GSC17-PLEN-59


Document No: GSC17-PLEN-59
Source: ATIS
Contact: Andrew White, [email protected]
GSC Session: PLEN
Agenda Item: 6.4
ATIS Identity Management (IdM) Standards Development
Andrew White, Principal Consultant, Nokia Siemens Networks
Jeju, 13 – 16 May 2013
Standards for Shared ICT
Highlight of ATIS IdM Standards
ATIS’ Packet Technologies and Systems Committee (PTSC) completed the following IdM-related standards:
• ATIS-1000035: Identity Management (IdM) Framework
  – Provides an IdM framework for Next Generation Network (NGN)
  – Describes the fundamental concepts, functional components and capabilities of IdM that can be used to organize and guide structured solutions and facilitate interoperability in a heterogeneous environment
GSC-17, Jeju / Korea
• ATIS-1000044: Identity Management (IdM) Requirements and Use Cases Standard
  – Provides IdM example use cases and requirements for the NGN and its interfaces.
  – IdM functions and capabilities are used to increase confidence in identity information and support and enhance business and security applications including identity-based services.
  – The requirements provided in this standard are intended for NGN (i.e., managed packet networks) as defined in ATIS-1000018, NGN Architecture, and ITU-T Recommendation Y.2001.
• ATIS-1000045: Identity Management (IdM) Mechanisms and Procedures Standard
  – Describes the specific IdM mechanisms and suites of options that should be used to meet the requirements in the IdM Requirements standard (ATIS-1000044).
  – In addition, it provides best practices and guidelines to support interoperability and other needs.
Strategic Direction
• Support the National Strategy for Trusted Identities in Cyberspace, which addresses two central problems impeding economic growth online:
  – Passwords are inconvenient and insecure
  – Individuals are unable to prove their true identity online for significant transactions
• Leverage User-Centric solutions where possible, while identifying deltas to meet the needs of NGN providers
  – NGN service providers need to address both real-time and near-real-time applications
  – Solution for real-time applications (e.g., exchange of IdM information for SIP communication sessions) would be distinct
• Provide structured and standard means to discover and exchange identity information across network domains/federations
  – Bridge different technology-dependent systems including existing network infrastructure systems
  – Address new and emerging applications and services
  – Address unique security needs
Challenges
• Identity theft, phishing scams, etc., are becoming more sophisticated, increasing the need for IdM education
• Un-trusted identity information as a result of migration to IP packet networks, emergence of new service providers (e.g., 3rd party providers) and other changes (e.g., smart terminals and an open internet environment)
  – Historically, trusted information was provided by a closed and fixed network environment operating under regulatory conditions
  – Changes to the trust model are resulting in operations, accounting, settlements, security and infrastructure protection problems
• Overcoming “silo” solutions
  – User-centric model focusing on web services and electronic commerce
  – Available standards focus mainly on web services (e.g., OASIS, WS*, Liberty, SAML) and human identities
  – Vendor-specific solutions/products (e.g., PayPal, iNames)
  – Impact of Kantara Initiative needs to be assessed
Next Steps/Actions
• Continue to leverage User-Centric IdM solutions (e.g., OpenID and OAuth)
  – Avoid duplication and redundancy
  – Leverage, use, enhance and adapt existing work and technology solutions where appropriate for managed networks
  – Enhance and customize existing IP/web services capabilities and work of other industry groups (e.g., Liberty Alliance, Kantara, OASIS, 3GPP, ITU-T) as appropriate
  – Allow for the use of existing (e.g., LIDB) and new resources and capabilities
• Collaborate with the White House initiative on the National Strategy for Trusted Identities in Cyberspace (NSTIC) to improve the privacy, security, and convenience of sensitive online transactions
Supplemental Slides
Identity Management (IdM)
• Identity Management (IdM) involves secure management of the identity life cycle and the exchange of identity information (e.g., identifiers, attributes and assertions) based on applicable policy of entities such as:
  – Users/groups
  – Organizations/federations/enterprise/service providers
  – Devices/network elements/systems
  – Objects (Application Process, Content, Data)
ID Theft and Online Fraud: By the Numbers
• Identity theft is costly, inconvenient and all-too common
  – In 2010, 8.1 million U.S. adults were the victims of identity theft or fraud, with total costs of $37 billion.
  – The average out-of-pocket loss of identity theft in 2008 was $631 per incident.
  – Consumers reported spending an average of 59 hours recovering from a “new account” instance of ID theft.
• Phishing continues to rise, with attacks becoming more sophisticated
  – In 2008 and 2009, specific brands or entities were targeted by more than 286,000 phishing attacks, all attempting to replicate their site and harvest user credentials.
  – A 2009 report from Trusteer found that 45% of targets divulge their personal information when redirected to a phishing site, and that financial institutions are subjected to an average of 16 phishing attacks per week, costing them between $2.4 and $9.4 million in losses each year.
• Passwords are failing
  – In December 2009, the Rockyou password breach revealed the vulnerability of passwords. Nearly 50% of users’ passwords included names, slang words, dictionary words or were extremely weak, with passwords like “123456”.
• Managing multiple passwords is expensive
  – A small business of 500 employees spends approximately $110,000 per year on password management. That’s $220 per user per year.
• Maintenance of multiple accounts is increasing as more services move online
  – One federal agency with 44,000 users discovered over 700,000 user accounts, with the average user having individual accounts.
• Improving identity practices makes a difference
  – Implementation of strong credentials across the Department of Defense resulted in a 46% reduction in intrusions.
  – Use of single sign-on technologies can reduce annual sign-in time by 50 hours/user/year.
Value Added for NGN Provider
• Dynamic/automatic IdM means between multiple partners (e.g., end users, visited and home networks) reduce costs (compared to pair-wise arrangements) to
  – Establish service arrangements
  – Exchange identity information
  – Exchange policy information and enforce policy
• Enabler of new applications and services (e.g., IPTV and convergence) including identity services
• Leverage existing and expanding customer base
• Common IdM infrastructure enables support of multiple applications and services
• Enables
  – Standard API and data schema for application design
  – Multi-vendor/platform solutions
  – Inter-network/federation interoperability
  – Security protection of application services, network infrastructure and resources
Value Added for the User
• Privacy/user control
  – Protection of Personal Identifiable Information [PPII]
  – Ability to control who is allowed access (i.e., providing consent) to personal information and how it is used
• Ease of use and single sign-on / sign-off (multiple applications/services across multiple service providers/federations)
• Enabler of Social Networking
• Security (e.g., confidence of transactions, and Identity (ID) Theft protection)
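The supplemental slides describe IdM as the policy-governed exchange of identifiers, attributes and assertions between a home network and its partners, and the value-for-the-user slide above adds that the user should control which personal information is released. The following Python sketch is an added illustration of those two points and is not code from ATIS, PTSC or any of the standards named in this deck. It models one home-network identity provider (IdP) that issues a signed attribute assertion to a relying party (RP) in a visited network, releasing only the attributes the subscriber has consented to for that RP, and an RP-side check that rejects tampered, misdirected or expired assertions before trusting any attribute. The HMAC-SHA256 signature with a pre-shared key stands in for the XML or JWT signatures a SAML or OpenID deployment would use; the entity names, attribute set and consent table are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data (not from any ATIS document): a home-network IdP
# holding attributes for one subscriber, plus that subscriber's consent
# policy stating which attributes each relying party may receive.
IDP_ID = "idp.home-network.example"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # pre-shared with the RP

ATTRIBUTES = {
    "alice": {
        "display_name": "Alice Example",
        "email": "alice@example.net",
        "phone": "+1-555-0100",          # PII: released only with consent
        "subscription_tier": "premium",
    }
}

# Consent policy: subject -> relying party -> attributes the user allows.
CONSENT = {
    "alice": {
        "iptv.visited-network.example": {"display_name", "subscription_tier"},
        "social.partner.example": {"display_name", "email"},
    }
}

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def _canonical(claims):
    """Serialize claims deterministically so the signature is reproducible."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign(claims, key=SHARED_KEY):
    """HMAC-SHA256 over the canonical claims (stand-in for a SAML/JWT signature)."""
    return hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()


def issue_assertion(subject, audience, requested, now=None):
    """IdP side: release only the attributes the subject consented to for this
    audience, then sign. Returns (assertion, withheld), where withheld lists the
    requested attributes the policy refused."""
    now = int(time.time()) if now is None else now
    if subject not in ATTRIBUTES:
        raise KeyError("unknown subject")
    allowed = CONSENT.get(subject, {}).get(audience, set())
    released = {a: ATTRIBUTES[subject][a] for a in requested
                if a in allowed and a in ATTRIBUTES[subject]}
    withheld = sorted(a for a in requested if a not in released)
    claims = {
        "iss": IDP_ID,            # issuing identity provider
        "sub": subject,           # identifier of the subscriber
        "aud": audience,          # relying party this assertion is bound to
        "iat": now,
        "exp": now + ASSERTION_LIFETIME,
        "attrs": released,        # consented attributes only
    }
    return {"claims": claims, "sig": sign(claims)}, withheld


def verify_assertion(assertion, expected_audience, now=None, key=SHARED_KEY):
    """RP side: check signature, issuer, audience binding and validity window
    before trusting any attribute. Returns the claims on success."""
    now = int(time.time()) if now is None else now
    claims = assertion["claims"]
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(sign(claims, key), assertion["sig"]):
        raise ValueError("bad signature")
    if claims.get("iss") != IDP_ID:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("assertion not intended for this relying party")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("assertion expired or not yet valid")
    return claims


def accepted(assertion, expected_audience, now=None):
    """Boolean convenience wrapper around verify_assertion."""
    try:
        verify_assertion(assertion, expected_audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000   # fixed clock so the run is reproducible
    rp = "iptv.visited-network.example"
    a, withheld = issue_assertion("alice", rp, ["display_name", "phone", "subscription_tier"], now=t0)
    print("released:", a["claims"]["attrs"], "withheld:", withheld)
    print("accepted by intended RP:", accepted(a, rp, now=t0 + 10))
    print("accepted by other RP:", accepted(a, "social.partner.example", now=t0 + 10))
```

The consent policy is enforced at issuance, so the relying party never receives the withheld PII and has nothing to leak or misuse; the audience binding and expiry mean an assertion captured from one partner cannot be replayed to another or kept indefinitely. A production federation would use asymmetric signatures and published metadata instead of a pre-shared key, but the checks the RP performs are the same.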
Government Motivations
• Infrastructure Protection (i.e., against cyber threats)
• Protection of Global Interests (e.g., business and commerce)
• Provide assurance capabilities (e.g., trusted assertions about digital identities [credentials, identifiers, attributes and reputations]) to enable
  – National Security/Emergency Preparedness (NS/EP)
  – Early Warning Services
  – Electronic Government (eGovernment) Services (e.g., web-based transactions)
  – Public Safety Services (e.g., Emergency 911 services)
  – Law Enforcement Services (e.g., Lawful Interceptions)
  – National/Homeland Security
  – Intelligence Services
ATIS PTSC IdM Documents
Document: ATIS NGN IdM Framework Standard [PTSC Issue S0058]
  Scope: Framework for NGN IdM
  Issue Description:
    – Framework for handling identities in a secured and authenticated manner in a multi-network, multiple service provider environment
  Target Date: Published as ATIS-1000035.2009

Document: ATIS IdM Requirements and Use Cases [PTSC Issue S0059]
  Scope: IdM Use Case examples for NGN
  Issue Description:
    – Develop Use Cases illustrating IdM applications in a multi-network, multiple service provider environment defined by the ATIS NGN architecture
    – Requirements for handling identities in a secured and authenticated manner in a multi-network, multiple service provider environment
    – Harmonized approach to address IdM issues in the ATIS NGN architecture
  Target Date: Published as ATIS-1000044.2011

Document: ATIS IdM Mechanisms Standard [PTSC Issue S0060]
  Scope: NGN IdM Mechanisms and Procedures
  Issue Description:
    – Develop IdM mechanisms (e.g., registration, authorization, authentication, attribute sharing, discovery) to be used in a harmonized approach for the ATIS NGN architecture
  Target Date: Published as ATIS-1000045.2012
Note: parallel documents exist in ITU-T SG13, Q15