GSC16-PLEN-93

Document No:
GSC16-PLEN-93
Source:
ATIS
Contact:
Brian Daly, [email protected]
GSC Session:
PLENARY
Agenda Item:
6.4
ATIS Identity Management
(IdM) Standards Development
Brian K. Daly,
Director, Core Standards
AT&T
Halifax, 31 Oct – 3 Nov 2011
Highlight of Current Activities (1)
ATIS’ Packet Technologies and Systems Committee (PTSC) is
actively developing the following IdM-related standards:
• Identity Management (IdM) Use Cases and Requirements
for Service Provider Identity (SPID)
– Describes use cases to illustrate service scenarios where SPID
is utilized, including assumptions on security, authentication, and
discovery. SPID requirements are derived from these Use
Cases.
– Existing mechanisms and encoding formats are being examined
for applicability and gaps.
– Target Date: 4Q 2011
• Identity Management (IdM) Mechanisms for NGN
– Describes a set of IdM mechanisms and suites of options that
should be used to satisfy the ATIS IdM Requirements Standard
(see next slide).
– Gaps in existing mechanisms are identified in order to meet the
requirements.
– Target Date: 4Q 2011
Halifax, 31 Oct – 3 Nov 2011
ICT Accessibility For All
2
Highlight of Current Activities (2)
PTSC recently completed:
• Identity Management (IdM) Requirements and Use Cases
Standard
• Provides IdM example use cases and requirements for the NGN
and its interfaces. IdM functions and capabilities are used to
increase confidence in identity information and support and
enhance business and security applications, including identity-based services. The requirements provided in this standard are
intended for NGN (i.e., managed packet networks) as defined in
ATIS-1000018, NGN Architecture, and ITU-T Recommendation
Y.2001.
• Completed as ATIS-1000044.2011
Strategic Direction
• Define value added use cases that will derive requirements
• Continue to support government services (e.g., ETS, e-commerce)
• Support the National Strategy for Trusted Identities in Cyberspace
(NSTIC) which addresses two central problems impeding economic
growth online:
– Passwords are inconvenient and insecure
– Individuals are unable to prove their true identity online for significant transactions
• Leverage User-Centric solutions where possible, while identifying deltas
to meet the needs of NGN providers
– NGN service providers need to address both real-time and near-real time
applications
– Solution for real-time applications (e.g., exchange of IdM information for SIP
communication sessions) would be distinct
• Provide structured and standard means to discover and exchange
identity information across network domains/federations
– Bridge different technology dependent systems including existing network
infrastructure systems (e.g., use of existing resources such as Line
Information DataBase (LIDB) where appropriate)
– Address new and emerging applications and services (e.g., IPTV and
convergence)
– IPTV Downloadable Security, including key management, certificate
authority, and authorization
– Address unique security needs
Challenges
• Identity theft, phishing scams, etc., are becoming continually
more sophisticated, and increasing IdM education is a
necessity.
• Un-trusted identity information as a result of migration to IP
packet networks, emergence of new service providers (e.g.,
3rd party providers) and other changes over the past decade
(e.g., smart terminals, and an open internet environment)
– Historically, trusted information was provided by closed and fixed network
environment operating under regulatory conditions
– Changes to the trust model are resulting in operations, accounting,
settlements, security and infrastructure protection problems
• Overcoming silo solutions
– User-centric model focusing on web services and electronic commerce
– Available standards focus mainly on web services (e.g., OASIS, WS*,
Liberty, SAML) and human identities
– Vendor specific solutions/products (e.g., Microsoft Cardspace,
PayPal, iNames)
– Impact of Kantara Initiative needs to be assessed
Next Steps/Actions
• Continue to leverage User-Centric IdM solutions
– Avoid duplication and redundancy
• Leverage, use, enhance and adapt existing work and technology
solutions where appropriate for managed networks
• Enhance and customize existing IP/web services capabilities and work
of other industry groups (e.g., Liberty Alliance, Kantara, OASIS, 3GPP,
ITU-T) as appropriate
– Allow for the use of existing (e.g., LIDB) and new (e.g., IPTV)
resources and capabilities
• Continue to solicit IdM Use Case/Requirements inputs from all
ATIS committees
• Contribute ATIS IdM requirements and mechanisms to the
ITU-T to obtain global solutions
• Collaborate with the White House initiative on National
Strategy for Trusted Identities in Cyberspace (NSTIC) to
improve the privacy, security, and convenience of
sensitive online transactions
Proposed Resolution
• ATIS supports the reaffirmation of the
existing IdM Resolution:
– GSC-15/04: Identity Management
GSC15-CL-11
2 September 2010
RESOLUTION GSC-15/04: (Plenary) Identity Management (revised)
The 15th Global Standards Collaboration meeting (Beijing, 30 August – 2 September 2010)
Recognizing:
a) the importance of Identity Management (IDM) to practically all forms of social and
economic activity, as well as the technical development and deployment of all information
and communication technology (ICT) services for diverse entities (persons,
organizations/providers, and objects), including:
1) authentication and credentials;
2) identifiers and their resolution or use for access;
3) attributes including directories, presence and availability;
4) derivative identity information including reputation;
5) discovery and interoperability of the above authoritative resources;
6) identity assurance; and
7) identity management privacy, security and governance;
b) a common interest of network operators, service/application providers, government, and
users in effective, trusted, interoperable frameworks for Identity Management;
c) that Identity Management capabilities are essential to almost all areas of GSC cooperation,
including RFIDs, sensors, wireless and near-field devices, on-board GSM, IPTV, NGN,
cloud computing, healthcare, emergency communications, e-government, disaster relief,
product proofing against misuse of resources, lawful interception, mitigating identity theft;
d) the rapidly increasing implementation of nomadic and mobile network access by users,
providers, and objects to a complex interconnected set of providers necessitate enhanced
and new IdM capabilities;
e) that effective protection of all kinds of national communications, transportation, electrical
and other critical infrastructures are fundamentally dependent on effective Identity
Management capabilities;
f) that ITU-T has initiated study of Identity Management requirements, architectures, security
frameworks and interoperability including use cases and gap analysis (including
coordination with other SDOs);
g) that ISO/IEC JTC1/SCs and ISO TCs have already produced international standards and
are developing other standards which address and resolve issues associated with
management of identities.
h) that ITU-T’s JCA-IdM (Joint Coordination Activity) coordinates IdM activities within
ITU-T and collaborates with other major IdM standards bodies to resolve issues associated
with management of identities.
i) that standards of GSC organizations can provide a coherent systematic framework for
enhancing trusted open Identity Management interoperability that can minimize risks and
the development of mechanisms to mitigate the risks;
j) that common frameworks can provide for trusted global discovery and interoperability of
identity resources; and
Supplemental Slides
Identity Management (IdM)
• Identity Management (IdM) involves secure management
of the identity life cycle and the exchange of identity
information (e.g., identifiers, attributes and assertions)
based on applicable policy of entities such as:
– Users/groups
– Organizations/federations/enterprise/service providers
– Devices/network elements/systems
– Objects (Application Process, Content, Data)
ID Theft and Online Fraud:
By the Numbers
• Identity theft is costly, inconvenient and all-too common
– In 2010, 8.1 million U.S. adults were the victims of identity theft or fraud, with total costs of $37
billion.
– The average out-of-pocket loss of identity theft in 2008 was $631 per incident.
– Consumers reported spending an average of 59 hours recovering from a “new account” instance of
ID theft.
• Passwords are failing
– In December 2009, the Rockyou password breach revealed the vulnerability of passwords. Nearly
50% of users’ passwords included names, slang words, dictionary words or were extremely weak,
with passwords like “123456”.
• Managing multiple passwords is expensive
– A small business of 500 employees spends approximately $110,000 per year on password
management. That’s $220 per user per year.
• Maintenance of multiple accounts is increasing as more services move online
– One federal agency with 44,000 users discovered over 700,000 user accounts, with the average
user having individual accounts.
• Phishing continues to rise, with attacks becoming more sophisticated
– In 2008 and 2009, specific brands or entities were targeted by more than 286,000 phishing attacks,
all attempting to replicate their site and harvest user credentials.
– A 2009 report from Trusteer found that 45% of targets divulge their personal information when
redirected to a phishing site, and that financial institutions are subjected to an average of 16
phishing attacks per week, costing them between $2.4 and $9.4 million in losses each year.
• Improving identity practices makes a difference
– Implementation of strong credentials across the Department of Defense resulted in a 46%
reduction in intrusions.
– Use of single sign-on technologies can reduce annual sign-in time by 50 hours/user/year.
Value Added for NGN Provider
• Dynamic/automatic IdM means between multiple partners (e.g.,
end users, visited and home networks) reduce costs compared
to pair-wise arrangements to
– Establish service arrangements
– Exchange identity information
– Exchange policy information and enforce policy
• Enabler of new applications and services (e.g., IPTV and
convergence) including identity services
• Leverage existing and expanding customer base
• Common IdM infrastructure enables support of multiple
applications and services
• Enables
– standard API and data schema for application design
– multi-vendor/platforms solutions
– inter-network/federations interoperability
– Security protection of application services, network infrastructure
and resources
Value Added for the User
• Privacy/user control
– Protection of Personal Identifiable Information [PPII]
– Ability to control who is allowed access (i.e., providing consent)
to personal information and how it is used
• Ease of use and single sign-on / sign-off (multiple
application/services across multiple service
providers/federations)
• Enabler of Social Networking
• Security (e.g., confidence of transactions, and Identity
(ID) Theft protection)
Government Motivations
• Infrastructure Protection (i.e., against cyber threats)
• Protection of Global Interests (e.g., business and commerce)
• Provide assurance capabilities (e.g., trusted assertions about digital
identities [credentials, identifiers, attributes and reputations]) to
enable
• National Security/Emergency Preparedness (NS/EP)
• Early Warning Services
• Electronic Government (eGovernment) Services (e.g., web-based
transactions)
• Public Safety Services (e.g., Emergency 911 services)
• Law Enforcement Services (e.g., Lawful Interceptions)
• National/Homeland Security
• Intelligence Services
ATIS PTSC IdM Documents

Document: ATIS NGN IdM Framework Standard [PTSC Issue S0058]
Scope: Framework for NGN IdM
Issue Description:
– Framework for handling identities in a secured and authenticated manner in a multi-network, multiple service provider environment
Target Date: Published as ATIS-1000035.2009

Document: ATIS IdM Requirements and Use Cases [PTSC Issue S0059]
Scope: IdM Use Case examples for NGN
Issue Description:
– Develop Use Cases illustrating IdM applications in a multi-network, multiple service provider environment defined by the ATIS NGN architecture
– Requirements for handling identities in a secured and authenticated manner in a multi-network, multiple service provider environment
– Harmonized approach to address IdM issues in the ATIS NGN architecture
Target Date: Published as ATIS-1000044.2011

Document: ATIS IdM Mechanisms Standard [PTSC Issue S0060]
Scope: NGN IdM Mechanisms and Procedures
Issue Description:
– Develop IdM mechanisms (e.g., registration, authorization, authentication, attribute sharing, discovery) to be used in a harmonized approach for the ATIS NGN architecture
Target Date: 4Q 2011

Document: ATIS Service Provider Identity (SPID) [PTSC Issue S0067]
Scope: Define ATIS Use Cases and Requirements for SPID
Issue Description:
– Develop an ATIS NGN SPID standard that derives requirements from Use Cases applicable to managed NGN deployments. These requirements will be used to define industry solutions.
Target Date: 4Q 2011

Note: parallel documents exist in ITU-T SG13, Q15