identity management business scenario · 2002. 2. 13. · organizations’ aims for identity...


Identity Management Business Scenario

23 January 2002


Session Agenda

- Overview of the workshop and scenario

to be followed by

- Issues from today’s presentations
- Group Discussion


This Presentation

- Overview of Business Scenarios
- The Workshop
- The Draft Scenario
- Next Steps
- Issues and Discussion


Business Scenarios

- Semi-formal technique for exploring requirements and developing architectures
- Part of The Open Group Architectural Framework (TOGAF)
- Used by the DIF to explore the directory requirements space:
  - The Directory-Enabled Enterprise
  - Directory in the Key Management Infrastructure
  - The Executive on the Move (Mobile and Directory)


7 Steps to Building a Business Scenario

1 - problem

2 - environment

3 - objectives

4 - human actors

5 - computer actors

6 - roles & responsibilities

7 - refine

After completion, the scenario is the basis and yardstick of The Open Group’s work (e.g. brands), of customers’ planning and procurement, and of vendors’ implementation plans.


The Workshop

- First pass through steps 1-6 by a small group of “problem owners”
- Held on 18 December 2001 in Reading, UK, hosted by The Open Group’s UK Regional Chapter
- Participation from:
  - CGNU (UK-based provider of insurance and other financial services)
  - HP Labs
  - UK government Department for Work and Pensions


The Draft Scenario


What is Identity?

There are differing views of what identity is:

- Is it more than just a name - what makes a thing different from everything else?
- Can a person have different identities when working with different systems?
- Can a person have different identities in different roles?
- Are we just concerned with people, or do computers, buildings, etc. have identities too?


Aims of Identity Management

- Aims for the community
  - six aims were stated in the workshop
- Aims for the individual
  - not discussed in the workshop, but important


Organizations’ Aims for Identity Management

- Organizational efficiency - enable transactions and person-to-person communication.
- Security - enable authorized access and prevent unauthorized access to information and services.
- Speed of reaction to change - mergers, reorganizations, departmental moves.
- Fraud prevention - hard to quantify, but can clearly provide major savings.
- Consistent treatment of the individual - “end-to-end” management of employees, Single View of the Customer, “Joined-Up Government”.
- Integrated Information Infrastructure - enable the move away from “Information Silos” and “IT-Processing Chimneys”.


Business Environment

(Diagram: example roles a person may hold in different communities - Employee/Salesman, Customer, Taxpayer, Owner, Supplier, Taxpayer/Mayor, Employee/Apprentice.)


Business Processes - Person

- Join Community
- Acquire Role
- Act in Role
- Give up Role
- Leave Community


Business Processes - Community

- Form
- Act
- Merge
- Split
- Dissolve


Technical Environment

(Diagram: The Internet)


Technical Processes (1)

- Create identity
- Update identity information
  - selective control over who (or what) can update what information
  - updates must propagate through the distributed store
- Maintain identity information stores
  - design and create
  - keep secure
  - maintain consistency of distributed stores
  - split and merge stores to reflect organizational changes


Technical Processes (2)

- Obtain identity information
  - selective control over who can access what information
  - controlled access by individuals and by communities
- Apply information access control
  - for update and access
- Destroy identity
  - archive information
  - is an identity ever completely destroyed?
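The identity lifecycle on these two slides (create; update and read under selective, attribute-level control; destroy by archiving rather than deleting) together with the audit trail the requirements call for later, as an added worked example in Python. This is constructed code written for this page, not anything from the workshop or The Open Group; the roles (hr, employee), the attribute names and the policy tables are assumptions made for the illustration. The store records every decision, allowed or refused, so that the trail can be followed after a questioned assertion of identity.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed attribute-level policy: which roles may read or update which
# attribute. "self" is a pseudo-role granted when the actor is the identity's owner.
READ_POLICY: Dict[str, Set[str]] = {
    "telephone": {"self", "hr", "employee"},    # white pages: any employee may look it up
    "department": {"self", "hr", "employee"},
    "home_address": {"self", "hr"},             # personal detail kept from colleagues
    "salary": {"self", "hr"},
}
UPDATE_POLICY: Dict[str, Set[str]] = {
    "telephone": {"self", "hr"},                # self-service for the individual
    "home_address": {"self", "hr"},
    "department": {"hr"},                       # departmental moves are an HR action
    "salary": {"hr"},
}


@dataclass
class Actor:
    uid: str
    roles: Set[str]


@dataclass
class Identity:
    uid: str
    attrs: Dict[str, str] = field(default_factory=dict)


class AccessDenied(Exception):
    pass


# One audit record: (actor, operation, subject uid, attribute, allowed?)
AuditEntry = Tuple[str, str, str, str, bool]


class IdentityStore:
    """Hypothetical identity store; every decision, allowed or not, is audited."""

    def __init__(self) -> None:
        self.live: Dict[str, Identity] = {}
        self.archive: Dict[str, Identity] = {}
        self.audit: List[AuditEntry] = []

    def _effective_roles(self, actor: Actor, uid: str) -> Set[str]:
        return actor.roles | ({"self"} if actor.uid == uid else set())

    def _decide(self, actor: Actor, op: str, uid: str, attr: str, policy: Set[str]) -> None:
        allowed = bool(self._effective_roles(actor, uid) & policy)
        self.audit.append((actor.uid, op, uid, attr, allowed))
        if not allowed:
            raise AccessDenied(f"{actor.uid} may not {op} {attr} of {uid}")

    def create(self, actor: Actor, uid: str, attrs: Dict[str, str]) -> None:
        self._decide(actor, "create", uid, "*", {"hr"})
        if uid in self.live or uid in self.archive:
            raise ValueError(f"identifier {uid} already used")  # never reuse an identifier
        self.live[uid] = Identity(uid, dict(attrs))

    def read(self, actor: Actor, uid: str, attr: str) -> str:
        self._decide(actor, "read", uid, attr, READ_POLICY.get(attr, set()))
        return self.live[uid].attrs[attr]

    def update(self, actor: Actor, uid: str, attr: str, value: str) -> None:
        self._decide(actor, "update", uid, attr, UPDATE_POLICY.get(attr, set()))
        self.live[uid].attrs[attr] = value

    def destroy(self, actor: Actor, uid: str) -> None:
        # Archive rather than delete: the audit trail must still resolve the uid later.
        self._decide(actor, "destroy", uid, "*", {"hr"})
        self.archive[uid] = self.live.pop(uid)

    def trail(self, uid: str) -> List[AuditEntry]:
        return [e for e in self.audit if e[2] == uid]


def demo() -> Tuple[str, List[str], bool, bool, List[AuditEntry]]:
    """Walk one constructed identity through create, read, update, refusals and destroy."""
    store = IdentityStore()
    hr = Actor("hr01", {"hr", "employee"})
    alice = Actor("alice", {"employee"})
    bob = Actor("bob", {"employee"})
    store.create(hr, "alice", {"telephone": "x1234", "department": "claims",
                               "home_address": "1 High St", "salary": "30000"})
    phone = store.read(bob, "alice", "telephone")       # white-pages lookup by a colleague
    store.update(alice, "alice", "telephone", "x5678")  # self-service update by the owner
    denied: List[str] = []
    for actor, op, attr in ((bob, "read", "home_address"), (alice, "update", "salary")):
        try:
            if op == "read":
                store.read(actor, "alice", attr)
            else:
                store.update(actor, "alice", attr, "0")
        except AccessDenied:
            denied.append(attr)
    store.destroy(hr, "alice")
    return (phone, denied, "alice" in store.live,
            store.archive["alice"].attrs["telephone"] == "x5678", store.trail("alice"))


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

Refused operations are written to the trail before the exception is raised, which is the behaviour an auditor needs: the record of who tried to read a restricted attribute survives even though no data was returned.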


Human Actors

- Not specifically discussed in the workshop
- Should include:
  - people with identities
  - people that control identity information (HR, security teams)
  - information system managers
  - tool and application developers


Computer Actors

- directories
- enterprise computers
- client computers
- secure id devices
- dumb terminals


SMART Objectives

- Objectives for the community
  - eight objectives were put forward in the workshop for achievement by organizations in 2002/2003
- Objectives for the individual
  - not discussed in the workshop, but important


Objectives for the Organization (1)

- Enable someone to find information about an individual
  - eg telephone number
  - within 1 minute
  - given sufficient information to distinguish the individual - name may or may not be enough
  - assuming authorized to see the information
- Deploy directory services to enable identity management
  - internal-facing directories
  - external-facing directories
  - synchronization tool (eg metadirectory)
  - application interface for developers
  - white and yellow pages with a web interface


Objectives for the Organization (2)

- Have 100% directory data consistency
  - between a select subset of legacy systems and all new systems
  - with change propagation time of less than a minute
- Be able to instantiate a new identity
  - in less than 20 minutes
  - including identification but not procurement of equipment and applications needed to support the individual
- Be able to set up a workstation for a registered peripatetic user
  - within 1 minute, except where lengthy software downloads are required
  - without administrator intervention
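The first objective above (100% consistency between the chosen legacy systems and the new systems, with changes propagating in under a minute) is only meaningful if it is measured, so here is an added example of a reconciliation check in Python. It is constructed for this page and is not the workshop's or any product's code; the 60-second limit is the slide's figure, while the entries, attribute names and timestamps are made-up sample data. A value that differs but was written less than a minute ago is reported as in flight rather than as a consistency failure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PROPAGATION_LIMIT_SECONDS = 60  # objective from the slide: changes visible within a minute


@dataclass
class Entry:
    attrs: Dict[str, str]                                       # attribute -> current value
    changed_at: Dict[str, float] = field(default_factory=dict)  # attribute -> last write (epoch s)


Finding = Tuple[str, str, str]  # (uid, attribute, detail)


def compare_stores(master: Dict[str, Entry], replica: Dict[str, Entry],
                   now: float) -> Dict[str, List[Finding]]:
    """Classify every difference between the master directory and one replica.

    in_flight: value differs but the master write is younger than the limit
    stale:     value differs and the write is older than the limit (objective missed)
    missing:   entry exists in the master but not in the replica
    orphan:    entry exists only in the replica (e.g. a leaver never removed)
    """
    found: Dict[str, List[Finding]] = {"in_flight": [], "stale": [], "missing": [], "orphan": []}
    for uid, m in master.items():
        r = replica.get(uid)
        if r is None:
            found["missing"].append((uid, "*", "entry not present in replica"))
            continue
        for attr, value in m.attrs.items():
            if r.attrs.get(attr) == value:
                continue
            age = now - m.changed_at.get(attr, 0.0)  # unknown write time counts as old
            bucket = "in_flight" if age <= PROPAGATION_LIMIT_SECONDS else "stale"
            found[bucket].append(
                (uid, attr, f"master={value!r} replica={r.attrs.get(attr)!r} age={age:.0f}s"))
    for uid in sorted(replica.keys() - master.keys()):
        found["orphan"].append((uid, "*", "entry not present in master"))
    return found


def consistency_ratio(master: Dict[str, Entry], replica: Dict[str, Entry], now: float) -> float:
    """Share of master (uid, attribute) pairs the replica agrees with; in-flight
    changes count as consistent because they are still inside the objective."""
    total = sum(len(e.attrs) for e in master.values())
    if total == 0:
        return 1.0
    found = compare_stores(master, replica, now)
    bad = len(found["stale"]) + sum(len(master[uid].attrs) for uid, _, _ in found["missing"])
    return (total - bad) / total


def demo() -> Tuple[Dict[str, List[Finding]], float]:
    """Constructed master directory and one legacy system's copy of it."""
    now = 1_000_000.0
    master = {
        "alice": Entry({"telephone": "x5678", "department": "claims"},
                       {"telephone": now - 15, "department": now - 86400}),   # phone changed 15 s ago
        "bob": Entry({"telephone": "x2222", "department": "sales"},
                     {"telephone": now - 86400, "department": now - 600}),    # moved dept 10 min ago
        "carol": Entry({"telephone": "x3333"}, {"telephone": now - 86400}),
    }
    legacy = {
        "alice": Entry({"telephone": "x1234", "department": "claims"}),
        "bob": Entry({"telephone": "x2222", "department": "claims"}),
        "dave": Entry({"telephone": "x4444"}),                                # left, never removed
    }
    return compare_stores(master, legacy, now), consistency_ratio(master, legacy, now)


if __name__ == "__main__":
    findings, ratio = demo()
    for bucket, items in findings.items():
        for item in items:
            print(bucket, *item)
    print(f"consistency: {ratio:.0%}")
```

Run periodically against each legacy system in the selected subset, the stale and missing buckets are the ones that breach the objective; orphans are worth reporting separately because a leaver who survives in a legacy system is an access-control problem, not just a consistency one.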


Objectives for the Organization (3)

- Implement single-owner management of e-clients
  - change made once (on-line) propagates to all back-end systems
  - issues are organizational and to do with integration of legacy systems
- Implement a single sign-on authentication system
  - for the web and internal systems
  - as part of a co-ordinated management system that adheres to a specific security policy and architecture
- Save £millions
  - by reducing fraud


Requirements (1)

- Privacy. A person may want to restrict particular information to a particular community - for example, may not want work colleagues to know details from personal life. But the individual’s wishes are not always paramount.
- Ease of management - individual. It should be easy for a person to manage his or her identities. The “right thing” should happen without them having to worry about it.
- Ease of management - community. It should be easy for an organization to manage its members’ identities. Information should automatically propagate where needed.


Requirements (2)

- Separation of roles. For example, when an insurance company employee buys insurance from the company, his roles as employee and customer must be kept separate. In some cases, it may be a requirement that different roles are filled by different people.
- Self-service. As far as possible, individuals should be able to update their own identity information.
- Legacy Systems. An identity management solution should cater for legacy equipment and applications.
- Comply with Legislation. Legislation such as the UK Data Protection Act covers (amongst other things) storage of information about individuals by organizations. This legislation differs from one country to another. Money laundering legislation may require tracking of identity information.


Requirements (3)

- Prevent Identity Theft. The process by which a criminal who knows a small amount of information about an individual can claim the individual’s identity and falsely obtain information or services.
- Ease of use. Information access should be efficient. A person should not have to give the same information several times, and should not have to remember multiple passwords.
- Location dependence. A person’s rights may depend on their location as well as on their identity. For example, access to some systems may be allowed only to people physically in a particular building.
- Location transparency. The ability to move from location to location and have your environment move with you.
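The separation-of-roles requirement on the previous slide and the location-dependence requirement on this one both come down to the same authorization decision, so here is an added example in Python that evaluates one request against both. It is constructed for this page, not the workshop's design or any product's policy engine; the roles (customer, underwriter), the building name, the record identifiers and the people are assumptions. A session carries exactly one active role, so an employee using the customer portal is treated purely as a customer, staff may not process a record that concerns themselves, an approval may not come from whoever submitted the item, and a resource tied to a building is refused to sessions from anywhere else.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    person: str
    role: str                   # one active role per session; the person's other roles do not apply
    location: Optional[str]     # building the session originates from, None when remote


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: FrozenSet[str]
    subject: Optional[str] = None       # the person the record is about, e.g. the policyholder
    building: Optional[str] = None      # when set, reachable only from inside that building
    submitted_by: Optional[str] = None  # who raised the item that awaits approval


def authorize(session: Session, resource: Resource, action: str) -> Tuple[bool, str]:
    """Decide one request; the reason string is what an audit record would carry."""
    # Only the role the session was opened in counts, so an employee browsing the
    # customer portal is treated purely as a customer and vice versa.
    if session.role not in resource.allowed_roles:
        return False, f"role '{session.role}' is not permitted on {resource.name}"
    # Separation of roles: staff may not process a record that concerns themselves.
    if session.role != "customer" and resource.subject == session.person:
        return False, "separation of roles: staff may not act on their own record"
    # Different roles filled by different people: the approver is never the submitter.
    if action == "approve" and resource.submitted_by == session.person:
        return False, "approval requires a second person"
    # Location dependence: some systems are available only from inside a given building.
    if resource.building is not None and session.location != resource.building:
        where = session.location or "a remote location"
        return False, f"{resource.name} is not available from {where}"
    return True, "allowed"


def demo() -> List[Tuple[str, bool]]:
    """Constructed cases around an insurance employee (bob) who is also a customer."""
    policy_of_bob = Resource("policy/P-0001", frozenset({"customer", "underwriter"}),
                             subject="bob", submitted_by="dave")
    policy_of_alice = Resource("policy/P-0002", frozenset({"customer", "underwriter"}),
                               subject="alice", submitted_by="bob")
    console = Resource("underwriting-console", frozenset({"underwriter"}), building="HQ")
    cases = [
        ("bob as customer views his own policy from home",
         Session("bob", "customer", None), policy_of_bob, "view"),
        ("bob as underwriter approves his own policy",
         Session("bob", "underwriter", "HQ"), policy_of_bob, "approve"),
        ("bob as customer opens the underwriting console",
         Session("bob", "customer", "HQ"), console, "open"),
        ("carol as underwriter approves bob's policy in HQ",
         Session("carol", "underwriter", "HQ"), policy_of_bob, "approve"),
        ("bob as underwriter approves the policy he himself submitted",
         Session("bob", "underwriter", "HQ"), policy_of_alice, "approve"),
        ("carol as underwriter opens the console from home",
         Session("carol", "underwriter", None), console, "open"),
        ("carol as underwriter opens the console in HQ",
         Session("carol", "underwriter", "HQ"), console, "open"),
    ]
    return [(label, authorize(s, r, a)[0]) for label, s, r, a in cases]


if __name__ == "__main__":
    for label, ok in demo():
        print("ALLOW " if ok else "DENY  ", label)
```

The checks are ordered so that the refusal reason names the first rule that failed; since every outcome is returned with its reason rather than only printed, the same function can feed the audit trail the later slide asks for.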


Requirements (4)

- Consistency of Information. Consistent information should be available in different locations.
- Security. Maintain security of community identity stores, and of clients that access them.
- Auditability. It must be possible to follow an audit trail in case of breaches of security or questioned assertions of identity.


Possible Architecture

(Diagram: components of the possible architecture - security infrastructure (eg PKI), global sign-on, business applications, application generators, personal identifiers, management processes, identity applications, directories, and identity management tools.)


Next Steps

- Discussion and further input (here)
- New draft to be reviewed by contributing forums
- Final document once review complete


Issues and Discussion

?


Identity Management Business Scenario

Thank You!