1. Global Scale Identity Management
To Emphasize The Pervasive Nature Of Identities
Krati Dadheech Gaurav Bhatia
Centre For Cyber Security
Sardar Patel University of Police, Security and Criminal Justice
February 18, 2017
Krati Dadheech, Gaurav Bhatia (Universities of Somewhere and Elsewhere) Global Scale Identity Management February 18, 2017 1 / 15
2. What is Global Scale Identity Management
Global Scale Identity Management concerns identifying and authenticating entities such as people, hardware devices, distributed sensors and actuators, and software applications when accessing Critical Information Technology (IT) Systems from anywhere.
It aims specifically at government and commercial organizations with diverse inter-organizational relationships that today are hampered by the lack of trustworthy credentials for accessing shared resources.
3. What is Global Scale Identity Management
Our concern here is mainly the IT-oriented aspects of the broad problems of identity and credential management, including authentication, authorization and accountability.
In particular, global scale identity management may require not only advances in technology, but also open standards, social norms, legal frameworks, and policies for the creation, use, maintenance, and audit of identities and privilege information.
It must also provide mechanisms for two-way assertions and authentication handshakes building mutual trust among mutually suspicious parties.
4. Components of Identity Management
"Management of the Identity" is the process of issuing and using digital identities and credentials (such as usernames and passwords) for authentication.
"Management by the Identity" combines the proven identity of the user with their authorisation, in order to grant access to resources.
5. Authentication and Authorisation
Authentication is the process or action of verifying the identity of a
user or process.
Authentication techniques make use of one or more of the following
factors:
1. Something you know (e.g. Password)
2. Something you have (e.g. A Smart Card)
3. Something you are (e.g. Fingerprint)
If two of these factors are needed for successful authentication, it is termed Two-Factor Authentication.
Two-Factor Authentication is generally believed to be more secure, and therefore many high-risk systems such as Internet banking are now implementing schemes like this.
Authorisation is a process that determines whether an entity is allowed
access to a given asset or resource.
6. What are the Potential Threats
Identification and Authentication (IA) systems are being attacked on many fronts by a wide range of potential attackers with diverse motivations, within large-scale organizations and across multiple organizations.
Insider and outsider misuses are commonplace.
Because of the lack of adequate identity management, it is often extremely difficult to identify the misusers.
For example, phishing attacks have become a pervasive problem for which identifying the sources and the legitimacy of the phishers, and rendering them ineffective where possible, are obvious needs.
7. What are the Potential Threats
Identity-related threats exist throughout the development cycle and the global supply chain, but run-time threats are generally predominant.
Misuse of identities by people and misuse of flawed authentication by remote sites and compromised computers (e.g. zombies) are common.
The Internet itself is a source of numerous collateral threats, including coordinated, widespread denial-of-service attacks, such as repeated failed logins that result in disabling access by legitimate users.
In particular, threats are frequently aimed at violations of integrity, confidentiality, and system survivability, as well as denial-of-service attacks.
8. Who are the Potential Beneficiaries
Government agencies, corporations, institutions, individuals, and particularly the financial communities would benefit enormously from the existence of pervasive approaches to global identity management, with greater convenience, reduction of administrative costs, and possibilities for better oversight.
Users could benefit from the decreased likelihood of impersonation, identity and credential fraud, and untraceable misuse.
9. Policies for Enhancing Global Identity Management
Risk management across a spectrum of risks. This is tightly coupled with authorization.
Game-theoretical analyses might be useful.
Trust or confidence in the interactions (untrustworthy third parties; what happens when your credentials get stolen or the third party disappears).
Understanding the implications of Quantum Computing and Quantum Cryptography, and exploring the possibilities of global identity management without public-key cryptography or with quantum-resistant public-key cryptography.
10. Protocols for Enhancing Global Identity Management
SAML
Security Assertion Markup Language (SAML) is the authentication
protocol most often associated with single sign-on solutions for web
applications. The open standard has been leveraged widely by web
application and web service providers.
SAML implementations are defined by an identity provider and a service
provider. A service provider is, for example, a web application that a
user wants to access. The service provider will request authentication
from an identity provider, which can ultimately be backed by a directory
service.
SAML has made great inroads into the web application sector, but is not
leveraged for devices and generally not utilized by internal applications.
11. Protocols for Enhancing Global Identity Management
OpenID
Another authentication mechanism for web applications, OpenID has gained some adoption due to support from significant consumer-facing web applications such as Google and Yahoo!.
OpenID works similarly to SAML but is less complex to implement.
Using OpenID, a third-party web application could allow users to log in to its services via a Google or Yahoo ID.
This authentication mechanism has largely been used for consumer-facing web applications, although it is starting to gain some traction in business scenarios due to the popularity of Google Apps for Work.
12. Protocols for Enhancing Global Identity Management
OAuth
A similar protocol to OpenID, OAuth is leveraged by major consumer Internet sites such as Google, Facebook, and Twitter to federate their identities to third-party sites.
TACACS
Used extensively in the network infrastructure market, TACACS is a relatively simple authentication protocol.
TACACS was first developed in 1980 to manage authentication for the U.S. Department of Defense unclassified network.
The need behind this protocol was to allow users to move between machines or network infrastructure without having to log in again.
13. Major Research Gaps
Existing systems tend to authenticate only would-be identities of users, not transactions, applications, systems, communication paths, hardware, individual packets, messages, and so on.
Containment, detection, and remediation are poorly addressed, particularly following misuse of identities, authentication and authorization.
Maintaining consistency of reputations over time across identities is extremely difficult.
However, carefully controlled mechanisms to revoke or otherwise express doubts about such reputations are also needed.
There is a serious lack of economic models that would underscore the importance of global scale identity management and lead to coherent approaches.
14. Benefits of Global Scale Identity Management
Apart from improvements in security, a well-implemented identity management system brings at least two business benefits to an organisation:
1) Cost Reduction
2) Improved Service Levels
With an enterprise-wide identity management system in place, an organisation does not need to dedicate human resources to handling user-ID-related issues for each individual application.
As a result, fewer people are needed for ID administration activities, which could in turn reduce IT operation costs. In addition, fewer calls to the help desk regarding user ID problems would contribute to more cost savings.
With the help of an automatic identity management system, response times for requests relating to user IDs would be improved, resulting in an improvement to IT service levels and better user ID management activities.
15. Conclusion
Passwords are still the most common authentication method. To reduce the possibility of passwords being compromised using brute-force attacks, consecutive unsuccessful log-in attempts should be controlled. This can be accomplished by disabling an account after a limited number of unsuccessful logins.
Alternatively, a mechanism that increases the time delay between consecutive login attempts could be considered as a way of preventing password-guessing activities.
Additional authentication methods, such as biometrics or two-factor authentication, could also be considered to strengthen the authentication process. Functions requiring another level of authorisation should be implemented using re-authentication.
In addition, idle logged-on sessions should be timed out after a set period to prevent attackers from stealing idle session information.
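The three controls recommended above (account disabling after a limited number of failures, an increasing delay between consecutive attempts, and idle-session timeout), as an added example that is not part of the original slides: the policy limits (five failures, a 1 s delay doubling up to a 5 minute cap, a 15 minute idle timeout) and the class and function names are assumptions. It also carries the caveat from slide 7, that repeated failed logins against a lockout policy can disable access for legitimate users.

```python
from dataclasses import dataclass
# Policy values are constructed for this example, not taken from the slides.
MAX_FAILURES = 5          # "lockout" mode: disable the account after this many failures
BASE_DELAY = 1.0          # "backoff" mode: delay after the first failure, in seconds
MAX_DELAY = 300.0         # cap on the back-off delay so the account never becomes unusable
IDLE_TIMEOUT = 15 * 60    # seconds of inactivity after which a session is dropped

@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since the last success
    not_before: float = 0.0  # earliest time the next attempt is accepted (backoff mode)
    locked: bool = False     # account disabled (lockout mode)

class LoginGuard:
    """Per-account failed-login tracking with a "lockout" or "backoff" policy.

    "lockout" disables the account after MAX_FAILURES, as the slide suggests, but an
    attacker can then lock out a legitimate user with bad passwords (slide 7's
    denial-of-service threat). "backoff" doubles the wait between attempts instead,
    slowing guessing without permanently disabling the account."""
    def __init__(self, mode="backoff"):
        assert mode in ("lockout", "backoff"), "mode must be 'lockout' or 'backoff'"
        self.mode = mode
        self.state = {}

    def check_attempt(self, user, now):
        """Return (allowed, reason) for a login attempt by `user` at time `now`."""
        s = self.state.setdefault(user, AccountState())
        if s.locked:
            return False, "account disabled after repeated failures"
        if now < s.not_before:
            return False, "retry after %.0fs" % (s.not_before - now)
        return True, "ok"

    def record_result(self, user, success, now):
        """Update the account's state after a password check succeeds or fails."""
        if success:
            self.state[user] = AccountState()  # a good login resets all counters
            return
        s = self.state.setdefault(user, AccountState())
        s.failures += 1
        if self.mode == "lockout":
            s.locked = s.failures >= MAX_FAILURES
        else:  # delay doubles with each consecutive failure, capped at MAX_DELAY
            s.not_before = now + min(BASE_DELAY * 2 ** (s.failures - 1), MAX_DELAY)

def session_expired(last_activity, now, idle_timeout=IDLE_TIMEOUT):
    """True when an idle logged-on session should be timed out."""
    return now - last_activity >= idle_timeout
```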