IDENTITY MANAGEMENT AS PREREQUISITE FOR SECURE END-TO-END NETWORK BASED TRANSACTIONS

Transcription

1 IDENTITY MANAGEMENT AS PREREQUISITE FOR SECURE END-TO-END NETWORK BASED TRANSACTIONS Lugano Communication Forum 2006 Dr.rer.nat. Hellmuth Broda Distinguished Director and European Chief Technology Officer Strategic Insight Office Sun Microsystems, Inc. Spokesperson, Liberty Alliance

2 What Is Identity Management? "Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities." The Burton Group

3 Identity Mess in Real Life Focus 23.Aug.04 Sun Proprietary/Confidential: Internal Use Only

4 Identity On the Internet Today...

5 Life With An Identity Mess A typical intensive IT user has 21 passwords 49% write their passwords down or store in a file on their PC Majority use common words for passwords; 67% rarely or never change their passwords * Source: NTA Monitor Password Survey, UK; zdnet.com Password proliferation increases HelpDesk Calls In a non-automated support model, password reset costs range from $51 (best case) to $147 (worst case) for the labor alone (Gartner) In an average 10,000 employee size company, about 45% of help-desk calls are requests for password resets. (Meta Group) Identity Silos (Source: Sun Customer Survey) Typical IT: 10 different apps or services that contain identity profiles Over 80% of companies have no Identity synchronization solution Sun Proprietary/Confidential: Internal Use Only

6 How Did Computing Live Without Identity? Location was an implicit proxy for Identity

7 Understanding Technology Evolution The Age of Firewall The Age of the Intranet/Internet The Age of the Extranet Keep data within the firewall Managing data inside and outside the firewall Managing data through the firewall The Future: Nothing but Net Just Access and Entitlement

8 Role of Identity While Perimeters dissolve Applications get distributed Access is anywhere, anytime, through any device... Identity enables security, control, manageability and accountability in a distributed network

9 What Has to Be Identified? Persons (real people) in their roles Legal entities (companies, agencies, corporations,...) Things (air quality monitoring sensor, traffic counter,...) RFID tags; DRM Software services, agents,... Sun Proprietary/Confidential: Internal Use Only

10 How We Can Build Trust The biggest concern of the principal/patient/customer is privacy Privacy does not mean that nobody knows nothing about me It is about managing the faith of the principal/patient/customer by adhering to the agreed scope and holding the information in trust Customers are afraid of Purpose Creep What could an architecture for privacy and trust management look like? Sun Proprietary/Confidential: Internal Use Only

11 Architecture for Trust Management Security Management Identity Management Definitions Policy Authorization Authentication Identity A combination of business and technology practices which define how a relationship is conducted and services are performed A set of rules governing decisions about what the user can do: access to information, services or resources Assertion of validity of a set of credentials. Credentials express a person s identity. A Yes/No answer Basic set of information that creates a unique entity (a name with a corresponding set of attributes) Sun Proprietary/Confidential: Internal Use Only

12 Architecture for Trust Management Security Management Identity Management Real World Example: Drivers License Policy Authorization Authentication Identity 4. The fact that we do have police; the rules that allow me to drive with my national license in other countries 3. The policeman will then see which kind of vehicle you are authorized to drive and if you are allowed to drive the one you are operating now 2. Assertion of validity: The policeman compares the document with you. Result: A Yes/No answer 1. Name, address, picture identify the driver and provide together with the document the credentials expressing that the carrier is identical to the person that passed the driving tests Sun Proprietary/Confidential: Internal Use Only

13 Architecture for Trust Management Security Management Identity Management Digitally Speaking... Policy Authorization Authentication Identity 4. Business practices to manage risk, enforce security/privacy, provide auditability. User, customer preferences, history, personalized services, 3. Determination of access rights to systems, applications and information: Match credentials against profiles, ACLs, policy 2. Log on with a UID/PW, token, certificate, biometrics etc. A process that demands the prove that the person presenting them is indeed the person to which credentials were originally issued. accept or reject 1. User, customer, device facts, e.g., name, address, ID, DNA, keys; credentials, certificates that were issued e. g. by a Certification authority Sun Proprietary/Confidential: Internal Use Only

14 How People Will Trust Policies Policy and its audit are guaranteed and certified by a approved public or private agency federal data protection agency Chamber of Commerce Postal Service or other basic service provider This can be achieved with processes and responsibilities as in ISO 9000 Remember: Trust is based on policies and the audit of those -- not just on security Sun Proprietary/Confidential: Internal Use Only

15 Importance of Identity The most basic element in a high-value relationship with customers, employees, citizens or business partners Has to be managed with great care to proactively fight fraud and identity theft > Secure solutions are essential > User consent must be supported Common mechanisms to handle identities are required: > Technically, to enable interoperability and seamless user experiences > Legally, to enable an online relationship between different entities in a distributed environment (government, commerce, health, education and so on) Identity (validating a set of credentials) is the key to the secure exchange of data about entitlements (authorization) and other attributes (transaction/trust data). Federation is the process of exchanging these assertions securely between multiple online entities...

16 Importance of Federation Today's ID world is distributed: (driver's license, national ID, phone SIM, ) Today's online service world is federated: collaborative business models, 'joined up government', cross-border authentication, e-procurement... ID federation facilitates scalable, efficient, user-friendly, cross-domain Identity Management Without federation, secure, convenient interactions and transactions become more difficult, if not impossible Federation is a foundation for pseudonymous and anonymous secure online relationships, and therefore also provides a basis for privacy protection In short: federation reflects, online, the way trust works in the real world.

17 Security Incidents on the Rise More Than 85% Have Experienced IT Security Incidents in the Past 12 Months* Unauthorized access to sensitive institutional data Threats or abusive behavior Altered/vandalized Web site Institution's database hacked * Based on a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003 Sun Proprietary/Confidential: Internal Use Only

18 Scope and Characteristics of identity abuse Identity theft and identity fraud are a factor in: > Money-laundering and financial fraud > Vulnerability of the online 'critical national infrastructure' > Other aspects of organised crime These activities are: > Organised > International > A 'commercial' enterprise > Facilitated by Internet technologies > It is tempting (but, I believe, wrong) to conclude that the solution is therefore primarily technical.

19 'Name this Industry'... 2 Bulk sale, cross-border shipment 1 - 'Mining' of raw materials 3 Reprocessing; consumer value-add 6 Re-sell cross-border to monetise 4 Re-export, cross-border Convert Assets to Goods

20 Retail Card 'Skimming' Case Study Details captured in North America 'Consolidated' in SE Asia Cards personalised in S Asia Physically shipped to EU Goods bought for shipment to Central Europe In other industries, this would be a normal supply chain... Organised entities operate in the theft, trafficking and exploitation of identities, for financial gain and other ends No single law-enforcement agency has the jurisdiction, resources or inclination to investigate or prosecute this crime (which one...?)

21 Identity Theft Life-cycle and Attack Vectors Planning Setup Targeting, Research Collect Defraud Materials and Capture 1st/2nd Stage Attack Tools exploitable data exploitation Each of these usually has 'bulk' and 'individual' attack variants Attack Post-attack Shut down, Remove evidence Sell expertise Technical Keystroke logging, DNS spoof/poison, wireless sniffing Physical Disk theft, 'trash analysis', insider attack (abuse of authorised access) Social Engineering Phishing, scams, 'trusted source', duress, 'politically exposed positions'

22 Mitigations by Attack Vector Some Examples As one might expect, the mitigations for identified attack vectors vary, include both technical and non-technical measures, and often overlap. The table below gives some examples: Attack type Attack Vector Description Technical Wireless intercept War-driving', open wireless access points, 'Evil Twin' attack Trash Analysis' Collecting (and (also called aggregating) identity 'Dumpster Diving') data which has been discarded without adequate protection (documents, disks, tapes) Social Luring individuals to Phishing Engineering reveal personal data Physical Mitigation Wireless encryption, MAC filtering, user education User education, use of document shredding, secure file delete, asset disposal policies, audit User education, browser toolbars, improved (e.g. multifactor) authentication

23 The Challenge We Face As long as we persist with C17th. notions of sovereignty C18th. judiciary and C19th. law enforcement the C21st. will belong to organised crime. Jeffrey Robinson Writer on Money-laundering and Organised Crime

24 The Liberty Alliance:

25 Liberty Board and Sponsor Members More than 150 member organizations globally Driven by end-users, government organizations and vendors Led by Technology, Business and Public Policy Expert Groups

26 Liberty Approach Distributed architecture (federation) Business oriented Policy/privacy focused Free access specification definition Based on the most common standards > HTTP, SOAP, XML, SAML, etc. Multi-platforms > Java,.Net, Opensource initiatives Interoperable > WS-Federation, WS-Security

27 Liberty Adoption American Express General Motors & Fidelity Investment > Portal B2E d e l b a Vodafone Vodaphone live! n 6 e 0 0 t y of 2 r e Lib end bout France Telecom n io l he ow a l i t b > Mobile phone convergence y ne ces b e kn o n i w a v t h e a t d Radio@AOL h e d r w n o t s M ies a u j s ADAEdentit that i and > Citizen portal Sun & BIPAC > Services outsourcing

28 Liberty Alliance Interoperable Products Current products listed at the Liberty Alliance Web site: The following member companies offer Liberty Alliance interoperable products (passed the conformance tests):

29 Sun Identity Management Products Comprehensive Identity Management Services Collaborative Enterprise Federation Manager Identity Manager SPE Directory Server Access Manager Identity Auditor Identity Manager Enterprise Edition Enterprise Sun Proprietary/Confidential: Internal Use Only Open and integratable works in any environment Secure access to systems across heterogeneous environments Enhances agility for existing and new business models Improves security and ensures regulatory compliance Streamlines and secures business processes

30 Thank You!