Identity Management 2.0
George O. Strawn, NSF CIO

Posted 26-Dec-2015


Outline

• Who are we and what are we doing here?

• What is Identity Management (IdM)?

• IdM 1.0

• Why not IdM 1.0?

• Why IdM 2.0?

• Why not IdM 2.0?

• What is IdM 2.0?

• Other matters


Who are we?

• Campus thought leaders (plus one)
  – One third high tech
  – One third middle tech
  – One third low tech/high application

• My job: to provide a level-setting definition and description of the state-of-the-art of Identity Management to an audience that ranges broadly in IT and IdM background


What are we doing here?

• Creating a “business plan” outline that could be used by EDUCAUSE member institutions to sell IdM 2.0 to the campus administration

• Creating a “marketing plan” outline that could be used by EDUCAUSE member institutions to sell IdM 2.0 to the campus


What is Identity Management?

• Organization: The policies, processes, and tools used to “assure” that IT systems and applications are made available only to appropriate persons

• Individual: The persons I am working with and the systems I am using really are who they say they are. And no one can impersonate me, or read or change my information


IdM has become important!

• Identity Management has greatly increased in importance as IT systems and applications are used to perform more and more of the work of society and commerce

• For this reason, we’ve got to do a better job of IdM (from IdM 1.0 to IdM 2.0)


IdM 1.0

• IdM is nothing new – we’ve had “user names and passwords” almost forever (in IT terms)

• A defining characteristic of IdM 1.0 is that each IT system and application does its own identity management – usually by keeping a list of authorized username/password pairs and checking it at login time


Why not IdM 1.0?

• Ineffective: IdM 1.0 does a poor job of assuring privacy and security

• Inefficient: IdM 1.0 is expensive to manage and maintain (many separate IdM systems)

• Liability: IT and application providers (and their organizations) are now burdened with security and privacy responsibilities

• User-unfriendly: Users are now burdened with many username/password pairs


Why IdM 2.0?

• Effective: IdM 2.0 can provide a uniformly strong (eg, secure and private) identity management capability for an organization

• Efficient: IdM 2.0 can provide a single IdM system for an organization

• User-friendly: IdM 2.0 can greatly reduce the number of username/password pairs that a user must remember


Why not IdM 2.0?

• IdM 2.0 will require changes to policies, processes, and IT systems – eg, replacing the IdM 1.0 software with the standardized IdM 2.0 software (middleware)

• IdM 2.0 is not free – the policies, processes, and IT systems must be developed and maintained

• But the benefits will outweigh the costs!


What is IdM 2.0?

• A single, standardized solution for an organization to “assure” access to IT systems and applications only to appropriate persons

• Requires a “bigger/better” list of persons, and divides IdM into two parts:
  – authentication of users: Are you who you say you are?
  – authorization of users: Should you have access to a particular system or application?


A bigger/better list of persons

• Often called a directory

• Will include all persons in your organization

Q: But what about persons in other organizations who need access to your IT systems and applications? A: See the “Beyond the organization” slide below.

• Will require as much “care and feeding” as your financial and student record databases

• Will include information to enable authentication and authorization


Authentication

• Are you who you say you are?
  – What you know (eg, a private password)
  – What you have (eg, a token that generates time-dependent random numbers)
  – What you are (eg, your fingerprint or retinal scan)

• These can be done alone (more or less well), or in (1-, or 2-, or 3-factor) combination


Authorization

• Answers the question (for each person): which IT systems and applications are you permitted to use?

• Can be based on individuality (eg, Jane Jones is authorized to access the financial system)

• And can be based on attribute (eg, any student is authorized to use the library system)


Beyond the organization

• Another major benefit of IdM 2.0 will be that organizations can authenticate their members to other organizations (called “federated identity management”). Eg,
  – University X authenticates a student, and
  – College Y authorizes any student at University X to use its library system

• Higher Ed, USG, and industry are working hard to do this (eg, InCommon in HE)
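The three slides above (authentication, authorization, federation) describe a division of labour; the following is an added example, not code from the slides or from any IdM product, that models that division end to end: one directory per organization, a two-factor login (password plus a time-based code) that yields identity claims, an authorization policy that can name an individual (“Jane Jones may use the financial system”) or an attribute (“any student may use the library”), and a federated step in which University X signs an assertion that College Y verifies and then authorizes under its own policy. The organization names, user record, keys and policies are constructed for illustration, and a shared HMAC key stands in for the public-key-signed SAML assertion a real identity provider would issue.

```python
"""Added example (not from the slides): a toy model of the IdM 2.0 split into a
directory, two-factor authentication, policy-based authorization and federation.
All names, keys and records below are constructed for illustration."""
import base64, hashlib, hmac, json, os, struct, time

PBKDF2_ITER = 200_000

# --- The "bigger/better list of persons": one directory per organization ----
def make_person(username, org, affiliations, password, totp_secret):
    """Store a salted password hash (never the password) plus the TOTP seed."""
    salt = os.urandom(16)
    return {"username": username, "org": org, "affiliations": set(affiliations),
            "pw_salt": salt, "totp_secret": totp_secret,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)}

def totp(secret, at, step=30, digits=6):
    """RFC 6238 time-based code: the 'what you have' factor (the token in the slide)."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

# --- Authentication: are you who you say you are? ----------------------------
def authenticate(directory, username, password, otp, at=None):
    """Two-factor check (what you know + what you have).
    Returns identity claims on success, None otherwise."""
    at = time.time() if at is None else at
    person = directory.get(username)
    if person is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), person["pw_salt"], PBKDF2_ITER)
    pw_ok = hmac.compare_digest(person["pw_hash"], candidate)
    otp_ok = hmac.compare_digest(totp(person["totp_secret"], at), otp)
    if not (pw_ok and otp_ok):   # both factors are always evaluated; one generic failure
        return None
    return {"issuer": person["org"], "subject": username,
            "affiliations": sorted(person["affiliations"])}

# --- Authorization: should you have access to this application? --------------
# A rule is (issuer, kind, value): kind "user" names an individual, kind
# "attribute" names an affiliation; issuer says whose assertion the rule accepts.
def authorized(claims, app, policy):
    for issuer, kind, value in policy.get(app, ()):
        if claims["issuer"] != issuer:
            continue
        if kind == "user" and claims["subject"] == value:
            return True
        if kind == "attribute" and value in claims["affiliations"]:
            return True
    return False

# --- Federation: Org X vouches for its member to Org Y with a signed assertion
# Assumption: a shared HMAC key replaces the signed SAML assertion of a real IdP.
def issue_assertion(claims, issuer_key, at, ttl=300):
    body = json.dumps({**claims, "exp": int(at) + ttl}, sort_keys=True).encode()
    sig = hmac.new(issuer_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_assertion(token, trusted_issuers, at):
    """Return the claims if the issuer is trusted, the MAC verifies and the
    assertion is unexpired; None otherwise. The issuer name is read from the
    unverified body only to select the key; nothing else is used before the MAC check."""
    try:
        b64_body, b64_sig = token.split(".")
        body, sig = base64.urlsafe_b64decode(b64_body), base64.urlsafe_b64decode(b64_sig)
        claims = json.loads(body)
    except (ValueError, json.JSONDecodeError):
        return None
    key = trusted_issuers.get(claims.get("issuer")) if isinstance(claims, dict) else None
    if key is None or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None
    if claims.get("exp", 0) < at:
        return None
    return claims

# --- Constructed sample data (hypothetical people, keys and policies) ---------
NOW = 1_700_000_000
X_KEY = b"university-x-signing-key"
JANE_TOTP = b"jane-totp-seed"
UNIVERSITY_X = {"jjones": make_person("jjones", "University X", ["student"], "correct horse", JANE_TOTP)}
X_POLICY = {"financial": [("University X", "user", "jjones")],          # by individual
            "library":   [("University X", "attribute", "student")]}   # by attribute
# College Y's library admits its own students and, by federation, any University X student.
Y_POLICY = {"library": [("College Y", "attribute", "student"),
                        ("University X", "attribute", "student")]}
Y_TRUSTS = {"University X": X_KEY}

def demo():
    """Log in at University X, then present X's assertion at College Y's library."""
    claims = authenticate(UNIVERSITY_X, "jjones", "correct horse", totp(JANE_TOTP, NOW), at=NOW)
    token = issue_assertion(claims, X_KEY, NOW)
    remote = verify_assertion(token, Y_TRUSTS, NOW + 10)
    return {"x_library": authorized(claims, "library", X_POLICY),
            "x_financial": authorized(claims, "financial", X_POLICY),
            "y_library": authorized(remote, "library", Y_POLICY),
            "stale_token": verify_assertion(token, Y_TRUSTS, NOW + 600)}

if __name__ == "__main__":
    print(demo())
```

The point of the design is the one the slides make: College Y never sees Jane's password or token seed, only an assertion from an issuer it trusts, and its own policy decides what that assertion is good for. Note that the expiry check and the issuer whitelist are as important as the signature check; a valid assertion from an untrusted issuer, or a replayed old one, is rejected before any authorization rule runs.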


In my other (the Federal) world

• We are working to create a USG-wide “e-authentication” system

• We are working (under the spur of HSPD-12) to create an “intelligent card” for USG-wide physical access and (ultimately) for IT access

• NSF intends to move FastLane authentication from IdM 1.0 to IdM 2.0


Creating a Trusting e-Community

• Trusted Identity Management is one component of a trusted IT environment (together with secure IT applications and systems, and digital information whose confidentiality, integrity, and availability are protected)

• We will not enter the digital promised land until we do all these things better!