Identity Management and Authorization

A step up from using groups, role-based access control enables privileges to be assigned to institutional roles assigned to individuals. Even though this is the brass ring of access control, leading an initiative to define the policy and process guiding this infrastructure is daunting. Questions arise, such as who should be represented in the roles system? You may find you have more than one organizational chart, so which one do you use? Who should decide the roles structure and make the policy decisions? For which resources will you be assigning privileges? And will you list all the roles and their access rights or have the supervisors/area managers assign rights given a set of boundaries? The outcome of the former could be a list of exceptions, and the outcome of the latter could be a pattern that leads to a set of defaults, clustering around the distinct roles. But there is no one way. This panel will explore this complex issue and provide a number of perspectives on how to plan for such an effort.

A level of assurance (LoA) refers to the degree of certainty that (1) a resource owner has that a person's physical self has been adequately verified before credentials are issued by a registration authority, and (2) a user indeed owns the credentials they are subsequently presenting to access the resource. The requirements for the level of certainty at both ends of that set of transactions should be driven by a risk assessment based on the value of the resources being protected. This session will describe the concept of LoA, discuss its importance, outline its technical components, and discuss the proposition that roles of the identity management and security staff are critical for a successful implementation of LoA.

Provisioning access is an IAM function, and deprovisioning that access is a security objective. How might these combined objectives be met with common process, and what sorts of access should be managed by it? Data, applications, networked services, and physical facilities all have particular provisioning and deprovisioning needs. Campus cards, for instance, mitigate risk only when the access information associated with them is current. When a card's rights get out of sync with its bearer's status, the card itself becomes a risk. Addressing this issue, given all the authorization and access points, can be a challenge unless they are tied into the enterprise identity management system.

Incident-response processes and tools are, by-and-large, designed to guide reaction to situations within an organization and are geared toward incidents involving local users and systems. With federated identity, we're now expanding this and entering into agreements and relationships that enable an extended community to access our services and our campus constituents to use off-site services in an authenticated and authorized fashion. In this new context, how do you respond when someone from a collaborating organization is hacking your systems? This session will discuss the challenges in the policy, practice, and technology of addressing incident response and mitigation in a federated world.

Unsure how all the parts of an identity management system fit together and would like to know more? This non-technical, preworkshop seminar offers a functional model of the campus infrastructure and provide attendees a chance to view it through the technology, policy, and business process lenses. Topics covered include technology model, lifecycle of identity, and policy frameworks and governance.

How can IAM be helpful in managing network intrusion and access? A researcher wants to show a national grid-enabled resource to her class, but can’t access it because she’s in a classroom and, by policy, unable to get through the firewall. She then clicks on her research icon, authenticates and, because of her researcher status, accesses the research van that is enabled to use the appropriate ports. Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes? Focusing in on wireless access specifically, can IAM can help correlate identity to an endpoint device by combining network registration and personal identification? This session will explore these questions and how one can identify the person behind the device or address.

This presentation will detail a five-phase deployment strategy for IAM, identity and access management. IAM provides a number of capabilities, including authentication management, authorization management, user administration, resource provisioning, auditing, and reporting to create a comprehensive and efficient approach to managing identities in a heterogeneous environment.

This is the final report for the 2007 NSF Cybersecurity Summit, held February 22 & 23rd, 2007, in Arlington, VA.

This presentation details a five-phase deployment strategy for identity and access management (IAM). IAM provides a number of capabilities, including authentication management, authorization management, user administration, resource provisioning, auditing, and reporting to create a comprehensive and efficient approach to managing identities in a heterogeneous environment.

The University of Washington faces a set of identity and access management challenges shared by many universities. The problems are numerous and familiar. To overcome these challenges, UW has implemented some novel solutions in pursuit of a vision of fully integrated authorization and identity management across the enterprise.