Monday, October 16, 2006

The Identity Management Laws


(and some FAQs at the end)

In this context a "Law" is simply a directive, a rule, a best practice or a design principle.
There are three classes and each class has its own assertion.

They are not a natural or scientific fact such as the law of gravity, basically because we are not born with an identity (although we are born with unique credentials) – we are provided with identities by others through different systems that are intended to assist in authentication and access.

These Identity Management Laws are equally applicable to human (manual) and non-human (computer) systems. It has been my experience that adherence to these laws will result in better systems and services.

They are akin to Asimov’s Laws of Robotics:
1. A robot may not harm a human being, or, through inaction, allow a human being to come to harm.
2. A robot must obey the orders given to it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence, as long as such protection does not conflict with the First or Second Law.

====================
The full set of nine Identity Management Laws is:

Identity Laws
ID LAW 1 . . . An Entity may have many Identities
ID LAW 2 . . . An Identity does not identify an Entity
ID LAW 3 . . . Only an Entity may federate its identities

Authentication Laws
ID LAW 4 . . . An Identity may only provide sufficient information to meet authentication
ID LAW 5 . . . An identity does not need a new credential if it already has one that you can trust
ID LAW 6 . . . A credential should only be authenticated by the issuer

Access Laws
ID LAW 7 . . . Proving an Identity does not grant any access rights
ID LAW 8 . . . Access is a product of identity, credential, role, profile and transaction
ID LAW 9 . . . Access rights change dynamically

The nine Identity Management Laws are detailed below.

Note – "An Entity is a unique person or thing, anyone (a natural or legal ‘person’) or anything with a separate existence that can be characterised through the dimension of its original attributes. It cannot be owned."
From The identity Dictionary

====================

Identity Laws :

Assertion: “this is who I am”

ID LAW 1. An Entity may have many Identities
An Identity is an instance of an Entity – examples are a username, a logon-id, a bank account number, an employee number.
Identity is provable, and is owned by the entity that can verify the identity assertion. It is not subjective. A person may have an employment Identity at work, which may be provisioned with an account on the LAN, an account on the mainframe, an email account and several on the Linux development server. The same Entity may also have other identities such as an eBay user ID, a HoTMaiL identity, a driver’s licence number, different customer account numbers at several Utilities, numerous contact phone numbers, and so on.

ID LAW 2. An Identity does not identify an Entity
An Identity is able to transact independently of the entity.

Each identity can function on its own. An account at eBay, HoTMaiL or a service provider does not need to be linked to other identities, nor to the Entity. Complete anonymity of the Entity is not possible in any IDM system that seeks non-repudiation (most business applications), but pseudonymity is certainly permissible, and often desirable.

ID LAW 3. Only an Entity may federate its identities
The Entity is the only thing that knows of the link between identities.
Therefore the Entity is the only one with the capability of joining its multiple identities into a single identity, or granting the ability to determine a federated identity. This can deliver improved services to the Entity, such as a single sign-on to several services. It has no effect on the Entity. The entity may wish to be seen as a single customer of a group of financial institutions and may or may not want a new identity with which to unite them.


Authentication Laws :

assertion: “this is who I am and here is the proof”

ID LAW 4. An Identity may only provide sufficient information to meet authentication
An Identity should not need to provide more proof than is necessary to access the service being offered.

You don’t need a digital certificate to ask for basic assistance; you don't need to tell HoTMaiL your birth date to send emails. “Step up” authentication models, as an alternative to “strongest possible” authentication, are a reflection of this law – they are more user friendly, and each credential is more easily administered (cancelled, renewed, upgraded).

ID LAW 5. An identity does not need a new credential if it already has one that you can trust
Additional credentials are both an inconvenience and an unnecessary cost, to the issuer and the identity.
You don’t need to be issued a new driver’s licence for a new state if you have a current one from another state – it’s all a matter of trust. The ATM for one bank can trust a credit-card from another financial institution, for certain transactions. Trust and risk are inversely related. The level of trust will be determined by the service provider’s Assurance Framework.

ID LAW 6. A credential should only be authenticated by the issuer
A credential issued by a third-party should preferably be authenticated by that third-party.

For example, a digital certificate should be authenticated by the original Certificate Authority itself, otherwise there may be differences in the authenticity of the credential that can’t be picked up at the time. Also the relying party will be accepting a higher level of risk if it conducts its own additional registration process. Each provider will still have its own Assurance Framework, and therefore assign a trust level to it that may be different to the level other service providers assign.


Access Laws :

assertion: this is who I am, here’s the proof, now what can I do?

ID LAW 7. Proving an Identity does not grant any Access Rights
Authenticating an Identity does not guarantee that the Identity can do anything it wants.
Each site’s Assurance Framework will reflect its view of both the identity issuer’s registration rigour and the credential strength, and will reappraise this for each proposed transaction. For example, I may not be permitted to do any transactions at all, or any above a given $ value unless I present a stronger credential (or perhaps use a different identity).

ID LAW 8. Access is a product of identity, credential, role, profile and transaction

The combination of credential strengths and identity registration strengths will meet a predetermined Assurance Level in the Framework.
Initial access is governed by the Assurance Framework; the user’s role then further defines the levels of access. Access will also be affected by the channel being used, such as an internet café, telephone banking, or face-to-face (over the counter).

ID LAW 9. Access rights change dynamically
Just because you could do something last time, doesn’t mean that you can continue to do it.

This may happen if a user’s credential expires or is revoked, an identity attribute changes, a business rule changes, or a new law is enacted. The entitlement to access a service will change in real-time. For example, your digital certificate may expire or be added to a revocation list, you may resign from employment, or your driver’s licence may be revoked. This may also be the case if Law 6 is not adhered to. The owners of resources might set and change the access rules and assign the permissions as they see fit.
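The Access Laws above read as a decision procedure, so here is an added example (not code from the original post) of a toy Assurance Framework that applies Laws 4, 7, 8 and 9 to one proposed transaction. The strength ratings, the weakest-link rule, the channel adjustment, the role entitlements and the 1000 step-up threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# The relying party's own Assurance Framework ratings (constructed for this
# example): issuer registration rigour and credential strength (Laws 6/7),
# a channel adjustment (Law 8) and per-role entitlements (Law 7).
REGISTRATION_STRENGTH = {"self-asserted": 1, "email-verified": 2, "in-person": 3}
CREDENTIAL_STRENGTH = {"password": 1, "otp": 2, "certificate": 3}
CHANNEL_ADJUSTMENT = {"branch": 0, "home-internet": 0, "internet-cafe": -1}
ROLE_ENTITLEMENTS = {"customer": {"view", "pay"}, "teller": {"view", "pay", "refund"}}

@dataclass
class Identity:
    registration: str  # key into REGISTRATION_STRENGTH
    role: str          # key into ROLE_ENTITLEMENTS

@dataclass
class Credential:
    kind: str          # key into CREDENTIAL_STRENGTH
    expires: str       # ISO date (YYYY-MM-DD); such strings compare correctly as text
    revoked: bool = False

@dataclass
class Transaction:
    kind: str
    amount: float
    channel: str       # key into CHANNEL_ADJUSTMENT

def required_level(tx):
    """Law 4: demand only the assurance this transaction needs; payments
    of 1000 or more (an assumed threshold) step up to level 3."""
    if tx.kind == "view":
        return 1
    if tx.kind == "pay":
        return 2 if tx.amount < 1000 else 3
    return 3

def assurance_level(identity, credential, tx, today):
    """Law 9: an expired or revoked credential contributes nothing; otherwise the
    weaker of registration and credential strength (assumed rule), adjusted for channel."""
    if credential.revoked or credential.expires < today:
        return 0
    level = min(REGISTRATION_STRENGTH[identity.registration], CREDENTIAL_STRENGTH[credential.kind])
    return max(0, level + CHANNEL_ADJUSTMENT[tx.channel])

def decide(identity, credential, tx, today):
    """Laws 7 and 8: return (allowed, reason) for one proposed transaction."""
    if tx.kind not in ROLE_ENTITLEMENTS[identity.role]:
        return False, "role not entitled"
    have, need = assurance_level(identity, credential, tx, today), required_level(tx)
    if have == 0:
        return False, "credential expired or revoked"
    if have < need:
        return False, f"step-up required: need level {need}, have {have}"
    return True, "ok"
```

Because the decision is recomputed for every transaction from the current credential state, revoking a certificate or moving to a less trusted channel changes the answer immediately, which is Law 9 in practice.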

=================



FAQs

Some questions and answers that may help clarify the use of these laws.
Please refer to The identity Dictionary for definitions of terminology:

Question 1.
Who owns my identity ?

Answer:

You do. But who are you? This question usually means who owns the “me” (the entity, not one of its identities). In general an Entity cannot be owned, in the way that an identity can be owned, except in some legislative sense. Shareholders of a company may claim ‘ownership’, when they in fact only have some legal entitlement to the assets. Animals (eg horses) and humans (eg slaves) cannot actually be owned in the Identity sense, only possessed due to legal arrangements.
a. The definition is the key.
The First Law of Identity Management clarifies the situation: “An entity may have many identities." Others might put it thus: "An Identity can have multiple Digital Identities...". Either way, customers of service providers are Identities (not Entities). Carl Ellison (SUN) is correct when he refers to an Identity as an instance of an Entity. Why does this matter, especially when access credentials are issued to identities, not entities? Because it is the entity that establishes each identity, and it is the entity that is legally responsible for the actions of the identity.
b. No one 'owns' it.
No one can 'own' an Entity. But people can and do 'own' Identities. How? By being able to authenticate them (eg know the password). Those identities that you can't authenticate you don't actually own.

Note to those that believe Reputation is an Identity or a Credential: it isn't. I agree with Bob Blakely, although for different reasons: a) a written article is NOT an identity, and it does not affect an Identity. It's just a story and the rest is only semantics. b) Identity does NOT allocate risk, only trust can allocate risk. Trust is created in an Identity Management Assurance Framework, not in a newspaper. c) An Identity's Reputation CAN be a registration strength in your own Assurance Framework, with whatever value you wish to allocate it, but not a credential strength. You can see this in the concept of a "known customer", or in an eBay seller's history.


Question 2.
Which is the real identity, Clark Kent or Superman ?

Answer:
Neither. They are two Identities of the one Entity - the entity called Kal El.
I wonder if he has fingerprints, DNA, or other biometrics.
Iris identification could be an interesting challenge ;-)


Question 3.
What is the best way to implement IAM, to maximise the return on investment ? Or to put it another way, how can each phase of the project pay for the next phase ?
Answer:
Here is the best sequence:
1. Self-service & password reset.
2. Password policy enforcement.
3. Password synchronization.
4. Assurance Framework (User Registration and Credential matrix)
5. Trusted sources & business processes.
6. Data quality
7. Meta-directory & Consolidated Identity.
8. Publish, subscribe and data synchronisation.
9. GUI
10. White pages & contact messaging.
11. User deprovisioning.
12. Delegated administration.
13. Role definition and creation.
14. Role management.
15. RBAC (organisational, functional and resource/entitlement)
16. Workflow and approvals.
17. User provisioning.
18. Self-service role matrix and rights management.
19. Enterprise reduced sign-on.
20. Audit, alerts, archives
21. Event reporting
22. Multifactor strong authentication.
23. Web/enterprise access management.
24. Federated identity management.


Question 4.
What is the problem with passwords ?
Answer:
On the surface it is a good idea – a password has a False Acceptance Rate of 0% and a False Rejection Rate of 0% (you can’t get any better than that . . . . . unless someone else knows it, then it can't get any worse).
But this methodology speaks for itself :
Step 1 – Pick a unique password for a LogonID, obeying the site rules. A typical example: it must not be a dictionary word, must contain an uppercase Alpha, a numeric, one or more special characters and must be changed every 30 days to a different non-dictionary word that you have never used before. You have about 1 minute to choose one. This guarantees that you cannot easily remember it.
Step 2 – Don’t write it down or record it anywhere . . . or else !
Step 3 – For the next LogonID, go to step 1.

One suggestion is to remember a password phrase, such as "My brother's name is John. He is 27 years old" and derive the password from it (MbniJHi27yo). But try changing that every month!

Single Sign-On may be a convenience; it reduces the number of accounts needed, and it therefore reduces the number of passwords to remember. But it only magnifies the password problem. To overcome the inherent unreasonableness or inhumanity of this method, most users who have multiple accounts (and it is not uncommon for users to have ten or more accounts) will choose the same password for all accounts and will make sure it is easily remembered. For example, it may be their middle name starting with a capital letter and ending with a number that is incremented by one every time it expires. Then they still write them down because they might forget them. And they do forget them, as they get out of sync due to differing expiry lengths (causing more overheads for password resets).

Users will also prefer to have unexpiring passwords so they don’t need to remember them. This then is the default for the internet, and any service that forces password changing is quickly avoided.

Some sites allow the password to be entered in an insecure session, so the password is transmitted in a human-readable form.

Lately keystroke-capture virus software has made it difficult to keep the password secure.
The real problem with all of this is that the user is understandably trying to minimise the site rules’ negative effect on their productivity, with the result that it makes it easier for others to guess their password.

More importantly there is a growing trend to admitting that you wrote it down and stuck it on your computer screen (even if you didn't), especially when it means that you can repudiate an accusation that you were the one that took certain actions (because fraud has a longer jail sentence than stupidity).
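As an added illustration (not part of the original post), the Step 1 rules above written as a checker that also rejects the "same word, number incremented by one" rotation that multi-account users fall into. The word list and the 30-day expiry are constructed assumptions.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a real dictionary word list, and the 30-day expiry
# from Step 1 above; both are assumptions for this example.
DICTIONARY = {"password", "welcome", "summer", "john"}
MAX_AGE = timedelta(days=30)

def split_counter(pw):
    """'Sally7' -> ('Sally', 7); 'MbniJHi27yo' -> ('MbniJHi27yo', None)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), int(m.group(2))) if m else (pw, None)

def check_password(candidate, history):
    """Return the list of Step 1 rules the candidate breaks (empty = accepted).
    history holds previously used passwords, most recent last."""
    problems = []
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"\d", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    if candidate in history:
        problems.append("previously used")
    # The rotation the post describes: same word, trailing number plus one.
    if history:
        stem, n = split_counter(candidate)
        prev_stem, prev_n = split_counter(history[-1])
        if n is not None and prev_n is not None and stem == prev_stem and n == prev_n + 1:
            problems.append("previous password with the number incremented")
    return problems

def is_expired(last_changed, today):
    """True once a password is MAX_AGE old; both arguments are ISO date strings."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) >= MAX_AGE
```

Run against the post's own passphrase-derived example, MbniJHi27yo fails the special-character rule of Step 1, which illustrates the point that the rules and human memory pull in opposite directions.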


==============


40 Comments:

Blogger Allan Milgate said...

Also check out The identity Dictionary at http://identityaccessman.blogspot.com/

12:51 AM  