Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Monday, September 10, 2007

Liberty Alliance - a New Identity Assurance Initiative

On Sunday, 9 September, Liberty Alliance announced the creation of a new Identity Assurance initiative:

“Liberty Alliance, the global identity consortium working to build a more trusted Internet for consumers, governments and businesses worldwide, today announced it has formed a new expert group to deliver the Liberty Trust Framework, an organizational framework designed to fill industry requirements for standardized identity assurance criteria for use in a broad range of federation scenarios. Liberty’s Identity Assurance Expert Group (IAEG) was established by the recent merge of the Electronic Authentication Partnership (EAP) into Liberty Alliance, and consists of representatives from the worldwide financial services, government, healthcare and service provider sectors working collaboratively to release the Liberty Trust Framework for public review and input later this year. The Liberty Trust Framework will remove a major barrier to global inter-federation deployments: the complexity of assessing the level of identity assurance among all organizations participating in federated relationships. Currently, different federations have varying policies and processes governing identity operations, the interpretation of which adds to the cost and complexity of deploying assured identity services. …”

Hopefully this initiative will help to define comprehensive requirements and criteria for “Identity Assurance” in Federated Identity Management contexts.

A few colleagues of mine and I recently wrote an HP Labs Technical Report on a related topic, called “On Identity Assurance in the Presence of Federated Identity Management Systems”.

In our view, Identity Assurance must be concerned with the proper management of the risks associated with identity management. In an enterprise context, “processes” define how identity information has to be managed; identity management technologies ease the burden of dealing with these processes by automating some of the related operational aspects. However, it is of paramount importance to ensure that these processes are well controlled, and therefore that risk is controlled – hence the need for identity assurance. Prior to defining an identity assurance framework, a risk analysis needs to be carried out that identifies the identity assets (e.g. user accounts, user profiles, user rights, etc.), the impact of a loss of confidentiality, availability or integrity of each of them, and the threats that could lead to such losses. From an understanding of these risks, an enterprise can decide on the control objectives (strategies for mitigating risks) it needs and ultimately design the controls that must operate to achieve those objectives. Typically, controls will be additional stages in management processes designed to mitigate risks (e.g. an approval step), although they may also be technological mechanisms.

The interesting challenge is how to enable Identity Assurance in a federated identity management context, where multiple organisations need to collaborate and share information to achieve it. In our paper we suggested a potential approach to move forward …
