Emerging Standards
Editors: Rick Kuhn, [email protected]; Susan Landau, [email protected]; Ramaswamy Chandramouli, [email protected]

User-Centric Identity Management: New Trends in Standardization and Regulation

Pete Bramhall, Hewlett-Packard Laboratories
Marit Hansen, Independent Centre for Privacy Protection
Kai Rannenberg, Goethe University Frankfurt
Thomas Roessler, World Wide Web Consortium

In offering services to individuals, enterprises often deal with a lot of personal information, the improper handling of which creates security risks for both the enterprises and the individuals concerned. Authentication procedures usually assume specific behavior on the part of individuals, and this assumption becomes a critical part of an enterprise’s security mechanism. Identity management systems are touted as a solution, but even though users and enterprises are stakeholders in the broader conversation about identity management, their interests aren’t necessarily aligned: who’s in control, and whose interests will prevail in case of conflict? The European Commission-funded Privacy and Identity Management for Europe project (Prime; www.prime-project.eu) proposes a solution driven by the EU Privacy Directive (95/46/EC; http://ec.europa.eu/justice_home/fsj/privacy/law/), which puts the user in control wherever possible. This article focuses on that project and how it interacts with standardization initiatives and international organizations.
Corporate access management
Enterprises must be efficient in identifying and addressing users and customers. For instance, managing access control policies might, at least in theory, require a competent point within the enterprise to determine which user has access to which assets under specific conditions. In practice, employees often have a plethora of legacy identifiers and access rights, making it difficult to know and manage who has authorization to do what. Establishing an efficient framework for corporate access management with reliable accountability isn’t trivial.

Single sign-on
Single-sign-on systems are popular tools for addressing identity needs: they attempt to unify all accounts and access rights into one system per enterprise against which users can authenticate themselves. The enterprise then uses this association to make authorization decisions about access to resources such as computers, customer databases, or printers. Yet account and access unification can be a double-edged sword for users and service providers. Although users typically like the added convenience of single-sign-on systems, as the number of applications in their daily lives increases, so too does the risk of data misuse: the more you access your sensitive information with one identifier, the higher the risk you’ll fall victim to identity fraud. Similar considerations apply to service providers. It might seem useful for a citizen to have an account with the Internal Revenue Service to deal with an annual tax declaration online or to link it with information about medical service costs, but a unification of all the data and profiles stored by the tax office, the hospital, and the health insurance provider would require close management. Ideally, users should have control over their identity information as it’s collected and stored. Additionally, users should be able to know and restrict who might use the data, and for what purposes.

Identity management
Vendors often tout “identity management” as an answer to both enterprise and user needs. Identity management systems come in a variety of flavors—the term comprises several technologies (together with organizational processes) used to manage entities’ attributes, including authorizations, authentication data, and accounting information, possibly complemented with policy information. So-called user-centric identity management systems, which focus on the users’ rather than the service providers’ perspective, have increasingly come forward in the past few years. This approach lets users choose, for example, what personal data to disclose under various conditions, and which credentials to present in response to authentication or attribute requests. As the Higgins (www.eclipse.org/higgins), CardSpace (http://cardspace.netfx3.com), and Liberty Alliance (www.projectliberty.org) systems illustrate, user-centric identity models are usually combined with federated identity management paradigms rather than purely centralized approaches. Given that those centralized systems usually let the identity provider monitor all activities, this privacy-invasive approach is less suitable for user-centric models in which the user can decide in each specific situation what to reveal and whom to trust. The flipside of users’ offering data only under conditions is the requirement that enterprises connect their databases and business processes to privacy policies and accountability systems. Today’s policy languages and identity systems only partially serve this requirement, and new research challenges continue to arise as data and policies are aggregated across different domains.

84 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/07/$25.00 © 2007 IEEE ■ IEEE SECURITY & PRIVACY
Privacy and identity management à la Prime
User-centric identity management is also a key idea in the Prime project, which began in 2004 with 20 partners from industry, academia, and a data protection authority. Prime aims to develop a working prototype of an identity management system that lets users maintain control of their own private spheres. It implements the data-minimization principle as far as possible—by using private credentials that offer anonymous, yet accountable, interaction, for example. The project has developed an architecture for privacy-enhancing identity management that integrates state-of-the-art mechanisms, including privacy policies, ontologies, privacy-enhancing access control policy languages, private credentials, anonymous communication, assurance, seals, and audits. Prime tools can enhance various application scenarios, including Web browsing, aviation passenger processes, location-based services, and collaborative e-learning.
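To make concrete the user-centric model described in the Identity management section and the data-minimization principle Prime builds on, here is an added example in Python. It is constructed for this page and is not code from the Prime project or from Higgins, CardSpace, or Liberty Alliance. The profile, the policy, the purpose names, the relying-party names, and the derived-claim table (an over-18 claim instead of a birthdate, a postal area instead of a postal code) are all hypothetical. The user agent decides per request which attributes go out raw, which are replaced by a derived claim that is sufficient for the declared purpose, and which are withheld; withholding is the default.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample profile (not real data); held on the user's side.
USER_ATTRIBUTES = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "birthdate": date(1985, 4, 12),
    "postal_code": "24103",
}


def age_on(birthdate, today):
    """Whole years between birthdate and today."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


# Data minimization: instead of the raw attribute, the user can answer with a
# derived claim that is sufficient for the stated purpose. Hypothetical table:
# attribute -> (claim name, function producing the claim from the raw value).
DERIVED_CLAIMS = {
    "birthdate": ("over_18", lambda value, today: age_on(value, today) >= 18),
    "postal_code": ("postal_area", lambda value, today: value[:2]),
}


@dataclass(frozen=True)
class AttributeRequest:
    relying_party: str
    attributes: tuple   # attribute names the service asks for
    purpose: str        # purpose the service declares for the data


@dataclass
class DisclosurePolicy:
    release_raw: dict       # attribute -> purposes allowing the raw value
    release_derived: dict   # attribute -> purposes allowing a derived claim
    blocked_parties: set    # relying parties the user refuses to deal with


def decide_disclosure(request, policy, profile=USER_ATTRIBUTES, today=None):
    """Return what the user agent releases for this request and what it withholds.

    The decision is made per request: the same attribute may be released raw
    for one purpose, as a derived claim for another, and withheld otherwise.
    """
    today = today or date.today()
    released, withheld = {}, []
    if request.relying_party in policy.blocked_parties:
        return {"released": released, "withheld": list(request.attributes)}
    for attr in request.attributes:
        if attr not in profile:
            withheld.append(attr)              # nothing to release
        elif request.purpose in policy.release_raw.get(attr, set()):
            released[attr] = profile[attr]     # user permits the raw value
        elif (request.purpose in policy.release_derived.get(attr, set())
              and attr in DERIVED_CLAIMS):
            claim, derive = DERIVED_CLAIMS[attr]
            released[claim] = derive(profile[attr], today)
        else:
            withheld.append(attr)              # default: do not disclose
    return {"released": released, "withheld": withheld}


# Constructed policy: a shop may verify age but never sees the birthdate, and
# contact data is released only for fulfilling an order.
EXAMPLE_POLICY = DisclosurePolicy(
    release_raw={"name": {"order_fulfilment"}, "email": {"order_fulfilment"}},
    release_derived={"birthdate": {"age_verification"},
                     "postal_code": {"shipping_estimate"}},
    blocked_parties={"tracker.example"},
)


def age_check_request():
    """The shop asks for more than it needs; only the over-18 claim goes out."""
    req = AttributeRequest("shop.example", ("name", "email", "birthdate"),
                           "age_verification")
    return decide_disclosure(req, EXAMPLE_POLICY, today=date(2007, 7, 1))


def blocked_party_request():
    """A blocked relying party receives nothing, whatever it asks for."""
    req = AttributeRequest("tracker.example", ("email",), "order_fulfilment")
    return decide_disclosure(req, EXAMPLE_POLICY, today=date(2007, 7, 1))


if __name__ == "__main__":
    print(age_check_request())
    print(blocked_party_request())
```

The decision is keyed on the purpose the relying party declares and on the user's own rules, not on what the relying party asks for: a request for three attributes yields one boolean. A real deployment would also need the relying party's policy commitments and, as the Prime text notes, private credentials so that a claim such as over_18 is verifiable without revealing the underlying attribute; neither is modeled here.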
Interaction with standardization bodies
When Prime began, work toward the development and standardization of specifications relevant to identity management was under way in various forums, including the Liberty Alliance’s specifications for federated identity management, the Organization for the Advancement of Structured Information Standards’ (Oasis; www.oasis-open.org) specifications such as the Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML), and various Web services specifications. The World Wide Web Consortium’s Platform for Privacy Preferences (P3P) also introduced a vocabulary to express services’ privacy policies in a machine-readable way. Since then, additional efforts relevant to identity management standardization have commenced. Prime partners monitor ongoing work and adopt its results where appropriate; the goal is to then feed results back into standardization initiatives. The Prime project organized open workshops on standardization in user-centric identity management in 2006 and 2007. Participants active in efforts at the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), International Telecommunication Union (ITU), and W3C attended these workshops. The perspective of Prime—striving for maximum privacy in realistic scenarios—is valuable for designing acceptable and legally compliant standards, infrastructures, and products. These, in turn, would offer the landscape in which Prime’s identity management could come into full effect [1].

ISO/IEC efforts
In May 2006, Subcommittee 27 (which works on IT security techniques; www.jtc1sc27.din.de) of the ISO/IEC Joint Technical Committee on Information Technology (JTC 1) established Working Group 5 to focus on identity management and privacy technologies. In its Working Draft 24760, WG 5 defines identity management as “an integrated concept of processes, policies, and technologies that enables authoritative sources to accurately identify entities, and authoritative sources, as well as individual entities to facilitate and control the use of identity information in their respective relations.” Four of WG 5’s active projects are especially relevant here:
• A framework for identity management (WD 24760) addresses the secure management of identity information, letting individuals and organizations protect privacy and control access to information, regardless of the nature of the activities in which they’re involved.
• Authentication assurance (New Project [NP] 29115) aims to improve and enhance trust and confidence in authentication by providing objective, vendor-neutral guidelines for authentication assurance.
• A privacy framework (WD 29100) aims to provide mechanisms for defining privacy-safeguarding requirements related to personally identifiable information processed by any information and communication system in any jurisdiction.
• A privacy reference architecture (NP 29101) promises a model to describe best practices for consistent technical implementation of privacy requirements in information and communication systems.
Two other projects deal with biometric template protection (WD 24745) and the authentication context of biometrics (Committee Draft [CD] 24761). Further projects can be expected.

www.computer.org/security/ ■ IEEE SECURITY & PRIVACY ■ 85

ITU-T
The telecommunication standardization sector of the ITU recently published a report that outlines the need to improve the design of identity-management mechanisms from the consumers’ perspective [2]. In December 2006, the ITU then established the Focus Group on Identity Management (FG IdM; www.itu.int/ITU-T/studygroups/com17/fgidm/)—identity management being defined here as “management by providers of trusted attributes of an entity such as a subscriber, device, or provider”—to help facilitate and advance the development of a generic identity-management framework and means of discovery for autonomous distributed identities and identity federations and implementations. The aim is interoperability among solutions via an open mechanism—a “trust-metric system”—that will let different identity-management systems communicate even as each continues to evolve. The FG IdM is open to ITU member states, sector members, and associates, as well as individuals from any country that’s an ITU member, as long as they’re willing to contribute to the work.

W3C
At the W3C’s October 2006 Privacy Workshop, researchers and practitioners explored new directions in privacy policy languages and enforcement mechanisms. Participants considered technologies to address privacy needs across the whole value chain, including data processing within enterprises and data distribution among enterprises. Workshop attendees identified policy interoperability and mapping as key enablers for future privacy-enhancing policy deployment [3]. Although it would be difficult (or impossible) to create and distribute a new, all-encompassing access control and obligation language, participants showed significant interest in exploring the interfaces between different, possibly domain-specific, policy languages. Ontologies and common modeling principles could help combine policy languages and enable automatic translation among them. Important contributions in this area could include a standardized language to describe evidence and mechanisms for discovering ontologies that expose relationships between vocabularies used by different organizations. W3C is reviewing options for chartering an interest group to serve as a forum for further community building and technical discussions in this space. The group’s work is expected to include architectural considerations for policy languages and their interoperability, as well as the use of Semantic Web technologies and the W3C Rule Interchange working group’s efforts toward delivering interoperability frameworks for policy languages.
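As an added illustration of the policy-mapping problem the workshop participants identified, the following Python is constructed for this page; it is not W3C, P3P, or Prime code. It assumes a small hypothetical purpose ontology in which each purpose has at most one broader parent, two made-up service vocabularies ("shop-lang" and "bank-lang") mapped onto that ontology, and policies and preferences reduced to a purpose list plus a retention period. It translates each service's policy into the shared vocabulary and checks it against a user preference, reporting any term it cannot map as a violation rather than ignoring it.

```python
# Constructed shared purpose ontology: each purpose names its broader parent
# (None for a top-level purpose). Hypothetical vocabulary, not a standard.
PURPOSE_PARENT = {
    "service-delivery": None,
    "order-processing": "service-delivery",
    "support": "service-delivery",
    "marketing": None,
    "email-marketing": "marketing",
    "profiling": "marketing",
    "legal-obligation": None,
    "tax-reporting": "legal-obligation",
}

# Two made-up domain-specific vocabularies, each mapped onto the ontology.
VOCAB_MAPPINGS = {
    "shop-lang": {"fulfil": "order-processing", "helpdesk": "support",
                  "newsletter": "email-marketing", "tax": "tax-reporting"},
    "bank-lang": {"ops": "service-delivery", "crm": "profiling",
                  "regulatory": "legal-obligation"},
}


def ancestors(purpose):
    """Yield the purpose and every broader purpose above it in the ontology."""
    while purpose is not None:
        yield purpose
        purpose = PURPOSE_PARENT[purpose]


def translate_policy(policy, vocab):
    """Map a service policy written in its own vocabulary onto the ontology.

    Terms with no mapping are returned separately: the user agent must not
    silently accept purposes it cannot interpret.
    """
    mapping = VOCAB_MAPPINGS[vocab]
    common, unmapped = set(), []
    for term in policy["purposes"]:
        if term in mapping:
            common.add(mapping[term])
        else:
            unmapped.append(term)
    return {"purposes": common, "unmapped": unmapped,
            "retention_days": policy["retention_days"]}


def purpose_permitted(purpose, allowed):
    """A purpose is permitted if it, or a broader purpose covering it, is allowed."""
    return any(p in allowed for p in ancestors(purpose))


def check_policy(preference, policy, vocab):
    """Return the ways the policy violates the preference (empty list = acceptable)."""
    unknown = set(preference["allowed_purposes"]) - set(PURPOSE_PARENT)
    if unknown:
        raise ValueError("preference uses purposes outside the ontology: %s" % sorted(unknown))
    translated = translate_policy(policy, vocab)
    violations = ["unknown purpose term: %s" % t for t in translated["unmapped"]]
    for purpose in sorted(translated["purposes"]):
        if not purpose_permitted(purpose, preference["allowed_purposes"]):
            violations.append("purpose not permitted: %s" % purpose)
    if translated["retention_days"] > preference["max_retention_days"]:
        violations.append("retention %d d exceeds %d d"
                          % (translated["retention_days"], preference["max_retention_days"]))
    return violations


# Constructed inputs: one user preference, two service policies in different vocabularies.
USER_PREFERENCE = {"allowed_purposes": {"service-delivery", "legal-obligation"},
                   "max_retention_days": 365}
SHOP_POLICY = {"purposes": ["fulfil", "tax", "newsletter"], "retention_days": 180}
BANK_POLICY = {"purposes": ["ops", "regulatory", "kyc"], "retention_days": 3650}


def evaluate_services():
    """Check both constructed services against the user's preference."""
    return {
        "shop.example": check_policy(USER_PREFERENCE, SHOP_POLICY, "shop-lang"),
        "bank.example": check_policy(USER_PREFERENCE, BANK_POLICY, "bank-lang"),
    }


if __name__ == "__main__":
    for service, violations in evaluate_services().items():
        print(service, violations or "acceptable")
```

Matching uses subsumption: a preference that permits service-delivery also permits order-processing, but permitting email-marketing does not permit the broader marketing. Surfacing unmapped terms as violations is the conservative choice; a silent skip would let a domain-specific term bypass the preference entirely.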
Legislative activity
All of this activity is unfolding against a backdrop of worldwide legislative activity on privacy concerns expressed by academics, individuals, and businesses. Various enterprises are investing in improving their own privacy-respecting practices, which not only reduce the chances of privacy breaches but also demonstrate leadership and improve companies’ reputations. Despite the lead shown by these beacons of excellence, however, the main motivation for most enterprises to adopt stringent privacy policies (and privacy-enhancing technologies as a means for achieving these) is to avoid punitive action for failing to comply with privacy-related legislation and regulations.

Anonymity technologies
Regardless of their titles, most enacted privacy-related laws and regulations mandate data protection rather than provide privacy. Because most legislation is written to be technology-neutral, references to the data-minimization aspect of privacy fail to specifically consider or require the use of anonymization or pseudonymization technologies. As a result, organizations have no regulatory incentive to invest in these important enablers for user-centric privacy in their identity management systems.

Regulations
Given regulation’s current role as the preeminent driver for investment decisions—both by organizations in privacy-related technologies and practices and by standardization bodies in developing tools to ease their adoption—trends in regulatory activities provide a key indicator to the future privacy landscape for organizations and individuals. Europe follows the most mature regulatory approach: the 1995 adoption of the EU Privacy Directive mandated that member states enact data-protection measures that comply with (at least) the directive’s minimum terms. The directive is based on the notion of individual rights, which therefore forms the basis for the national-level legislation that’s been enacted. In the Asia-Pacific Economic Cooperation (APEC) organization, work is under way to formulate a common approach to privacy regulation. Given the different histories, priorities, philosophies, and customs of the nations within APEC, the organization’s approach is based not on the notion of rights but on minimizing the probability and impact of actual harm to individuals. In China, for example, the government is considering a privacy-related law in response to the concerns of its rapidly growing consumer class. Within the US, pressure from consumer advocacy groups and some forward-thinking businesses is building for Congress to enact an enhanced federal privacy law. The resulting legislation might also be based on the principle of minimizing harm. To come full circle, there is some support in Europe for a review of the EU’s Privacy Directive. Although no plans currently exist to amend it, this support could ultimately lead to a change from a rights-based to a harm-avoidance approach for European privacy law, as well.

JULY/AUGUST 2007
For harm-avoidance to drive a significant increase in the use of privacy-enhancing technologies such as user-centric identity management systems, the incentives for organizations to adopt them to meet regulatory data-minimization requirements would need to be based on very severe penalties for harms caused by inadequate safeguarding of personal data and its use. In addition to a legal baseline supporting users’ privacy, reliable reputation systems on companies—for example, privacy seals certifying privacy-compliant procedures—and transparency for consumers about enterprises’ misconduct are needed to help users make well-informed choices regarding how and with whom they deal.

Prime’s comprehensive approach to research into and development of requirements, architectures, and technologies for user-centric identity management, to enhance privacy for individual participants in the digital economy, provides a valuable first step toward meeting the needs of the diverse set of stakeholders in this space. The project is disseminating its outputs (software, design knowledge, tutorials, and socio-economic analysis) in a wide variety of industrial, public policy, standardization, and academic fora to catalyze further refinement and adoption.

References
1. Privacy and Identity Management for Europe—Prime White Paper, version 2.0, R. Leenes, J. Schallaböck, and M. Hansen, eds., white paper, June 2007; www.prime-project.eu/prime_products/whitepaper/.
2. L. Srivastava et al., Digital.life, ITU Internet Report 2006, tech. report, Int’l Telecommunication Union, 2006; www.itu.int/osg/spu/publications/digitalife/.
3. T. Roessler, “W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement,” workshop report, Oct. 2006; www.w3.org/2006/07/privacy-ws/report.

Pete Bramhall is a senior project manager at Hewlett-Packard Laboratories in Bristol, England. His team’s research interests include user and enterprise aspects of managing privacy, identity, reputation, and trust. Bramhall has an MSc in computer science from the University of Manchester, England. Contact him at [email protected].

Marit Hansen is head of the Privacy-Enhancing Technology (PET) department at the Independent Centre for Privacy Protection. Her research interests include identity management, anonymity, pseudonymity, transparency, and user empowerment. Hansen has a Diplom in computer science from the University of Kiel, Germany. She is a member of the ACM and Gesellschaft für Informatik, where she serves as chair of the Special Interest Group on PETs. Contact her at [email protected].

Kai Rannenberg is a professor of mobile business and multilateral security at Goethe University. His research interests include mobile applications and multilateral security, privacy and identity management, communication infrastructures and devices, and IT security evaluation and certification. Rannenberg has a PhD in business informatics and economics from Albert-Ludwigs-Universität. He serves as convener of ISO/IEC JTC 1 SC 27/WG 5 and as chair of the International Federation for Information Processing’s Technical Committee 11 (Security & Protection in Information Processing Systems). Contact him at kai.[email protected].

Thomas Roessler is security activity lead at the W3C. His work covers areas including security usability, digital signature standards, and policy languages. Roessler has a Diplom in mathematics from Bonn University, Germany. Contact him at [email protected].