Electronic Bulletin / Number 46 - April, 2008


Identity Management

ABSTRACT

Security and trust play key roles in enabling the emerging global information society. Identity management, a cornerstone of establishing trust in the evolving Information and Communications Technologies (ICT) infrastructure, is necessary to control access to services and infrastructures, to protect personal information, to perform online transactions, and to comply with legal and regulatory requirements. A diverse set of identity management (IdM) solutions exists for specific market segments and perspectives. Many of these solutions are highly distributed and autonomous, resulting in a need to establish a trusted, global, and interoperable IdM capability.

This contribution provides an overview of key concepts associated with identity management, outlines current activities related to identity management, and recommends future work on identity management within the PCC.I Working Group on Technology.

1. INTRODUCTION

A global information society is emerging, a society based on fundamental principles, including the unimpeded ability to communicate with others. New forms of media, ubiquitous devices, and broadband interconnectivity are allowing all members of society to create innovative content and to share their creations with others. The global information society is also inducing major changes in our global economic structure, enabling companies to conduct business, to access information for critical decision making, and to gain competitive advantage. The productivity and revenue growth of small and medium enterprises (SMEs) require access to the global information society. Governments are also leveraging the emerging information society to deliver services and information to their citizenry, thus enabling citizens' access to their government.

Information and Communications Technologies (ICTs) power this global information society. ICTs and associated infrastructures are critical to a nation’s competitiveness and to the global marketplace. ICT infrastructures also support and enable society’s critical infrastructures, such as transportation, energy, public safety, communications, etc. Our society – both economically and socially – is inextricably tied to ICTs.

An evolution of the ICT infrastructure is underway. Formerly separate networks delivering voice, data, and broadcast services are converging into a unified IP network that enables the emerging global information society, where everyone and everything is connected. Paradoxically, this new converged network is inherently more complex because of the increased number of interconnections between components.

Fundamentally, security and trust play key roles in enabling the global information society. For example, users must have the confidence that online transactions, whether with business or government services, are secure and trustworthy. SMEs must also have trust and confidence in their e-business transactions. Security and trust become even more important factors with the use of ubiquitous wireless devices, allowing access to new media and services, where everyone is connected to everything.

Security in the emerging hyper-connected society requires, in part, robust management of digital identities to establish trust, to protect personal information, to control access to services and infrastructures, to perform online transactions, and to comply with legal and regulatory requirements. ICT infrastructures and services have typically evolved with a diverse set of identity management (IdM) solutions, many of which are highly distributed and autonomous. There is a need to establish a trusted, global, and interoperable IdM capability.

This contribution provides an overview of key concepts associated with identity management and outlines current activities related to identity management.

2. IDENTITY MANAGEMENT CONCEPTS

Identity may be viewed as an attribute of a specific entity – a human, an organization, a service provider, an application, a process, a sensor – in a specific context. While the term “identity” has been used extensively in international standards documents, it is often not explicitly defined.

The ITU-T has recently initiated an activity related to identity management (see Section 3 for more details). As part of this effort, one objective is to develop a common understanding of the term “identity” that can be expressed in one or more ways to meet the needs and expectations of ITU members. Recent (draft) conclusions of this work indicate that identity, as used in current standards, is a concept that allows for various kinds of representations of an entity at some point in time and space with some degree of desired consistency. An ontology of identity is proposed as shown in Figure 1.

Figure 1: Ontology of Identity

[Reference: ITU-T Correspondence Group Report on the Definition of the Term “Identity”, draft version 0.7, 22 February 2008]


According to this ontology, an entity is a real person, legal person or object – which in turn can consist of anything physical, network elements, or software or content. Identity is a set of representations that are either asserted (e.g., an entity saying “this is my identity”) or manifested by an entity. Representations take some kind of physical or electro-optical form – some of which may consist of digital expressions. There are four distinct kinds of representations: identifiers, authenticators or credentials, attributes, and patterns.

Identifiers are universally regarded as “names, numbers, or addresses” which may arise in two different ways: assigned or registered by some authority, or self-issued. Authenticators or credentials are certificates (e.g., ITU‑T X.509 digital certificates) or tokens which may be issued by an established authority or self-issued. Attributes consist of any kind of information with a binding to an identifier or authenticator that is either registered or captured in conjunction with their use (e.g., geospatial location, transactional activity, and images). Patterns take the form of either signatures derived from activity or reputation when asserted by an entity for identity purposes.

Based on this ontology, the ITU-T Correspondence Group Draft Report defines identity as [Reference: ITU-T Correspondence Group Report on the Definition of the Term “Identity”, draft version 0.7, 22 February 2008]:

identity. The assertion or manifestation of a structured representation of an entity in the form of one or more credentials, identifiers, attributes, or patterns. Such representations can take any physical or electro-optical form or syntax, and have associated implicit or explicit time-stamp and location specifications.

It should also be noted that at the TSAG meeting in December 2007, it was agreed, for ITU-T purposes, that the identity asserted by an entity represents the uniqueness of that entity in a specific context and is not intended to indicate positive validation of a person. The recent results of the Correspondence Group activity will be presented to TSAG for further deliberation.

The Correspondence Group Draft Report also defined identity management as:

identity management. The diverse arrays of different technical, operational, and legal systems and practices involving the structured capture, syntactical expression, storage, tagging, retrieval, and destruction of entity identities.

A large number of industry groups and standards organizations are working on standardizing aspects of identity management (see Section 3). Generally, different groups develop optimum solutions for specific market segments and perspectives (e.g., user-centric, application-centric [web services and electronic commerce], and network-centric perspectives). The result is a variety of identity-based solutions that ultimately should interoperate with each other.

The ITU-T surveyed many of these initiatives and identified seven groups of common global IdM requirements, although there were diverse existing capabilities within each group [Reference: ITU-T Focus Group Identity Management Output: Report on Requirements for Global Interoperable Identity Management, September 2007]:

1. A common, structured identity management model and identity management plane.

2. Provision of core credential, identifier, attribute, and pattern identity services with known assurance levels to all entities.

3. Discovery of authoritative identity provider resources, services, and federations.

4. Interoperability among authorization privilege management platforms, identity providers and provider federations, including identity bridge providers.

5. Security and other measures for reduction of identity threats and risks, including protection of identity resources and personally identifiable information.

6. Auditing and compliance, including policy enforcement and protection of personally identifiable information.

7. Usability, scalability, performance, reliability, availability, internationalization, and disaster recovery.

Identity management therefore provides assurance of identity information that supports secure, trusted access control. Identity management supports a multitude of identity-based services that include targeted advertising, personalized services based on geo-location and interest, and authenticated services to decrease fraud and identity theft. A trusted, global, interoperable IdM capability is a goal that would help meet the needs of the evolving, hyper-connected ICT infrastructure and services.

3. ACTIVITIES RELATED TO IDENTITY MANAGEMENT

As previously noted, there are many activities that relate to identity management standardization. A non-exhaustive list of identity management activities is presented below in three categories:

  • Standardization bodies and similar organizations: de jure/de facto standards including standard development organizations such as ITU-T, partnership projects such as 3GPP, and well-established open communities such as IETF and Liberty Alliance Project.

  • Research activities: aimed at developing IdM technologies.

  • Other IdM related activities: examples include open source projects and advocacy groups.

More complete information and pointers to these activities are listed in the document ITU-T Focus Group Identity Management Output: Report on Identity Management Ecosystem and Lexicon, September 2007.

Standards bodies and similar organizations

  • 3GPP: Developed specifications related to Subscription Management (SuM);

  • ATIS: Packet Technologies and Systems Committee (PTSC) is studying IdM;

  • ETSI: TISPAN developed specifications related to Subscription Management (SuM);

  • IETF: Developed many resource/entity identification specifications, including Uniform Resource Identifier/Name, Internationalized Resource Identifier, Uniform Resource Name, Universally Unique Identifier, Enhancements for Authenticated Identity Management in the Session Initiation Protocol, etc.

  • ISO/IEC: ISO/IEC JTC 1/SC 27 (Information Technology – Security Techniques) has approved a new project on IdM.

  • ITU-T: a number of Study Groups deal with various aspects of Identity Management. The Telecommunication Standardization Bureau has recently created the Identity Management Global Standards Initiative (IdM-GSI) to focus on developing the detailed standards necessary for deployment of IdM capabilities that enable secure and trustworthy assertions about digital identities used in telecommunications, control networks, and a variety of service offerings. IdM-GSI harmonizes, in collaboration with other bodies, different approaches to IdM worldwide.

  • Liberty Alliance Project: Specified an open standard for federated network identity that is intended to support current and emerging network devices, offering a secure way to control digital identity information.

  • OASIS (Organization for the Advancement of Structured Information Standards): Developed identity management platforms including: Security Assertion Markup Language, eXtensible Access Control Markup Language, Service Provisioning Markup Language, eXtensible Resource Identifier, and Web Services Security.

  • OECD: Identity management in the online environment is seen as a key enabler for electronic business and electronic government because it facilitates the expansion of information systems and network boundaries and increases access points. A workshop was held and brought together experts from government, industry and civil society to explore the main information security and privacy issues surrounding digital identity management.

  • Open Mobile Alliance: Developed specifications related to IdM including Identity Management Framework Requirements document.

  • World Wide Web Consortium (W3C): Developed recommendations for XML aspects of IdM.

Research activities

  • Archival Resource Key: a naming scheme designed to facilitate the high-quality and persistent identification of information objects.

  • The European Union / European Commission supports a number of projects relating to IdM, including:

    • Future of Identity in the Information Society (FIDIS): shaping the requirements for the future management of identity in the European Information Society and contributing to the technologies and infrastructures needed;

    • GUIDE: conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe;

    • Privacy and Identity Management for Europe (PRIME): aims to develop a working prototype of a privacy-enhancing Identity Management System.

Other IdM related activities

  • Higgins: A framework that will enable users and enterprises to integrate identity, profile, and relationship information across multiple systems. Using context providers, existing and new systems such as directories, collaboration spaces, and communications technologies (e.g. Microsoft/IBM WS-*, LDAP, email, IM, etc.) can be plugged into the Higgins framework. Applications written to the Higgins API can virtually integrate the identity, profile, and relationship information across these heterogeneous systems.

  • OpenID: open source community solution for IdM. It is a lightweight method of identifying individuals that uses the same technology framework that is used to identify websites.

  • Shibboleth: Standards-based, open source middleware software which provides Web Single Sign-On (SSO) across or within organizational boundaries. The Shibboleth software implements the OASIS SAML specification, providing a federated Single Sign-On and attribute exchange framework.

This list is only a sample of the many activities underway in the identity management area. Harmonization of these different approaches, while leveraging research and deployment experiences, is a key goal for the international community.

4. CONCLUSIONS AND RECOMMENDATIONS

Security and trust play key roles in enabling the emerging global information society. Identity management, a cornerstone of establishing trust in the evolving ICT infrastructure, is necessary to control access to services and infrastructures, to protect personal information, to perform online transactions, and to comply with legal and regulatory requirements. A diverse set of identity management (IdM) solutions exists for specific market segments and perspectives. Many of these solutions are highly distributed and autonomous, resulting in a need to establish a trusted, global, and interoperable IdM capability.

The ITU-T is leading the international community to harmonize IdM solutions through its recently created Identity Management Global Standards Initiative (IdM-GSI). The IdM-GSI is also focused on developing the detailed standards necessary for deployment of IdM capabilities to enable secure and trustworthy assertions about digital identities used in telecommunications, control networks, and a variety of service offerings.

It is recommended that the PCC.I Working Group on Technology consider initiating a study of identity management in the countries of the region. In addition, it is recommended that the PCC.I Rapporteur Group on Standards Coordination monitor identity management related activities, especially the work of the IdM-GSI in the ITU-T, with a view to proposing Coordinated Standards Documents when appropriate.

5. REFERENCES

[1] ITU-T Correspondence Group Report on the Definition of the Term “Identity”, draft version 0.7, 22 February 2008.

[2] ITU-T Focus Group Identity Management Output: Report on Requirements for Global Interoperable Identity Management, September 2007.

[3] ITU-T Focus Group Identity Management Output: Report on Identity Management Ecosystem and Lexicon, September 2007.


Oscar Avellaneda
Senior Manager, NGN Architecture

and

Lewis Robart
Senior Analyst, IP Telecom and Security


Additional Information: Published as document CCP.I-TEL/doc. 1249/08.

© Copyright 2008. Inter-American Telecommunication Commission
Organization of American States.
1889 F St., N.W., Washington, D.C. 20006 - United States
Tel. (202)458-3004 | Fax. (202) 458-6854 | http://citel.oas.org