Identity Management: Setting Context

Joseph Pato
Trusted Systems Lab, Hewlett-Packard Laboratories
One Cambridge Center, Cambridge, MA 02412, USA
joe.pato@hp.com

Abstract

Identity Management is the set of processes, tools and social contracts surrounding the creation, maintenance and termination of a digital identity for people or, more generally, for systems and services, to enable secure access to an expanding set of systems and applications. Today, identity management systems are fundamental to underpinning accountability in business relationships, providing customization to user experience, protecting privacy and adhering to regulatory controls.

Traditionally, identity management has been a core component of system security environments, where it has been used for the maintenance of account information for login access to a system or a limited set of applications. An administrator issues accounts so that resource access can be restricted and monitored. Control has been the primary focus for identity management. More recently, however, identity management has exploded out of the sole purview of information security professionals and has become a key enabler for electronic business.

1 What is Digital Identity?

Identity is a complicated concept having many nuances, ranging from philosophical to practical. For the purposes of this discussion we define the identity of an individual as the set of information known about that person. For example, a person's identity in the real world can be a set of names, addresses, driver's licenses, birth certificate, field of employment, etc. This set of information includes items such as:

- a name, which is used as an identifier: it allows us to refer to the identity without enumerating all of the items;
- a driver's license or birth certificate, which are used as an authenticator: they are issued by a relevant authority and allow us to determine the legitimacy of someone's claim to the identity;
- a driver's license, which is used as a privilege: it establishes the permission to operate a motor vehicle.

As the richness of our electronic lives mirrors our physical world experience, as activities such as shopping, discussion, entertainment and business collaboration are conducted as readily in the cyber world as in person, we begin to expect more convenience from our electronic systems. We expect our personal preferences and profile to be readily available so that, for example, when we visit an electronic merchant we needn't tediously enter home delivery information; when participating in a discussion we can check the reputation of other participants; when accessing music or videos we first see the work of our favorite artists; and when conducting business we know that our partners are authorized to make decisions.

Digital identity is the corresponding concept in the digital world. As people engage in more activities in the cyber world, the trend has been to link the real world attributes of identity with an individual's cyber world identity, giving rise to privacy concerns.

2 Elements of an Identity Management System

Identity management solutions are modular and composed of multiple service and system components. This section outlines the components of an example identity management architecture, illustrated in Figure 1.

[Figure 1: Identity Management System Components. Three layers are shown: Consumable (Single Sign On, Personalization, Access Management), Lifecycle (Authentication Provider, Provisioning, Longevity) and Foundation (Repository, Policy Control, Auditing).]

2.1 Identity Management Foundation Components

Repository. At the core of the system is the logical data storage facility and identity data model, which is often implemented as an LDAP accessible directory or metadirectory. Policy information governing access to and use of information in the repository is generally stored here as well.

Policy Control. Access to and use of identity information is governed by policy controls. Authorization policies determine how information is manipulated; privacy policies govern how identity information may be disclosed. Policy controls may cause events to be audited, or even cause the subject of an identity to be notified when information is accessed.

Auditing. Secure auditing provides the mechanism to track how information in the repository is created, modified and used. This is an essential enabler for forensic analysis, which is used to determine how and by whom policy controls were circumvented.

2.2 Identity Management Lifecycle Components

Authentication Provider. The authentication provider, sometimes referred to as the identity provider, is responsible for performing primary authentication of an individual, which will link them to a given identity. The authentication provider produces an authenticator, a token which allows other components to recognize that primary authentication has been performed. Primary authentication techniques include mechanisms such as password verification, proximity token verification, smartcard verification, biometric scans or even X.509 PKI certificate verification. Each identity may be associated with more than one authentication provider. The mechanisms employed by each provider may be of different strengths, and some application contexts may require a minimum strength to accept the claim to a given identity.

Provisioning. Provisioning is the automation of all the procedures and tools to manage the lifecycle of an identity: creation of the identifier for the identity, linkage to the authentication providers, setting and changing attributes and privileges, and decommissioning the identity. In large scale systems these tools generally allow some form of self-service for the creation and ongoing maintenance of an identity, and frequently use a workflow or transactional system for verification of data from an appropriate authority and to propagate data to affiliated systems which may not directly consume the repository.

Longevity. Longevity tools create the historical record of an identity. These tools allow the examination of the evolution of an identity over time.

governments all see value in the emergence of mature identity management systems. Often the requirements of these communities are complementary, but in some cases conflicting needs raise new issues.

3.1 Consumer Trends

With each new web site a user discovers, consumers find themselves creating a new digital identity. This proliferation of accounts is tedious, both in the work needed to keep information correct and in the need to remember unique account name and password combinations. Often this leads to security
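The foundation and lifecycle components of section 2 (a repository, policy control whose decisions are audited, authentication providers of differing strength with a per-context minimum strength, provisioning and decommissioning, and a longevity record), modelled together in one toy system. This is an added example, not code from the paper or from Hewlett-Packard; the numeric strength ranking, the role-based disclosure policy and the sample identity "alice" are all constructed assumptions.

```python
"""Toy identity management model (added example; all names and values are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed strength ranking of the mechanisms the paper lists (higher = stronger);
# the paper assigns no numeric values, these are illustrative only.
STRENGTH = {"password": 1, "proximity_token": 2, "smartcard": 3, "biometric": 3, "x509": 4}


@dataclass
class Authenticator:
    """Token issued by an authentication provider once primary authentication succeeded."""
    identifier: str
    mechanism: str
    strength: int


@dataclass
class Identity:
    identifier: str
    attributes: dict = field(default_factory=dict)
    providers: set = field(default_factory=set)    # mechanisms linked to this identity
    privileges: set = field(default_factory=set)
    active: bool = True
    history: list = field(default_factory=list)    # longevity record of the identity


class Repository:
    """Logical store plus the policy control and audit components that sit around it."""

    def __init__(self):
        self._store = {}
        self.audit_log = []  # append-only audit trail; every policy decision lands here
        # Assumed privacy policy: which attributes each requesting role may be shown.
        self.disclosure_policy = {"helpdesk": {"name"}, "hr": {"name", "department"}}

    def _audit(self, event, identifier, **details):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event,
                 "id": identifier, **details}
        self.audit_log.append(entry)
        return entry

    # --- provisioning: create, change, decommission ---
    def provision(self, identifier, attributes, providers, privileges=()):
        ident = Identity(identifier, dict(attributes), set(providers), set(privileges))
        ident.history.append(("created", dict(attributes)))
        self._store[identifier] = ident
        self._audit("provision", identifier)
        return ident

    def set_attribute(self, identifier, key, value):
        ident = self._store[identifier]
        ident.history.append(("changed", {key: (ident.attributes.get(key), value)}))
        ident.attributes[key] = value
        self._audit("modify", identifier, attribute=key)

    def decommission(self, identifier):
        ident = self._store[identifier]
        ident.active = False            # record is kept for longevity, but it no longer authenticates
        ident.privileges.clear()
        ident.providers.clear()
        ident.history.append(("decommissioned", {}))
        self._audit("decommission", identifier)

    # --- authentication provider (credential check itself is stubbed) ---
    def authenticate(self, identifier, mechanism):
        ident = self._store.get(identifier)
        if ident is None or not ident.active or mechanism not in ident.providers:
            self._audit("auth_failure", identifier, mechanism=mechanism)
            return None
        self._audit("auth_success", identifier, mechanism=mechanism)
        return Authenticator(identifier, mechanism, STRENGTH[mechanism])

    # --- policy control: authorization and privacy ---
    def authorize(self, authenticator, privilege, min_strength):
        """Grant only if the privilege is held AND the authenticator meets the context's minimum strength."""
        ident = self._store.get(authenticator.identifier) if authenticator else None
        granted = bool(ident and ident.active and privilege in ident.privileges
                       and authenticator.strength >= min_strength)
        self._audit("authorize", authenticator.identifier if authenticator else None,
                    privilege=privilege, granted=granted)
        return granted

    def disclose(self, identifier, requester_role):
        """Privacy policy: return only the attributes the requesting role may see, and audit the access."""
        allowed = self.disclosure_policy.get(requester_role, set())
        view = {k: v for k, v in self._store[identifier].attributes.items() if k in allowed}
        self._audit("disclose", identifier, role=requester_role, fields=sorted(view))
        return view


def demo():
    """Walk one constructed identity through its lifecycle and return the observable results."""
    repo = Repository()
    repo.provision("alice", {"name": "Alice", "department": "finance"},
                   providers={"password", "smartcard"}, privileges={"approve_payment"})
    weak = repo.authenticate("alice", "password")
    strong = repo.authenticate("alice", "smartcard")
    results = {
        "weak_approve": repo.authorize(weak, "approve_payment", min_strength=3),     # password too weak
        "strong_approve": repo.authorize(strong, "approve_payment", min_strength=3),
        "helpdesk_view": repo.disclose("alice", "helpdesk"),                          # department withheld
    }
    repo.set_attribute("alice", "department", "treasury")
    repo.decommission("alice")
    results["after_decommission"] = repo.authenticate("alice", "smartcard")          # None
    results["history_events"] = [event for event, _ in repo._store["alice"].history]
    results["audit_events"] = [entry["event"] for entry in repo.audit_log]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes concrete is that the authenticator carries the strength of the mechanism that produced it, so the same identity is accepted for a low-value context but refused for one that demands a smartcard-class credential, and that every authorization and disclosure decision, not just changes to the repository, leaves an audit entry for later forensic review. The decommissioned record stays in the store with its history intact, which is what the longevity component needs.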