Speaker: Hellmuth Broda from Sun
I found this session pretty hard to blog. It ranged quite widely around the challenges of identity management, but I’m not sure it came to very firm conclusions. Without the slides (lots of diagrams), it’s difficult to capture some of the stuff, and Hellmuth also used his actual driving license to demonstrates some aspects of identity management – which I can’t get down here!
The original post rambled a bit too much, so I’ve removed most of it, and tried to just bring out some key things that stuck:
- Problems with managing identity is not a problem unique to computing – each card we carry in our wallets represents an indentity. However, we perhaps face new (larger?) problem.
- A typical ‘intensive’ IT user has 21 passwords (presumably actually username/password pairs?), and 49% write their passwords down or store in a file on their PC!
- Hellmuth suggests that in the future, we start to see firewalls (limiting on location) going away, and identity becomes a ‘distributed firewall’. It’s a nice point, but slightly idealistic. We protect data by both location (firewalls) and identity (login) – not one or the other. Also, managing by location is practical, and sometimes desirable – for some applications IP authentication seems both sufficient and works well – it’s easy.
- The biggest issues around identity management are privacy and trust. Specifically data is prone ‘purpose creep’ – people often are happy for data to be used in a specific context, and only feel privacy has been compromised when the same data is used in a completely different context.
Identity Management is becoming more important in the HE sector because of:
- More stringent regulations
- Complex identity requirements (and rapidly changing user roles)
- Enormous scale
- Working across groups/organisations
- Cost of changing passwords/identities
Stages of Implementing Identity Management are:
- Stage 1 – every application for itself
- Stage 2 – central authentication services – enables web initial sign-on for participating applications
- Stage 3 – full indentity management
(I guess we at RHUL are currently somewhere between Stage 1 and Stage 2)
- You have to ‘think female’ to do identity management properly. The ‘male’ way tends to be One Big Database (seems like this should become an IT acronym – as in “I thought we’d do OBD”, or “Using the OBD model we will…”). Female way is to look at much more distributed approach.
Location can be a cipher for identity – you know who someone is, because they can access a specific computer. We limit access to systems by asking ‘where are you requesting this from’ rather than necessarily ‘who are you’ (although sometimes both)
Finally, Hellmuth talked about Federation (the female approach) to identity management, and mentioned two key Federation initiatives:
(We (RHUL) have started with Shibboleth as part of Shibboleap – http://www.angel.ac.uk/ShibboLEAP/)
Sun is a Shib partner, and will support it via SAML 2.0 (due later this year – probably Q2), and they are currently testing Access Manager with a Beta version of SAML 2.0. However, happy to work with customers on Shib connectors before this date.