User-Centric
Identity Management
New Trends in Standardization and Regulation
Emerging Standards

Pete Bramhall, Hewlett-Packard Laboratories
Marit Hansen, Independent Centre for Privacy Protection
Kai Rannenberg, Goethe University Frankfurt
Thomas Roessler, Worldwide Web Consortium

84 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE SECURITY & PRIVACY

In offering services to individuals, enterprises often deal with a lot of personal information, the improper handling of which creates security risks for both the enterprises and individuals concerned. Authentication procedures usually assume specific behavior on the part of individuals, and this perception becomes a critical part of an enterprise’s security mechanism. Identity management systems are touted as a solution, but even though users and enterprises are stakeholders in the broader conversation about identity management, their interests aren’t necessarily aligned: who’s in control, and whose interests will prevail in case of conflict? The European Commission-funded Privacy and Identity Management for Europe project (Prime; www.prime-project.eu) proposes a solution driven by the EU Privacy Directive (95/46/EC; http://ec.europa.eu/justice_home/fsj/privacy/law/), which puts the user in control wherever possible. This article focuses on that project and how it interacts with standardization initiatives and international organizations.

Corporate access management

Enterprises must be efficient in identifying and addressing users and customers—for instance, managing access control policies might, at least in theory, require a competent point within the enterprise to determine which user has access to which assets under specific conditions. In practice, employees often have a plethora of legacy identifiers and access rights, making it difficult to know and manage who has authorization to do what. Establishing an efficient framework for corporate access management with reliable accountability isn’t trivial.

Single sign-on

Single-sign-on systems are popular tools for addressing identity needs: they attempt to unify all accounts and access rights into one system per enterprise against which users can authenticate themselves. The enterprise then uses this association to make authorization decisions about access to resources such as computers, customer databases, or printers.

Yet, account and access unification can be a double-edged sword for users and service providers. Although users typically like the added convenience of single-sign-on systems, as the number of applications in their daily lives increases, so too does the risk of data misuse: the more you access your sensitive information with one identifier, the higher the risk you’ll fall victim to identity fraud.

Similar considerations apply to service providers. It might seem useful for a citizen to have an account with the Internal Revenue Service to deal with an annual tax declaration online or to link it with information about medical service costs, but a unification of all the data and profiles stored by the tax office, the hospital, and the health insurance provider would require close management. Ideally, users should have control over their identity information as it’s collected and stored. Additionally, users should be able to know and restrict who might use the data, and for what purposes.

Identity management

Vendors often tout “identity management” as an answer to both enterprise and user needs. Identity management systems come in a variety of flavors—the term comprises several technologies (together with organizational processes) used to manage entities’ attributes, including authorizations, authentication data, and accounting information, possibly complemented with policy information. So-called user-centric identity management systems, which focus on the users’ rather than the service providers’ perspective, have increasingly come forward in the past few years. This approach lets users choose, for example, what personal data to disclose under various conditions, and which credentials to present in response to authentication or attribute requests. As the Higgins (www.eclipse.org/higgins), CardSpace (http://cardspace.netfx3.com), and Liberty Alliance (www.projectliberty.org) systems illustrate, user-centric identity models are usually combined with federated identity management paradigms rather than purely centralized approaches.

Given that those centralized systems usually let the identity provider monitor all activities, this privacy-invasive approach is less suitable for user-centric models in which the user can decide in each specific situation what to reveal and who to trust. The flipside of users’ offering data only under conditions is the requirement that enterprises connect their databases and business processes to privacy policies and accountability systems. Today’s policy languages and identity systems only partially serve this requirement, and new research challenges continue to arise as data and policies are aggregated across different domains.

Privacy and identity management à la Prime

User-centric identity management is also a key idea in the Prime project, which began in 2004 with 20 partners from industry, academia, and a data protection authority. Prime aims to develop a working prototype of an identity management system that lets users maintain control of their own private spheres. It implements the data-minimization principle as far as possible—by using private credentials that offer anonymous, yet accountable, interaction, for example. The project has developed an architecture for privacy-enhancing identity management that integrates state-of-the-art mechanisms, including privacy policies, ontologies, privacy-enhancing access control policy languages, private credentials, anonymous communication, assurance, seals, and audits. Prime tools can enhance various application scenarios, including Web browsing, aviation passenger processes, location-based services, and collaborative e-learning.

Interaction with standardization bodies

When Prime began, work toward the development and standardization of specifications relevant to identity management was under way in various forums, including the Liberty Alliance’s specifications for federated identity management, the Organization for the Advancement of Structured Information Standards’ (Oasis; www.oasis-open.org) specifications such as the Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML), and various Web services specifications. The World Wide Web Consortium’s Platform for Privacy Preferences (P3P) also introduced a vocabulary to express services’ privacy policies in a machine-readable way.

Since then, additional efforts relevant to identity management standardization have commenced. Prime partners monitor ongoing work and adopt its results where appropriate; the goal is to then feed results back into standardization initiatives. The Prime project organized open workshops on standardization in user-centric identity management in 2006 and 2007. Participants active in efforts at the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), International Telecommunication Union (ITU), and W3C attended these workshops. The perspective of Prime—striving for maximum privacy in realistic scenarios—is valuable for designing acceptable and legally compliant standards, infrastructures, and products. These, in turn, would offer the landscape in which Prime’s identity management could come into full effect.1

ISO/IEC efforts

In May 2006, Subcommittee 27 (which works on IT security techniques; www.jtc1sc27.din.de) of the ISO/IEC Joint Technical Committee on Information Technology (JTC 1) established Working Group 5 to focus on identity management and privacy technologies. In its Working Draft 24760, WG 5 defines identity management as “an integrated concept of processes, policies, and technologies that enables authoritative sources to accurately identify entities, and authoritative sources, as well as individual entities to facilitate and control the use of identity information in their respective relations.” Four of WG 5’s active projects are especially relevant here:

• A framework for identity management (WD 24760) addresses the secure management of identity information, letting individuals and organizations protect privacy and control access to information, regardless of the nature of the activities in which they’re involved.
• Authentication assurance (New Project [NP] 29115) aims to improve and enhance trust and confidence in authentication by providing objective, vendor-neutral guidelines for authentication assurance.
• A privacy framework (WD 29100) aims to provide mechanisms for defining privacy-safeguarding requirements related to personally identifiable information processed by any information and communi-
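The user-centric, data-minimizing behavior described in the Identity management and Prime sections (the user decides, per service purpose, which attributes leave the client and whether a derived claim such as "over 18" is released instead of the raw value) can be sketched in code. This is an added illustration, not code from the Prime project or any of the systems named; the profile, the purpose names, and the policy format are constructed assumptions.

```python
from datetime import date

# Constructed sample profile held on the user's side (not real data).
PROFILE = {
    "name": "Alice Example",
    "birthdate": "1985-04-12",
    "email": "alice@example.org",
    "postcode": "24103",
}

# Hypothetical user disclosure policy keyed by the service's stated purpose:
# "release" lists attributes that may go out verbatim, "derive" maps an
# attribute to the only claim the user is willing to reveal about it.
POLICY = {
    "age-verification": {"release": set(), "derive": {"birthdate": "over_18"}},
    "shipping": {"release": {"name", "postcode"}, "derive": {}},
}

def over_18(birthdate_iso, today_iso):
    """Derived claim: True if the person is at least 18 on today_iso."""
    b, t = date.fromisoformat(birthdate_iso), date.fromisoformat(today_iso)
    age = t.year - b.year - ((t.month, t.day) < (b.month, b.day))
    return age >= 18

DERIVATIONS = {"over_18": over_18}

def respond(request, today_iso, profile=PROFILE, policy=POLICY, log=None):
    """Answer an attribute request with the minimum the user's policy allows.
    request = {"service": str, "purpose": str, "attributes": [str]}
    Returns (claims, refused); `log` (a list) records what left the user's side."""
    rule = policy.get(request["purpose"])
    claims, refused = {}, []
    for attr in request["attributes"]:
        if rule is None or attr not in profile:
            refused.append(attr)          # unknown purpose or attribute: never guess
        elif attr in rule["release"]:
            claims[attr] = profile[attr]  # policy allows the raw value for this purpose
        elif attr in rule["derive"]:
            claim = rule["derive"][attr]  # reveal only the derived predicate
            claims[claim] = DERIVATIONS[claim](profile[attr], today_iso)
        else:
            refused.append(attr)          # policy is silent: default to withholding
    if log is not None:
        log.append((request["service"], request["purpose"], sorted(claims), refused))
    return claims, refused
```

The log is the user-side counterpart of the accountability systems the article asks enterprises to connect to: it shows which claims were released to whom, and for what purpose.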
the national-level legislation that’s been enacted.

In the Asia-Pacific Economic Cooperation (APEC) organization, work is under way to formulate a common approach to privacy regulation. Given the different histories, priorities, philosophies, and customs of the nations within APEC, the organization’s approach is based not on the notion of rights but on minimizing the probability and impact of actual harm to individuals. In China, for example, the government is considering a privacy-related law in response to the concerns of its rapidly growing consumer class.

Within the US, pressure from consumer advocacy groups and some forward-thinking businesses is building for Congress to enact an enhanced federal privacy law. The resulting legislation might also be based on the principle of minimizing harm. To come full circle, there is some support in Europe for a review of the EU’s Privacy Directive. Although no plans currently exist to amend it, this support could ultimately lead to a change from a rights-based to a harm-avoidance approach for European privacy law, as well.

For harm-avoidance to drive a significant increase in the use of privacy-enhancing technologies such as user-centric identity management systems, the incentives for organizations to adopt them to meet regulatory data-minimization requirements would need to be based on very severe penalties for harms caused by inadequate safeguarding of personal data and its use. In addition to a legal baseline supporting users’ privacy, reliable reputation systems on companies—for example, privacy seals certifying privacy-compliant procedures—and transparency for consumers about enterprises’ misconduct are needed to help users make well-informed choices regarding how and with whom they deal.

Prime’s comprehensive approach to research into and development of requirements, architectures, and technologies for user-centric identity management, to enhance privacy for individual participants in the digital economy, provides a valuable first step toward meeting the needs of the diverse set of stakeholders in this space. The project is disseminating its outputs (software, design knowledge, tutorials, and socio-economic analysis) in a wide variety of industrial, public policy, standardization and academic fora to catalyze further refinement and adoption.

References

1. Privacy and Identity Management for Europe—Prime White Paper, version 2.0, R. Leenes, J. Schallaböck and M. Hansen, eds., white paper, June 2007; www.prime-project.eu/prime_products/whitepaper/.
2. L. Srivastava et al., Digital.life, ITU Internet Report 2006, tech. report, Int’l Telecommunication Union, 2006; www.itu.int/osg/spu/publications/digitalife/.
3. T. Roessler, “W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement,” workshop report, Oct. 2006; www.w3.org/2006/07/privacy-ws/report.

Pete Bramhall is a senior project manager at Hewlett-Packard Laboratories in Bristol, England. His team’s research interests include user and enterprise aspects of managing privacy, identity, reputation and trust. Bramhall has an MSc in computer science from the University of Manchester, England. Contact him at pete.bramhall@hp.com.

Marit Hansen is head of the Privacy-Enhancing Technology (PET) department at the Independent Centre for Privacy Protection. Her research interests include identity management, anonymity, pseudonymity, transparency, and user empowerment. Hansen has a Diplom in computer science from the University of Kiel, Germany. She is a member of the ACM and Gesellschaft für Informatik where she serves as chair of the Special Interest Group on PETs. Contact her at marit.hansen@acm.org.

Kai Rannenberg is a professor of mobile business and multilateral security at Goethe University. His research interests include mobile applications and multilateral security, privacy and identity management, communication infrastructures and devices, and IT security evaluation and certification. Rannenberg has a PhD in business informatics and economics from Albert-Ludwigs-Universität. He serves as convener of ISO/IEC JTC 1 SC 27/WG 5 and as chair of the International Federation for Information Processing’s Technical Committee 11 (Security & Protection in Information Processing Systems). Contact him at kai.rannenberg@m-chair.net.

Thomas Roessler is security activity lead at the W3C. His work covers areas including security usability, digital signature standards, and policy languages. Roessler has a Diplom in mathematics from Bonn University, Germany. Contact him at tlr@w3.org.