
c0e0a23ef43881787c2bf7c11edc4a70.ppt
- Number of slides: 11
Slide 1: Identity & Access Management
Presenter: Mike Davis, Mike.davis@va.gov, (760) 632-0294
January 09, 2007
HEALTH INFORMATION
Slide 2: Definitions
• IdM: Identity management (IdM) is comprised of the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities within a legal and policy context. - Burton Group, 2003
• IAM: Identity and access management (IAM) is comprised of the set of services to include authentication, user provisioning (UP), password management, role matrix management, enterprise single sign-on, enterprise access management, federation, virtual and metadirectory services, and auditing. - Gartner
Slide 3: More Definitions
• Provisioning: Provisioning of user access control credentials refers to the creation, maintenance, correlation, synchronization and deactivation of user-objects and user-attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes. Provisioning software may include one or more of the following processes: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. Provisioning is typically a subsystem or function of an identity management system that is particularly useful within organizations where users may be represented by multiple user objects on multiple systems. - EDE IPT
• The process of managing attributes and accounts within the scope of a defined business process or interaction. Provisioning an account or service may involve the creation, modification, deletion, suspension, or restoration of a defined set of accounts or attributes. - OASIS SPML
Slide 4: Yet More Definitions
• Single Sign-on (SSO): Any user authentication system permitting users to access multiple data sources through a single point of entry. Part of an integrated access management framework.
• At present, there is no "universal" definition of SSO, no agreement on whether it is really possible and no understanding of what is considered true SSO. - Pistolstar
Slide 5: Identity Mgt Attributes (1 of 2)
Slide 6: More Identity Mgt Attributes (2 of 2)
Slide 7: Access Mgt Attributes
Sources: OneVA Identity Management IPT, December 19, 2005; OneVA Enterprise Identity Management White Paper, v1.3, October 12, 2006
Slide 8: Authentication Services
• Centralized authentication services reduce complexity
– PIV (HSPD-12, NIST FIPS PUB 201)
– MS NAS (AD Kerberos)
• Applications should accept a trusted third-party credential; applications do not authenticate users directly
– Kerberos, X.509, SAML
– CCOW
– Security token services (STS)
• SSO is intrinsic
– SSO is now expected
– SSO is now technically feasible
Slide 9: WS-Trust scenario
• A client sends a SOAP message (Request) to a SOAP-based application server.
• The original client request is intercepted at a SOAP gateway and redirected (based on policy) to the IP/STS.
• The SOAP gateway and STS use WS-Trust messages to enable interoperable processing of the more fundamental WS-Security protected SOAP message sent between the client and the service.
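The gateway/STS exchange above, together with the previous slide's point that applications accept a trusted third-party credential rather than authenticating users themselves, as an added example that is not from the original deck or from VA: a simplified Python model in which the gateway consults policy, asks the STS for a token (the RST/RSTR pair), and the service verifies only the STS signature, audience and expiry. The HMAC shared key, the policy table and the endpoint paths are constructed assumptions standing in for real WS-Trust XML and SAML/X.509 tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the IP/STS and the application service
# (assumption: a symmetric key models the trust relationship; a real STS
# would issue SAML or X.509-based tokens).
STS_KEY = b"constructed-sts-service-shared-key"

# Hypothetical gateway policy: which SOAP endpoints require an STS-issued token.
GATEWAY_POLICY = {"/ehr/patient": "token-from-sts"}


def sts_issue_token(rst):
    """IP/STS side: answer a RequestSecurityToken (RST) with a
    RequestSecurityTokenResponse (RSTR) carrying a signed, scoped token."""
    claims = {"subject": rst["subject"], "applies_to": rst["applies_to"],
              "issued": rst["now"], "expires": rst["now"] + 300}
    body = base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"RequestedSecurityToken": body + "." + sig}


def service_verify(msg, now):
    """Application side: trust the STS, verify the token, never check a password."""
    body, _, sig = msg["security_token"].rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return {"fault": "token signature invalid"}
    claims = json.loads(base64.b64decode(body))
    if claims["applies_to"] != msg["path"]:
        return {"fault": "token not scoped to this service"}
    if claims["expires"] <= now:
        return {"fault": "token expired"}
    return {"ok": True, "subject": claims["subject"]}


def gateway_handle(request, now=None):
    """SOAP gateway: intercept the client request, consult policy, obtain a
    token from the STS via WS-Trust, then forward the request with the token
    attached to the service."""
    now = int(time.time()) if now is None else now
    if GATEWAY_POLICY.get(request["path"]) != "token-from-sts":
        return {"fault": "no gateway policy for " + request["path"]}
    rst = {"subject": request["client"], "applies_to": request["path"], "now": now}
    rstr = sts_issue_token(rst)
    forwarded = dict(request, security_token=rstr["RequestedSecurityToken"])
    return service_verify(forwarded, now)
```

The service rejects a token whose audience is a different endpoint or whose signature has been altered, which is the property that lets it skip direct user authentication.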
Slide 10: IdM...Whose Identity Is It?
• VHA Problem Statement: How does the security IdM portion of IAM fit with the traditional ownership of IdM, which is controlled by administrative, demographic, payroll and HR functions?
• Solution: Standards are needed for both IdM and IAM: consistent vocabularies, and clear differentiation of role and ownership of identity data used for different purposes. The Oracle Identity Governance Framework is setting the initial definitions in this area prior to vetting in a standards organization (TBD).
• Identity Governance Framework: http://www.oracle.com/technology/tech/standards/idm/igf/index.html
Slide 11: IAM Technology Viewpoint
Assertions
• IAM (PIV) transforms future SOA security infrastructures
• Centralization reduces the complexity of authn/authz administration
• Web Services provide the key underlying standards/technology
• Application security (end-to-end) replaces the castle-and-moat paradigm
• SSO is assumed/expected
Obstacles
• Lack of a consistent approach (different goals, views, vendors)
• Immature/incomplete industry technology; few solutions
• Developer experience/confidence in solutions...resistance to change
Implications
• Projects will use existing/closed solutions to avoid risk
• Projects will not be able to adapt to the coming centralized infrastructure
• Project schedules will limit time to innovate in security
• Security will continue to lag
Advice
Implement/innovate/adopt:
• SOA architecture
• CCOW, Kerberos SSO/TTP authn
• HL7 RBAC / OASIS XACML
• Implement Web Services
• Manage globally, enforce locally
• Pilot a SOA security application