Kantara May 2012
1. Trust Frameworks: Tools to build Identity Ecosystems
It takes a village!
support@kantarainitiative.org
2. Agenda:
• Overview of Kantara Initiative
• Federation and Trust Frameworks
• Identity Assurance Framework
• Accreditation / Certification
• Next Steps
2012 Kantara Initiative - Trust Frameworks: A Global Context 2
3. Kantara Initiative: Overview
Values
• Trust: Operating Accreditation, Approval and Certification programs to ensure trusted network environments are available to support generative growth within the Internet.
• Privacy: Developing solutions for secure, identity-based, privacy-respecting online interactions.
• Community: Bridging technology and policy requirements to enable verified trust in online identity credentials and services.
4. Kantara Initiative: Overview
Federation, Compliance, and Interoperability
Kantara Builds Bridges
Focusing on trust harmonization by developing compliance criteria based on requirements of end-users, relying parties and identity providers.
Operating compliance programs for multiple solutions that fit a variety of requirements and jurisdictions.
5. Trustees
Government Facing
Government of Canada
Credential Services
Verticals - Health, Telco, Entertainment, Finance
Audit and Testing
Research and Education
Technical and User Community Organizations
6. Kantara Initiative: Overview
Governance Model
(Diagram, reconstructed from its labels)
• Board of Trustees
• Assurance Review Board and Interoperability Review Board: operate compliance programs
• Leadership Council: consists of the Work and Discussion Groups; develops requirements and practices
7. Kantara Initiative: Overview
Liaisons and Governments
• ISO: 29115, 29100, 29191, 27001, 27002, etc
• ITU-T: X.1254 (was X.EAA), OITF
• OASIS: eGovernment, SAML SSTC, PMRM, etc
• OECD Internet Technical Advisory Committee (ITAC)
• Governments
  • Providing a neutral forum for Government Programs and Agencies to share information and identify common goals
  • Performing confidential and non-confidential program reviews upon request for specific international governments and government agencies
8. Kantara Initiative: Overview
Work and Discussion Groups
(Diagram: the groups are arranged under Policy, Jurisdiction and User-Focused headings; the layout is not recoverable from the extracted text, the acronym key is)
Work & Discussion Group acronyms:
• (AM) Attribute Management
• (BCTF) Business Cases for Trusted Federations
• (Consumer ID) Consumer Identity
• (eGOV) eGovernment
• (FI) Federation Interoperability
• (HIA) Health Identity Assurance
• (IA) Identity Assurance
• (Info Sharing WG) Information Sharing
• (Japan) Japan
• (P3) Privacy and Public Policy
• (Telco ID) Telecommunication Identification
• (UMA) User Managed Access
9. Kantara Initiative: Overview
Groups and Programs
Kantara Initiative Programs (diagram, reconstructed from its labels):
• Compliance and Certification
  • Interoperability: Interop Review Board (IRB); Certification, Verification; Tools, Demos
  • Assurance: Assurance Review Board (ARB); Certification; Accreditation
• Non-Certification
  • Harmonization: User-Centric, Jurisdiction and Vertical Based; groups shown: HIA, Consumer ID, eGOV, IA, Japan, InfoShare, Telco ID, FI, P3, UMA, OSSI
Work & Discussion Group acronyms:
• (BCTF) Business Cases for Trusted Federation
• (eGOV) eGovernment
• (FI) Federation Interoperability
• (IOP) Interoperability
• (HIA) Health Identity Assurance
• (IA) Identity Assurance
• (Info Sharing) Information Sharing
• (OSSI) Open Source Strategic Initiative
• (P3) Privacy and Public Policy
• (Consumer ID) Consumer Identity
• (Japan) Japan
• (Telco ID) Telecommunication Identification
• (UMA) User Managed Access
10. Federation and Trust Frameworks
What does Federation look like?
(Diagram: an Identity Provider, illustrated as a bank, provides Authentication; a Service Provider, illustrated as an insurance company, provides Access to a Service; Trust links the two.)
11. Kantara Initiative: Overview
What does a Trust Framework look like?
(Diagram, reconstructed from its labels)
• Relying Parties / End-Users: groups / sectors who share common requirements to enable trust in identity systems.
• Input Requirements in to Kantara.
• Kantara and end-user stakeholders develop criteria for assessment.
• Rules: Process, Policy, Practice, Privacy.
• Tools: OpenID, SAML, SmartCard, OAuth2.0, Other.
• Kantara Accredited Assessors perform assessments.
• Trust.
12. Kantara Initiative: Overview
What does a Trust Framework look like?
(Diagram, reconstructed from its labels)
• Relying Parties & End-Users input Requirements in to Kantara.
• Kantara and end-user stakeholders develop criteria for assessment.
• Criteria for IdP / CSP Assessment to verify Trust.
• Kantara Accredited Assessors perform assessments.
• Trust.
13. Federation and Trust Frameworks
Leveraging Scale-Free Networks
“Inter-Federation”
Trust Frameworks enable inter-Federation
- Connecting Federations
- Leveraging Scale-Free Networks
14. Federation and Trust Frameworks
Target Audience & Value Proposition
Target Audience
• Enable End-users (Enterprise, Governments, Verticals, Communities) to trust credentials proofed and issued by Identity Providers / Credential Service Providers
Value Proposition
• Increased security
• Compliance with laws, regulations, and standards
• Improved interoperability
• Enhanced customer service
• Elimination of redundancy
• Increase in protection of Personally Identifiable Information (PII)
15. Federation and Trust Frameworks
Based on Levels of Assurance: Illustrated
(Image slide.)
16. Trust Framework Model
Trust Status Listing Service
(Diagram, reconstructed from its labels)
• Certification Process: Assessment → Verification → Registration → Trust Status Listing Service (Service, Registry, White List)
• Interested Parties consult the Trust Status Listing Service
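The listing service at the end of that process is what a relying party actually consumes: before accepting a credential it checks that the issuer is on the list, that the listing is current, and that the issuer is approved at the Level of Assurance the service needs. The following Python is an added example and is not code from the Kantara deck or from Kantara; the entry layout, provider identifiers, statuses and dates are constructed for illustration, and the LoA-capping rule is this example's own reading of the model, not a quotation of the IAF.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Tuple

# Added example, not from the Kantara deck: a relying party consulting a
# trust status list (the "Service, Registry, White List" of slide 16) before
# it relies on a credential. Entry layout, identifiers, statuses and dates
# are all constructed for illustration.


@dataclass(frozen=True)
class TrustStatusEntry:
    provider_id: str   # issuer identifier as it appears in the credential
    approved_loa: int  # highest Level of Assurance the service is approved at
    status: str        # "approved", "suspended" or "expired"
    valid_until: date  # last day the approval is valid


# Constructed sample trust status list, keyed by provider identifier
TRUST_STATUS_LIST: Dict[str, TrustStatusEntry] = {
    e.provider_id: e
    for e in (
        TrustStatusEntry("idp.example-bank.test", 3, "approved", date(2013, 4, 30)),
        TrustStatusEntry("idp.example-telco.test", 2, "approved", date(2013, 4, 30)),
        TrustStatusEntry("idp.example-suspended.test", 3, "suspended", date(2013, 4, 30)),
    )
}


def check_trust_status(
    registry: Dict[str, TrustStatusEntry],
    provider_id: str,
    asserted_loa: int,
    required_loa: int,
    today: date,
) -> Tuple[bool, str]:
    """Decide whether the relying party may rely on this credential.

    Returns (accepted, reason). Each refusal names its cause so the relying
    party can log it; nothing here falls back to a lower LoA on its own.
    """
    entry = registry.get(provider_id)
    if entry is None:
        return False, "provider not on trust status list"
    if entry.status != "approved":
        return False, f"provider status is {entry.status}"
    if today > entry.valid_until:
        return False, "provider approval has expired"
    # A provider can vouch only up to the level it was assessed for: an
    # LoA 3 claim from a provider approved at LoA 2 is treated as LoA 2.
    effective_loa = min(asserted_loa, entry.approved_loa)
    if effective_loa < required_loa:
        return False, f"effective LoA {effective_loa} below required {required_loa}"
    return True, f"accepted at LoA {effective_loa}"


def evaluate_credential(provider_id: str, asserted_loa: int,
                        required_loa: int, today_iso: str) -> Tuple[bool, str]:
    """Convenience wrapper over the module's sample list with an ISO date."""
    return check_trust_status(TRUST_STATUS_LIST, provider_id, asserted_loa,
                              required_loa, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for pid, loa in (("idp.example-bank.test", 3),
                     ("idp.example-telco.test", 3),
                     ("idp.example-suspended.test", 3),
                     ("idp.unknown.test", 3)):
        print(pid, evaluate_credential(pid, loa, 3, "2012-05-15"))
```

The point of returning a reason with every refusal is that the four failure modes (unlisted, not approved, expired, insufficient LoA) are distinct operational signals: an unlisted issuer is a configuration or spoofing question, an expired listing is a registry-refresh question, and a LoA shortfall means the relying party's policy and the provider's approval have drifted apart.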
17. Identity Assurance Framework:
Documents
Note: a Trust Framework may apply specific profiles for specific Technology and Privacy Constraints used to achieve Levels of Assurance.
• IAF 1000 – Overview: Overview of the IAF documents and structure
• IAF 1100 – Glossary: Glossary of terms used in the IAF documents
• IAF 1200 – Levels of Assurance: Overview in detail of the Levels of Assurance
• IAF 1300 – Assurance Assessment Scheme: Process of how the Assurance Program operates
• IAF 1400 – Service Assessment Scheme: Criteria that a Service will need to provide compliance to for Service Approval at the different Levels of Assurance
• IAF 1600 – Assessor Qualifications and Requirements: Qualifications that an Assessor must prove to become Accredited to perform IAF assessments
18. Identity Assurance Framework:
Actors
(Diagram, reconstructed from its four columns)
Assessors:
• Get accredited by Kantara as an assessor against the IAF 1600 AQR
• Leverage demonstrable competencies to expedite certification
Credential Service Providers:
• Get assessed by a Kantara Accredited Assessor for IAF certification against the IAF 1400 SACs
• Submit certification application to Kantara's Assurance Review Board (ARB)
• Obtain and maintain compliance and certification
Federation Operators:
• Define criteria for identity assurance for their federation
• Map policy against IAF SAC and IAF profiles
• Accept or recommend IAF certification to its constituents
Identity Assurance Framework 2.0 Map (Kantara Initiative IAF approved April 2010, http://kantarainitiative.org/confluence/x/e4R7Ag):
• Non-normative: (IAF 1000) Overview, (IAF 1100) Glossary, (IAF 1200) Assurance Levels
• Normative: (IAF 1300) Assurance Assessment Scheme, (IAF 1400) Service Assessment Criteria, (IAF 1600) Assessor Qualifications & Requirements
19. Kantara Trust Framework
(Diagram, reconstructed from its labels)
• Board of Trustees
• Assurance Review Board (ARB): Reviews & Verifies External Assessment; Trust Status: Published to (callout on the diagram)
• Identity Assurance Work Group (IAWG): Manages the Set of IAF Documents
• Identity Assurance Framework (IAF): Complete Set of IAF Documents
• Core IAF Document Set: Assurance Assessment Scheme (AAS), Assessor Qualifications & Requirements (AQR), Service Assessment Criteria (SAC)
20. Kantara Trust Framework
(Repeats the slide 19 diagram without the Trust Status callout.)
21. Multiple Trust Frameworks
• Technical
  • SAML + Others
  • OpenID
  • OAuth2.0
• Verticals
  • Healthcare
  • Banking
  • Entertainment
• Jurisdictions
  • National Governments
  • Local Governments
22. Kantara Trust Framework:
Progress
(Logo slide)
Kantara Accredited to LoA 1-4
Kantara Approved to LoA 3 non-crypto: Verizon Universal Identity Service (VUIS)*
* ICAM Trust Framework Approval
Registered Applicants
• Accreditation:
• Service Approval:
23. Trust Framework Profiles
(Diagram, reconstructed from its labels)
Core Framework (common, well-vetted foundation criteria) + Technical Profile (specific technical deployment rules) + Privacy Profile (specific policy / regulation rules) = Final Framework (complete assessment criteria)
24. Building on the Core
• Identity Assurance: Building in a service module approach enabling Identity Proofing, Credential Management and Organizational component assessments
• Privacy Assurance: Building upon the Kantara US Federal Privacy Profile, the Privacy and Public Policy (P3) WG is building Privacy Assessment Criteria (PAC) for audit controls applied in a Privacy Assessment.
• Attribute Management (AM) Assurance: Performed a landscape review of varying AM standards and development activities in Identity-focused communities
25. Status and Lessons Learned
• Status:
  • Operational SAML Framework
  • Operational Organization
  • Approved for US Government Use through LOA 3
  • Referenced by eGov communities including Canada, New Zealand, Sweden
  • Assessments in progress
  • International Partners
• Lessons Learned So Far:
  • Need Additional Members, Participants, and Customers
  • Need Additional Technical Frameworks
  • Need Additional Levels of Assurance
  • Need Additional Privacy Profiles
26. Shaping the Future of Digital Identity
• Kantara Initiative Website: http://kantarainitiative.org
• Community Mail List: http://kantarainitiative.org/listinfo/community
• Assurance Certification Center: http://kantarainitiative.org/confluence/x/EYCYAQ
• Membership Documents: http://kantarainitiative.org/wordpress/membership/