Page 1: CAUDIT IAM Framework_v1.1

An IAM Framework for Australian and New Zealand Higher Education and Research May 2009

An Identity and Access Management Framework for Australian and New Zealand Higher Education and Research

Rodney McDuff and Patricia McMillan
The University of Queensland

EDUCAUSE AUSTRALASIA, PERTH, 6 MAY 2009

Page 2: CAUDIT IAM Framework_v1.1

CONTENTS

Background – What are we doing?

An introduction to the IAM framework

How you can participate – Wiki, discussion list, blog

Page 3: CAUDIT IAM Framework_v1.1

SOME THOUGHTS ON IDENTITY

Page 4: CAUDIT IAM Framework_v1.1

BACKGROUND

An initiative of the CAUDIT Standing Committee on Technical Standards

Grew out of the MAPS Project (Middleware Action Plan & Strategy)

Page 5: CAUDIT IAM Framework_v1.1

WHY IDENTITY AND ACCESS MANAGEMENT?

IAM ranks among the most important issues facing CIOs and IT Directors on CAUDIT and EDUCAUSE annual surveys.

Page 6: CAUDIT IAM Framework_v1.1

WHAT ARE WE BUILDING?

An online compendium of IAM resources

A wiki designed to grow through community contributions

Information providing the benefit of the community's prior experiences

A common language and shared vision

A framework for prioritising actions

Page 7: CAUDIT IAM Framework_v1.1

WHAT THE COMPENDIUM CONTAINS

Business case for IAM

Glossary

Framework for the spectrum of IAM processes

Advice – evaluating technologies; federating with other organisations

A set of resources

Page 8: CAUDIT IAM Framework_v1.1

SOME THOUGHTS ON IDENTITY

The real meditation is the meditation on one’s identity. You try it. You try finding out why you’re you and not somebody else. And who in the blazes are you anyhow?
– Ezra Pound, US poet, 1885–1972

Page 9: CAUDIT IAM Framework_v1.1

Identity and Access Management Lifecycle is?

• A sequence of orchestrated business processes
– Performed by many actors
– Governed by some set of policies
– Implemented using some array of technologies

• All so that an individual can gain authorized access to some set of resources

Page 10: CAUDIT IAM Framework_v1.1

Identity and Access Management Lifecycle is?

• Prior to this point…
– Many processes have been performed by many actors
– Most individuals and relying parties are not familiar with these actors or their roles
– Some of these actors may not understand their own roles
– And how they fit into the bigger IAM picture.

• Need a way to allow interested parties to understand the bigger picture

• Need an IAM framework to illuminate:
– Relationships across the spectrum of business processes
– Governing policies
– Technologies
– Actors and their roles

• Need a maturity model to:
– define what improved IAM means for your organisation
– prioritise actions.

Page 11: CAUDIT IAM Framework_v1.1

AN INTRODUCTION TO THE FRAMEWORK

• The CTSC IAM framework is based on a logical timeline of significant processes in the life-cycle of an IAM event

• 6 classes of IAM processes

• To help classify and simplify IAM ideas and concepts

Page 12: CAUDIT IAM Framework_v1.1

Governance and Policy

• IAM Governance is the management, control, and orchestration of IAM business processes guided by
– The policies & business requirements of the organisation.
– The policies & business requirements of Trust Federations.
– Local, national and (possibly) international legislation.

• Answers such questions as:
– How are the enterprise's IAM business requirements to be achieved?
– How may the enterprise's policies constrain or shape this achievement?
– Who within the enterprise is responsible for the various IAM processes and sub-processes?
– When are these processes enacted?

• IAM Governance also needs to benchmark itself
– so that it may evolve and mature to meet the IAM requirements of the enterprise.

• IAM Governance is the most important of the six classes.
– Unfortunately it's usually the most neglected.

Page 13: CAUDIT IAM Framework_v1.1

Identification and Credentialing

• The “digital identity” of an entity is at the crux of IAM.
– It is also a complex entity in itself.

• A “digital identity”* consists of a set of claims made by one “digital subject” about itself or another “digital subject”.

• A “digital subject” is a person or thing represented or existing in the digital realm which is being described or dealt with.

• A “subject” is the central substance or core of a thing as opposed to its attributes.

• It is this “subject” that needs to be identified.

• Once identified:
– Sets of claims and attributes can be accrued and pinned to it.
– Credentials can be issued to it, proving the binding between the “subject” and its “digital identity” to some level of assurance.

*Kim Cameron's Laws of Identity <http://www.identityblog.com/?p=354>

Page 14: CAUDIT IAM Framework_v1.1

Attribute Aggregation

• As soon as a subject is identified it can start to accrue attributes.
– Usually first are the subject's personal details – first name, surname, gender, …
– Enterprise attributes soon follow.

• Attributes are stored in an information store called a System of Record (SOR).
– An enterprise may have several SORs: HR, SIS, Library, PABX, …
– A digital identity is inevitably scattered across a number of SORs.

• To combat this, a system such as a metadirectory or virtual directory can be deployed to construct a consolidated view of the shattered digital identities.
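The join a metadirectory performs is easy to get wrong in two ways: records that carry no usable correlation key get silently dropped, and disagreement between SORs gets silently overwritten. The following Python, added here as an illustration rather than anything from the CAUDIT compendium, consolidates constructed HR, SIS and Library records under one enterprise id, applies a per-attribute authoritative-source order, and reports both unmatched records and conflicting values so that governance can see them. All SOR names, attribute names and sample records are assumed.

```python
"""Consolidate attributes scattered across several Systems of Record (SORs)
into one view of a digital identity, the way a metadirectory join does.
Added illustration, not part of the CAUDIT compendium: the SOR names,
attribute names, authority order and records below are all constructed."""

# Constructed sample records. Each SOR keys the same person differently, so a
# join key (here the enterprise id, carried by HR as its own key and by the
# others as an attribute) is needed to correlate them.
HR = {
    "e1001": {"givenName": "Alice", "sn": "Ng", "mail": "a.ng@example.edu", "status": "active"},
}
SIS = {
    "s4471": {"enterpriseId": "e1001", "givenName": "Alice", "sn": "Ng", "program": "PhD"},
}
LIBRARY = {
    "L-9": {"enterpriseId": "e1001", "sn": "NG", "borrowerType": "postgrad"},
    "L-10": {"sn": "Doe", "borrowerType": "community"},  # no enterprise id: cannot be joined
}

# (name, records, function deriving the join key from the record key and value)
SOURCES = [
    ("HR", HR, lambda key, rec: key),
    ("SIS", SIS, lambda key, rec: rec.get("enterpriseId")),
    ("LIBRARY", LIBRARY, lambda key, rec: rec.get("enterpriseId")),
]

# Authoritative source order per attribute: the first listed SOR that holds a
# value wins. Attributes not listed are taken from whichever SOR has them.
AUTHORITY = {
    "givenName": ["HR", "SIS"],
    "sn": ["HR", "SIS", "LIBRARY"],
    "mail": ["HR"],
    "status": ["HR"],
    "program": ["SIS"],
    "borrowerType": ["LIBRARY"],
}


def gather(sources):
    """Group each SOR record under its enterprise id.
    Returns (by_id, unmatched): by_id[eid][sor] -> attributes from that SOR,
    unmatched -> list of (sor, key) for records that carried no join key."""
    by_id, unmatched = {}, []
    for name, records, join in sources:
        for key, rec in records.items():
            eid = join(key, rec)
            if eid is None:
                unmatched.append((name, key))
                continue
            attrs = {k: v for k, v in rec.items() if k != "enterpriseId"}
            by_id.setdefault(eid, {})[name] = attrs
    return by_id, unmatched


def consolidate(sources, authority):
    """Build the consolidated view. For every attribute the value from the most
    authoritative SOR is used; disagreement between SORs is recorded rather
    than silently dropped, since it usually signals a data-quality or
    provisioning problem that governance should see."""
    by_id, unmatched = gather(sources)
    views = {}
    for eid, per_sor in by_id.items():
        attributes, conflicts = {}, {}
        all_attrs = {a for rec in per_sor.values() for a in rec}
        for attr in sorted(all_attrs):
            order = authority.get(attr, list(per_sor))
            values = {sor: per_sor[sor][attr]
                      for sor in order if sor in per_sor and attr in per_sor[sor]}
            if not values:
                continue
            chosen = next(iter(values))          # most authoritative SOR holding a value
            attributes[attr] = values[chosen]
            disagree = {sor: v for sor, v in values.items() if v != values[chosen]}
            if disagree:
                conflicts[attr] = {"chosen": chosen, "disagree": disagree}
        views[eid] = {"attributes": attributes, "conflicts": conflicts}
    return views, unmatched


if __name__ == "__main__":
    views, unmatched = consolidate(SOURCES, AUTHORITY)
    for eid, view in views.items():
        print(eid, view["attributes"])
        for attr, detail in view["conflicts"].items():
            print("  conflict on", attr, detail)
    print("unmatched:", unmatched)
```

In the constructed data the Library holds the surname in upper case; the consolidated view keeps HR's value because HR is first in the authority list for `sn`, but the disagreement is surfaced instead of lost, and the Library record with no enterprise id is returned for manual reconciliation rather than being dropped.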

Page 15: CAUDIT IAM Framework_v1.1

Authentication and Assertions

• Authentication is the act of proving possession and control of the authentication credentials
– Used to assure the identity of an end entity to a relying party.
– Also binds the subject to its digital identity for the duration of the transaction.

• Authentication is based on the familiar 3-factor metaphor:
– Something you know – a secret, such as a password or PIN.
– Something you have – such as a physical token.
– Something you are – a biometric evaluation.

• Many authN technologies
– Each has pros & cons in protecting against attacks.
– The enterprise must choose appropriate technologies based on:
– Risk assessment of erroneous access to a particular resource.
– Ease of use of the technology for individuals.

• When a subject authenticates, an assertion is normally constructed.
– May range from a simple “OK” response, …
– To a digitally signed SAML assertion.

Page 16: CAUDIT IAM Framework_v1.1

Transport

• Once an assertion has been constructed it must be transported to the relying party so it can consume it.
– Possibly to make an informed authorisation decision.

• However it is quite possible that during its transport:
– The assertion may be tampered with.
– Its content may be revealed to unauthorised parties.

• Relying parties need to understand the LoA provided by the transport mechanism
– Understand the risks associated with consuming the assertion.

• In some cases this transport is trivial and the LoA may be high.
– E.g. assertion generator and consumer on the same server.

• In other cases it may not be so high.
– E.g. transport of the assertion over a network.
– The RP may need to consider the assertion's security, confidentiality and integrity.

Page 17: CAUDIT IAM Framework_v1.1

Relying Parties and Resources

• Once an assertion has been transported to a relying party it must process it according to:

– The information contained within (or implied by) the assertion based on a shared semantic understanding of the attributes and claims within.

– The ability to verify the truth of the assertion based on the understanding of the IAM business processes, policies and technologies that led to its construction and their LoA which manifests trustworthiness.

– Its own business plan, processes, risk analysis and requirements as well as its obligation, if any, to other parties such as actors in the IAM process.

• Relying parties shoulder most of the risk burden in IAM transactions.
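The Transport and Relying Parties slides above say what an RP must establish before trusting an assertion that crossed a network: that it was not tampered with, that it came from an issuer the RP trusts, that it was issued for this RP, that it is still within its validity window, and that it is not being replayed. The Python below is an added example of those checks on the consuming side; it is not CAUDIT code and it simplifies a SAML assertion to a canonical JSON body signed with an HMAC over a shared key (a real SAML deployment uses an XML signature that the RP verifies with the IdP's public certificate, and protects confidentiality in transit with TLS, neither of which is shown). The issuer and audience names, key and claims are all constructed.

```python
"""Construct, transport and consume a signed assertion, performing the checks
a relying party should make before trusting it. Added example, not CAUDIT
code: an HMAC over a canonical JSON body stands in for a SAML XML signature,
and every key, name and claim below is constructed."""
import hashlib
import hmac
import json
import secrets

# Constructed shared key; with a real SAML IdP the RP would hold only the
# IdP's public signing certificate rather than a shared secret.
IDP_KEY = b"constructed-demo-key-do-not-reuse"
IDP = "https://idp.example.edu"          # assumed issuer name
SP = "https://library.example.edu/sp"    # assumed relying party (audience)


def _canonical(body):
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_assertion(claims, key, issuer, audience, now, lifetime=300):
    """Identity-provider side: wrap claims in a signed, time-bound assertion."""
    body = {
        "id": secrets.token_hex(8),   # unique id lets the RP detect replay
        "issuer": issuer,
        "audience": audience,
        "iat": now,
        "exp": now + lifetime,
        "claims": claims,
    }
    payload = _canonical(body)
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": sig}


def consume_assertion(message, key, expected_issuer, expected_audience, now, seen_ids):
    """Relying-party side. Returns (claims, None) when the assertion is
    acceptable, otherwise (None, reason). The signature is checked first, so
    no field of an unverified payload is ever acted on."""
    payload = message.get("payload", "").encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(message.get("sig", ""))):
        return None, "signature mismatch (tampered or unsigned)"
    body = json.loads(payload)
    if body.get("issuer") != expected_issuer:
        return None, "untrusted issuer"
    if body.get("audience") != expected_audience:
        return None, "assertion issued for a different relying party"
    if not (body["iat"] <= now < body["exp"]):
        return None, "outside validity window"
    if body["id"] in seen_ids:
        return None, "replayed assertion"
    seen_ids.add(body["id"])
    return body["claims"], None


def tamper(message, old, new):
    """Simulate in-transit modification of the payload text (demo only)."""
    return {"payload": message["payload"].replace(old, new), "sig": message["sig"]}


if __name__ == "__main__":
    now = 1_700_000_000
    seen = set()
    msg = build_assertion({"subject": "e1001", "affiliation": "student"}, IDP_KEY, IDP, SP, now)
    print(consume_assertion(msg, IDP_KEY, IDP, SP, now + 10, seen))                     # accepted
    print(consume_assertion(msg, IDP_KEY, IDP, SP, now + 11, seen))                     # replay
    print(consume_assertion(tamper(msg, "student", "staff"), IDP_KEY, IDP, SP, now + 10, set()))
    print(consume_assertion(msg, IDP_KEY, IDP, SP, now + 600, set()))                   # expired
```

The order of the checks is the point: integrity first, then issuer and audience, then time and replay. An RP that reads the subject or affiliation before verifying the signature has already accepted whatever the network delivered, which is exactly the transport risk the slides describe.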

Page 18: CAUDIT IAM Framework_v1.1

Identity and Access Management Compendium

• Organised into 6 volumes in line with the 6 classes

• Each volume explains how this aspect of IAM fits into the framework

• Addresses issues such as
– Policy considerations
– Risk assessment, risk management and LoAs
– Relevant standards
– Evaluating technology solutions
– Maturity model
– Federating with other organisations
– Communication and education
– Resources for further information

Page 19: CAUDIT IAM Framework_v1.1

WHAT YOU CAN CONTRIBUTE

Case studies on IAM within your organisation, whether these deal with business, process, policy, or technology aspects;

Policy considerations and risk management related to IAM;

Good IAM processes and practices extending to all parts of an enterprise;

How to evaluate technology solutions;

Pointers to useful resources on IAM;

Comments and feedback as sections are added.

Page 20: CAUDIT IAM Framework_v1.1

HOW TO CONTRIBUTE

https://wiki.caudit.edu.au/confluence/dashboard.action

Email [email protected] to be added to the mailing list and wiki.

Regular blog entries will pose issues and questions to keep the discussion going.

Page 21: CAUDIT IAM Framework_v1.1

SOME THOUGHTS ON IDENTITY

Americans may have no identity, but they do have wonderful teeth.
– Jean Baudrillard, French semiologist