Jim Fenton, profile picture
Uploaded byJim Fenton
PDF, PPTX649 views

Identity systems

The document discusses key concepts related to identity systems, including subjects, relying parties, attributes, and the basic functions of an identity provider. It outlines a basic identity system model where the identity provider authenticates the user and authorizes the release of attributes to relying parties. It also covers important topics such as user trust, authentication methods, credential management, directed identity, attribute sources, and security and availability challenges.

Embed presentation

Download as PDF, PPTX
Identity Systems Jim Fenton
“Defining identity is like nailing Jell-O® to the wall.” – Source Uncertain Flickr photo by stevendepolo Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Terminology   Subject The person (usually) whose identity is involved Sometimes called the User   Relying Party The entity the Subject is interacting with Sometimes called the Service Provider   Attribute A piece of information about the Subject Sometimes called a Claim Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3
A Basic Identity System Government Identity Provider Authentication Request Commerce Social Media Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4
A Basic Identity System Government Identity User Provider User Credentials Authentication Commerce Social Media Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5
A Basic Identity System Government Identity Authorize Info Provider Attribute Request/ Release Response Commerce Social Media Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6
Elements of Identity Management Percent Authentication Credential Management Establish who the Subject is Prove to Relying Parties who the Subject is Attribute Management Provide information about the Subject Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7
User Trust   User trust in their Identity Provider is fundamental Not all users trust any one entity Most likely to trust entities they do business with and strong, trusted brands Different trusted entities in different cultures   An ecosystem of identity providers is required Users need to choose their own identity provider Need to consider ability to migrate to a different provider if required Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 8
Authentication Flickr photo by shannonpatrick17 Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 9
Authentication Methods   Methods useful for user authentication are situation-specific Type of endpoint being used Required authentication strength (transaction value, etc.)   Problem: Many existing identity systems are bound tightly to specific authentication methods Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 10
Authentication Strength   Authentication strength should depend on transaction value iTunes purchase (99 cents) vs. vehicle purchase   NIST Special Pub 800-63 defines 4 levels: Level 1: Minimal challenge/response Level 2: Single-factor identity proofing Level 3: Multi-factor identity proofing Level 4: Hardened multi-factor   Relying party specifies the required strength to the identity management system Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 11
Authentication Endpoint Diversity   The Web is pervasive, but not everything is a browser   Examples Vending Machines Set-top boxes Doors (physical security)   Modular approaches to authentication needed to consider a wide range of use cases Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 12
Security Opportunities   Users that authenticate frequently at a given service are more likely to detect anomalies More likely to be suspicious about, for example, lack of a certificate Browsers can be configured to specially flag “chosen” identity providers   Identity providers can detect anomalous user behavior Similar to detection of fraudulent credit card transactions Business/policy framework should encourage this Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 13
Credential Management Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Imagery supplied by Photodisc/Getty Images 14
Credential Management: Functions   Act as a “key cabinet” for the user Each relying party has its own credentials   Support Directed Identity Prevent undesired release of correlation handles Identifiers to Relying Parties are opaque by default   Enforce secure use of credentials Require use of secure channel (e.g., SSL) Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 15
Directed Identity   It should not necessarily be possible for different Relying Parties to correlate identifiers Insurance company vs. supermarket account Pseudonymous identifiers for tip hotlines   Users may still choose to link relying parties’ identifiers   Attributes may also provide correlation handles   Credential manager can be subpoenaed if appropriate Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 16
Security and Availability Issues   Security The credential store is a very high-value target Credentials can be distributed to diffuse attack High-level physical security is also required   Availability Failure of an Identity Manager may have severe impact on its Subjects Solvable problem, but needs to be addressed Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 17
Attribute Management Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 18
Distributed Attributes   Self-asserted attributes have limited utility   Authoritative sources for different attributes come from different places FICO scores from a credit bureau Driving record from state Motor Vehicle Department Proof of employment from employer   Identity system has a role in locating trustable sources of attributes   Attributes delivered as signed assertions Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 19
Attribute Distribution: Example Healthcare Provider Identity Provider Authorization “Is subject 21?” Request Request Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 20
Attribute Distribution: Example Healthcare Provider Identity Provider Release Trust Negotiation Authorization Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 21
Attribute Distribution: Example Healthcare Provider Identity Provider “Is subject 21?” Request Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 22
Attribute Distribution: Example Healthcare Provider Identity Provider “Subject is 21 or over” –DMV Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 23
Attribute Trust   Federation: Prearranged trust relationships Personnel Security Clearances among Federal agencies Business partners   Accreditation: Indirect federation Financial institutions, schools Scales much better than direct federation Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 24
Identity Provider Trust   Identity Provider has a fiduciary responsibility   To the Subject: Must use credentials only for the proper Subject   To Relying Parties: Must associate attribute requests and responses reliably   Identity Provider may coincidentally function as an Attribute Provider Functions should be considered separate to maintain privacy Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 25
Summary Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 26
Observations   Scaling is critical Technical (protocol) aspects of scaling are a solved problem Scaling of trust relationships is the real limitation   Chosen technologies need to consider a very wide range of use cases   An ecosystem of identity and attribute providers is needed Need business models for these functions Public policy should encourage constructive behavior and help these entities manage liability exposure Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 27
Identity systems

More Related Content

PDF
Comodo Overview Presentation Read Only
byJayHicks
 
PDF
State-of-the-Art in Web Services Federation
byOliver Pfaff
 
PDF
Cloud Computing Webinar: Legal & Regulatory Update for 2012
byitandlaw
 
PDF
Extending Enterprise Security into the Cloud
byCA API Management
 
PDF
Enrique Castro Leon Virtual Service Oriented Grids
bySOA Symposium
 
PDF
How to Overcome the 3 Biggest PCI Compliance Challenges
byVISIHOSTING
 
PDF
Enterprise Security Architecture: From Access to Audit
byBob Rhubart
 
PDF
Under Lock And Key
byYarko Petriw
 
Comodo Overview Presentation Read Only
byJayHicks
 
State-of-the-Art in Web Services Federation
byOliver Pfaff
 
Cloud Computing Webinar: Legal & Regulatory Update for 2012
byitandlaw
 
Extending Enterprise Security into the Cloud
byCA API Management
 
Enrique Castro Leon Virtual Service Oriented Grids
bySOA Symposium
 
How to Overcome the 3 Biggest PCI Compliance Challenges
byVISIHOSTING
 
Enterprise Security Architecture: From Access to Audit
byBob Rhubart
 
Under Lock And Key
byYarko Petriw
 

What's hot

PPT
Vormetric data security complying with pci dss encryption rules
byVormetric Inc
 
PDF
Oded Tsur - Ca Cloud Security
byCSAIsrael
 
PPTX
Password fatigation
byVASCO Data Security
 
PDF
Sgtn Supply Chain Initiatives V44 S
byJames Cofield
 
PDF
#EMC #DOCUMENTUM -content-management-in-action
byMountaha
 
PDF
Veriphyr bright talk 20120523
byAccenture
 
ODP
Lotusphere 2011 SHOW104
byWorkFlowStudios
 
PPTX
Juniper Provision - 13martie2012
byAgora Group
 
PDF
Enrique Castro Leon Scaling Delivery Of I T Services
bySOA Symposium
 
PDF
Federated and Secure Identity Management in Operation
byFederation for Identity and Cross-Credentialing Systems (FiXs)
 
PDF
Webinar: Move Your Business Forward with Cisco VOIP for SMB
byAdvanced Logic Industries
 
PDF
Presentatie mc afee emm 2011
bySecutecGroup Baudewijns
 
PPTX
Security for heterogeneous enviroments
byFederman Hoyos
 
PDF
Oracle a TBIZ2011
byTechnologyBIZ
 
PDF
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
byRamesh Nagappan
 
PPTX
2012-01 How to Secure a Cloud Identity Roadmap
byRaleigh ISSA
 
PDF
Mulin Holstein PKI-strategy
byfEngel
 
PPTX
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
PPTX
Legal nuances to the cloud
byRitambhara Agrawal
 
PDF
Ubisecure presentation short
byCharles Sederholm
 
Vormetric data security complying with pci dss encryption rules
byVormetric Inc
 
Oded Tsur - Ca Cloud Security
byCSAIsrael
 
Password fatigation
byVASCO Data Security
 
Sgtn Supply Chain Initiatives V44 S
byJames Cofield
 
#EMC #DOCUMENTUM -content-management-in-action
byMountaha
 
Veriphyr bright talk 20120523
byAccenture
 
Lotusphere 2011 SHOW104
byWorkFlowStudios
 
Juniper Provision - 13martie2012
byAgora Group
 
Enrique Castro Leon Scaling Delivery Of I T Services
bySOA Symposium
 
Federated and Secure Identity Management in Operation
byFederation for Identity and Cross-Credentialing Systems (FiXs)
 
Webinar: Move Your Business Forward with Cisco VOIP for SMB
byAdvanced Logic Industries
 
Presentatie mc afee emm 2011
bySecutecGroup Baudewijns
 
Security for heterogeneous enviroments
byFederman Hoyos
 
Oracle a TBIZ2011
byTechnologyBIZ
 
Managing PIV Card Lifecycle and Converging Physical & Logical Access Control
byRamesh Nagappan
 
2012-01 How to Secure a Cloud Identity Roadmap
byRaleigh ISSA
 
Mulin Holstein PKI-strategy
byfEngel
 
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
Legal nuances to the cloud
byRitambhara Agrawal
 
Ubisecure presentation short
byCharles Sederholm
 

Viewers also liked

PDF
BPMN Usage Survey: Results
byMichele Chinosi
 
PPTX
Varilla de soldadura oxiacetilenica
byEmmanuel351
 
PPTX
Motiverende samtale - en tilnærming til samtale om endring
byNina Sletteland
 
DOCX
MP fortsætter fremgangen.
byhusetnybo
 
PPTX
Rotary.23.august2016
byIda Borch
 
PPTX
moser
byTran Ly
 
PPTX
K ommunikation i arbetslivet del 5
byjonathansikh
 
PPT
Czym rozni sie paszport biometryczny od tradycyjnego
byrafaljurkowlaniec
 
PPT
Hvordan Blir Du Et Personligt Brand?
byIda Borch
 
PDF
EUs personvernforordning: Krav til leverandører og kan vi designe oss rundt
bySimen Sommerfeldt
 
PPTX
Types of Evidence
bytet2
 
PPT
Interview skills
byAvinash Varanasi
 
PPTX
Types of Evidence
byRamanand Karwa
 
PPTX
Police oral board interview questions
byselinasimpson880
 
PPTX
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
byForgeRock
 
PDF
Confession an overview
bySandeep K Bohra
 
PPTX
IAM for the Masses: Managing Consumer Identities
byForgeRock
 
PPTX
Machine Readable Travel Documents (MRTD) - Biometric Passport
byTariq Tauheed
 
PPTX
Identity Theft Presentation
bycharlesgarrett
 
PPTX
Face detection By Abdul Hanan
byAbdul Hanan
 
BPMN Usage Survey: Results
byMichele Chinosi
 
Varilla de soldadura oxiacetilenica
byEmmanuel351
 
Motiverende samtale - en tilnærming til samtale om endring
byNina Sletteland
 
MP fortsætter fremgangen.
byhusetnybo
 
Rotary.23.august2016
byIda Borch
 
moser
byTran Ly
 
K ommunikation i arbetslivet del 5
byjonathansikh
 
Czym rozni sie paszport biometryczny od tradycyjnego
byrafaljurkowlaniec
 
Hvordan Blir Du Et Personligt Brand?
byIda Borch
 
EUs personvernforordning: Krav til leverandører og kan vi designe oss rundt
bySimen Sommerfeldt
 
Types of Evidence
bytet2
 
Interview skills
byAvinash Varanasi
 
Types of Evidence
byRamanand Karwa
 
Police oral board interview questions
byselinasimpson880
 
FUTURE-PROOFING CONSUMER IDENTITY AND ACCESS MANAGEMENT
byForgeRock
 
Confession an overview
bySandeep K Bohra
 
IAM for the Masses: Managing Consumer Identities
byForgeRock
 
Machine Readable Travel Documents (MRTD) - Biometric Passport
byTariq Tauheed
 
Identity Theft Presentation
bycharlesgarrett
 
Face detection By Abdul Hanan
byAbdul Hanan
 

Similar to Identity systems

PDF
Demystifying TrustSec, Identity, NAC and ISE
byCisco Canada
 
PPTX
ReadyCloud Collaboration, a Cisco Powered service
byGen-i
 
PDF
Cisco Cloud Briefing and Experiences for Cloud Slam 2011
byCisco Collaboration
 
PPTX
Express Data - BYOD
byGen-i
 
PPTX
Express Data - BYOD
byGen-i
 
PDF
Cisco Study: State of Web Security
byCisco Canada
 
PDF
Outsourcing your TDM Gateways: SIP Trunking as a Service Provider Cloud Service
byCisco Canada
 
PPT
Identity management
bykamalikamj
 
PDF
Wireless LAN Security, Policy, and Deployment Best Practices
byCisco Mobility
 
PDF
OAuth 2.0 101
byAnand Sharma
 
PPTX
Social Intelligence Drives Social CRM
byLaSandra Brill
 
PDF
The Network Enabled EOC
byCisco Crisis Response
 
PDF
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
byCisco Canada
 
PDF
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
byCisco Canada
 
PDF
Cisco small business_communicate_by_leah_davis
bygkmurase
 
PDF
Cloud and On Premises Collaboration Security Explained
byCisco Canada
 
PPT
EXPLOITING VIDEO AS AN OPPORTUNITY TO BUILD PERSONAL RELATIONSHIPS
byKGS Global
 
PPT
CCNA Security - Chapter 3
byIrsandi Hasan
 
PDF
Cisco services and_cloud-serge_dupouy (1)
byA Ivan Colin
 
PDF
Collaboration in the Cloud
byCisco Canada
 
Demystifying TrustSec, Identity, NAC and ISE
byCisco Canada
 
ReadyCloud Collaboration, a Cisco Powered service
byGen-i
 
Cisco Cloud Briefing and Experiences for Cloud Slam 2011
byCisco Collaboration
 
Express Data - BYOD
byGen-i
 
Express Data - BYOD
byGen-i
 
Cisco Study: State of Web Security
byCisco Canada
 
Outsourcing your TDM Gateways: SIP Trunking as a Service Provider Cloud Service
byCisco Canada
 
Identity management
bykamalikamj
 
Wireless LAN Security, Policy, and Deployment Best Practices
byCisco Mobility
 
OAuth 2.0 101
byAnand Sharma
 
Social Intelligence Drives Social CRM
byLaSandra Brill
 
The Network Enabled EOC
byCisco Crisis Response
 
Cisco Connect Vancouver 2017 - Cloud and on premises collaboration security e...
byCisco Canada
 
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
byCisco Canada
 
Cisco small business_communicate_by_leah_davis
bygkmurase
 
Cloud and On Premises Collaboration Security Explained
byCisco Canada
 
EXPLOITING VIDEO AS AN OPPORTUNITY TO BUILD PERSONAL RELATIONSHIPS
byKGS Global
 
CCNA Security - Chapter 3
byIrsandi Hasan
 
Cisco services and_cloud-serge_dupouy (1)
byA Ivan Colin
 
Collaboration in the Cloud
byCisco Canada
 

More from Jim Fenton

PDF
Notifs 2018
byJim Fenton
 
PPTX
REQUIRETLS: Sender Control of TLS Requirements
byJim Fenton
 
PDF
User Authentication: Passwords and Beyond
byJim Fenton
 
PDF
User Authentication Overview
byJim Fenton
 
PDF
Making User Authentication More Usable
byJim Fenton
 
PDF
Toward Better Password Requirements
byJim Fenton
 
PDF
Security Questions Considered Harmful
byJim Fenton
 
PDF
LOA Alternatives - A Modest Proposal
byJim Fenton
 
PDF
Notifs update
byJim Fenton
 
PDF
IgnitePII2014 Nōtifs
byJim Fenton
 
PDF
iBeacons: Security and Privacy?
byJim Fenton
 
PPTX
OneID Garage Door
byJim Fenton
 
PPTX
Adapting Levels of Assurance for NSTIC
byJim Fenton
 
Notifs 2018
byJim Fenton
 
REQUIRETLS: Sender Control of TLS Requirements
byJim Fenton
 
User Authentication: Passwords and Beyond
byJim Fenton
 
User Authentication Overview
byJim Fenton
 
Making User Authentication More Usable
byJim Fenton
 
Toward Better Password Requirements
byJim Fenton
 
Security Questions Considered Harmful
byJim Fenton
 
LOA Alternatives - A Modest Proposal
byJim Fenton
 
Notifs update
byJim Fenton
 
IgnitePII2014 Nōtifs
byJim Fenton
 
iBeacons: Security and Privacy?
byJim Fenton
 
OneID Garage Door
byJim Fenton
 
Adapting Levels of Assurance for NSTIC
byJim Fenton
 

Recently uploaded

PPTX
Blue Futuristic Cyber Security Presentation.pptx
byrdelosreyes538795
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Raman Bhaumik - A Junior Software Developer
byRaman Bhaumik
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Blue Futuristic Cyber Security Presentation.pptx
byrdelosreyes538795
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Raman Bhaumik - A Junior Software Developer
byRaman Bhaumik
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

Identity systems

  • 1.
  • 2.
    “Defining identity is like nailing Jell-O® to the wall.” – Source Uncertain Flickr photo by stevendepolo Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2
  • 3.
    Terminology   Subject The person (usually) whose identity is involved Sometimes called the User   Relying Party The entity the Subject is interacting with Sometimes called the Service Provider   Attribute A piece of information about the Subject Sometimes called a Claim Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3
  • 4.
    A Basic IdentitySystem Government Identity Provider Authentication Request Commerce Social Media Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4
  • 5.
    A Basic IdentitySystem Government Identity User Provider User Credentials Authentication Commerce Social Media Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5
  • 6.
    A Basic IdentitySystem Government Identity Authorize Info Provider Attribute Request/ Release Response Commerce Social Media Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6
  • 7.
    Elements of IdentityManagement Percent Authentication Credential Management Establish who the Subject is Prove to Relying Parties who the Subject is Attribute Management Provide information about the Subject Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7
  • 8.
    User Trust   Usertrust in their Identity Provider is fundamental Not all users trust any one entity Most likely to trust entities they do business with and strong, trusted brands Different trusted entities in different cultures   An ecosystem of identity providers is required Users need to choose their own identity provider Need to consider ability to migrate to a different provider if required Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 8
  • 9.
    Authentication Flickr photo by shannonpatrick17 Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 9
  • 10.
    Authentication Methods   Methodsuseful for user authentication are situation-specific Type of endpoint being used Required authentication strength (transaction value, etc.)   Problem: Many existing identity systems are bound tightly to specific authentication methods Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 10
  • 11.
    Authentication Strength   Authenticationstrength should depend on transaction value iTunes purchase (99 cents) vs. vehicle purchase   NIST Special Pub 800-63 defines 4 levels: Level 1: Minimal challenge/response Level 2: Single-factor identity proofing Level 3: Multi-factor identity proofing Level 4: Hardened multi-factor   Relying party specifies the required strength to the identity management system Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 11
  • 12.
    Authentication Endpoint Diversity  The Web is pervasive, but not everything is a browser   Examples Vending Machines Set-top boxes Doors (physical security)   Modular approaches to authentication needed to consider a wide range of use cases Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 12
  • 13.
    Security Opportunities   Usersthat authenticate frequently at a given service are more likely to detect anomalies More likely to be suspicious about, for example, lack of a certificate Browsers can be configured to specially flag “chosen” identity providers   Identity providers can detect anomalous user behavior Similar to detection of fraudulent credit card transactions Business/policy framework should encourage this Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 13
  • 14.
    Credential Management Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public Imagery supplied by Photodisc/Getty Images 14
  • 15.
    Credential Management: Functions  Act as a “key cabinet” for the user Each relying party has its own credentials   Support Directed Identity Prevent undesired release of correlation handles Identifiers to Relying Parties are opaque by default   Enforce secure use of credentials Require use of secure channel (e.g., SSL) Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 15
  • 16.
    Directed Identity   Itshould not necessarily be possible for different Relying Parties to correlate identifiers Insurance company vs. supermarket account Pseudonymous identifiers for tip hotlines   Users may still choose to link relying parties’ identifiers   Attributes may also provide correlation handles   Credential manager can be subpoenaed if appropriate Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 16
  • 17.
    Security and AvailabilityIssues   Security The credential store is a very high-value target Credentials can be distributed to diffuse attack High-level physical security is also required   Availability Failure of an Identity Manager may have severe impact on its Subjects Solvable problem, but needs to be addressed Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 17
  • 18.
    Attribute Management Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 18
  • 19.
    Distributed Attributes   Self-assertedattributes have limited utility   Authoritative sources for different attributes come from different places FICO scores from a credit bureau Driving record from state Motor Vehicle Department Proof of employment from employer   Identity system has a role in locating trustable sources of attributes   Attributes delivered as signed assertions Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 19
  • 20.
    Attribute Distribution: Example Healthcare Provider Identity Provider Authorization “Is subject 21?” Request Request Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 20
  • 21.
    Attribute Distribution: Example Healthcare Provider Identity Provider Release Trust Negotiation Authorization Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 21
  • 22.
    Attribute Distribution: Example Healthcare Provider Identity Provider “Is subject 21?” Request Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 22
  • 23.
    Attribute Distribution: Example Healthcare Provider Identity Provider “Subject is 21 or over” –DMV Wine Merchant Motor Vehicle Department Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 23
  • 24.
    Attribute Trust   Federation:Prearranged trust relationships Personnel Security Clearances among Federal agencies Business partners   Accreditation: Indirect federation Financial institutions, schools Scales much better than direct federation Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 24
  • 25.
    Identity Provider Trust  Identity Provider has a fiduciary responsibility   To the Subject: Must use credentials only for the proper Subject   To Relying Parties: Must associate attribute requests and responses reliably   Identity Provider may coincidentally function as an Attribute Provider Functions should be considered separate to maintain privacy Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 25
  • 26.
    Summary Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 26
  • 27.
    Observations   Scaling iscritical Technical (protocol) aspects of scaling are a solved problem Scaling of trust relationships is the real limitation   Chosen technologies need to consider a very wide range of use cases   An ecosystem of identity and attribute providers is needed Need business models for these functions Public policy should encourage constructive behavior and help these entities manage liability exposure Fenton 091120 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 27