Tag Archives: Entitlement & Access commandments

Entities and Entitlement – The Bigger Picture of Identity Management

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives. And in the third video we described how “Trust and Privacy” interact to provide a trusted privacy-enhanced identity ecosystem.

In this fourth “Entities and Entitlement” video, we explain the bigger picture – why identity is not just about people. It’s about all things – we call them “entities” – that we want to identify in our digital world. Also, an identity ecosystem doesn’t stop at just “identity,” but additionally involves “entitlement” to access resources.

In our identity ecosystem, we define five types of “entity” that require digital identity: people, devices, organizations, code and agents. For example, a laptop is a device that needs identity. Potentially this device is a company-owned laptop and, therefore, will have a “corporate laptop” persona involving an organization identity. The laptop is running code (we include data in this term), and this code needs to be trusted, therefore, necessitating both identity and attributes. Finally there are agents – someone or something you give authority to act on your behalf. For example, you may give your personal assistant the authority to use specified attributes of your business credit card and frequent flyer personas to book your travel, but your assistant would use their identity.

Identity needs to encompass all these entities to ensure a trusted transaction chain.

All entities having their identity defined using interoperable identifiers allows for rich risk-based decisions to be made. This is “entitlement” – a set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose. The level of access is conditioned not only by your identity but is also likely to be constrained by a number of further security considerations. For example your company policy, your location (i.e., are you inside your secure corporate environment, connected via a hotspot or from an Internet café, etc.) or time of day.

In the final (fifth) video, which will be released next Tuesday, August 14, we will examine how this all fits together into a global Identity ecosystem and the key challenges that need to be solved in order to realize it.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

1 Comment

Filed under Identity Management

Trust and Privacy – In an Identity Management Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable (i.e. enduring and unchangeable), and how we can create digital personas –as many as we like – to mirror the way we use personas in our daily lives.

This third video explains how trust and privacy interact to provide a trusted privacy-enhanced identity ecosystem:

Each persona requires only the personal information (attributes) it needs it assert what a relying party needs to know, and no more.  For example, your “eGovernment citizen” persona would link your core identifier to your national government confirmation that you are a citizen, so if this persona is hacked, then only the attribute information of you being a citizen would be exposed and nothing else.  No other attributes about you would be revealed, thereby protecting all your other identity information and your privacy.

This is a fundamental difference to having an identity provider that maintains a super-store containing all your attributes, which would all be exposed if it was successfully hacked, or possibly mis-used under some future change-of-use marketing or government regulatory power. Remember, too, that once you give someone else, including identity providers, personal information, then you‘ve given up your control over how well it’s maintained/updated and used in the future.

If a relying party needs a higher level of trust before accepting that the digital you is really you, then you can create a new persona with additional attributes that will provide the required level of trust, or you can supply several of your personas (e.g., your address persona, your credit card persona and your online purchasing account persona), which together provide the relying party with the level of trust they need. A good example of this is buying a high-value item to be delivered to your door. Again, you only have to reveal information about you that the relying party requires.  This minimizes the exposure of your identity attributes and anyone’s ability to aggregate identity information about you.

In the next (fourth) video, which will be released next Tuesday, August 7, we will look at the bigger picture to understand why the identity ecosystem needs to be about more than just people.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management

Real-world and Online Personas – From an Identity Management Perspective

By Jim Hietala and Ian Dobson, The Open Group

In the first of the five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas that should be under our control using the principle of primacy, i.e., giving you the ability to control the information about your own identity. You may, of course, decide to pass that control on to some other identity management party.

In this second “Operating with Personas” video, we explain how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable, enduring and unchangeable.

We then describe how we need to create digital personas to mirror the way we use personas in our daily lives – at work, at home, handling our bank accounts, with the tax authority, at the golf club, etc. We can create as many digital personas for ourselves as we wish and can also create new personas from existing ones. We explain the importance of the resulting identity tree, which only works one-way; to protect privacy, we can never go back up the tree to find out about other personas created from the core identifier, especially not the real-world core identity itself. Have a look for yourself:

As you can see, the trust that a relying party has in a persona is a combination of the trust in its derivation from an immutable and secret core identifier – its binding to a trusted organizational identifier, and its attribute information provided by the relevant trusted attribute provider.

In the next (third) video, which will be released next Tuesday, July 31, we will see how trust and persona interact to provide a privacy-enhanced identity ecosystem.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management

Understanding the Importance of Identity

By Jim Hietala and Ian Dobson, The Open Group

In May 2011, the Jericho Forum, a forum of The Open Group, published its Identity, Entitlement & Access (IdEA) commandments, which specified 14 design principles that are essential for identity management solutions to assure globally interoperable trusted identities in cyberspace. These IdEA commandments are aimed at IT architects and designers of both Identity Management and Access Management systems, but the  importance of “identity” extends to everyone – eBusiness managers, eCommerce operations, and individual eConsumers. In order to safeguard our ability to control and manage our own identity and privacy in online activities, we need every online user to support creating an Identity Ecosystem that satisfies these IdEA commandments.

We’re proud to announce that the Jericho Forum has created a series of five “Identity Key Concepts” videos to explain the key concepts that we should all understand on the topics of identity, entitlement, and access management in cartoon-style plain language.

The first installment in the series, Identity First Principles, available here and below, starts the discussion of how we identify ourselves. The video describes some fundamental concepts in identity, including core identity, identity attributes, personas, root identity, trust, attribute aggregation and primacy. These can be complex concepts for non-identity experts However, the cartoons describe the concepts in an approachable and easy-to-understand manner.

The remaining videos in the series cover the following concepts:

  • Video 2 – Operating with Personas
  • Video 3 – Trust and Privacy
  • Video 4 – The Bigger Picture, Entities and Entitlements
  • Video 5 – Building a Global Ecosystem

These identity cartoon videos will be published on successive Tuesdays over the next five weeks, so be sure to come back next Tuesday!

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

1 Comment

Filed under Identity Management