Entities and Entitlement – The Bigger Picture of Identity Management

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives. And in the third video we described how “Trust and Privacy” interact to provide a trusted privacy-enhanced identity ecosystem.

In this fourth “Entities and Entitlement” video, we explain the bigger picture – why identity is not just about people. It’s about all things – we call them “entities” – that we want to identify in our digital world. Also, an identity ecosystem doesn’t stop at just “identity,” but additionally involves “entitlement” to access resources.

In our identity ecosystem, we define five types of “entity” that require digital identity: people, devices, organizations, code and agents. For example, a laptop is a device that needs identity. Potentially this device is a company-owned laptop and, therefore, will have a “corporate laptop” persona involving an organization identity. The laptop is running code (we include data in this term), and this code needs to be trusted, therefore, necessitating both identity and attributes. Finally there are agents – someone or something you give authority to act on your behalf. For example, you may give your personal assistant the authority to use specified attributes of your business credit card and frequent flyer personas to book your travel, but your assistant would use their identity.

Identity needs to encompass all these entities to ensure a trusted transaction chain.

All entities having their identity defined using interoperable identifiers allows for rich risk-based decisions to be made. This is “entitlement” – a set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose. The level of access is conditioned not only by your identity but is also likely to be constrained by a number of further security considerations. For example your company policy, your location (i.e., are you inside your secure corporate environment, connected via a hotspot or from an Internet café, etc.) or time of day.

In the final (fifth) video, which will be released next Tuesday, August 14, we will examine how this all fits together into a global Identity ecosystem and the key challenges that need to be solved in order to realize it.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

1 Comment

Filed under Identity Management

One response to “Entities and Entitlement – The Bigger Picture of Identity Management

  1. Pingback: de-perimeterisation