Identity Management 2.0
George O. Strawn
NSF CIO
Outline
• Who are we and what are we doing here?
• What is Identity Management (IdM)?
• IdM 1.0
• Why not IdM 1.0?
• Why IdM 2.0?
• Why not IdM 2.0?
• What is IdM 2.0?
• Other matters
Who are we?
• Campus thought leaders (plus one)
– One third high tech
– One third middle tech
– One third low tech/high application
• My job: to provide a level-setting definition and description of the state-of-the-art of Identity Management to an audience that ranges broadly in IT and IdM background
What are we doing here?
• Creating a “business plan” outline that could be used by EDUCAUSE member institutions to sell IdM 2.0 to the campus administration
• Creating a “marketing plan” outline that could be used by EDUCAUSE member institutions to sell IdM 2.0 to the campus
What is Identity Management?
• Organization: The policies, processes, and tools used to “assure” that IT systems and applications are made available only to appropriate persons
• Individual: The persons I am working with and the systems I am using really are who they say they are. And no one can impersonate me, or read or change my information
IdM has become important!
• Identity Management has greatly increased in importance as IT systems and applications are used to perform more and more of the work of society and commerce
• For this reason, we’ve got to do a better job of IdM (from IdM 1.0 to IdM 2.0)
IdM 1.0
• IdM is nothing new– we’ve had “user names and passwords” almost forever (in IT terms)
• A defining characteristic of IdM 1.0 is that each IT system and application does its own identity management– usually by keeping a list of authorized username/password pairs and checking it at login time
Why not IdM 1.0?
• Ineffective: IdM 1.0 does a poor job of assuring privacy and security
• Inefficient: IdM 1.0 is expensive to manage and maintain (many separate IdM systems)
• Liability: IT and application providers (and their organizations) are now burdened with security and privacy responsibilities
• User-unfriendly: Users are now burdened with many username/password pairs
Why IdM 2.0?
• Effective: IdM 2.0 can provide a uniformly strong (eg, secure and private) identity management capability for an organization
• Efficient: IdM 2.0 can provide a single IdM system for an organization
• User-friendly: IdM 2.0 can greatly reduce the number of username/password pairs that a user must remember
Why not IdM 2.0?
• IdM 2.0 will require changes to policies, processes, and IT systems– eg, replacing the IdM 1.0 software with the standardized IdM 2.0 software (middleware)
• IdM 2.0 is not free– The policies, processes, and IT systems must be developed and maintained
• But the benefits will outweigh the costs!
What is IdM 2.0?
• A single, standardized solution for an organization to “assure” access to IT systems and applications only to appropriate persons
• Requires a “bigger/better” list of persons, and it divides IdM into two parts:
– authentication of users: Are you who you say you are?
– authorization of users: Should you have access to a particular system or application?
A bigger/better list of persons
• Often called a directory
• Will include all persons in your organization
Q: But what about persons in other organizations who need access to your IT systems and applications? A: See the slide after next (“Beyond the organization”).
• Will require as much “care and feeding” as your financial and student record databases
• Will include information to enable authentication and authorization
Authentication
• Are you who you say you are?
– What you know (eg, a private password)
– What you have (eg, a token that generates time-dependent random numbers)
– What you are (eg, your fingerprint or retinal scan)
• These can be done alone (more or less well), or in (1-, or 2-, or 3-factor) combination
Authorization
• Answers the question (for each person): which IT systems and applications are you permitted to use?
• Can be based on individuality (eg, Jane Jones is authorized to access the financial system)
• And can be based on attribute (eg, any student is authorized to use the library system)
Beyond the organization
• Another major benefit of IdM 2.0 will be that organizations can authenticate their members to other organizations (called “federated identity management”). Eg,
– University X authenticates a student, and
– College Y authorizes any student at University X to use its library system
• Higher Ed, USG, and industry are working hard to do this (eg, InCommon in HE)
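As an added illustration, not part of these slides, the authentication/authorization split from the “Authorization” slide and the University X / College Y federation scenario above, in Python. It assumes a shared HMAC key between the two organizations to protect the assertion (a real federation such as InCommon uses signed SAML assertions instead); the organization names, user names and the policy table are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret between the two organizations. Assumption for
# the demo only: a real federation uses public-key signatures (e.g. SAML).
FEDERATION_KEY = b"constructed-demo-key-not-for-real-use"

# College Y's authorization policy, with the two kinds of grant the slides
# describe: by individual (Jane Jones -> financial system) and by attribute
# (any University X student -> library system).
POLICY = {
    "financial": {"individuals": {"jjones@university-x.example"}, "attributes": set()},
    "library":   {"individuals": set(), "attributes": {("university-x.example", "student")}},
}

def issue_assertion(home_org, user, affiliation):
    """University X (the home organization) authenticates its member and
    emits an assertion of who they are and which attributes they hold."""
    body = {"org": home_org, "user": user, "affiliation": affiliation}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}

def verify_assertion(assertion):
    """College Y checks that the assertion really came from its federation
    partner before trusting any claim inside it. Returns the claims, or
    None if the assertion was forged or altered in transit."""
    expected = hmac.new(FEDERATION_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return None  # authentication fails: nothing inside is trusted
    return json.loads(assertion["payload"])

def is_authorized(assertion, system):
    """Authorization: should this authenticated person use `system`?
    First the individual grants are checked, then the attribute grants."""
    claims = verify_assertion(assertion)
    if claims is None or system not in POLICY:
        return False
    rule = POLICY[system]
    if claims["user"] in rule["individuals"]:
        return True
    return (claims["org"], claims["affiliation"]) in rule["attributes"]
```

Note that College Y never sees a password: it relies on University X's authentication and applies only its own authorization rules.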
In my other (the Federal) world
• We are working to create a USG-wide “e-authentication” system
• We are working (under the spur of “HSPD-12”) to create an “intelligent card” for USG-wide physical access and (ultimately) for IT access
• NSF intends to move FastLane authentication from IdM 1.0 to IdM 2.0
Creating a Trusting e-Community
• Trusted Identity Management is one component of a trusted IT environment (together with secure IT applications and systems, and digital information that is confidential, integral, and available)
• We will not enter the digital promised land until we do all these things better!