Identity Management Business Scenario. 23 January 2002

1 Identity Management Business Scenario 23 January 2002

2 Session Agenda
  Overview of the workshop and scenario
  to be followed by
  Issues from today's presentations
  Group Discussion

3 This Presentation
  Overview of Business Scenarios
  The Workshop
  The Draft Scenario
  Next Steps
  Issues and Discussion

4 Business Scenarios
  Semi-formal technique for exploring requirements and developing architectures
  Part of The Open Group Architectural Framework (TOGAF)
  Used by the DIF to explore the directory requirements space
    The Directory-Enabled Enterprise
    Directory in the Key Management Infrastructure
    The Executive on the Move (Mobile and Directory)

5 7 Steps to Building a Business Scenario
  1 - problem
  2 - environment
  3 - objectives
  4 - human actors
  5 - computer actors
  6 - roles & responsibilities
  7 - refine
  After completion the scenario is the basis and yardstick of The Open Group's work (e.g. brands), of customers' planning/procurement, and of vendors' implementation plans

6 The Workshop
  First pass through steps 1-6 by a small group of problem owners
  Held on 18 December 2001 in Reading, UK, hosted by The Open Group's UK Regional Chapter
  Participation from
    CGNU (UK-based provider of insurance and other financial services)
    HP Labs
    UK government Department for Work and Pensions

7 The Draft Scenario

8 What is Identity?
  There are differing views of what identity is:
    Is it more than just a name - what makes a thing different from everything else?
    Can a person have different identities when working with different systems?
    Can a person have different identities in different roles?
    Are we just concerned with people, or do computers, buildings, etc. have identities too?

9 Aims of Identity Management
  Aims for the community
    six aims were stated in the workshop
  Aims for the individual
    not discussed in the workshop - but important

10 Organizations' Aims for Identity Management
  Organizational efficiency - enable transactions and person-to-person communication
  Security - enable authorized access and prevent unauthorized access to information and services
  Speed of reaction to change - mergers, reorganizations, departmental moves
  Fraud prevention - hard to quantify, but can clearly provide major savings
  Consistent treatment of the individual - end-to-end management of employees; Single View of the Customer; Joined-Up Government
  Integrated Information Infrastructure - enable a move away from Information Silos and IT-Processing Chimneys

11 Business Environment
  (diagram of the people and organizations in the environment, labelled with their roles: Employee, Salesman; Supplier; Taxpayer; Owner; Taxpayer, Mayor; Customer; Employee, Apprentice)

12 Business Processes - Person
  Join Community
  Acquire Role
  Act in Role
  Give up Role
  Leave Community

13 Business Processes - Community
  Form
  Act
  Merge
  Split
  Dissolve

14 Technical Environment
  (diagram of the technical environment, centred on The Internet)

15 Technical Processes (1)
  Create identity
  Update identity information
    selective control over who (or what) can update what information
    updates must propagate through the distributed store
  Maintain identity information stores
    design and create
    keep secure
    maintain consistency of distributed stores
    split and merge stores to reflect organizational changes

16 Technical Processes (2)
  Obtain identity information
    selective control over who can access what information
    controlled access by individuals and by communities
  Apply information access control for update and access
  Destroy identity
    archive information
    is an identity ever completely destroyed?

17 Human Actors
  Not specifically discussed in the Workshop
  Should include
    people with identities
    people that control identity information (HR, security teams)
    information system managers
    tool and application developers

18 Computer Actors
  secure id devices
  enterprise computers
  directories
  client computers
  dumb terminals

19 SMART Objectives
  Objectives for the community
    eight objectives were put forward in the workshop for achievement by organizations in 2002/2003
  Objectives for the individual
    not discussed in the workshop - but important

20 Objectives for the Organization (1)
  Enable someone to find information about an individual (e.g. telephone number) within 1 minute
    given sufficient information to distinguish the individual - a name may or may not be enough
    assuming they are authorized to see the information
  Deploy directory services to enable identity management
    internal-facing directories
    external-facing directories
    synchronization tool (e.g. metadirectory)
    application interface for developers
    white and yellow pages with a web interface

21 Objectives for the Organization (2)
  Have 100% directory data consistency between a select subset of legacy systems and all new systems, with a change propagation time of less than a minute
  Be able to instantiate a new identity in less than 20 minutes, including identification but not procurement of the equipment and applications needed to support the individual
  Be able to set up a workstation for a registered peripatetic user within 1 minute (except where lengthy software downloads are required) without administrator intervention

22 Objectives for the Organization (3)
  Implement single-owner management of e-clients
    a change made once (on-line) propagates to all back-end systems
    issues are organizational and to do with integration of legacy systems
  Implement a single sign-on authentication system for the web and internal systems, as part of a co-ordinated management system that adheres to a specific security policy and architecture
  Save millions by reducing fraud

23 Requirements (1)
  Privacy. A person may want to restrict particular information to a particular community - for example, may not want work colleagues to know details from personal life. But the individual's wishes are not always paramount.
  Ease of management - individual. It should be easy for a person to manage his or her identities. The right thing should happen without them having to worry about it.
  Ease of management - community. It should be easy for an organization to manage its members' identities. Information should automatically propagate where needed.

24 Requirements (2)
  Separation of roles. For example, when an insurance company employee buys insurance from the company, his roles as employee and customer must be kept separate. In some cases, it may be a requirement that different roles are filled by different people.
  Self-service. As far as possible, individuals should be able to update their own identity information.
  Legacy Systems. An identity management solution should cater for legacy equipment and applications.
  Comply with Legislation. Legislation such as the UK Data Protection Act covers (amongst other things) storage of information about individuals by organizations. This legislation differs from one country to another. Money laundering legislation may require tracking of identity information.

25 Requirements (3)
  Prevent Identity Theft. The process by which a criminal knowing a small amount of information about an individual can claim the individual's identity and falsely obtain information or services.
  Ease of use. Information access should be efficient. A person should not have to give the same information several times, and should not have to remember multiple passwords.
  Location dependence. A person's rights may depend on their location as well as on their identity. For example, access to some systems may be allowed only to people physically in a particular building.
  Location transparency. Ability to move from location to location and have your environment move with you.
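As an added illustration that is not part of the workshop slides, the following constructed Python policy check shows how the Separation of roles requirement (slide 24) and the Location dependence requirement (slide 25) can be expressed in one authorization decision; the role names, actions, person names and building names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# An identity is a (person, role) pair, so one person can hold several
# identities, as with the scenario's employee who is also a customer.
@dataclass(frozen=True)
class Identity:
    person: str
    role: str            # assumed role names: "employee" or "customer"

@dataclass(frozen=True)
class Request:
    actor: Identity
    action: str          # assumed actions: "approve_claim", "read_record"
    subject_person: str  # whose customer record the action concerns
    location: str        # where the actor physically is, e.g. "hq-building"

# Constructed policy: which roles may perform which actions, and which
# actions are permitted only from inside particular buildings.
ROLE_PERMISSIONS = {
    "employee": {"approve_claim", "read_record"},
    "customer": {"read_record"},
}
LOCATION_RESTRICTED = {"approve_claim": {"hq-building"}}

def authorize(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request, checking in order:
    role permission, separation of roles, and location dependence."""
    if req.action not in ROLE_PERMISSIONS.get(req.actor.role, set()):
        return False, f"role {req.actor.role!r} may not {req.action}"
    # Separation of roles: the employee identity must never be used to act
    # on the record the same person holds in the customer role.
    if req.actor.role == "employee" and req.subject_person == req.actor.person:
        return False, "separation of roles: employee cannot act on own customer record"
    # A customer identity may only touch that customer's own record.
    if req.actor.role == "customer" and req.subject_person != req.actor.person:
        return False, "customer may only access own record"
    # Location dependence: some actions are allowed only from named buildings.
    allowed_sites = LOCATION_RESTRICTED.get(req.action)
    if allowed_sites is not None and req.location not in allowed_sites:
        return False, f"{req.action} not permitted from {req.location!r}"
    return True, "ok"
```

Each deny carries a reason string so that the decision can be written to the audit trail that slide 26 calls for.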

26 Requirements (4)
  Consistency of Information. Consistent information should be available in different locations.
  Security. Maintain security of community identity stores, and of the clients that access them.
  Auditability. It must be possible to follow an audit trail in case of breaches of security or questioned assertions of identity.

27 Possible Architecture
  (diagram of the candidate components)
  management processes
  business applications
  identity applications
  directories
  global sign-on
  personal identifiers
  application generators
  identity management tools
  security infrastructure (e.g. PKI)

28 Next Steps
  Discussion and further input (here)
  New draft to be reviewed by contributing forums
  Final document once review is complete

29 Issues and Discussion?

30 Identity Management Business Scenario Thank You!