Sabett: ESRA Identity Management 11-09-10




  1. Case Study: A New Model for Federated Identity Management
     Presented at the ESRA Conference, November 10, 2010
     Randy V. Sabett, Partner and Co-Chair, Internet and Data Protection Practice Group
     T +1 1

  2. About SNR Denton
     SNR Denton is a client-focused international legal practice delivering quality and value. We serve clients in key business and financial centers from 48 locations in 32 countries, through offices, associate firms and special alliances across the US, UK, Europe, the Middle East, Russia and the CIS, South-East Asia, and Africa, making us a top 25 legal services provider by lawyers and professionals worldwide. Joining the complementary top tier practices of its founding firms, Sonnenschein Nath & Rosenthal LLP and Denton Wilde Sapte LLP, SNR Denton offers business, government and institutional clients premier service and a disciplined focus to meet evolving needs in eight key industry sectors: Energy, Transport and Infrastructure; Financial Institutions and Funds; Government; Health and Life Sciences; Insurance; Manufacturing; Real Estate, Retail and Hotels; and Technology, Media and Telecommunications.

  3. Our Locations
  4. Converged Issues in Federated Identity (legal/technical/administrative)
     1 Scope of Problem
       • Lack of trust
       • Multiple identity infrastructures
       • Lack of widely accepted methods for electronic signatures
       • Electronic identity is confused with information technology
     2 Root Causes
       • Old model of communications focused on closed systems
       • Lack of widespread adoption of identity/credentialing standards
       • Paper is the traditional system of record for most entities
       • Local regulatory and legal needs differ
     3 Impact
       • Reduction in identity access management costs (~$100 per user)
       • Transaction cost avoidance
       • Clean data faster
       • Improved intellectual property protection
     4 The Opportunity
       • Unified approach for identity, even at high levels of assurance
       • Technology vs. people and paper
       • Industry leadership: allows the company to scale solution capabilities

  5. Review: Values of Federated Identity
     Tactical (Near Term) Value
       • Infrastructure cost reduction/avoidance
       • Transaction cost avoidance
       • Simplifying external collaboration
       • Compliance efficiencies
       • Common liability framework
       • Improved intellectual property protection
     Strategic Value
       • Innovation and productivity improvements
       • Identity management for 3rd parties
       • Supports single credential issuance for employees/contractors
       • Common applications enablement
       • Standard systems validation model
       • Expanded use of electronic and digital signatures

  6. Implementation Decisions
     Participant scope and relationships?
       • Risk management, geographic requirements & support
     Determining business value
       • Tactical vs. strategic
       • Common entry point
     Single or tiered PKI?
       • Financial, regulatory, legal and enterprise transactions
     Legal
       • Contracts
     Insource, outsource, or hybrid?
       • Governance, technical integration, privacy, operations

  7. Typical Liability and Contract Issues
     Risk management
       • Relationship between liability assumption and control capability
       • How to manage current risks?
       • How to manage new risks?
     Issues introduced by federated identity
       • Legal enforceability and local dispute resolution capabilities
       • Relationships with technology and service providers
       • Relationships with employees, business partners, and others
     Support
       • Provisioning
       • Lifecycle management
       • Helpdesk/call center integration & escalation
  8. Typical Architecture Approach: Trust Bridge
     All entities can participate through an industry/government trust bridge.
     [Diagram: several federating entities, each an SP/IdP with its users and user credentials, with an accredited credential issuer that is either insourced or outsourced. The entities connect through the Trust Bridge. Legal interoperability: legally enforced digital signatures via global contract law. Technical interoperability: via a Bridge CA.]
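     The "technical interoperability via a Bridge CA" box on this slide is the part a relying party actually exercises at validation time. The following Go program is an added illustration written for this page, not code from the presentation or from SNR Denton; the entity names, key sizes and serial numbers are constructed for the example. It builds two federating entities (A and B) with their own root CAs, a bridge CA that cross-certifies A's root key, and a cross-certificate from B's root to the bridge key. A relying party in entity B that trusts only its own root can then build a path from a credential issued by A through the two cross-certificates, and cannot do so if the bridge certificates are absent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caNode holds a CA's signing key and its self-signed certificate.
type caNode struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// Federation is the constructed topology: two federating entities, a bridge CA,
// the cross-certificates that join them, and one user credential issued by A.
type Federation struct {
	RootA, RootB, Bridge caNode
	CrossAByBridge       *x509.Certificate // subject "Entity A Root", issued by the bridge
	CrossBridgeByB       *x509.Certificate // subject "Federation Bridge CA", issued by B's root
	UserA                *x509.Certificate // end-entity credential issued by A's root
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate returns a certificate template: CAs get certSign, end entities get clientAuth.
func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl (binding pub) with the issuer's key and returns the parsed certificate.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func selfSigned(cn string, serial int64) caNode {
	k := newKey()
	t := newTemplate(cn, true, serial)
	return caNode{key: k, cert: issue(t, &k.PublicKey, t, k)}
}

// BuildFederation creates the topology. Each cross-certificate carries the same subject
// name and public key as the CA it certifies, which is what lets path building hop across the bridge.
func BuildFederation() Federation {
	f := Federation{
		RootA:  selfSigned("Entity A Root", 1),
		RootB:  selfSigned("Entity B Root", 2),
		Bridge: selfSigned("Federation Bridge CA", 3),
	}
	f.CrossAByBridge = issue(newTemplate("Entity A Root", true, 10), &f.RootA.key.PublicKey, f.Bridge.cert, f.Bridge.key)
	f.CrossBridgeByB = issue(newTemplate("Federation Bridge CA", true, 11), &f.Bridge.key.PublicKey, f.RootB.cert, f.RootB.key)
	user := newKey()
	f.UserA = issue(newTemplate("user@entity-a.example", false, 100), &user.PublicKey, f.RootA.cert, f.RootA.key)
	return f
}

// validate plays the relying party: it trusts exactly one root and is handed the cross-certificates.
// It returns the length of the first valid chain, or the path-building error.
func validate(ee, trustedRoot *x509.Certificate, crossCerts ...*x509.Certificate) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	for _, c := range crossCerts {
		inters.AddCert(c)
	}
	chains, err := ee.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	f := BuildFederation()
	n, err := validate(f.UserA, f.RootB.cert, f.CrossBridgeByB, f.CrossAByBridge)
	fmt.Println("B validating A's user via bridge: chain length", n, "err:", err)
	_, err = validate(f.UserA, f.RootB.cert)
	fmt.Println("B validating A's user without bridge certs: err:", err)
}
```

     The point a practitioner should take from running it: the relying party never imports A's root. Its trust anchor stays its own root; what it receives is the bridge's assurance (the cross-certificate to A) and its own root's assurance of the bridge. Revoking either cross-certificate is therefore how the bridge operator removes a participant from the federation, which is the technical counterpart of the certification and revocation powers the later slides give the Federation Operator.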
  9. Federation Introduces Additional Legal Variables
     Federation and third party bridges, however, don't solve all trust issues.
     [Diagram: the same federating entities (SP/IdP, IdP + SP, users, user credentials, accredited issuers insourced or outsourced) joined through a Bridge CA. Annotation: a contract may not exist between all parties, or may not address identity federation issues.]

  10. Why 3PA? Not just legal reasons
     Operational risk
       • Federation has significant security advantages but creates points of "blind trust" for the relying party
       • For each IdP, the Federation Operator adjudicates the auditor's opinion and report
       • The Federation Operator certifies IdPs against the COR
       • The Federation Operator helps to uniformly govern the community COR standard
     Introducing a Federation Operator who provides Third Party Assurance of the IdP mitigates this operational risk.

  11. Bilateral Agreements Alone are Not Enough
     Legal risk
       • The existing bilateral agreement between the SP and IdP does little to enforce the COR, even when specific clauses are added
       • Hypothetically, an SP becomes aware that the IdP is not following part of the COR but has not yet suffered damage
         – Without damage the SP is not likely to have contractual rights to claim breach of contract; i.e., this contract's protection is only reactionary
       • Plus: the SP is not likely to be in a position to be aware of a COR breach
       • At best, specific injunctive relief might be available in an egregious case of IdP neglect
     The SP obligating the IdP to the COR in their bilateral contract should be thought of as a backstop protection.

  12. Legal Advantages of 3PA
     Legal risk mitigation
     1. The IdP signs an agreement with the FO specifically to bind the IdP to the COR
        – This contract with the FO will unequivocally be in breach if the IdP is not adhering to the COR
        – This contract contains an indemnification of all SPs the IdP asserts identities to
     2. The SP and IdP execute their business-oriented bilateral agreement but include
        – An obligation on the IdP to remain certified in good standing with the FO for the duration of their bilateral agreement
          • The IdP is now "doubly bound" to the COR and there is no need for the SP to reference the COR in this business contract
          • Should the FO revoke the IdP's certification for failure to adhere to the COR, the relying party now has a material breach of this bilateral contract
        – Any obligations the IdP wishes to place on the SP (data privacy, protection, etc.)
     3. There is no general reason for a contract between the SP and the FO

  13. The 3PA Model: Summary Points
     • Utilizes existing bilateral agreements between IdP and SP; only one clause is added to support federation
       – Number of contracts is a good metric to judge a model, but doesn't take into account how complicated or how "new" the contracting material is
     • Requires a new contract between the FO and the IdP, but this only happens once per IdP/FO pair
     • Creates a quasi-multilateral effect to the benefit of the SP (recall how hard multilateral contracts are to execute)
       – Specifically created through third party beneficiary rights defined in the IdP/FO contract
     • The COR defines most of the obligations on the IdP
       – The FO/IdP contract becomes boilerplate and scales to large numbers of IdPs as necessary
     [Diagram: arrows between the parties labelled "Enables Trust" and "Trust Enables".]

  14. Variations on the Theme
     [Diagram of four contracting topologies among SP, FO, IdP and AP: the V Model (SP, FO, IdP), the Triangle Model (SP/IdP B, FO, IdP A), the i Model (SP, FO, IdP) and the U Model (SP, FO, AP, IdP).]

  15. Summary
     • The 3PA model incorporates the best features of other federation legal models
     • All stakeholders can have certainty as to the rights and obligations of all of the entities involved in that federation
     • A COR that is incorporated by reference in the contract between the FO and each IdP provides clarity
  16. SNR Denton US LLP, 1301 K Street, NW, Suite 600, Washington, DC
     © 2010 SNR Denton. SNR Denton is the collective trade name for an international legal practice. Any reference to a "partner" means a partner, member, consultant or employee with equivalent standing and qualifications in one of SNR Denton's affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Attorney Advertising. Please see for Legal Notices.