Chapter 3 Identity Management

"The increasingly distributed nature of corpo-rate networks, the proliferation of web-basedapplications, increased security awareness, andgovernment regulations such as Sarbanes-Oxley and HIPAA have contributed to makingidentity management a necessity for virtuallyevery business."-Roberta Witty, Research Director, Gartner, Inc.

Identity management is one of the three key securityareas in which HP is innovating. Within the HPsecurity framework, identity management provides aset of processes and tools that allow administratorsto manage large populations of users, applications,and systems quickly and easily. In addition, businesspolicies, regulatory compliance, and risk factorsshape the policies and practices that direct identitymanagement.

This chapter begins by providing the definition andpurpose of identity management. Next, it presentsthe identity management components, and key ele-ments of identity management solutions. The finalsection of the chapter discusses the specific identitymanagement capabilities that HP delivers.

1. DefinitionIdentity management is the set of principles,processes, tools, and social contracts surroundingthe creation, maintenance, and use of digital identi-ties for people, systems, devices and services. Itenables secure access to a set of systems and appli-cations. Identity management solutions and infra-structures include data repositories, security services,lifecycle management services, consumable value,and management components. Identity managementhas strong links to security, trust, and privacy man-agement. It also delivers components of risk man-agement.

Traditionally, identity management has been a corecomponent of system security environments. It is usedfor maintaining account information and controllingaccess to a system or limited set of applications.Control is usually the primary focus of identity man-agement. For example, an administrator issuesaccounts to restrict and monitor access to resources.More recently, however, identity management hasalso become a key enabler of electronic business.

2. PurposeIdentity management combines processes and tech-nologies to secure and manage access to an orga-nization's resources and assets. In addition, it identi-fies every user (even anonymous ones), application,service or device throughout and across organiza-tions, and over time. Identity management providesflexible authentication, access control, and auditingwhile respecting privacy and regulatory controls.Identity management systems are fundamental toestablishing accountability in business relationships,customizing the user experience, protecting privacy,and adhering to regulations.

The following list provides examples of the primarygoals that drive organizations to implement identitymanagement solutions:

• Reduce total cost of ownership (TCO) for all sys-tems, including the costs of administration, helpdesk, and technical support• Reduce management overhead• Provide competitive advantage by enablingautomation and streamlining optimization of busi-ness processes• Improve customer and employee service• Support the maintenance, the control and confi-dentiality of customer, supplier, and employee data• Reduce the time for employees, partners, cus-tomers, services, devices and others (e.g. contingentand emergency workers) to gain access to requiredorganizational resources• Reduce the risk of using incorrect information forbusiness processes• Reduce the risk of employees, partners, customers,services, devices and others retaining access toorganizational resources after their relationship withthe organization has changed (e.g. promotion of anemployee) or ended (customer ends service contract)• Support legal and compliance initiatives related toemployee and customer data, for example, theHealth Insurance Portability and Accountability Act(HIPAA), Sarbanes-Oxley, the EU Directive on DataProtection, the Basel II Accord, and the CanadianPrivacy Act

In short, the purpose of identity management is toprovide organizations the following key benefits:

• Enhanced enterprise agility and productivity• Improved end-user convenience• Increased IT management efficiency, including costreduction• Effective regulatory compliance

ProactiveSecurityM

anagement

Governance and Compliance

Business Objectives

RegulatoryCompliance

Consumables Management Policies

Data Repository Security Lifecycle

Identity Management

Trusted Infrastructure

OperationalRisk

IdentityM

anagement

Figure 3-1Identity management

"Organizations areusing identity and

accessmanagement to

reduceadministrative costs,

increase user productivity,

tighten security andmake systems com-pliant with policiesand regulations."

-Carol Baroudi,Aberdeen Group,

"Identity and AccessManagement"

Report, March 2007

3-1

3. What is a Digital Identity?Identity is a complicated concept with many nuancesthat range from the philosophical to the practical. Inthe context of identity management, however, theidentity of an individual is the set of informationknown about that person. In the digital world, a per-son's identity is typically referred to as a digital iden-tity. Different contexts, roles, affiliations, and applica-tion environments can require different levels ofassurance and digital identities. Therefore, a personcan have multiple digital identities. These potentialmultiple identities are often referred to as personali-ties, profiles, guises, avatars and other similar terms.

Although digital identities are predominantly associ-ated with humans, they are increasingly being asso-ciated with non-human entities (services, systems, anddevices) that could act on behalf of people. Specificexamples include trusted platforms, next-generationmobile phones, identity-capable platforms and DigitalRights Management (DRM)-based devices.

Figure 3-2 illustrates the content of a digital identity.Identity consists of a person's unique profile data,identifier data, and authentication and authorizationdata. Each content piece can be linked to differentcontexts (company, web, and application) and theperson's role in that context. For example, a person’sidentity can be made up of a set of names, address-es, driver’s licenses, passports, field of employment,etc. This information can be used for identification,authentication and authorization purposes, for exam-ple:

• A name can be used as an identifier - it allows usto refer to the identity without enumerating all of theitems.

• A passport which can be used as an authenticator - they are issued by a relevant authority and allow us determine the legitimacy of someone’s claim to theidentity.

In different contexts, different unique identifiers canbe used. For example, in the above example thedriving license could be a relevant unique identifierfor interacting with the Department of Motor Vehicles;and name-surname-address is the unique identifierfor the post office or a delivery service, and so on. Itis also important to consider the information andpotential identifiers that can be derived or aggregat-ed from such data. For example, in many countries adriver’s license, while functioning as a privilege, mayalso contain other information such as a name,address and a photo allowing it to serve as an iden-tifier or authenticator. This information can be used tolink to other systems, going well beyond the functionof proving the privilege to drive.

Often data associated with an identity is usedimproperly. For example, the use of a birth certificateas an authenticator represents a particularly poorchoice, for there is generally nothing about the birthcertificate that allows an individual to be correlatedto the claims on the certificate. A better choice wouldbe to use a passport holding an individual’s photoID, or a smart card storing an individual’s fingerprint,or better still, multiple authenticators at the same time.Ultimately each of these documents is derived from aninitial claim of identity which is often established bypresenting a birth certificate.

Figure 3-2Identity content

"Digital identity isone of the funda-mental building

blocks for the nextgeneration of infor-

mation systems."- Tony Scott,

CTO, GeneralMotors

3-2

Identity Managem

ent

This is especially important during the identity verifi-cation phase, where an organization first establishesa relationship with an employee, partner, customeror otherwise. This process is a critical step in ensur-ing that future actions and processes are maintainedto an acceptable level of protection.

A high value is placed on authenticators that havegone through a rigorous vetting process prior toissuance. For example, despite the intention, andgovernment guidance, not to use the U.S.Government’s Social Security Number (SSN) as aunique identifier for anything other than financialinstitutions, many organizations do so. Because ofthe ubiquitous and generally accepted use of thisidentifier, its value as a unique personal identifierhas decreased as identity thieves look to takeadvantage of that ubiquity. The value of an identifieris directly related to how it is connected to an indi-vidual; the stronger the linkage the more valuablethe identifier.

Metadata (information about data) qualify all iden-tity data, and an organization's policies for identity,authentication, authorization, and privacy protectiondefine the metadata requirements. Policies aredefined by an organization's IT and business deci-sion makers - they are aligned with corporate gov-ernance rules, regulatory restrictions, and contractualobligations specific to the organization's operatingenvironment.

Identity information and related policies can changeover time. This means that identity management notonly deals with static information but also copes withchanges to identity data. The same is true for secu-rity policy management.

Multiple views can exist on an entity’s identity infor-mation. Each view defines a digital identity that is

valid and appropriate based on the context or pur-pose. Using multiple views within and across multi-ple contexts enables interactions and transactions.Examples of different views and contexts are illus-trated in Figure 3-3.

Different stakeholders can disclose, access, and usedigital identities in one or more contexts, includingpersonal, social, e-commerce, enterprise, and gov-ernment. The process occurs through a variety ofmeans including personal appliances, enterprisesystems, and web services.

From an identity subject’s point of view, there aremultiple perceptions of their identity information:

• Me Me is the part of identity information that thesubject is aware of and directly controls. An exam-ple is personal address information stored andmaintained in an organization's white pages direc-tory. It can also include personal or private informa-tion - such as a credit card number or SSN - that anindividual carefully protects and reveals only in par-ticular circumstances.• Known Me is the part of identity informationthat the subject is aware of and indirectly controls.An example is an individual's revenue data andassociated tax levels that are stored in the taxdepartment's database. Even though an individualprovides the revenue data to the tax department, heor she doesn't have direct control of the content inthe database.• Unknown Me is the part of identity informationthat the subject is not aware of and cannot control.Other stakeholders, which may be known by thesubject, can control this information. Examplesinclude Certification Authorities (CAs), authorized e-commerce sites, Trusted Third Parties (TTPs), andunknown third parties (for example, credit ratingagencies and identity thieves).

3-3"Unknown Me"

Government Contexts

Personal Contexts

Social Contexts

E-CommerceContexts(identity view) Work

Contexts(Enterprise)

"Me Me"

"Known Me"

Other Contexts

Figure 3-3Identity views and contexts (Subject’s perspective)

Management Components

UserManagement

Consumable Value Components Single Sign-On Personalization Self-Service

Authentication Authorization Auditing

Directories Meta-directories Virtual Directories Databases

Provisioning LongevityLifecycleComponents

SecurityComponents

Data RepositoryComponents

AccessManagement

PrivacyManagement

FederationManagement

4. Identity ManagementComponentsIdentity management solutions are modular and com-posed of multiple service and system components. Thissection outlines the components of a typical identitymanagement solution, as illustrated in Figure 3-4.

Components of identity management solutions exist atdifferent maturity stages. Components like authentica-tion and directories are very mature and are consid-ered consolidated technologies.

Provisioning, authorization, federation and single sign-on (SSO) components are rapidly consolidating.Others, such as the privacy management component,are still in a definition and research stage.

4.1. Data Repository ComponentsIdentity repositories deal with the representation, stor-age, and management of identity and profiling infor-mation. They provide standard Application ProgramInterfaces (APIs) and protocols for information access.Data repositories are often implemented as aLightweight Directory Access Protocol (LDAP)-accessibledirectory, meta-directory, or virtual directory. Otherrepositories that are used in the context of identitymanagement solutions are databases and XML-for-matted files. Policy information, which governs accessto and use of information in the repository, is generallymanaged and stored in these repositories as well.

4.2. Security ComponentsAuthentication providers, sometimes referred to asidentity providers, are responsible for performing theprimary authentication that links an individual to agiven identity. The authentication provider produces anauthenticator - a token allowing other components torecognize that primary authentication has been per-formed.

Primary authentication techniques are generally con-sidered in terms of:

• “Something you know”, such as a password, PIN orthe answer to an identifying question (e.g. mother’smaiden name).• “Something you have”, such as a mobile phone,credit card, an X.509 public-key infrastructure (PKI)certificate, smart card, or other hardware securitytoken.• “Something you are”, such as a fingerprint, a retinalscan, or other biometrics.• “Somewhere you are”, such as being within a givengeographical location, or within range of a knownbeacon.

Each identity may be associated with multiple authen-tication providers. In addition, the mechanismsemployed by each provider may be of differentstrengths. To accept the claim of a given identity, someapplication contexts may require a minimum level ofstrength.

Authorization providers enforce access control when anentity accesses an IT resource. Authorization providersallow applications to make authorization and otherpolicy decisions based on privilege and policy infor-mation stored in the data repository. An authorizationprovider can support simple access control manage-ment at the operating system (OS) level. It can alsosupport finer-grained role- and/or rule-based controlsat the application and service levels.

Auditing providers supply mechanisms to track howidentity information in the data repositories is created,modified, and used. They are an essential enabler offorensic analysis, which helps determine who circum-vented policy controls and howthe controls were evaded. 3-4

Figure 3-4Identity management components

Identity Managem

ent

4.3. Lifecycle ComponentsProvisioning is the automation of all the proceduresand tools used to manage the lifecycle of an identity.Provisioning procedures include:

• Creating the identity including an identifier• Linking to authentication providers• Setting and changing attributes and privileges• Decommissioning an identity

In large systems, provisioning tools generally permitsome form of self-service for creating and maintainingan identity. They frequently use a workflow or trans-actional system to verify data from an appropriateauthority. The tools may also propagate data to affil-iated systems that may not directly consume therepository.

Longevity tools create the historical record of anidentity. These tools allow the examination of theevolution of an identity over time. Longevity is linkedto the concept of attestation - the ability to determinewhich actors had access to which resources and inwhat timeframe (irrespective of whether they exercisedaccess, which is a matter of auditing).

4.4. Consumable Value ComponentsIdentity Management solutions can provide the fol-lowing value-added services for the users or con-sumers of an identity management system: SSO, per-sonalization and self-service.

SSO allows a user to perform a single primaryauthentication for access to the set of applicationsand systems in the identity management environment.

Personalization and preference management toolsassociate an identity with application-specific andgeneric information. These tools allow applications totailor the user experience, streamline the user inter-face, and target information dissemination for a busi-ness.

Self-service enables users to self-register for access tobusiness services and manage profile informationwithout administrator intervention. It also allows usersto manage their proper authentication credentials; forexample, assigning passwords, resetting passwords,and requesting X.509 PKI certificates. Self-servicereduces IT operation costs, improves customer service,and improves information consistency and accuracy.

4.5. Management ComponentsUser management provides IT administrators with acentralized infrastructure for managing user profileand preference information. User managementenables organizations to decrease overall IT coststhrough directory optimization and profile synchro-nization. User management tools provide user self-service capabilities and enhance the value of an organization's existing IT investments.

Access management provides IT administrators with acentralized infrastructure for managing user authenti-cation and authorization. An access control manage-ment service increases security, reduces complexity,and reduces overall IT costs by automating accesspolicies for employees, customers, and partners.

Privacy management assures that identity manage-ment solutions respect privacy and data protectionpolicies as defined in company, industry, and gov-ernmental regulations, while storing, accessing, pro-cessing and disclosing personal data.

Federation management establishes trusted relation-ships between distributed identity providers. This ofteninvolves sharing web service endpoints, X.509 PKIcertificates, and supported/desired authenticationmechanisms.

4.6. The Effect of Policies on ManagementComponentsPolicy controls govern and drive management com-ponents. Policies may cause events to be audited oran identity subject to be notified when information isaccessed. The following policies are typically involvedin an identity management solution:

• Identity policies control the format and lifetime ofan identity and its attributes.• Authentication policies control the characteristicsand quality requirements of authentication credentials.• Authorization policies determine how resources canbe accessed.• Privacy policies govern how identity informationmay be accessed, processed or disclosed.• Provisioning policies determine what resources areallocated to which identities and how the resourcesare allocated and de-allocated.

5. Key Elements of IdentityManagement SolutionsThere are many products and solutions available inthe identity management market. They generally pro-vide one or more of the identity management com-ponents and target different types of users and con-texts, including e-commerce sites, service providers,enterprises, and government institutions. Key IT indus-try players are currently focusing on creating identitymanagement suites that provide all of the componentsshown in Figure 3-4.

3-5

There is a considerable amount of overlap betweenthe different solution categories available on themarket. A good example is meta-directories and pro-visioning solutions. The role of meta-directories hasgradually shifted from pure data synchronization (arepository function) to lifecycle component functionsfor the creation of user entries (a provisioning func-tion).

Identity management solutions also involve otherstakeholders. These include authentication devices(smart cards, biometric devices, and authenticationtokens); anonymity services; and the standards out-lined in the next section.

The quality of identity management products andsolutions depends on how successfully they handle anumber of factors. Among other things, these factorsinclude keeping identity information in a consistentand up-to-date state, satisfying related managementpolicies and legal requirements, preserving privacyand trust, and ensuring that security requirements arefulfilled. The key elements to consider in an identitymanagement solution include:

• Adherence to identity management standards• Types of deployment models• Means of addressing complexity and competingdemands• Methods of safe digital identity management• Level of product interoperability

Organizations should also consider the followingidentity management trends when building an identitymanagement solution:

• Identity services• Business-driven identity management• Identity-capable platforms and device-based iden-tity management

We will explain these key elements and trends inmore detail in the following sections.

5.1. Identity Management StandardsStandards provide a common set of protocols,semantics, and processing rules that allow the variouscomponents of an identity management solution tointeroperate. Table 3-1 provides an overview of themost important current and emerging standards usedin identity management architectures and solutions.

Recently there has been an increase in the standardsthat are proposed by one or a few companies thatare very active in the identity management sector (asopposed to the traditional consortium-driven identitymanagement standards). Good examples are theOpenId initiative and the Microsoft CardSpace initia-tive (that leverages WS-*).

Type Relevant Standards More Information

Identity Repositories Lightweight Directory Access Protocol (LDAP) www.ietf.org

ISO/ITU x.500 www.itu.int

Privacy Standards Platform for Privacy Preferences (P3P) www.w3.org/P3P

Enterprise Privacy Authorization Language(EPAL)

www.zurich.ibm.com/security/enterprise-privacy/epal

Access Control eXtensible Access Control Markup Language (XACML)

www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

Provisioning Authorities Service Provisioning Markup Language (SPML) www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision

Federation Security Assertion Markup Language (SAML) www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

Liberty Alliance Standards www.projectliberty.org

User-centric IdentityManagement

OpenID www.openid.net

Microsoft CardSpace www.microsoft.com/net/cardspace.asp

Higgins www.eclipse.org/higgins/

Supporting Standards WS-Security www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

WS-* (Roadmap) http://msdn2.microsoft.com/en.us/library/ms977312.aspx

Table 3-1Relevant standards for identity management architectures

3-6

Identity Managem

ent

5.2. Deployment ModelsIdentity management systems are primarily deployedin one of three models: silos, walled gardens, orfederations.

• Silos are the predominant model on the Internettoday. In this model, the identity management envi-ronment is established and operated by a singleentity for a fixed user and resource community. Agood example is a Microsoft Windows domaingoverned by a set of predefined administrators anddomain controller (DC) servers.

• Walled gardens represent a closed communityof organizations. A single identity management sys-tem serves the common user community of a collec-tion of businesses. Most frequently, this occurs inbusiness-to-business exchanges, and specific rulesgovern the entity operating the identity managementsystem. A good example is the Identrus PKI, whichbrings together individual bank-level PKIs into aclosed banking-community PKI.

• Federations and federated identity managementenvironments are emerging deployment models. Theyinclude systems like Liberty Alliance Project-basedfederations, federation systems built on the WebServices Security (WS-Security) and WS-Federation(WS-Fed) standards, and relatively recent user-cen-tric frameworks such as the OpenId and MicrosoftCardSpace initiatives.

The central difference between federated identitymanagement systems and walled gardens is that asingle entity operates a walled garden. By contrast,federated systems support multiple identity providersand a distributed and partitioned store for identityinformation. Clear operating rules govern the variousparticipants in a federation - both the operators ofcomponents and the operators of services rely on theinformation provided by the identity managementsystem. Most systems exhibit strong end-user controlsover the dissemination of identity information tomembers of the federation.

5.3. Complexity and Competing DemandsThe current identity management landscape is verycomplex because of the multiple interests, perspec-tives, concerns, and technologies that are involved.Identity management is important in different sce-narios, including enterprise, e-commerce, social net-working and government. It supports businessprocesses and services, and it enables digital inter-actions and transactions.

There are competing demands on what identitymanagement should provide, differing concernsabout its focus, and conflicting interests. Examples ofcompeting demands include enterprise focus versus consumer focus, mobility versus centralization, legis-lation versus self-regulation, subjects' control versus organizations' control, and privacy versus free mar-ket.

5.3.1. Numerous StakeholdersDemands are dictated by various stakeholders,which can include enterprises, e-commerce sites,service providers, government agencies, and identitysubjects (consumers). Stakeholders have differentobjectives and priorities when dealing with themanagement of digital identities:

• Enterprises are driven by their business objectivesand needs. They manage large sets of identity datato enable their businesses, rationalize their assets,simplify interactions with partners and customers,ensure regulatory compliance, and meet contractualobligations. Identity data also helps enterprisesmanage the information lifecycle of their workforceand manage access to enterprise resources.• E-commerce sites and service providers manageconsumers' identity information to achieve a varietyof goals, such as increasing sales, understandingcustomers' needs, customizing services, and sellinginformation to third parties.• Government agencies are concerned with thecontrol and protection of their citizens' personalinformation. They also seek strong and undeniableauthentication mechanisms and the automation andrationalization of their services via the Internet.• Consumers have different concerns and needsdepending on the role they play. They are in themiddle (or, depending on the point of view, thesource) of most of the competing demands previouslynoted. As employees or consumers, they want toaccess and use services in the simplest and mostefficient way. Private citizens' needs and concernsmight include privacy, distrust of institutions, and theaccountability of the involved parties.

This variety of interests and concerns, along withemerging technologies, increases the complexity ofidentity management. All of these aspects influenceeach other, via a spiral of potentially conflictingrequirements. For example, new legislation address-es citizens' needs for privacy; however, it constrainshow enterprises, service providers, and e-commercesites process personal information.

3-7

5.3.2. Multiple DomainsMultiple domains can also increase the complexity ofidentity management. Business tasks, digital interac-tions, and digital transactions can span multipledomains. In an e-commerce context, for example, adigital transaction might require the involvement ofidentity e-commerce sites and the exchange of iden-tity information among these sites. This exchange hasstrong implications for managing trust, privacy,authentication, authorization, and accountability.Business-to-business interactions and transactions within supply-chain communities face similar chal-lenges as a result of multiple domains.

5.3.3. Fragmented ImplementationFurther complexity derives from the challenge ofinstalling, configuring, administering, and integratingcurrent identity management products. This is mainlydue to the fragmentation of identity managementcomponents and the lack of interoperability andstandards. This complexity creates frustration anddelays the adoption of identity management solutionsin the IT environment.

5.4. Safe Digital Identity ManagementIdentity management systems bring great value to thedigital world. Federated identity environments, inparticular, hold promise for widespread deployment.As the distinction between real-world identity anddigital identity blurs, however, methods of safe digitalidentity management need to be considered:

• Authenticity of identity or Identity Assurance. Howis the accuracy and validity of identity informationmeasured and determined? What trust services oridentity proofing processes are necessary to generateconfidence in information in the identity managementsystem?• Longevity of information. Do identity managementsystems adequately track changes to identity infor-mation over time? Do they maintain the necessaryartifacts to support historical investigations? Howoften does identity proofing or re-proofing need totake place? How is information disposed of and howoften must the disposal occur?• Privacy. Do identity management systems provideadequate controls to preserve individual privacy?Does the system provide adequate support foranonymity and multiple user-controlled personas?• Identity theft. Do widespread identity managementsystems make it easier to perpetrate identity theft oridentity fraud, and what can we do to minimize riskto the organization, its employees, partners, cus-tomers and others?• Legal structures. What protections exist for theholder of the identity or the relying party? Do theseprotections go beyond contractual obligations whendigital identity systems are used for interactions thatare limited to the physical world today?

5.5. Product and Solution InteroperabilityChallengesMost of the current identity management productsand solutions rely on self-contained, stand-alonemanagement and control tools. Little integration or interoperability is available with other managementtools to deal with the management of security, trust,and privacy in an orchestrated way. To react tochanges, identity management products and solutionsneed to evolve toward higher levels of interoperabili-ty, flexibility, and capability.

Particularly challenging are the interoperability issuesin the federated identity management space, that aredue to competing and overlapping proposals, suchas the Liberty Alliance ID-FF, OpenId, Higgins, andCardSpace initiatives. A promising initiative in thiscontext is the Concordia Initiative, which tries to cre-ate interoperability options and proposals among theabove mentioned proposals and initiatives. More infocan be found atwww.projectconcordia.org/index.php/Main_Page.

6. Identity Management TrendsOrganizations should not only focus on the key ele-ments that were outlined above when building anidentity management solution they must also considerthe following identity management trends:

• Identity services• Business-driven identity management• Identity-capable platforms and device-based iden-tity management

6.1. Identity ServicesAn emerging trend in enterprise identity managementand federated identity management is the use ofIdentity Services, or services that leverage identitymanagement components and solutions to providereusable identity management capabilities acrossorganizations. Examples of emerging identity servicesare:

• Authentication and credentialing services• Single-sign-on services• Authorization services• Provisioning services• Services for long-term archiving of identity informa-tion and related records• Cryptographic services such as digital signing,time-stamping and encryption

Identity services reflect the increasing interest andshift of enterprise IT applications and solutionstowards Service Oriented Architecture (SOA)-basedand Web 2.0-based approaches. In the medium andlongterm, identity services will significantly impactapplications and services and the way organizationsdeal with identity management in general.

3-8

Identity Managem

ent

6.2. Business-driven Identity ManagementEnterprises and other organizations are increasinglymanaging IT from a business perspective, to reducecosts, improve availability, tune capacity, optimizeresource utilization, and to deal with risks and regu-latory compliance.

In this context, the ITIL (IT Infrastructure Library)framework defines a set of best practices that arefocused on aligning IT with business objectives. TheITIL best practices create a service-oriented culture,where there is an understanding that IT exists tosupport the business, that there is a commitment todeliver an agreed level of service, and that cus-tomers’ satisfaction always comes first.

The ITIL core disciplines are centered on ServiceSupport and Service Delivery. ITIL provides guidancein terms of Configuration Management, ChangeManagement, Incident Management, SecurityManagement (based on ISO/IEC 17799) and AuditManagement.

Considering the increased importance identity man-agement has in enterprises and the trend towardsidentity services, ITIL will play a key role in the defi-nition of best practices and identity controls foridentity management.

6.3. Identity-Capable Platforms and Device-based Identity Management An important emerging area in identity managementis device-based identity management. This is aboutthe management of the identity of devices(smartphones, PDAs, laptops, etc.) in enterprise andfederated contexts; using these devices to store - in asecure and trusted way - identity information; andenabling interactions and SSO between thesedevices, their users and other parties.

A considerable amount of work in this space hasbeen done by HP Labs, together with HP businesses.Two research projects that are specifically worth not-ing are the HPL project on 1) Liberty Allianceidentity-capable platforms and provisioning services;and the HPL project on 2) device-based identitymanagement in enterprises.

Liberty Alliance Identity-Capable Platforms andProvisioning ServicesLiberty Alliance’s “Advanced Client Technologies”initiative aims at defining and specifying technolo-gies that encompass a suite of advanced functional-ity in the areas of identity-capable devices, SSO,identity federation, service hosting, reporting andprovisioning.

The key goal of this HPL R&D initiative is to enableusers, via identity-capable platforms (ICP - such aslaptops, smart phones, PDAs, etc.) to engage infederated, multiparty interactions and transactions(on the Internet or other networks) in a simplifiedand transparent way. At the same time these ICPdevices store, process and potentially disclose iden-tity tokens in a secure, private and policy-controlledway. Identity tokens are provisioned to ICP devicesvia provisioning services and by means of protocolsspecified by the Liberty Alliance.

Intel has been leading the definition of Identity-capable Devices specifications in the context ofLiberty Alliance. Other players include Nokia, BT,Vodafone, Gemplus, NTT, Sun, Symlab and HP. Aworking group in Liberty Alliance (supported, amongmany, by Intel, BT, HP Software/HP Labs) is stan-dardizing ICP properties and its capabilities alongwith the required back-end operational services. HPand HP Labs have developed and provided back-end service capabilities that are required to enableICP.

Device-based Identity Management in EnterprisesThe management of device identities is becoming akey requirement in enterprises where the identities ofplatforms and devices have become as important asthe identities of humans to grant access to enterpriseresources. In this context, access control systemsneed to understand which devices with what prop-erties are being used to access resource, by whomand in which contexts. Trust in managed devices’identities is an important first step to enable this.

The separation between work, public and privateaspects of a person’s life is becoming more andmore blurred. In particular, some devices are notonly used for work-related matters but also for per-sonal matters, such as accessing the web to retrieveinformation and make transactions, exchanging per-sonal e-mails, making personal phone calls, storingand keeping track of personal information, calen-dars, etc.

From a user (individual) perspective, this trend furthersimplifies their day-to-day life by avoiding anyunnecessary duplication of devices, tools and relatedefforts. From an enterprise perspective, the fact thatdevices are used by employees for a variety of pur-poses, introduces additional risks and threats, inparticular about the integrity of these devices andtheir trustworthiness to access enterprise intranetsand networked resources. An additional risk is thatprivate devices (e.g. personal laptops, etc.) couldalso be used at work - with potential lower securityand assurance levels (e.g. about installed software,patch control, local access control settings, etc.) thanthe ones mandated by the enterprise.

3-9

Current enterprise services, applications and informa-tion are mainly protected by traditional access controlsystems that usually only take into account human-based identities (via passwords, digital certificates,etc.) or (in more advanced situations) only human-based identities that are strongly bound to a givendevice. To have better control of accessed resources,it is becoming more and more important for enter-prises also to explicitly identify what the identity of adevice is, along with its properties - consider theidentity of a device as a self-standing entity or theidentity of a device as one of a group of known enti-ties. Furthermore, trust and assurance is requiredabout the authenticity and validity of a device’s iden-tity.

HP Labs R&D in this space has been focusing onmodeling devices’ identities, enabling their provision-ing in heterogeneous enterprise systems, providingsupport for making and enforcing related accesscontrol decisions, and leveraging trusted computingcapabilities of modern devices to deal with aspects oftrust management.

7. Summary of IdentityManagement ConceptsFrom a technological and IT perspective, identitymanagement is just one aspect of managing businesssolutions and the overall IT stack of networks, plat-forms, OSs, applications, middleware, and services.Identity management must be considered in a holisticway by including the management of security, trust,and privacy along with the management of policies,requirements, and changes. All of these aspects areinterrelated and affect business solutions and the ITstack at different levels of abstraction.

The components within the identity managementlandscape are rapidly changing. Classic identitymanagement components are consolidating. On theother hand, new components and standards areemerging, such as identity federations, identity forweb services, and privacy management solutions. Agood example is the linking of identity and networksecurity solutions in the network access control (NAC)space. Where NAC begins by authenticating andvalidating the posture (or health) of a device attempt-ing to connect to a network, the identity dimensionensures that the device is known, as well as the userof that device, before access is granted to specificparts of the network. Combining the various layers ofdevice, network, identity and communication accesscontrols into common policy models and knownenforcement points allows an organization to delivera more comprehensive defense in depth environment.

Identity management is also gaining importance.Future identity management solutions will play a morecentral role in the IT industry due to the pervasivenessand the increased presence of identity information in

all components of the IT stack. Very important trendsare also identity services, business-driven identitymanagement, identity-capable platforms and device-based identity management.

8. HP Identity ManagementProducts and SolutionsFor HP, identity management is the ability to:

• Identify every user, application, and devicethroughout and across organizations over time• Provide flexible authentication, access control, andauditing technologies, while respecting privacy andregulatory controls• Bring management capabilities to individuals, smallorganizations, and large organizations via easy-to-use and understandable tools that cope with dynamicpopulations and business changes

HP's identity management vision is centered on thepervasiveness of identity management technologiesand solutions:

• Identity management is about the management ofuser, application, service and device identities.• Identity management is about the management ofidentities in different contexts: enterprises, small andmedium businesses (SMBs), consumers, and the pub-lic sector.• Identity management deals with the managementof the entire lifecycle of identities and their attributes.

The following sections will define HP’s identity man-agement vision in more detail by exploring the dif-ferent identity management building blocks. We willaddress identity repositories, security components,privacy management, identity lifecycle management,and federated identity management. In addition, wewill discuss the Hewlett Packard National IdentitySolution (HP NIS) as an example of how these build-ing blocks are combined to create an integratednational identity management solution.

8.1. Identity RepositoriesDirectories are the most commonly used repositoriesfor storing identity-related information. As mentionedpreviously, identity management solutions can incor-porate other repositories, including SQL-rooted data-bases and XML-formatted files.

8.1.1. Types of Directory-based IdentityRepositoriesDifferent technological approaches exist for directory-based identity repositories: centralized enterprisedirectories, meta-directories, directory synchronizationutilities, and virtual directories. Of these, only a cen-tralized enterprise directory is a true identity reposi-tory. The other tools integrate and link different iden-tity repositories:

3-10

Identity Managem

ent

• Enterprise directories can provide a single author-itative source for identity information throughout anenterprise. All users and directory-enabled applica-tions rely on the identities stored in the enterprisedirectory. This is the ideal scenario. However, mostenterprises cannot use this approach due to thepresence of legacy service-and application-specificdirectories.

• Meta-directories provide a consolidated view ofthe identity data stored in different repositories. Theyalso synchronize the data in the different reposito-ries. A meta-directory resembles an advanceddirectory synchronization utility. Most meta-directorysolutions come with workflow logic, and they overlap with many of today's identity provisioningsolutions.

• Directory synchronization utilities are intelligentLDAP-based utilities that can synchronize identitydata between different types of identity repositories -such as directories and databases.

• Virtual directories, unlike meta-directories, do notbuild a central repository - although there is usuallysome degree of caching capability inherent in theproducts to mitigate potential network performanceand reliability issues. Instead, they rely largely ondirectory server or client functions to access the datastored in different directory sources. Virtual directo-ries also allow for the creation of different applica-tion-specific views of directory data - e.g. a customerapplication view and an employee application view.

8.1.2. HP and Identity RepositoriesHP considers directory identity repositories a maturemarket and uses a best-of-breed and customer pref-erence approach. Table 3-2 gives a non-exhaustiveoverview of directory solutions.

HP offers the Red Hat/Netscape Directory Server forHP-UX 11i. The directory server is built into thefoundation HP-UX operating environment. It providesthe central database repository of user names andobjects for system and application access.

Vendor Directory Product URL

Enterprise Directory

HP Red Hat/Netscape Directory Server www.hp.com/go/redhat

www.hp.com/go/hpux11isecurity

Novell eDirectory www.novell.com

Microsoft Corporation Active DirectoryActive Directory Application Mode (ADAM)Active Directory Lightweight Directory Services(AD LDS)

www.microsoft.com

Critical Path, Inc. Directory Server www.cp.net

Oracle Oracle Internet Directory www.oracle.com

Sun Microsystems, Inc. Sun Java System Directory Server www.sun.com

Meta-directory

Microsoft Corporation Identity Lifecycle Manager 2007 (ILM 2007) www.microsoft.com

Critical Path, Inc. Meta-Directory Server www.cp.net

Siemens HiPath SIcurity DirX Identity www.siemens.com

DirectorySynchronization

HP LDAP Directory Synchronizer (Compaq LDSU) www.hp.com

IBM Corporation IBM Tivoli Directory Integrator www.ibm.com

Virtual Directory

Radiant Logic, Inc. Radiant One Virtual Directory Server www.radiantlogic.com

Table 3-2Directory solutions

3-11

8.2. Security ComponentsThis section discusses the triple-A components of anidentity management solution: authentication, authori-zation, and auditing services. It provides details aboutthe solutions HP offers in this space.

8.2.1. Authentication TechnologiesAuthentication is the process of verifying an entity'sidentity. Authorization credentials, which are uniquelylinked to an entity, are typically used for verification.The security quality of authentication technologieslargely depends on the following dynamics: the num-ber of authentication factors, the authentication proto-col, and the authentication method.

Multifactor authentication methods offer higher securi-ty quality than single-factor authentication methods. Agood example of a multifactor authentication system isa smart card. It combines possession (of the card) andknowledge (of the card's PIN). Table 3-3 gives anoverview of different authentication methods and thenumber of authentication factors they support.

Many identity management solutions require theauthentication infrastructure to support multipleauthentication methods and protocols. This may benecessary when the environment supports internal andexternal users that access a variety of resources.When resources hold different values or contain sen-sitive information, different methods and protocolsmay also be necessary. Access to confidential infor-mation, for example, may require a stronger authenti-cation method than access to information publishedon a corporate intranet. In some authentication infra-structures, this feature is known as graded authentica-tion. This simply means that the resources and infor-mation a user is allowed to access vary depending onthe strength of the authentication protocol andmethod.

8.2.1.1. Strong AuthenticationToday's problems of identity theft and the misuse ofidentities and their attributes are accelerated by theever-increasing amount of interconnected users,applications, and devices. To attain greater levels ofauthentication, identity management solutions requirestrong authentication. Over the last decade, strongauthentication has been associated with bothcryptography and multifactor-rooted authentication.

Cryptography-based authentication means that the authentication protocol includes cryptographic opera-tions in the identity and credential verification process.Table 3-4 provides descriptions of popular strong userand device authentication solutions.

Biometric AuthenticationBiometric authentication is a form of strong userauthentication receiving substantial attention. A bio-metric is any measurable aspect of a human's physi-ology or behavior that can be reliably captured andused as a distinguishing identifier for that personwithin a defined population. Biometrics are anauthentication mechanism that use the "what you are"about an individual to determine his or her identity.

Biometrics are a method of tying a claim of identity toan individual in a way that is not easy to spoof.Historically, passwords or PIN codes authenticated aperson's claim of identity. Passwords have manysecurity-related issues, including the ease with whichthey can be shared and intercepted. Biometricauthentication may not require a physical token ormemorized knowledge; the user makes a "claim ofidentity" and proves that claim through a biometricscan. Typically, a claim of identity takes the form ofentering a username, presenting a physical badge, orpresenting a passport/ID card. If the biometric scanmatches a previously stored sample, the user isauthenticated.

Biometrics can also distinguish an individual from apre-defined group, which is known as identification.Identification does not require a claim of identity fromthe individual in question; the system's goal is todetermine if the individual's identity is known to itwithin a specified degree of accuracy. Identification istypically conducted over a pre-defined population ofusers who have enrolled a sample of their biometrics.

A biometric system can only compare a current sam-ple with a previously enrolled sample set. Before userscan be authenticated using biometrics, they mustenroll samples in the authentication system. It is criticalto perform quality checking at the time of enrollment,as a poor quality biometric enrollment negativelyaffects the performance of the overall system.

3-12

Password or PIN Smart Card or Token Biometric Device Biometric Device andSmart Card

Dial Back Trusted PlatformModule (TPM)

Knowledge x x x x

Possession x x x

Biometric Data x x

Location x

Table 3-3Overview of authentication methods and the authentication factors they support

Today's problems ofidentity theft and

the misuse of iden-tities and theirattributes are

accelerated by theever-increasing

amount of intercon-nected users,

applications, anddevices.

Identity Managem

ent

Understanding Biometric TechnologyA biometric is any measurable aspect of a human'sphysiology that can be reliably captured and usedas a distinguishing identifier for that person within adefined population. Examples of biometrics used inpractice are fingerprints, iris scans, hand-geometryanalysis or facial recognition. A biometric securitysystem typically uses a biometric to replace a pass-word to authenticate an individual. However, bio-metrics can also be used to identify if an individualis a member of a user group (termed identification).

Like any relatively new technology, the biometricsindustry is rife with hype and speculation. Commonmyths about biometrics include:

Myth 1: Biometrics are foolproof. No security tech-nology is considered foolproof, especially when pit-ted against a determined attacker. Biometric match-ing of individuals is a probabilistic system, and thereis a probability of a false match, where an intruderis accepted as having a valid identity. The goal isincreasing the probability of a valid match andreducing the probability of a false match to as closeto zero as possible.

Myth 2: Biometrics are more secure than otherforms of authentication. While the biometric match-ing step could be considered a "secure" verificationof a person's identity, a biometric-based securitysystem is only as strong as its weakest link. Similar toattacks against cryptographic systems, attackers maynot only subvert the biometric component but also anelement in the supporting infrastructure, for examplethe storage of the biometrics.

Myth 3: A fingerprint is a secret and unique identi-fier. Although fingerprints are thought to be unique,an individual's fingerprints are not secrets. We leavethousands of impressions every day of our finger-prints as we move through the world.

Myth 4: Biometric systems have perfect accuracy.Biometric matching is a probabilistic algorithm; therecan be no absolute certainty that two biometricsamples match, merely degrees of confidence in amatch. Factors such as environment, device robust-ness and the demographics of a population eachaffect the total accuracy of a biometric system.

Myth 5: Biometrics can pick terrorists out from acrowd. The technology for face detection from mov-ing video streams is available today, but the qualityof the images captured is not sufficient for accuratematching. Even under ideal lighting and cameraconditions, people can easily obscure or changetheir face with hats, scarves, or glasses. For exam-ple, even if a face matching system had a 1% falsedetection error rate (an extremely optimistic sce-nario), in a busy metropolitan airport it would iden-tify more than 1,000 innocent people as terrorists.

3-13

SSttrroonngg AAuutthheennttiiccaattiioonn SSoolluuttiioonn DDeessccrriippttiioonn

Strong User AuthenticationHardware Tokens Hardware tokens are Liquid Crystal Display (LCD) panel devices that display number sequences that

change periodically, for example, once per minute. In combination with a PIN, the token's software usesthese sequences to create one-time passwords. Some tokens challenge the user with a built-in numerickeypad to calculate the passwords. Examples are the tokens from RSA (SecurID), ActivIdentity andVasco.

Smart Card-Based Tokens Smart cards are devices that can take a number of different physical forms. Most smart cards are similarto credit cards, with the addition of small, dime-sized memory chips or microprocessors. USB tokens canoperate similarly to smart cards, and some vendors have implemented smart card functionality on cellphones and PDAs. Smart cards and other tokens are tamper-resistant devices that can be used forsecure storage of private keys, passwords, and other personal information. Some models perform privatekey operations (generation, signing, and decryption) in a safe, isolated manner on the card itself. Smartcard solutions require smart card readers to be deployed or integrated with the devices.

Software Tokens Software tokens operate like hardware tokens, except that a software program installed on a user'sworkstation or other computing device (PDA or Pocket PC) provides a token generator orchallenge/response system.

Biometric Authentication Biometric authentication mechanisms match a physical characteristic of a user against a databaserecord. Common methods include iris, palm, or fingerprint scans, as well as voice authentication. Afteryears of development, these systems are becoming more reliable, yielding fewer false positives and falsenegatives. Prices are also falling, making biometrics increasingly practical, though still far more expen-sive than free passwords. Biometric solutions are particularly successful in physical facilities authentica-tion and government applications like border security and law enforcement.

Strong Device Authentication

Radio Frequency Identification (RFID) An RFID system is a tag, which contains a miniscule computer chip and an antenna, that is attached toor embedded in an item. Items can be anything from a computer, to a dishwasher, to a living being. Thetag transmits a signal to an electronic reader, which associates the signal with the specific item to whichit is attached. The evader transmits this information to servers that collect and organize the data fortracking. RFID systems have the power to dramatically refashion such processes as the supply chain bymaking them more efficient, and they can bring direct consumer and societal benefits such as personal-ized shopping, medical reminders, and the ridentification of toxins before they reach landfills. However,the potential to tag and track every item raises privacy and civil liberty concerns. RFID technology hasthe potential to invade customer privacy and diminish customer control over personal information.

Trusted Platform Module (TPM) A TPM is an embedded security chip uniquely bound to a single computer platform that can be used forboth user and device authentication. TPM core components are an RSA engine, a hash engine, a keygenerator, and a Random Number Generator (RNG). The TPM architecture has been defined by anindustry body called the Trusted Computing Group (TCG).

Why Use Biometrics?Biometrics are appropriate for situations that requirestrong user authentication, in place of a password orsmart card. For example, biometrics can be used asphysical access controls for facilities or logical accesscontrols for desktop computer login.

What Types of Biometrics are Available?There are many different forms of biometrics that canverify an individual's identity. No one biometric cansatisfy all operational requirements; some are moresuited for office environments, and others apply to abroader range of environments.

• Fingerprint: The most recognized form of biometricis a fingerprint. Fingerprint scanners can take whole-hand images, multiple -finger images, or single-fingerimages.

• Iris scan: Iris scanning is often confused with reti-nal scanning. The iris is the visible colored part ofthe eye that surrounds the pupil. It is believed to beunique for each human.

• Retinal scan: Often confused with iris scanning, theretina is an area at the rear of the eyeball. An iris

scanner is a specialized device that must scan theeye from very close range. Despite its accuracy, reti-nal scanning is rarely used because of privacy andusability issues.

• Vein pattern: The pattern of veins in the hand isbelieved to be unique across the population. Thehand is placed on a reader and illuminated withinfrared light to detect the veins.

• Hand geometry: The geometry of the hand ispotentially unique across the population. The hand isplaced on a scanner and various measurements aretaken of finger spacing, length, and angle.

• Voice analysis: Voice biometrics analyze theinflections of a speaker's voice to authenticate thespeaker.

• Face: Facial biometrics analyze a picture (orstream of images) from a human face. Typically, afacial biometric system uses a standard digital cam-era to take a picture of a face.

Table 3-4Overview of strong user and device authentication solutions

3-14

Identity Managem

ent

Biometrics IssuesBiometric technology brings a different set of opera-tional and security issues into consideration:

• Ease of measurement: A fingerprint is easy tomeasure in an office environment, but it may be dif-ficult to capture in an industrial setting where opera-tors wear protective gloves. If the biometric is noteasy to measure, users will be frustrated.• Range of accuracy: Biometrics accuracy is highlydependent on the choice of sensors, the user popu-lation, the operational environment, and the mannerof use.• Device robustness: Biometric readers are subject tothe usual wear and tear any office product experi-ences. Some will fail more rapidly than others, andeach device may fail in different ways. For example,some readers may degrade the image that theycapture so that a comparison may still be made, butothers may simply refuse to capture an image.• Technology improvements: The biometrics industryis moving at such a rapid pace of change thatchoosing a device and biometric system is often amoving target. When investing in biometric systemstoday, organizations should leave options open tomove to a newer technology in the future.• Acceptability to users: If users feel that the bio-metric system is slowing them down in their businessactivities, they will attempt to find ways around thesystem, or will claim that it does not work correctly.

HP Strong Authentication SolutionsHP offers a variety of strong authentication solutions.These include smart card technologies, biometricdevices, TPM solutions and RFID technologies.Smart Card Security for HP ProtectTools is HP'sstrong authentication solution rooted in smart cards.

It has several unique features:

• Smart card in BIOS allows for pre-boot authenti-cation and is OS independent.• Smart card logon allows for strong, smart card-based Microsoft Windows authentication withoutrequiring a PKI.

Smart Card Security for HP ProtectTools is availableon select commercial desktop, notebook, and work-station models. For the current model list, seewww.hp.com/go/notebooks orwww.hp.com/go/desktops.

HP biometric solutions include the HP USB biometricfingerprint reader, the HP built-in fingerprint readeron select models of the HP iPAQ Pocket PC, and theintegrated biometric readers on select commercialnotebooks. Credential Manager for HP ProtectTools,a module of HP ProtectTools, is standard on selectcommercial notebooks, desktops and workstations.Credential Manager offers an efficient and integrat-ed means of managing multi-factor authenticationwith a fingerprint reader, smart card or token.

Tying the TPM to authentication technologies pro-vides even stronger protection of identities by con-necting software to hardware. Embedded Securityfor HP ProtectTools uses the TPM embedded securitychip to help protect against unauthorized access tosensitive user data and credentials. It is supportedon all HP business notebooks, and select desktopsand workstations configured with a TPM embeddedsecurity chip. See www.hp.com/go/notebooks orwww.hp.com/go/desktops for specific informationon platforms. HP is the co-founder and leader ofTPM specification development within the TCG. Formore information about the TCG, see www.trusted-computinggroup.org.

3-15

HP is leveraging its experience, expertise, andunderstanding of RFID technologies in its consultingservices, and HP is one of the world's largest playersin the space. HP has taken a leadership role indeveloping RFID standards. In fact, HP was perform-ing trials and pilot projects long before January2005, when Wal-Mart and the U.S. Department ofDefense insisted that their suppliers begin using RFIDtagging. With the world's ninth largest non-militarysupply chain, HP wants to demonstrate the value ofRFID systems for increasing the end-to-end speed andvisibility of supply chains.

8.2.1.2. Single Sign-On (SSO)Single sign-on is the ability for a user to authenticateonce to a single authentication authority, obtain acredential token or artifact with a defined lifespan,and use it to access other protected resources withoutre-authenticating. The Open Group (www.open-group.org) defines SSO as the "mechanism wherebya single action of user authentication and authoriza-tion can permit a user to access all computers andsystems where that user has access permission, with-out the need to enter multiple passwords."

HP and SSOFor enterprise and web SSO, HP takes a best-of-breed approach, leveraging the solutions from indus-try leaders such as Citrix Systems (PasswordManager; www.citrix.com).

For facilitating SSO on the client side, HP offersCredential Manager for HP ProtectTools. CredentialManager for HP ProtectTools is a client-side creden-tial caching-based SSO solution. Credential Manageracts as a personal password vault that makesaccessing protected information more secure andconvenient by automatically remembering credentialsfor websites, applications and protected networkresources. Thanks to Credential Manager for HPProtectTools, users no longer need to remember mul-tiple passwords. Additionally, it provides enhancedprotection against unauthorized access to a commer-cial notebook, desktop, or workstation, includingalternatives to passwords when logging on toMicrosoft Windows.

For identity control and access protection, CredentialManager for HP ProtectTools allows the user to defineand implement multi-factor authentication capabilities.For example, when authenticating to a PC, users canbe required to provide combinations of differentsecurity technologies, such as a smart card or a bio-metric ID. Furthermore, Credential Manager for HPProtectTools password store is protected via encryp-tion. It can also be hardened through the use of aTPM embedded security chip.

SSO is the abilityfor a user to

authenticate onceto a single authen-tication authority,

obtain a credentialtoken or artifactwith a defined

lifespan, and use itto access other

protected resourceswithout re-authenti-

cating.

3-16

Identity Managem

ent

8.2.1.3. Authentication Support inHP-UX 11iThe HP-UX 11i OS is designed to meet the securityrequirements of demanding environments. With apluggable framework for authentication, HP-UX 11ican integrate into security infrastructures and alsomaintain a pervasive management solution. The HP-UX Pluggable Authentication Module (PAM) subsys-tem provides a pluggable authentication backbonefor secured authentication services on HP-UX. HPoffers several authentication pluggable securitymodules for PAM, including integration withKerberos and LDAP.

The HP-UX 11i AAA Radius server can act as thefront end to the identity management system byoperating at the point of entry to a network (theaccess control point). When the HP-UX 11i AAARadius server is tied to the Red Hat/NetscapeDirectory Server, external remote access is authenti-cated. In addition, this arrangement controls andpasses access to network usage accounting systemsand eventual billing software. This configuration isespecially useful for Telco and Internet serviceproviders.

8.2.2. Authorization TechnologiesThe goal of an authorization system is to protectresources and information while allowing fluidaccess for legitimate users of these resources.Authorization is the act of granting subjects accessrights to protected resources. The main difficulty isscaling authorization policy administration to thou-sands - possibly millions - of subjects and protectedresources. As the numbers grow, administrators needto reduce the ratio of policies to the number of sub-jects and protected resources without compromisingthe security of the system.

Authorization policies are rules for determiningwhich subjects are allowed to access resources. Insome cases, privacy considerations may requiresupport for some form of anonymous or pseudony-mous access. In most cases, however, users must beidentified prior to receiving the authorization toaccess resources. An identity management infra-structure is therefore critical to establishing users'identities as the basis for authorizing access toresources.

Two interesting access control models used in theidentity management infrastructure are the role-based access control (RBAC) model and the rule set-based access control (RSBAC) model. A role is anorganizational job function with a clear definition ofinherent responsibility and authority (permissions).The process by which an enterprise develops,applies, and maintains RBAC is known as role engi-neering. As old roles are retired or modified andnew roles are defined to meet changing businessneeds, an enterprise defines processes for updatingroles.

Role-based approaches are suitable when job func-tions are easily partitioned. Wide-scale implemen-tations remain stalled because of the complex natureand large scope of role engineering projects, transi-tory job assignments in knowledge-based organiza-tions, lack of funding, limited standardization, andproprietary access control mechanisms. A commonchallenge facing role-based systems is findingagreement among stakeholders for standardizedvocabularies and role definitions.

An alternative to an RBAC approach is RSBAC. Withthis approach, access is granted or denied based ona set of pre-defined rules or organizational policies.Access control decisions can change dynamicallybased on access control policies. Rules are context-dependent: they can take into account things like thetime of day, resource type, and access location.

The main difficultyis scaling authori-

zation policyadministration to

thousands -possibly millions -

of subjects andprotected resources.

As the numbersgrow, administra-tors need to reducethe ratio of policiesto the number of

subjects and protected resources

without compromising the

security of the system.

3-17

8.2.2.2. Authorization Support in HP-UX 11iHP-UX 11i is designed to meet the security require-ments of demanding environments and provides apluggable framework for both authentication andauthorization. As part of HP-UX 11i v2, HP-UX addsthe Access Control Policy Switch, which is availableas part of the RBAC subsystem.

With the PAM, RBAC, and identity managementintegration features of HP-UX 11i, administration ofauthentication and OS- or application-specific privi-leges can be centrally managed through identitymanagement products. These features enable thepervasive management capabilities required bytoday's organizations.

As noted previously, the HP-UX 11i AAA Radiusserver can act as the front end to the identity man-agement system by operating at the access controlpoint. When combined with the Red Hat/NetscapeDirectory Server, the system offers additional benefitsfor authentication, access control, and accountingthat are especially useful for telco and internet serv-ice providers.

8.2.3. Auditing TechnologiesIncreasingly, regulatory demands require enterprisesto understand what their users are doing. The chal-lenge is consolidating and making sense of identitydata with respect to policies and regulations in acomplex and ever-changing environment. Auditingsystems capture security-related events in identitymanagement systems and ensure accountability forthe underlying IT and security infrastructure.Complete and accurate audit and event records pro-vide the evidence that enterprises need to demon-strate compliance with business, security, legal, andregulatory mandates. It is especially critical to auditthe authorization, provisioning, and privacy compo-nents of identity management systems, which maycreate or remove user privileges and accounts.

Typically, it is difficult and costly for an organizationto determine who did what and when. There are noteasy methods for management to determine compli-ance with specific regulations or to view trends.Additionally, organizations cannot track who knewabout violations - clear and specific ownership doesnot exist.

As a result, organizations risk failing regulatoryaudits. This is a critical concern for all CIOs, CSOs,and personnel directly responsible for the protectionof organizational resources, including privacy offi-cers, risk managers, and auditors. Company execu-tives can now be personally liable for failures in theircontrol systems, and regulatory failures can lead tocritical business impacts such as lost customers, fines,or jail time for those responsible.

Challenges requiring organizations to better manageaudit and reporting include the need to:

• Comply with regulations such as the Basel IIAccord, EU Directive on Data Protection, JapaneseData Protection, and the Personal InformationProtection and Electronic Documents Act (PIPEDA)• Control the identity infrastructure; specifically,knowing who has access to what and who approvedaccess• Track and trend compliance for repeatable successwith audits, for example, compare compliance fortoday, last week, the last six months, and longer

HP uses a best-of-breed and customer preferenceapproach for recommending multi- platform andmulti- application auditing solutions to customers.

8.3. Privacy ManagementIn the context of electronic privacy, users expressconcerns regarding today's IT systems and environ-ments like the Internet. Some of the key privacy con-cerns include:

• Data is collected silently. This is facilitated by theWeb, which allows large quantities of data to becollected inexpensively and unobtrusively.• Data from multiple sources may be merged. Non-identifiable information can become identifiablewhen merged with other sources and information.• Data collected for business purposes may be usedin civil and criminal proceedings.• Data collected for business purposes may be for-warded to third parties, without notifying the user.• Data may be copied and used without authoriza-tion. This may happen simply when data are usedfor purposes other than those for which they werecollected; it may also happen as a result of failure ofaccess controls allowing malicious parties, within oroutside the collecting organization, to obtain data forcriminal purposes such as fraud and identity theft.• Users are not given meaningful choices for the useof their personal data.

3-18

Increasingly,regulatory demandsrequire enterprisesto understand what

their users aredoing. Thechallenge is

consolidating andmaking sense ofidentity data withrespect to policiesand regulations in

a complex andever-changingenvironment.

Identity Managem

ent

Trends TopicGlobal Privacy

Privacy involves the treatment of personal data. A key concern of individuals who provide personal data isits authorized but undisclosed secondary use. Preventing undisclosed use requires the collecting party toinform individuals of any intent to share their personal data beyond the primary use. The collecting partyshould allow individuals a choice to opt in and then subsequently respect the agreement. These circum-stances bring the matter of privacy closer to the contractual and legal spheres rather than the technological.

Legal and cultural approaches to privacy differ widely around the globe. The European Union, for example,has explicit data-protection regulations. In the U.S., individual privacy is generally a matter of contractualand informed-consent practices, although regulations apply in specific sectors such as the health industry.Privacy approaches in Asian countries vary widely in both legal requirements and prevailing attitudes.Further complicating the picture are tensions related to anonymity, such as preserving the right to individualprivacy while preventing the use of anonymity as a means for criminals to conceal activities, and allowinglaw enforcement and homeland security agencies to gather extensive personal data to pursue preventiveand investigative programs.

Some specific technologies that address global privacy and anonymity pressures are in development. Forexample, there are many cryptographic techniques for "managed anonymity" or pseudonymity. These tech-niques, such as double-spending detection in electronic cash schemes, protect individual identities for nor-mal operations; however, they can reveal identities in exceptional circumstances. Privacy-preserving compu-tations are also feasible in some cases. For example, the holders of two different databases can jointly dis-cover common entries without revealing information to each other. The provision of reliable remote executionenvironments, where executable content can run on a machine that demonstrates its trustworthiness, offersthe promise of data transmission with continued effective controls on data use.

3-19

Privacy considerations typically arise when anorganization needs to collect and store customer,employee, and other private data. Other situationsthat raise privacy concerns include demonstratingconformance with privacy regulations and forwardinguser information (identity information, web-serviceaccess information, security assertions, or localizationdata) to third-party service providers.

Numerous efforts have produced legislative frame-works for privacy. Examples are the EU Directive onData Protection, U.S. laws such as HIPAA and theChildren's Online Privacy Protection Act (COPPA),and frameworks such as Safe Harbor. However, pri-vacy and data protection laws are hard to enforcewhen personal information spreads across bound-aries. In general, users have little understanding orknowledge of privacy laws and their implications.

Privacy management in an IT environment has manydifferent aspects. These include negotiation, policylifecycle management, enforcement, monitoring,decision support, violation detection, preservingcomputation, data minimization and transformation,rating and branding, verification and certification,auditing and accountability, mediation and delega-tion, anonymization and pseudonymization, and usertraining. In the context of identity management solu-tions, privacy-protecting technologies can be viewedas an extension to 1) authorization systems and 2)provisioning and identity lifecycle management solu-tions. Authorization policies control data accessbased on factors like privacy regulations and userconsent. Obligation policies control how to handlethe lifecycle of identity information during its lifetime,including data deletion/retention, datatransformation/minimization, notifications, etc.

Privacy management is an identity management areathat requires much work and effort. HP and othermajor IT players like IBM Corporation are leadingkey developments in the privacy management space.HP is involved in several cross-industry and govern-ment-driven privacy standardization initiatives. HPLabs, jointly with HP business groups (and also in thecontext of international projects, such as theEuropean Union (EU)-funded PRIME project), areactively researching and developing technologiesand solutions in the privacy space. HP Labs privacyresearch has been focusing on a Privacy PolicyEnforcement System and an Obligation ManagementSystem to model, deploy and enforce privacy policiesand obligations at the operational level: the feasibili-ty of these R&D systems has been demonstrated byshowing how they can be integrated with HP identitymanagement solutions.

HP Labs privacy research has been focusing on aPrivacy Policy Enforcement System and an ObligationManagement System to model, deploy and enforceprivacy policies and obligations at the operationallevel.

HP Labs Privacy Policy Enforcement SystemTraditional access control solutions (that involve users,their roles, protected resources and access rights) arenecessary but not sufficient to enforce privacy con-straints when accessing personal data. These solu-tions need to be extended to keep into account thepurpose by which data has been collected, consentgiven by data subjects and other conditions.

This HPL research focuses on the development of aprivacy-aware access control system that enforcesprivacy policies (defined by privacy administratorsand based on data subjects' privacy preferences) onpersonal data stored in heterogeneous enterprisedata repositories. In this system, privacy policiesexplicitly define the purposes for which personal datacan be accessed, how to keep into account datasubjects' consent and what actions need to be ful-filled when the data is accessed (filtering out data,blocking access, logging, etc.).

The HP Labs Privacy Policy Enforcement System pro-vides the following key functionalities: (1) it allowsadministrators to graphically author policies involvingboth privacy and access control aspects; (2) it allowsfor fine–grained modeling of personal data (stored inrelational databases, LDAP directories, etc.) that aresubjected to privacy policies; (3) it allows for thedeployment of policies and the decision–makingprocess based on these policies; (4) it allows for theenforcement of privacy–related policies when thedata is accessed.

3-20

Identity Managem

ent

HP Labs Privacy Obligation Management SystemAccess control solutions cannot deal with all aspectsof privacy policy enforcement. In particular they arenot designed to handle constraints dictated by pri-vacy obligations, such as duties and expectations ondata deletion, data retention, data transformation,etc. For example, data might need to be deletedafter a predefined period of time, independentlyfrom the fact that this data has ever been accessed.Privacy obligations introduce the need to deal withprivacy–aware information lifecycle management -i.e. ensure that the creation, storage, modificationand deletion of data is driven by privacy criteria.

HP Labs has been working on this area, in particularon the problem of explicitly representing obligations,reasoning on them, enforcing and monitoring them.A main differentiation of the HP Labs work is theclear separation between access control manage-ment and obligation management – without impos-ing a subordinated view of obligations to accesscontrol policies.

HP Labs has defined a privacy obligation manage-ment modeland an Obligation Management System(OMS) to explicitly manage privacy obligations onpersonal data.

The HP Labs OMS provides the following functional-ities: (1) explicit representation of privacy obligationsas reaction rules; (2) scheduling of privacy obliga-tions; (3) enforcement of obligations; (4) monitoringof enforced obligations. Privacy obligations can beautomatically derived from privacy preferences (e.g.requests for deletion or notifications) expressed bypeople or administrators on personal data. Theseobligations are scheduled by the OMS system basedon relevant events. If triggered by these events, OMSenforces privacy obligations, for example by delet-ing data, sending notifications or triggering work-flows. Enforced obligations are monitored for a pre-defined period of time for compliance reasons.

A full working prototype of the HP Labs OMS hasbeen implemented in the context of the EU PRIMEProject (see www.prime-project.eu).

8.4. Identity Lifecycle ManagementIdentity lifecycle management or provisioning solu-tions are similar to SSO solutions in that they oper-ate from the top down; the application manages allof the systems under it. Administrative functions -from the essential add, modify, and delete to themore general maintenance and monitoring - areunder the control of the provisioning system.Provisioning functions can also include non – elec-tronic tasks such as identifying a cubicle, connectinga network port, and acquiring a PC.

With provisioning products, organizations riskimplementing one solution that can potentially clashwith another. Provisioning solutions often incorporateother parts of the identity management framework,such as self – service and password management.

The only mature provisioning – specific standard atthis time is the Service Provisioning MarkupLanguage (SPML). SPML messages facilitate the cre-ation, modification, activation, suspension, enable-ment, and deletion of identity – related data in dif-ferent identity repositories. The Organization for theAdvancement of Structured Information Standards(OASIS) has been working on the SPML specificationsince late 2001. For more information, seewww.oasis–open.org/home/index.php.

HP uses a best-of-breed and customer preferenceapproach for recommending identity lifecycle man-agement and provisioning solutions to customers.

8.5. Federated Identity ManagementFederation enables the trusted interchange ofsecurity-related information between differentautonomous policy domains. Security-related infor-mation includes authentication, authorization, andauditing data. Although federation is generally usedin the context of an inter-enterprise security mecha-nism, it can also be used within an enterprise toprovide tighter integration between loosely coupledecosystems.

Typically, a federation provides a common frame-work for trust - a standard syntax, vocabulary,attribute set, and set of policies and practices for thetrusted interchange of security-related information. Bilateral (federation) agreements between partnersare often required to negotiate the specifics ofaccess, such as which users or systems can accesswhich resources, under what circumstances, andunder what contractual relationships. Access controlalways remains with the owner of the resource. Afederation might also define minimum acceptabletrust levels or authentication mechanisms required forspecific circumstances.

A federation agreement always deals with two enti-ties: an asserting party that generates securityassertions and a relying party that trusts the securityassertion made by the asserting party. There are anumber of federations being formed, supporting avariety of vertical marketplaces, communities ofinterest (financial services, health sciences, researchand education), and geopolitical boundaries (stateand national governments).

HP uses a best-of-breed and customer preferenceapproach for recommending identity federationsolutions to customers.3-21

8.5.1. Federation StandardsA variety of standards, specifications, and protocols relate to federated identity management. Figure 3-5shows the positioning of some of the relevant federated identity management standards. The Liberty Alliancespecifications define the protocol messages, profiles, and processing rules for identity federation and man-agement. They rely heavily on other standards such as SAML and WS-Security. Additionally, the LibertyAlliance has contributed portions of its specification to the technical committee working on SAML. More infor-mation is available from www.projectliberty.org. HP endorses the Liberty Alliance and actively participates inthe creation of its specifications.

SAML is an OASIS specification that provides a set of XML and Simple Object Application Protocol (SOAP)-based services, protocols, and formats for exchanging authentication and authorization information. Moreinformation is available from www.oasisopen.org/committees/tc_home.php?wg_abbrev=security.

WS-Security is another OASIS specification that defines mechanisms implemented in SOAP headers. Thesemechanisms are designed to enhance SOAP messaging by providing a quality of protection through messageintegrity, message confidentiality, and single message authentication. More information is available fromwww.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.

The Web Services protocol specifications (WS-*) are currently in development by Microsoft Corporation andIBM Corporation. They include specifications for WS-Policy, WS-Trust, and WS-Federation.

Other identity management enabling standards are:• Service Provisioning Markup Language (SPML),www.oasisopen.org/committees/tc_home.php?wg_abbrev=provision.• XML Access Control Markup Language (XACML),www.oasisopen.org/committees/tc_home.php?wg_abbrev=xacml.• XML Signature, www.w3.org/Signature.• XML Encryption, www.w3.org/Encryption.

Figure 3-5How the identity federation standards stack up

Oth

er E

nabl

ing

Stan

dard

s

OA

SIS

SAM

L

OA

SIS

WS-

Secu

rity

WS-

*

Spin

-O!s

(e.g

., M

eta

Dat

a Sp

ec)

3-22

Identity Managem

ent

8.6. HP’s National Identity SystemThe HP National Identity System (HP NIS) is apublic-sector identity credentialing solution that pro-vides the component modules required to implementa national-scale enrollment and document issuancesolution. HP NIS supports workflow processes forcitizen enrollment, establishes and maintains a dis-tributed citizen registry system, manages identifica-tion document processes, and incorporates biometricand PKI verification.

8.6.1. Multiple StakeholdersThere are multiple participants in a national ID sys-tem, and each group brings its own requirementsand perspective. A successful credential issuance

system must satisfy the needs of each stakeholder. The three stakeholder classes for HP NIS are:• Customers: National governments or governmentdepartments are the purchasing customers for mostnational ID or passport systems.• Suppliers: A single vendor cannot offer a compre-hensive national ID solution; for example, there arespecialists in passport production, ID card printing,and smart cards that must work together to meetcustomer needs.• Citizens: The ultimate credential holders and usersare citizens who expect their government to providea secure document that is durable, easy-to-use, andinexpensive.

8.6.2. The identity document lifecycleIdentity documents follow a well-defined lifecycle from issuance through end-of-life disposal, as illustrated inFigures 3-6 and 3-7. The lifecycle mirrors the processes in place in the government department that issuesthe document. For example, the lifecycle for a passport document includes document request (applying for apassport), adjudication (determining if a passport should be issued), issuance (printing the passport andencoding data on the chip), and usage (using the passport to cross the border).

Figure 3-6The identity document lifecycle

Document Usage

DocumentVeri!cation & Checking

User Education Support & Help Desk

Registration & Enrollment

Entitlement DocumentPersonalization

DocumentEnd-of-Life & Renewal

Key Generation & Certi!cates

EntitlementDocumentManagement

Secure Document/ Key Issuance & Distribution

Document or Key Revocation

Identity Veri!cation

Central Registry

Issuing O"ces

Certi!cation Authority

Secure Web Services Access

Public Access Points

Checking & Update Points

Entitlement Document Request

Distributed Registries

What is a public-sector identity credential?

A public-sector identity credential is a documentissued by a government or state agency used by acitizen or resident to gain access to state providedservices. Examples of these identity credentialsinclude ID cards, health/welfare entitlement cards,medical information cards, passports, visas anddriver’s licenses.

An identity credential issued by a government isoften considered a secure document and thusrequires security features to reduce the likelihood offraudulent copies being produced, or existing doc-

uments being modified. Furthermore there must be trust in the integrity of the document issuance process so that suitable background checks areperformed before a document is issued. For exam-ple, in countries which issue ID cards to citizensthere is an expectation that one card is issued percitizen and each citizen can hold only one ID card.Machine-readable travel documents include pass-ports (both traditional and ePassports) and mustcomply with international standards for dataencoding and formatting to permit inspection atborder crossing points.

3-23

8.6.3. HP NIS ArchitectureNIS incorporates several high-level core processes consisting of enrollment, validation, registration, issuace,card usage, support, and lifecycle management. The processes begin after properly validating an applicantin accordance with customer policy.

EnrollmentEnrollment typically includes review and authentication of an applicant's official breeder documents, personalinformation, and biometric data. Customer policy dictates the number and types of breeder documents toauthenticate and the nature of the authentication process. Generally, an apparatus electronically screensthese documents to detect document tampering (such as an altered driver’s license with a different photo-graph, signature, or other demographic information). The analysis of several factors easily detects tampering,for example, changes in laminating materials, changes in text density and color, or minute misalignments ofbackground patterns or holograms. Checking documents such as birth certificates with the issuing agency forauthenticity is another common requirement.

Demographic and biometric information may be collected from applicants. Demographic information may beuploaded via optical character recognition technology from paper forms completed by applicants; entered byapplicants at kiosks or workstations located at application processing centers; or entered, in part, from aweb-based interface. Biometric scanning occurs at an application processing station. All information, demo-graphic (from whatever input source) and biometric, is encrypted and transmitted to a secure enrollmentdatabase where it remains in encrypted format. Once the applicant authenticates the demographic informa-tion gathered during the enrollment process, the application document is signed. Signed documents areencrypted and forwarded to the enrollment database.

All information submitted by the applicant is stored exactly as submitted (either text input or scanned docu-ment). Subsequent changes are captured and stored as submitted, and the system maintains a complete his-tory of all data entries. Data management of applications is configurable according to local legislativerequirements. Receipt of the signed application form is the trigger for the next step of validation.

ValidationValidation is an automated process that electronically verifies demographic and biometric information withexisting watch lists and with public records on file in various governmental and targeted public databases.Biographic information, such as fingerprints, are checked against existing national registries and against theNIS database of completed registrants to ensure that an applicant is not registering with an illegal alias toobtain a fraudulent credential. Applicable demographic information, such as birth date, address, and anyother information designated by customer policy, is crosschecked against external databases and registers.During processing, the applications database maintains a historical record of validation processing.

Entitlement Cards Identity Cards Passports Election Management

Drivers Licenses BMD Certi!cates Foreign Residents

Government Information

Arms Licenses

Central Registry

Figure 3-7Central registry

3-24

Identity Managem

ent

When validation is complete, the applicant’s file isconsidered a positive verification, or it is listed as asuspicious record for further examination and adju-dication. Customer policy dictates the reviewprocess; generally, it requires human intervention. Ifdesired by the customer, however, the validationreview can be entirely automated.

RegistrationValidated records are forwarded to the personnelregistry (database), where a complete record of alldata files, including biometrics, are stored andmaintained. Separately, a dedicated biometricdatabase stores biometric data files to provide visualand electronic replication. Records from this data-base help create digital information for the identifi-cation document. The biometric records also authen-ticate online requests for identity verification whencardholders attempt to gain physical or logical entryinto locations and/or systems.

IssuanceIssuance is an automated four-step procedure:

1. Personalization: In this first step the blank docu-ment is printed and digital information is loaded if achip is present on the card. Examples of informationthat may be stored on a chip include applets, cer-tificates, key materials, demographic information,and biometric information for visual or electronicviewing. 2. Quality assurance: The finished document isvisually and electronically checked to ensure that itcomplies with requirements. The visual inspectionprocess is usually automated.3. Issuance: The document is issued to the appli-cant, often requiring an identity check.4. Activation: If the card contains a chip, it must beactivated by the holder before it can be used.

The exact format, appearance, and electrical char-acteristics conform to the standards directed by cus-tomer policy.

PersonalizationDuring personalization, information together withsecurity features are physically printed on the card.The card’s chip is electronically formatted with per-sonalization data, PKI materials if required, certifi-cates if required, and other customer-specified codessuch as PINs and/or personal unlock keys (PUKs). Personalization artifacts physically printed on thecard typically consist of the card holder’s name,picture, signature, and card expiration date. Thesame information is electronically stored on thecard’s chip, together with biometric information suchas face or fingerprints images.

Quality AssuranceCredential quality assurance is an automated pro-cedure to verify that:

• The data printed on the card conforms to the pre-cision and security requirements specified by thecustomer (e.g. all elements are clearly printed).• The data encoded on the chip is correctly encod-ed.

IssuanceDetailed procedures for the handover of an identitycard to a user conform to customer policy. HP NIS isa versatile system designed to support a multitude ofoptions including the use of mailing/courier services,internal document distribution systems, and in-personcard handover.

ActivationActivation of the identity card can occur upon han-dover (if it is performed at a site with a card reader)or upon first use at a site with a card reader.Activation of the card and all subsequent usage isrecorded and maintained in an auditable registryper the customer’s policies and procedures.

Card UsageDuring card usage, a comparison process deter-mines that the credential holder is the persondepicted by the information on the credential docu-ment. Depending upon the level of securityemployed, the comparison process can include:

• A visual comparison of the credential holder’s facewith the photograph on the credential• An automated comparison of live biometric data(for example, from a fingerprint scanner) to biometricdata stored on the credential document• A comparison of live biometric data with a remotebiometric data registry, and an authentication of thePKI materials by a central database

SupportCredential holder support includes both a self-administration component and a help desk compo-nent. The self-administration component lets endusers make limited credential changes, such asmodifying PINs, and changes to non-critical data (asdefined by customer policies). Help desk staff canblock credential use in cases of lost or stolen identitycards and unblock credentials under specific situa-tions.

3-25

Lifecycle ManagementLifecycle management is the most critical element ofHP NIS. Lifecycle management is the all-encompass-ing maintenance and management of every piece ofidentity management information and material,including, but not limited to, blank identity documentsreceived into inventory, collected demographic andbiometric data, accumulated vetting reports and otherancillary information from official sources, activeidentity credential status, revoked or suspended cre-dentials, and auditing reports.

HP NIS lifecycle management consists of six generalprocesses:

• Track and manage all unused security consum-ables, such as blank identity cards, PKI materials,certificates, holograms, and laminates. The inventoryand control function tracks quantities and locations ofthese materials, and it generates reorder notices asappropriate.• Track and manage identity card OS and appletlifecycles, including revision and version control for allinstalled firmware and software, by credential serialnumber.• Manage application forms for all materials submit-ted to NIS during the enrollment of an applicant.Submitted materials are never deleted.• Manage the personnel registry and biometricdatabase where copies of all validated documents,reports, and other data entries are stored, togetherwith biometric data files, respectively. Once entered,items are not deleted from the personnel registry.• Track and manage all issued physical credentials,including a complete audit trail for credentialenabling, use, suspension, query, revocation, reissue,loss, recovery, and compromise of the issued docu-ment.• Track and manage all personalization entries, con-sisting of all initial and updated demographic, bio-metric, PKI materials, and/or certificate entries on theissued credential document.

8.6.4. NIS GovernanceGovernance refers to implementing and enforcing thepolicies that control data encryption, data storage,and access to stored data. NIS is designed to meetor exceed the stringent security standards dictated bygovernments around the world. All sensitive data isencrypted and signed before transmission and whenstored on any permanent or erasable medium.Encryption applies to all data, including data collect-ed and stored during enrollment and data perma-nently stored in the personal and biometric registries.

8.6.5. Confidence in Identity DocumentsFor an identity document to be useful, both the issuerand the validator of the document must have confi-dence in its integrity and authenticity. Documentintegrity applies to the physical document and anyelectronic data encoded on the document’s smart

card chip. Physical security features include securityfoils, laminates, microprinting, and holograms. Thesefeatures allow a visual inspection of the document todetect tampering or forgery. Logical security featuresinclude digital signatures on the chip contents,encrypted sessions between the chip and a readerdevice, and PKI technology to ensure that the elec-tronic data on the chip was issued by a known entity(for example, a country or state).

At the least secure level, an individual seeking entryinto a restricted space surrenders his or her identifi-cation card to an attendant, who verifies that the cardis not altered, that the photograph on the card is thatof the presenter, and that the card has not expired.Once satisfied that identity is verified, the attendantgrants access to a controlled area. This examplechecks only the physical security features of the iden-tity document.

Security is increased when individuals use a cardreader for access. In this example, individuals passtheir card through a reader and enter a PIN to verifythey are the cardholder. The card reader verifies thatthe PIN matches the stored PIN on the card and thatthe card has not expired. If the data matches, indi-viduals gain physical entry into the controlled facilityor electrical access to a computer or network. To fur-ther increase security, an attendant can also checkthe physical security features of the identity document.

Incorporating biometric authentication with the cardreader substantially increases security. Individualsseeking entry into a controlled area or access to acomputer or network must pass their card through areader and enter a PIN for comparison against thestored PIN. Additionally, individuals must submit abiometric sample (such as a fingerprint scan) to com-pare with the digital biometric file stored on the card.Finally, the reader verifies that the card is not expired.If all checks are satisfactory, the individual is grantedphysical entry or logical access. Again, the process ismore secure if an attendant verifies the picture on theID card and checks that the card is not altered.

8.6.6. NIS SummaryHP NIS is a versatile credentialing system, designedand engineered from the ground up to meet the mostdemanding requirements for stringent security, world-wide. It is easily deployed as a modular system, andit efficiently operates from widely dispersed, remotelocations. The system's scalability fits deployment tosmall, large, or global populations with equal ease.Deployment causes minimal impact on day-to-dayactivities and does not require excessive overhead.The ease of scalability means that NIS is capable ofprocessing very large citizenries, including nationalpopulations, in a relatively short time span.

3-26

Identity Managem

ent

9. Successfully ApproachingIdentity ManagementIdentity management employs a consolidated viewof an "identity" across the enterprise, includingidentity information and attributes aspects, authenti-cation aspects and privilege and entitlement aspectsaffecting people, processes and technology.Because of the scope and enterprise-wide reach ofidentity management, starting in the humanresources organization, over to the business, internaland external audit and compliance and securityorganizations, to IT and helpdesk, identity manage-ment programs need to be set up and justified cor-rectly in order to become successful. Identity man-agement will then become an integral strategy of theenterprise iterating through defined and plannedcycles of improvements.

9.1. Review and Envision PhaseA critical success factor of identity management ini-tiatives is to move early toward a value consensusshared across all organizations that will be impactedin your identity management initiative. Shared valueconsensus will be a key to motivating separate inter-ests to work together toward a common cause.We help enterprises determining the readiness tolaunch improvement initiatives. Using the BusinessReadiness service for identity management, HPServices supports enterprises define targeted busi-ness capabilities and postulate impact of thosecapabilities to the organization.

Utilizing the experience from identity managementprograms in other organizations, business impact isseen key to the program and can be categorizedinto the following areas:

Regulation conformance: Enterprises that need toconform to regulations such Sarbanes-Oxley, Basel IIor other industry specific regulations are often chal-lenged with optimizing the regular auditing processfor compliancy to required security controls.

Security: Enterprise security risk and business impactanalysis results in risk mitigation strategies often inthe area of inadequate account and permissionmanagement with lifecycle events of job and rolechanges and terminations.

Data quality: Due to the fast growth of applicationsand identity systems and repositories, companieshave been struggling in setting up the right lifecycleprocess resulting in inconsistencies in profile andentitlement data.

Agility and productivity and user convenience:Identity lifecycle processes such as user onboarding,role change and termination can be complexprocesses with many people and organizationsinvolved. Enterprises with high dynamics with the

work force or the customer base look at automationto respond to changes quicker.

Cost Reduction: Enterprises looking at return ofinvestment calculations reviewing spending in manyareas such as the helpdesk performing manual pro-visioning and password management, user man-agement efforts within business applications or theconsolidation of point identity management solu-tions.

9.2. Definition PhaseDeveloping an overarching strategy represents a keysuccess factor for the identity management initiative.HP Services provides the Discovery and Frameworkservice to help enterprises organize this initiative,achieving a common understanding of the currentsituation and providing the strategic alignmentthroughout the organization of the desired state,including a roadmap of how and when to get there. Utilizing individual workshops with various parts ofthe organization supports the discovery of the currentstate from all angels including major painpointsexisting throughout the organization.

To achieve enterprise value, the ultimate scope mustdeliver benefits meaningful across the constituencies,however, a broad scope can create what mayappear initially to be an insurmountable projectchallenge. To overcome this, the prioritization andevaluation of major pain points including the align-ment of corporate and IT architecture strategy is theenablement for the development of not only a high-level architecture but also the partitioning andsequence of the ultimate scope into an implementa-tion roadmap of manageable projects in whichprogress can be measure and goals can be adjustedas necessary.

9.3. Design and Implementation PhaseOnce the scope and project has been clearlydefined for the particular cycle of improvement, thedetailed functional, technical and implementationrequirements will be discovered and aligned to theoriginating business requirements.

The resulting design must comprehend not only toolsand technologies but also lifecycle processes andorganizational responsibilities and agreements.

The implementation must factor in the best practicesfor the technology, process and organizationalimpact. HP Services utilizes its 10-step implementa-tion methodology for identity management deploy-ments to ensure successful deployments.

3-27

9.4. Identity Management Success FactorsIn addition to the many success factors that are spe-cific to the program phases, HP has developed overallkey success factors for enterprises’ identity manage-ment initiatives:

Manageable Project Phases: Because of the globalreach of identity management, the amount of func-tional and technical requirements an identity man-agement initiative is challenged with can be large.Therefore identity management programs must ensurethat business value is returned to the organization in atimely manner, while not trying to attempt to solve toomany issues at the same time. This includes the cleardefinition of: • Scope• Realistic timelines• Demonstrable benefits

Governance: Operationalizing identity managementprograms require the establishment of strategy align-ment and definition of responsibilities throughout theorganization. This includes:• Steering committee to prioritize efforts and resolveconflicts• Accountability from all program participants• Continuous communication and loopback to busi-ness stakeholders

Experience: Identity management programs requireextensive experience in a lot of very different areas,covering:• Business processes• Legal and regulatory implications• Technology• Operations

10. HP Identity ManagementServicesBased on the principles that were outlined in the section on "Successfully Approaching Identity Management" above, HP Services provides thefollowing end-to-end service offerings for identitymanagement (the offerings are summarized in Figure3-8):

Business Readiness WorkshopThis service analyzes and assesses the true businessvalue that an identity management solution couldhave for your organization. By taking a high-levelview of your current business objectives, internalprocesses and IT infrastructure, you’ll be able to pin-point where identity management might have thegreatest financial impact for your organization; someof the key areas to target for improvement; and themost effective long-term strategy. Focal areas includeregulation conformance, security, data quality, agilityand productivity and cost reduction.

Identity Management Discovery andFramework ServiceThis service follows a proven methodology to lay thefoundation for effective change of your identity man-agement processes and IT environment. Working withyou, we gather information, establish guiding designprinciples, help express business value, outline theidentity management vision architecture and developa roadmap for improvement phases.

Discovery &Framework

Discovery

Design

Planning

Define

User Provisioning

Federation

Access Management

Directory Integration

Review & Envision

Manage & Support

Implement

Design & Plan

ReadinessWorkshop

Build

Testing

Pilot

Deployment

Assurance

Figure 3-8HP identity management services

"Building a flexibleand responsive

identitymanagement

foundation requiresan investment of

time, money,energy, and

resources, but it canhelp enterprises

gain anadvantage over

their competition."-The Burton Group,

“Building theBusiness Case for

identity managementInvestment”,

v2, January 3,2006

3-28

Identity Managem

ent

Design and Planning ServicesAligning with your architecture vision and roadmap, we develop detailed business, functional and technicalrequirements that will be transformed into the detailed design for the identity management solution, coveringthe functional solution areas of User Provisioning, Directory Integration, Auditing and Reporting and/orAccess Management and Federation.

Identity Management Implementation ServicesUsing a proven HP methodology, our experienced consultants review, detail, and finalize your identity man-agement implementation plan; conduct a production pilot; train and equip your deployment staff; fully exe-cute the plan by deploying all solution components; conduct acceptance testing; and orient your operationsstaff for transition to production.

11. Identity Management SummaryIdentity management is the ability to identify every user, application, or device across organizations and toprovide flexible authentication, access control, and auditing while respecting privacy and regulatory con-trols. Delivered via a set of processes and tools for creating, maintaining, and terminating a digital identity,these tools allow administrators to manage large populations of users, applications, and systems quicklyand easily. They allow selective assignment of roles and privileges, making it easier to comply with regula-tory controls and contribute to privacy-sensitive access controls.

For HP, identity management is centered on the pervasiveness of identity management technologies andsolutions:

• Identity management is about the management of user, application, and device identities.• Identity management is about the management of identities in different contexts: enterprises, SMBs, con-sumers, and the public sector.• Identity management deals with the management of the entire lifecycle of identities and their attributes.

HP considers privacy management, identity services, business-driven identity management, identity-capableplatforms, and device-based identity management as important emerging identity management fields andhas invested in specific research in these different areas that is driven from HP Labs. As an example of anend-to-end identity management system, the HP National Identity Solution provides governments with ahigh-performance, extremely secure, and extremely reliable credentialing solution. Similarly, HP can providefully integrated end-to-end identity management solutions to meet any enterprise or public sector need.

Table 3-5HP identity management solution offering summary

IDM Component Solution URL

Strong User and Device Authentication Embedded Security for HP ProtectToolsSmart Card Security for HP ProtectTools

www.hp.com/go/notebookswww.hp.com/go/desktops

SSO Credential Manager for HP ProtectTools www.hp.com/go/notebookswww.hp.com/go/desktops

AAA & Identity Repositories HP-UX 11i Identity Management Solutions www.hp.com/go/hpux11isecurity

Identity Management Services IDM Consulting and IntegrationIDM Managed Services

www.hp.com/go/securityClick HP security services link

Government National Identity Solution (NIS) http://government.hp.com

3-29