Identity Management

Overview

Can we develop a global framework for identity management in which the communities that an individual belongs to can operate - and cooperate - effectively, while maintaining the right of the individual to privacy, to dignity, and to be in control of his or her destiny?

That is the key question arising from the Identity Management meeting at the February 2002 conference of The Open Group.

At the start of the meeting, a keynote presentation from Jamie Lewis of The Burton Group discussed the emerging infrastructure for identity and access management. Following this were sessions of presentations from customers and vendors that addressed the Identity Management problem, and possible solutions to it. A final session on the way forward started with a presentation of a draft Identity Management Business Scenario and proceeded to a panel discussion of the issues.

The Identity Management Open Meeting was a joint initiative of The Open Group's Directory Interoperability, Security, Mobile Management, and EMA Forums, with support from the European Forum for E-Business (EEMA).

The results of the meeting will be included in the Identity Management Business Scenario which will be developed by the Directory Interoperability Forum with the help of the other bodies that contributed to the meeting, and published by The Open Group.

In3 - Identity Management - Keynote

Allen Brown opened the meeting and welcomed the plenary keynote speaker, Jamie Lewis.

Jamie set the scene, then addressed the questions of business drivers, architecture, and interoperability and portability of identity information, and finished by giving his overall conclusions.

Setting the scene, Jamie described the virtual enterprise network. The traditional security model no longer works, the hard perimiter enforced by firewalls is disappearing, and everything is becoming more loosely coupled. Organizations need to create a business context for authenticated identity. They must put in place a flexible infrastructure allowing for linkage between internal systems, the extranet, and the wider Internet. Identity management must be a pervasive part of that infrastructure, but the standards to enable this are only just emerging.

The business drivers for Identity Management are to lower costs, improve productivity, improve business and value chain efficiency, improve customer service, and meet regulatory requirements. An identity and access management infrastructure enables secure business and enhances intranet security. It reduces the risk of improper use of IT systems. It reduces the risk of privacy or other regulatory violations. It saves money, accelerating time to market, and reduces deployment costs. It enables new services that provide improved quality of experience for customers, giving competitive advantage.

An architecture for the identity and access management infrastructure is emerging. Directory services provide the foundation: they are maturing; their focus is moving to directory-enabled services for identity and access management; and the concept of the XML-based registry is becoming important. Identity management systems are extending directories. Provisioning systems are taking on an important role in bridging the gap between portals and enterprise security systems. Web-based access management systems are becoming a popular solution for centralized policy management. Portals provide personalization and are becoming the preferred interface to web-based resources. Most of these technologies come from different vendors; consolidation across these functional categories has already begun, and the market will drive further consolidation over the next year to 18 months.

Interoperability and portability of identity management information is needed within the enterprise, between enterprises, and to integrate with the external public identity infrastructure. This need has driven the development of XML standards such as SAML, XACML, XKMS, DSML, and SPML. When coupled with the web services framework, these standards have significant potential to address the need for interoperability and federation for B2B applications. Passport, Liberty Alliance, Magic Carpet, and others will force enterprises to address the intersection between enterprise identity/role and public identity. Integrated directory services can enable federation.

In conclusion, Jamie said that the road to an identity and access management infrastructure has curves, detours and construction zones. The end destination and scenery along the way is well worth the journey; solid business justification is there for most large organizations. Enterprises should invest in general-purpose systems today; plan carefully, but be flexible; and use the infrastructure to gain a strategic competitive advantage.

Following the presentation, Richard Paine of Boeing asked about mobility and wireless. Jamie said that a major difference between mobile and fixed computing is that security of mobile devices is massively more complicated.

Scott Lewis of IBM suggested that integrated products might provide the solution. Jamie replied that it was unlikely that an individual vendor would have all the answers.

Alexis Bor of Directory Works asked about the role of policies. Jamie said that policies have a role, but a policy designed by committee is likely to be good for no-one.

Rosa Caputo of Blockade Systems Corp. asked to what extent the infrastructure is implemented. Jamie said that it is implemented to some extent. Business needs will drive its roll-out.

In3 - Identity Management - The Problem

This session focused on how IT users manage identities, with presentations on different aspects of the problem. It was chaired by Winston Bumpus, Director of Open Technologies and Standards at Novell, and chair of the Directory Interoperability Forum.

Memorial Health Services is responsible for five hospitals. Currently, they have four different inpatient admission systems and many different outpatient admission systems. There are over 80 interfaces between systems, including clinical, financial, and administrative.

This makes it impossible to maintain a permanent patient record. There are multiple Master Patient Indexes. This means that: information from previous treatments may not be found when a patient is admitted; payment histories are not maintained; and demographic information may not be consistent.

Electronic patient records are an essential tool for clinicians which allows access to patients history online. But they can not be implemented where there are too many disparate systems.

The Health Information Portability and Accountability Act (HIPAA) will soon require maintenance of a permanent patient record, with availability of information to carers but security constraints to preserve confidentiality. Hospitals must comply to stay in business.

To solve these problems, they will implement an Enterprise-wide Master Patient Index (EMPI). Each admission and/or registration at each hospital will be recorded in the EMPI system, which will hold master permanent patient records, with sub-entries for individual admissions and registrations.

EMPI is currently in the early stages of implementation. Some proof-of-concept demonstrations have been done. Vendors are being evaluated.

EMPI is recognized in MemorialCare as the most important thing that they will do in the next three years. The cost of implementation is estimated to exceed $2 Million. It will enable consistent treatment of patients, and maintenance of payment histories, and it will satisfy HIPAA requirements.

In answer to a question, Jason explained that a patient would typically be identified by name, date of birth, and social security number. However, not all of this information may be available. Identification purely by name results in duplicate records, and the national average is 10%-12% duplicates for this reason. Systematic manual effort is required to remove this duplication. There are also numerous privacy issues and problems.

Peter Bachman, CEO of cequs inc. and member of the European Forum for E-Business (EEMA) spoke without slides on the Rights of the Internet Person.

He reviewed the evolution of communications networks from telephony to the Internet, and the growth of computing power in accordance with Moore's Law.

X.500 directory services were defined in the OSI world, with LDAP defined as an access method by the Internet community. But the universal X.500 model for a global directory has failed.

Engineers have gathered in various committees to define "The Internet Person", but no universally accepted standard definition has resulted.

Identity management is a matter of infrastructure. Infrastructure generally does not need a business case: people recognize the requirement for it, and install it.

Standards can not be imposed. People can not be made to use systems; they have to make the decisions.

Identity Management is a social problem. It is of concern to politicians. President Bush has elected himself "president of identity".

Powerful personal computing platforms put power in the hands of the user.

Users are becoming disenchanted with services that do not react to their specific needs. Systems are becoming personalized, event-driven, and real-time.

This means that users will drive the management of their own identities. Systems like Passport and Liberty Alliance are dinosaurs. In Europe at least, government will not allow a large proprietary organization to own people's identities.

Each person must create his or her own identity. Organizations that the person belongs to can add value, but can not control. The question is how to do this - and how to do it safely? Individuals will drive the design.

Dean gave a presentation describing the problems that had led Boeing to work in the EMA Forum of The Open Group to issue the Secure Messaging Challenge.

In normal commercial operation, there is information that should be protected and kept confidential. Examples are teleconference numbers, executive travel itineraries, contractual and budget information, general day-to-day customer communication, pre-merger communication, event or disaster communications, and legal or accounting information.

This requires exchange of strongly-encrypted e-mail between business partners. It is needed now. Current solutions - PGP, VPN, or "do nothing" - are not sufficient.

Rather than developing an in-house solution and requiring partners to accept it, or trying to support different solutions for different partners, Boeing believes that a standard solution is required. They hope to create a standard through the Secure Messaging Challenge.

The PKI "hairball" is huge. The need is to extract and define a manageable part of it.

The solution must use common off-the-shelf software and not impose more requirements than needed on partners. It must define what the partners do at the interface, not how they do it.

Ed set the scene for his presentation with two quotations.

• "The human experience of identity has two elements; a sense of belonging and a sense of being separate." - Salvador Minuchin, 1974.
• "Identity theft is the fastest growing crime in America, affecting approximately 900,000 new victims each year." - US Federal Trade Commission.

Mobile computing is used within a wide range of areas including utilities, finance, police, healthcare, trucking, construction, manufacturing, field service, emergency services (E911), military, and space exploration. People access services and information from multiple physical locations, using a range of physical devices. The context in which it is used is largely business-to-employee and employee-to-employee, and partly also business-to-business.

The Mobile and Directory Group is a joint working group of the DIF and the MMF in The Open Group. It is producing a Business Scenario to explore the requirements of directory to support mobile computing. The subject of the scenario is "The Executive on the Move"

The scenario identifies the following core activities for mobile computing: conversation, conferencing, messaging, alerting, information access, information update, and transactions.

The mobile computing infrastructure can keep track of an individual's physical location. This is a requirement in some cases, for example in imposing security policy or in implementing E911 emergency services. It is a key distinguishing feature of mobile computing for identity management. Other distinguishing features are device characteristics (limited display size, bandwidth, etc.) and user expectations: travelling and static users have different expectations.

Objectives of mobile computing with high identity management impact are to minimize time when people are not doing productive work, and to maximize availability of executives for decision making. Objectives with medium impact are to maximize competitive advantage by timely availability of information, and to improve quality of enterprise information.

Ed discussed the human and computer actors in the scenario, the requirements for mobile computing, the constraints on how those requirements should be satisfied, and the impact of all these things on Identity Management.

Completion of the scenario will include development on a technology architecture model for mobile computing. The form of this model will be of high relevance to Identity management.

Vance Heron, Security Architect for Institutional Computing and Information Systems in the NASA Jet Propulsion Laboratory at the California Institute of Technology gave a presentation on Role-Based Authorization and Access Control (RBAC).

One of the most challenging problems in managing large networked systems is the complexity of security administration. Today, security administration is costly and prone to error because administrators usually specify access control lists for each user on the system individually. Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications.

In RBAC, identities are assigned to roles. This can be a many-many relationship. It allows for hierarchical management. Roles are granted privileges.

RBAC allows enforcement of separation of duties, when a person is not allowed to assume two roles in the same transaction (teller and customer, for example).

The benefits of RBAC are that it reduces the number of relationships, reduces changes to access control information, reduces duplication of access control information, reduces management costs, and improves accuracy of access control information.

Vance illustrated the reduction in the number of relationships with an example of the "three musketeers".

The function of IT security in managing role information includes facilitating collection and dissemination (IT security does not own the information), working with providers and users, and helping to improve processes.

At JPL they are currently using RBAC for three services. Roles are kept as groups in the directory. Role information is maintained with direct interfaces and meta-directory software.

Obtaining and managing the role information is a problem when implementing RBAC. The information comes from multiple sources, with different management interfaces, and is often out of date. Updating the information when someone moves from one job to another is a particular challenge. Transitioning from the existing system, and defining roles consistently, are problems also.

Following the presentations on aspects of the Identity Management problem, there was a panel session in which Peter Bachman, Dean Richardson, Ed Harrington, and Vance Heron answered questions from the audience. The session was moderated by Winston Bumpus.

Vance was asked whether it is possible to achieve transactionality of updates when removing old roles. He said that updating is a combination of automatic and manual process. The easy cases can be automated. Printouts of lists of people with particular access is a useful aid to the manual part of the process.

Michele Rubenstein (Solutions 4 Networks) asked how RBAC can be handled in an automated manner, and how it scaled when there are many people. Vance said that RBAC makes scaling easier. Peter said that abstraction avoids the need to deal with minutiae. This has been understood since classical times. It is the basis of scalability for RBAC.

Ron Williams (IBM) said that there is a need to define roles from business policy, and asked how this should be done. Vance replied that business processes may or may not be well-defined. It is essential to work with management to define roles and privileges.

Ron said that automation was needed for scalability, and asked when and how the process of defining roles could be automated. Peter said that there is a methodology based on UML that could help.

Erik Skovgaard (Siemens) asked about disparity between what the business assumed and what the solution provided. Vance stressed the importance of not breaking what was working already.

There was a question to the whole panel on the role of biometrics and smart cards. Peter said that they are just methods of establishing identity; how you do this is less important than creating an open environment for Identity Management that anyone can use. Ed said that the choice of method for establishing identity is a question of basic risk assessment. Dean said that Boeing is studying this issue, and that it may be useful to choose the method of establishing identity on the basis of what is most suited to the application. Peter said that the distinction between what is inside the firewall and what is outside is disappearing, and Dean agreed with this.

David McCaskill (Procter and Gamble) said that P&G has a very strong policy of internal control and security, so that only things that are tightly defined can be automated. He asked Peter whether users should own their own identities. Peter replied that indeed they should: the role of the business is not to create the identity but to add value.

A questioner said that, when automating the role-engineering process, there is a need to delegate and distribute the administration. This can lead to many non-hierarchical relationships. Peter said that the system must cater for complexity; if it does not do so effectively then users will allow colleagues to use their passwords, for example. Vance said that RBAC simplifies complexity, but can not reduce it to zero. Steve Jenkins (NASA JPL) said that RBAC must provide for creation of roles by anyone. There should be role engineering for standard roles, but individuals must be able to create ad-hoc roles also. Peter spoke of the need for information auditing. Ideally, the soundness of the access-control system should be mathematically provable. What really matters in defining a role is that it should be useful for more than one application.

Matthew Hirsch (A&N associates) suggested that there is a security issue when consolidating information in a metadirectory. Vance said that in the special-purpose metadirectory used at JPL, SSL is used for almost all interactions.

Winston thanked the panel and the audience, and closed the session.

In3 - Identity Management - Possible Solutions

This session included presentations on different proposed solutions to the problems of identity management. The session was chaired by Steven Jenkins, Manager, Architecture and System Engineering, Institutional Computing and Information Services, Jet Propulsion Laboratory, California Institute of Technology.

Steve introduced the speakers and agenda for the afternoon session.

Wen explained he aimed to follow up in more detail the presentation he was part of on the EMA Challenge on the Tuesday evening of this Open Group conference.

He listed (see slides) Boeing's key messaging needs, and described the technical requirements that they have derived to satisfy these needs:

• use X.509 v3 CA services
• provide standards-based directory services accessible via the public internet
• provide S/MIME compliant messaging client & email system
• follow current standards for S/MIME, X.509v3 certificates, and LDAPv3.

He went on to identify the boundaries for their Challenge within the context of the overall scope of the issues involved. He then listed the deliverables, which includes comprehensive testing results and peer reviewed report of findings and recommendations.

Wen noted that Lynx Systems are using Lotus Notes and Microsoft Exchange in their testing. He also showed slides listing the Boeing demonstration environment, and explained how they have deployed an Internal LDAP proxy as their internal directory that maps through their firewall to an External LDAP Proxy which functions as their virtual directory connected to the Internet. He went on to describe their SMTP/Vendor certificate architecture.

Wen then outlined their demonstration scenarios, and their demonstration environment. He clarified that their simplified certificate policy is that any certificate in the directory is valid unless it has timed out or been revoked. It was noted that the interpretation of this depends on what the client is set up to accept, and the lifetime of the CRLs.

In response to specific questions, Wen confirmed that included in their test scenarios are some very tough security tests to challenge the correct operation of the pilot under error conditions, not just to test expected results from expected inputs, but also to test what happens when invalid inputs are applied.

Chris Harding, Executive Director of The Open Group's Directory Interoperability Forum, gave a presentation on the Passport approach from Microsoft.

Chris explained that the originally planned Microsoft presenter is not available, so he has stepped in. He added that his presentation is based on information that is publicly available from the Microsoft Web site, but is NOT a Microsoft presentation. He added that his presentation includes questions from him that he does not have answers to, but he hopes his and other questions that arise during his presentation will be answered by Microsoft when he presents them shortly after this event.

Chris started his presentation by volunteering that he personally has around 40 passwords for a variety of on-line activities he does, both in connection with his employment and in his personal life. Passport works by registering (email address, password, conditions) you and creating your wallet. It then sends you an email giving you confirmation and validation.

Once you have registered you can proceed. Signing on is straighforward, and after signing on to sites for the first time, the single sign-on is automatic

Personal information held in Passport includes:

• Name
• Country/Region State/Territory
• ZIP/Postal Code
• Time Zone
• Gender
• Birth Date
• Occupation
• Credit card information (in wallet)

Chris went on to list the features of specific items of log-on information in Passport. He noted you can use it quite widely - the current list of accepting organizations is reasonably extensive, and is growing rapidly.

He posed himself the question: might it help me, potentially? He has done a reality check on his list of all the sets of passwords he currently uses, and identified which he felt he would trust Password to handle for him. This list covered quite a few, but certainly not all, of his uses.

He went on to list the benefits to the user that Microsoft lists for Passport. He also pointed out the relatively stringent conditions that Microsoft places on service providers becoming a Passport site, in particular noting their very specific requirements for personal privacy.

Future directions for Passport .NET are identified by Microsoft as including:

• .NET "MY Services" application platform
• Federated model for Internet authentication

Questions Chris has raised in his review leading to his presentation:

• What is the Trust Model? The individual trusts Microsoft, and the Passport sites - but how much? The Passport site obviously trusts Microsoft.
• How secure is it?
• How does it compare with PKI? The private key is shared.
• Will it reach critical mass?

Another question raised in discussion was "Is the Passport system a single point of failure?"

Andrew gave a presentation on the Liberty Alliance approach, which proposes single sign-on for both consumer users and business users in an open, federated way.

He first talked about what is network identity - the set of attributes that describe the profile(s) of an individual on the network. He said that ultimately, without identity you can't have an enduring relationship with your customers, and knowing your customers better than your competitors is a huge advantage in business.

Today's barriers include

• accessing scattered data while protecting personal information from unauthorized access,
• difficulties consumers have in accessing their distributed information,
• incompatible identity standards between service providers,
• isolated applications making it difficult for technologies to work together.

For every barrier there is opportunity. Here is one for identity, authentication and authorization. A federated standard can be developed that will enable every business to maintain their own data. Andrew noted that Microsoft's announcement that Passport will offer federated facilities was completely reactive to announcements from the Liberty Alliance, and contradicts their centralized model. Federated identity premises are:

• distributed data stays with the rightful owner
• there are multiple authenticators
• there is a delineation between authentication and authorization
• consumer is in control of who can access their data

The benefits of federated identity to the consumer are similar to those of Passport. The commercial benefits are also similar:

Andrew showed slides describing how federated identity works. Data is united, not shared. It has a circle of trust concept. It gives individuals 1 identity but multiple profiles. It has 3 platform requirements. It provides a pragmatic approach, placing interoperability as the focus because it respects that other systems will exist so it has to plan to co-exist with them in the marketplace.

He showed slides describing more about Liberty, who is involved, the challenges as they see them, how they have organized themselves to progress their objectives, what they see as their value chain, their timeline for achieving solutions, and the criteria on which they will judge their success.

In discussion, Andrew noted that Microsoft is now taking Liberty seriously, having seen the backing that Liberty Alliance has from major business partners worldwide.

Regarding the technology and standards they intend to use, e.g. adopting SAML - Andrew said he could not make assertions at this time but noted that part of their technology work is to adopt existing standards and leverage relevant work wherever possible.

In answer to questions on where we can go to find more information on the infrastructure of the Liberty Alliance's technology, Andrew said this information is not available publicly yet but would be made so when it is ready.

Regarding when there will be a meaningful specification that vendors can take to implement and deliver product, Andrew thought this should be around mid Q2/Q3, 2002.

In3 - Identity Management - The Way Forward

This session looked at the whole Identity Management problem space (through a business scenario), and on the requirements and the possible solutions that emerge from this business scenario. It then held a panel session to bring out issues and respond to questions that attendees raised.

Chris gave a presentation describing the Identity Management Business Scenario that is being developed by the Directory Interoperability Forum in conjunction with The Open Group's Security Forum, Mobile Management Forum, and EMA Forum, and the European Forum for E-Business (EEMA). His presentation covered the Business Scenario as currently developed.

He started by explaining that he hopes to gather new input to this business scenario as a result of the Identity Management meeting, to develop it into a completed document that we can use as a substantive requirements base. Already we have new issues that we have captured from preceeding presentations and discussion. He checked in a show of hands that about 75% of the audience is already familiar with the business scenarion approach, so in his presentation he skimmed through the essential elements of the process.

The initial workshop that gathered requirements in the identity management problem space took place in December 2001, and has been captured in Chris' slides shown in this presentation. The workshop included representatives from 3 business communities.

Chris's slides representing his existing identity management business scenario draft addressed the following:

• what is identity?
• aims of identity management
• organization's aims for identity management
• the business environment
• business processes - the person
• business processes - the community
• the technical environment
• technical processes
• human actors
• computer actors
• SMART objectives (SMART means specific, measurable, actionable, realistic, time-bound)
• objectives for the organization
• requirements. These include privacy, ease of management, separation of roles, updates by individual, inclusive for legacy systems, compliance with legislation, prevent identity theft, ease of use, location dependence/transparency, consistency of information, security, auditability
• possible architecture - this slide suggests an architecture as proposed in the Dec'01 workshop, and we  would expect it to evolve along with the developing maturity of the business scenario.
• next steps. These include discussion and feedback, review by peer community, and completion/publication of first version.

In discussion, Chris listed issues that he had noted arose in presentations and discussion through this Identity Management event:

• the inadequacies of the traditional firewall approach and the consequent evolution of a much more loosely-coupled infrastructure
• the need for identity management in healthcare to enable electronic patient records and consistent communication with the patient
• the use of identity management by companies to enable role-based access control to information and services
• the problems a large organization has in communicating with its business partners that led Boeing to issue the secure messaging challenge
• the difficulties introduced by the increasing mobility of individuals within and outside the enterprise
• the right of the Internet Person to manage and control his or her identity information
• the architecture developed by the Secure Messaging challenge team, extracting a manageable part of the PKI "hairball".
• the approach of Microsoft's .NET Passport initiative, where identity information is owned by the individual and managed by Microsoft
• the open and federated approach of the Liberty Alliance project.

He said that the Identity Management Business Scenario would include points and discussions on these issues from the Identity Management meeting.

In this closing session, a panel comprising Andrew Shikiar, Wen Fang, and Chris Harding gave their views on the way forward, and discussed points raised by the audience. The panel discussion was moderated by Steven Jenkins (Jet Propulsion Laboratory, California Institute of Technology, and Chair of the Security Forum).

Bob Blakley of IBM asked whether Liberty understands the responsibility to verify personal identity information? Andrew replied that it does.

Roger Mizumori of Waterforest Consulting Services said that there is a difference between identity and profile. Steve agreed and added that these have to be more fine-grained. Chris said that Passport does allow a simple profile relationship between parent and child in its management module, though it does not go deeper.

Steve asked whether, in the Secure Messaging Challenge, there is anything to preclude identity as a role rather than as an individual. Wen replied in the negative.

Andrew was asked how, in the Liberty model, the data is shared and propagated when it is owned by the individual. He replied that this topic will be addressed in a later more advanced scenario.

Steve asked, regarding the Carnivore program, what position should Liberty take on this. Andrew replied he did not know at this time.

There is a somewhat polarized position on requirements for identity management between different public departments, but they should agree to share a common position; the qauestion was raised, how can we promote this? Michele Rubinstein of Solutions 4 Networks said that members of the American Bar Association have done a great deal more sharing since the Sept 11 terrorist attacks, and this is a big motivator to continue cooperation, both nationally and internationally. We should leverage the common concern over these attacks, to encourage more sharing for the common consumer good.

Bob commented that privacy for individual dignity has to be reconciled with anarchy and with legal needs and national security needs. All agreed these need to find a common natural acceptable balance.

Rosa Caputo of Blockade Systems Corp. said that liability and security are important to the business community, and the Identrus model is particularly favored. She asked whether this has this been included in Liberty's activities? Andrew confirmed this has been discussed.

David McCaskill of Procter & Gamble asked how the Liberty Alliance can argue that the way to keep personal identity information secure is to keep it dispersed, as dispersal would seem to make it less secure. Chris said that we are always trading convenience for security, and must find the right balance. No-one will know the answer until experience bears it out. Wen and Andrew agreed. Andrew added that having a single central holder for identity puts a serious onus on one central provider - this in itself represents a major problem with Passport.