22-2009 Presentation to the Kantara Healthcare Identity Assurance Work Group


Page 1

Assuring Identities in an Open Trust Framework: The Identity Assurance Framework

Kantara Initiative

10-22-2009 Presentation to the Kantara Healthcare Identity Assurance Work Group

Page 2

Identity in the Physical World

Page 3

Today’s Collection of Identity Silos

Joe’s Fish Market.Com

Tropical, Fresh Water, Shell Fish, Lobster,Frogs, Whales, Seals, Clams

Page 4

What the User wants…

• Simplified online experience
  – Get rid of the need for multiple user-ids and passwords
  – Fewer clicks

• Protected personal information
  – Reduce my risk from fraud

• Better product & service offerings
  – Web 2.0 and/or “smart phone” data service integration

Page 5

A solution that didn’t work…

• Centralized Model
  – Identity and user information in single repository
  – Centralized control
  – Single point of failure

[Diagram: a single Central Provider]

Page 6

What we learned

• Open Federated Model
  – User information is already in various locations
  – No centralized control
  – No single point of failure
  – The user can use their credentials to receive services anywhere the credential is accepted

[Diagram: a network of independent Providers]

Page 7

ATM Historic Analogy

[Diagram: three stages, ATM networks on the left and web sites (.com) on the right]
  – Separate Cards with Each Bank (Bank A, Bank B, Bank C ATM Cards) / Individual Accounts with Many Web Sites
  – Linked Cards within Bank Networks (Bank ATM Network A, B, C) / Federated Accounts within Trust Domain
  – Linkage of Trust Domains / Seamless Access Across all Networks

Page 8

Effective Identity Requires Interoperable Assurance

• Credential Service Provider (CSP)
  – Identity Proofing
  – Credential Lifecycle Management
  – Operational Criteria for Trust

• Relying Party (RP)
  – Assesses Risk of Application
  – Complies with Best Practices
  – Provisions the Service or Resource

• User gets great experience: safe, simple access from any device to services/resources

[Diagram: Credential Service Provider, Relying Parties]

Page 9

There are Two Problem Areas

• Technical Interoperability
  – Does the client application I'm using “talk” to the systems I want to use? (can I type in my PIN on my iPhone and have unfettered access to services without logging in again?)
  – Does the system that authenticates me (vouches for me) “talk” to the service provider systems I want to access? (can I login to my bank's site and use that to pay my taxes, book travel, and check my Gmail account?)

• Operational Interoperability & Assurance
  – Do the commercial and government systems “trust” each others' systems, operating procedures, vetting practices, etc.? (i.e., understand & accept the distribution of liability when/if something goes wrong)

We’ll focus today on the Operational Interoperability & Assurance Aspects

Page 10

Identity Ecosystem: Trust

Federated Cloud: RP applications trusting Federations, who enroll & monitor CSPs compliant w/ FO policies, based on Assessor Assessments

[Diagram: End user (subscriber), Federation Operator, Assessor, Government Applications, Services, Resources, Authentication Technology, Credential Service Provider, Relying Parties]

Page 11

…so why the need for a common standard?

Identity Assurance Framework

Page 12

Identity Ecosystem: Trust after IAF

IAF enabled Inter-Federated Cloud: RP applications trusting [Certified Federations, who enroll & monitor] IAF compliant CSPs, based on Accredited Assessor Assessments

[Diagram: End user (subscriber), Federation Operator, Assessor, Government Applications, Services, Resources, Accredited Assessors List, Certified Federations List, Authentication Technology, Credential Service Provider, Relying Parties; IAF’s Initial Focus is marked on the Assessor/Federation/CSP side]

Page 13

End Goal

The end goal of this activity is to provide public and private sector organizations with a uniform means of relying on digital credentials issued by a variety of identity assurance providers (credential service providers) in order to advance trusted identity and facilitate public access to online services and information.

Interoperability of e-authentication systems and mutual acceptance of rules, policies and supporting business processes are critical to the cost-effective operation of safe and secure systems that perform essential electronic transactions and tasks across industry lines.

Page 14

Identity Assurance Framework: What is it?

• Framework supporting mutual acceptance, validation and lifecycle maintenance across identity federations (i.e. systems that trust each other)

• Started with EAP Trust Framework, UK tScheme and US e-Auth Federation Credential Assessment Framework as baseline

• Harmonized, best-of-breed industry identity assurance standard
  – Identity credential policy
  – Business procedure and rule set
  – Baseline commercial terms

• Guideline to foster inter-federation (i.e. inter-trust) on a global scale

• It consists of 4 parts:
  – Assurance Levels
  – Service Assessment Criteria
  – Assurance Assessment Scheme and Certification Program
  – Business Rules/Deployment Guidelines

Page 15

IAF Assurance Levels

• Definition: Level of trust associated with a credential measured by the strength and rigor of the identity-proofing process, the inherent strength of the credential and the policy and practice statements employed by the Credential Service Provider (CSP, aka “IDP”, aka “OP”, aka “Claims Provider”)

• Four Primary Levels of Assurance
  – Level 1 – Little or no confidence in asserted identity’s validity
  – Level 2 – Some confidence
  – Level 3 – Significant level of confidence
  – Level 4 – Very high level of confidence

• Use of Assurance Level is determined by level of authentication necessary to mitigate risk in the interaction, as determined by the Relying Party

• CSPs are certified by Assessors to a specific Level(s)

Page 16

IAF Assurance Levels Illustrated

Note: Assurance level criteria as posited by the OMB M-04-04 & NIST SP 800-63

| Assurance Level | Example | Assessment Criteria – Organization | Assessment Criteria – Identity Proofing | Assessment Criteria – Credential Mgmt |
|---|---|---|---|---|
| AL 1 | Registration to a news website | Minimal organizational criteria | Minimal criteria – Self assertion | PIN and Password |
| AL 2 | Change of address of record by beneficiary | Moderate organizational criteria | Moderate criteria – Attestation of Govt. ID | Single factor; Prove control of token through authentication protocol |
| AL 3 | Access to an online brokerage account | Stringent organizational criteria | Stringent criteria – stronger attestation and verification of records | Multi-factor auth; Cryptographic protocol; “soft”, “hard”, or “OTP” tokens |
| AL 4 | Dispensation of a controlled drug or $1mm bank wire | Stringent organizational criteria | More stringent criteria – stronger attestation and verification | Multi-factor auth w/ hard tokens only; crypto protocol w/ keys bound to auth process |

Page 17

Sample Criteria from IAF

AL2_CO_SER#010 Security event logging: Maintain a log of all security-relevant events concerning the operation of the service, together with a precise record of the time at which the event occurred (time-stamp), and such records must be retained with appropriate protection, accounting for service definition, risk management requirements, and applicable legislation.

AL2_CO_ISM#050 Configuration Management: Demonstrate a configuration management system that at least includes:

a) version control for software system components.

b) timely identification and installation of all applicable patches for any software used in the provisioning of the specified service.
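The two properties AL2_CO_SER#010 asks for, a precise time-stamp on every security-relevant event and retention "with appropriate protection", can be illustrated in code. The following is an added example, not from the Kantara slides or the IAF itself; it hash-chains records so that a CSP can detect alteration, deletion or reordering of retained log entries. Event names and field layout are this example's own assumptions.

```python
"""Added example, not from the Kantara slides or the IAF itself: a minimal
security event log meeting the intent of AL2_CO_SER#010. Every record
carries a precise UTC time-stamp, and records are hash-chained so that
alteration, deletion or reordering of retained records is detectable.
Event names and field layout are this example's own assumptions."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first record's "prev" link


class SecurityEventLog:
    """Append-only log; each record commits to the hash of its predecessor."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(record):
        # Canonical JSON of everything except the hash field itself, so the
        # digest is stable regardless of dict insertion order.
        body = {k: v for k, v in record.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, event, **fields):
        """Record a security-relevant event; returns the new record's hash."""
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        record = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="microseconds"),
            "event": event,
            "fields": fields,
            "prev": prev_hash,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, first bad index).
        In a real service the latest hash would also be anchored outside the
        log (e.g. WORM storage) so that truncating the tail is detectable."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None
```

Editing a retained record, or removing one from the middle of the chain, makes `verify()` report the index at which the chain breaks.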

Page 18

Assurance Assessment Scheme & Certification Program

• Oversight by Member Committee (ARB)

• Assessor is Accredited based on application of demonstrated expertise

• CSP service is Certified to LOA(s) based on IAF compliance

• Technology is Certified to be Interoperable

• User has safe, simple access to services

[Diagram: Credential Service Provider, Relying Parties]

Page 19

Assurance Review Board

• Assurance Review Board (ARB): effects oversight and processes all applications

• Comprised of representatives of the identity marketplace ecosystem, and currently includes representatives from the following communities:
  – Credential Service Provider (CSPs)
  – Relying Party (RP)
  – Auditor
  – Federation Operator
  – “Interested Party”, i.e. an entity that stands to benefit from such a program, but does not have an offering to put through the program

Current ARB appointees include Mark Coderre, Aetna; Nigel Tedeschi, BT; David Temoshok, GSA; Nathan Faut, KPMG; and Leif Johansson, SUNET/NORDUnet

Page 20

The Result – Identity Ecosystem

[Diagram: Commercial, Social Networks, Financial, Government, Institutions, Industry, Employers, Family/Friends; People, Entities, Machines...]

•Ubiquitous interoperability

•Minimize or Eliminate “Token Necklace”

•Customer Convenience

•Consistent User Experience

•Plain Language

•Simplified On-boarding

•Low-to-No Cost

•Ease of Service Selection

•Clear Risk & Liability

Page 21

More Information on IAF and the Assurance Certification Program

http://kantarainitiative.org/confluence/display/certification/Identity+Assurance+Certification+Program

If you are interested in participating in the Certification pilot, please contact Britta Glade ([email protected])