Identities An introduction What is an Identity ISOIEC

  • Slides: 38
Download presentation
Identities An introduction

Identities An introduction

What is an Identity? ISO/IEC 24760 -1 defines it as “a set of attributes

What is an Identity? ISO/IEC 24760 -1 defines it as “a set of attributes related to an entity”

But then. . . what’s an Entity ? • entity (n): a thing with

But then. . . what’s an Entity ? • entity (n): a thing with distinct and independent existence • We have lots of different types of entities in the identity space…

Name Email Address Gender Birth Date Phone Number Password

Name Email Address Gender Birth Date Phone Number Password

Image source: https: //en. wikipedia. org/wiki/Identity_management

Image source: https: //en. wikipedia. org/wiki/Identity_management

What makes up a digital identity? In other words…. what do you already know

What makes up a digital identity? In other words…. what do you already know about your users ?

Sources of Identity - Students • Student number / identifier • Name • Email

Sources of Identity - Students • Student number / identifier • Name • Email address • Qualifications • Course registration • Marks, exam results • Password • ….

Sources of Identity - Staff • Employee number /identifier • Name, address, phone number

Sources of Identity - Staff • Employee number /identifier • Name, address, phone number • Contract status • Password • Email address • Faculty, department, division • Committee membership • …

Sources of Identity – Researchers • Current research • Grants • Publications, research output?

Sources of Identity – Researchers • Current research • Grants • Publications, research output? • …

Where do we get Identity attributes ?

Where do we get Identity attributes ?

Registrar Information Technology Library Human Resources Research Office

Registrar Information Technology Library Human Resources Research Office

Systems that use Identity where does identity live in your institution?

Systems that use Identity where does identity live in your institution?

• Active Directory • Student records • Human resources/employee management • Payroll •

• Active Directory • Student records • Human resources/employee management • Payroll • Current research information system (CRIS) • Grant management system • Institutional repositories • Alumni relations • …

Active Directory Student Records Institutional Repository Employee Management Payroll CRIS

Active Directory Student Records Institutional Repository Employee Management Payroll CRIS

Image source: https: //en. wikipedia. org/wiki/Identity_management

Image source: https: //en. wikipedia. org/wiki/Identity_management

Person Identifiers

Person Identifiers

Privacy Implications ? • Username • National ID • Passport number • Student number

Privacy Implications ? • Username • National ID • Passport number • Student number • Employee/staff number • Email address? • ORCID i. D • GUID Do we agree on formatting ? When/How do these attributes change? Can there be duplication ?

What makes a good identifier?

What makes a good identifier?

• Persistent vs transient • Transferable / reassignment • Unique • Pseudo-anonymous •

• Persistent vs transient • Transferable / reassignment • Unique • Pseudo-anonymous • Opaque • Pseudonym • Targeted

• Should be generated • Must be opaque and uni-directional • e. g.

• Should be generated • Must be opaque and uni-directional • e. g. a SHA-256 hash • Think about making them targeted

Open Researcher and Contributor Identifier https: //orcid. org/0000 -0003 -2845 -6969 Persistent, opaque Institutionally

Open Researcher and Contributor Identifier https: //orcid. org/0000 -0003 -2845 -6969 Persistent, opaque Institutionally independent Like a Digital Object identifier (DOI) for people

Identity Management “enables the right individuals to access the right resources, at the right

Identity Management “enables the right individuals to access the right resources, at the right time, for the right reasons” (Wikipedia)

What do we need to get here ?

What do we need to get here ?

Image Source: http: //cwsolutions. ca/cws 2/wp-content/uploads/2014/02/RH 5 DQJK. png

Image Source: http: //cwsolutions. ca/cws 2/wp-content/uploads/2014/02/RH 5 DQJK. png

• If you haven’t already done so, conduct an institution-wide audit of identity

• If you haven’t already done so, conduct an institution-wide audit of identity to determine who has what attributes • Determine the authority for each attribute, e. g: • • Email address -> IT department Student numbers -> Registrar Student name -> Registrar Staff name -> Human resources • Determine consumers for each attribute • Determine what constraints exist for each attribute: • Name field is 100 chars at authority, but CRIS system only accepts 80 chars

• You probably already have some processes to share information between departments, but:

• You probably already have some processes to share information between departments, but: • Make sure these are aligned with the audit results (right authority) • Use common language and descriptions (what do we mean by given. Name? ) • Start aligning the constraints (if smallest name field is 80 chars and this cannot be changed, use 80 char names) • Introduce update processes to ensure identities remain in sync (all consumers are told when a change happens at the authority)

• You need institutional buy-in – can be hard to get • Take

• You need institutional buy-in – can be hard to get • Take small steps, easy wins • but do not lose sight of the big picture • These interim steps do not need to depend on technology

What are the small steps?

What are the small steps?

7 Laws of Identity

7 Laws of Identity

1) User Control and Consent • Technical identity systems must only reveal information identifying

1) User Control and Consent • Technical identity systems must only reveal information identifying a user with the user’s consent Required by law (Data Protection and Privacy Bill in Uganda; GDPR)

2) Minimal Disclosure for a Constrained Use • The solution which discloses the least

2) Minimal Disclosure for a Constrained Use • The solution which discloses the least amount of identifying information and best limits use is the most stable long term solution. Required by law (Data Protection and Privacy Bill in Uganda; GDPR)

3) Justifiable Parties • Digital identity systems must be designed so the disclosure of

3) Justifiable Parties • Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. Required by law (Data Protection and Privacy Bill in Uganda; GDPR)

4) Directed Identity • A universal identity system must support both “omni-directional” identifiers for

4) Directed Identity • A universal identity system must support both “omni-directional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

5) Pluralism of Operators and Technologies • A universal identity system must channel and

5) Pluralism of Operators and Technologies • A universal identity system must channel and enable the interworking of multiple identity technologies run by multiple identity providers.

6) Human Integration • The universal identity metasystem must define the human user to

6) Human Integration • The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.

7) Consistent Experience Across Contexts • The unifying identity metasystem must guarantee its users

7) Consistent Experience Across Contexts • The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. • RA 21: Resource Access for the 21 st Century