impossible for ideas to compete in the marketplace if no forum for
By: Vijay Auluck, Shelagh Callahan and Abhay Dharmadhikari
As the world around us grows increasingly digital, so do the identities we use for each other, as well as the identities of devices, processes, and organizations. Most of us have digital identities associated with multiple devices, networks, services and organizations. What we lack is a good way to manage these identities, including the credentials used to access our devices and services, and the policies controlling where and how we expose our identities. This white paper explores a client-based approach to this problem: Intelâ€™s Manageable Identities. Manageable Identities (MID) technology is intended to complement infrastructure-based identity management solutions under development - in standards like the Liberty Alliance and products like Tivoli Identity Manager and others. By providing a consistent, user-focused view, Intelâ€™s Manageable Identities facilitate the ways people interact with the devices, networks and services they use every day.
Introduction - the Growing Need for Identity Management
The sheer number of identities most people have is reaching the point where theyâ€™re becoming personally and organizationally difficult to manage. For instance, a person might have:
Having so many identities makes it hard to keep track of them all. Whether itâ€™s trying to remember a username and a password, or keying in a wireless access code, people experience problems daily dealing with the multitudinous identities required for access to their devices, networks and services. As a
result, people look for ways to simplify their identities. According to a recent RSA Security survey (February 2004) of 1,000 consumers, 15% use the same password for everything. Others maintain long, easily stolen lists of their usernames and passwords. This is both a real security issue and a sign that people are having trouble coping.
On the enterprise side, as peopleâ€™s identities and devices have proliferated, so have the administrative issues surrounding assigning identities and privileges, as well as verifying them. A worldwide study (State of IT Security 2003) conducted by CIO Magazine and PricewaterhouseCoopers found respondents most frequently employed user passwords (84%), multiple logon/passwords (51%), and levels of authentication based on risk classification (27%) to protect critical data and information systems. They pay dearly for these controls. According to an IBM estimate, companies spend as much as $400 a year to manage a single user and 40% of help-desk costs are password-related.
Todayâ€™s Digital Identity Management Solutions
Most identity management efforts to date have focused on the infrastructure portions of corporate enterprise and service provider solutions. The IT world considers identity management critical for managing access to information and applications scattered across a wide range of internal and external computing systems. The ever-changing number and transient nature of users and devices, both inside and outside the organization, make enterprise identity management extremely challenging.
Research from the META Group (May 2002) shows that organizations with annual enterprise-wide revenue greater than $500 million generally have more than 75 applications, databases and systems that require authentication. This same research reports that the average user spends 16 minutes per day authenticating and signing in. For a 10,000 person organization, thatâ€™s the equivalent of 2666 hours per day. This suggests a significant barrier to ease of use and manageability - as well as a significant hit to the bottom line.
The financial industry once dealt with a similar problem regarding credit cards. Originally credit cards were store-specific. Consumers had to carry many cards (and thus many different identities) in order to do business with a wide variety of stores. Third-party companies like VISA, MasterCard, and American Express changed that. Now itâ€™s possible to have just a few credit card identities which use back-end business agreements to coordinate consumer access.
Some recent identity-management solutions take a similar approach. Federated identities make use of business agreements that permit controlled sharing of identity information between multiple providers. A user can ‘sign-onâ€™ to one provider and have that instance transferred appropriately to another. Examples of such approaches include the Liberty Alliance and the WS-Federation. Both of these approaches make use of security specifications available from OASIS.
Intelâ€™s Interest in Identity Management
Intel believes a client-based approach to identity management could complement infrastructure-based identity management solutions and radically reduce the complexity of identity management for people and devices. This approach - Intelâ€™s Manageable Identities technology - would provide the missing piece of the puzzle.
The benefits of improving identity management would be enormous. Intelâ€™s Manageable Identities technology would help:
Intelâ€™s Manageable Identities Technology
Intel Manageable Identities technology is a client-based approach designed to enable flexible access to any device, network or service through a trusted access environment that cooperates with and extends infrastructure-based solutions, including federated models. This technology - working with the full constellation of cell phones, PCs, PDAs, and other personal and business devices - will enable identities to be shared, transported and locally managed, depending on provider and user policy.
Manageable Identities technology was originally conceived as part of a suite of technologies designed to remove obstacles to the complete mobility of people, devices and services. Complete mobility would require access to content and services anytime, anywhere, from any device. Hence, a major goal for the Manageable Identities Framework is enabling individuals (acting alone or as a member of a group/organization) to choose:
Fundamentally, Manageable Identities enables a consistent view of an identity:
The technology is intended to complete an identity system by filling out the infrastructure view of identities with a coherent, compatible client view.
What makes an identity a manageable identity? Manageable Identities technology uses a contract-based model for identity. To be manageable under Intelâ€™s framework, an identity is considered defined only if thereâ€™s an agreed contract for its use between two or more entities (such as between an individual and an Internet Service Provider (ISP) or an individual and a WLAN). The contract could be relatively informal, such as that between two peers, where the agreement is only a nod between those individuals. Or it could be based on a highly structured business agreement between multiple companies.
The Four Manageable Identity Components
A Manageable Identity consists of four components which define the Manageable Identityâ€™s behavior under the contract between the parties. Parties to such a contract can include individuals (or organizations), devices, or software processes. Figure 2, for instance, uses a person/device as one contractual party and a service provider as the other. The number and type of contractual parties is arbitrary. Hereâ€™s a brief description of the four components.
The Manageable Identities Vision for Identity Usage
The goal of Manageable Identities technology is to make access to devices, networks and services as easy and flexible as possible. Where required, strong, multi-factored authentication may be deployed. On the other hand, Manageable Identities allows the creation of Manageable Identities with lower privacy requirements, which need not be linked to more strongly authenticated identities, thus preserving their privacy.
As a client-based approach, Manageable Identities technology starts with the individual and the constellation of client devices an individual might use at home, office, or on the move. These devices might be connected sporadically or continuously by a variety of interconnects (e.g., Bluetooth*, IR, USB*, WLAN). Any of the local devices may use any of the appropriate Manageable Identities (as permitted by policy) owned by an individual. Some of these Manageable Identities are issued by a remote provider. Others may be managed more informally, locally by the user, for interaction solely within a given domain like the home. For those Manageable Identities issued by a provider, policies between user and provider determine how identities and their management interact locally and within a provider context.
Within a client constellation of devices, depending on provider and user policy, Manageable Identities could be:
Support for Hardware and Software Identities
Intelâ€™s Manageable Identities technology will support the co-existence of hardware and software identities and their existing business models. Hardware identities (identities embedded in processors so they cannot be corrupted) may have Manageable Identity reflections for purposes of integration and management.
Each form of identity has its advantages. Hardware identities provide:
Software Identities provide:
Basic Manageable Identities Functionality
Manageable Identities technology defines a common interface for various operations that control the lifetime of a usable identity. These include:
The existence of a common interface makes it easy to write applications that can use all different kinds of identities without having to know low-level details of how each identity works internally. It also allows the partitioning of rights between a user of an identity and a manager of an identity, while scoping the interaction so that managers and users see only those identity attributes that belong to them.
Manageable Identities technology has the ability to insert assertions about the trustworthiness characteristics of the platform into the mechanism processes. This could include information regarding protected storage, protected execution, encrypted I/O with attached biometric reader, etc. Applications controlling access to very sensitive resources can use this information as part of their decision on whether or not to grant access, make decisions about whether a particular Manageable Identity is transportable, or log the information for regulation compliance audits.
Users are frequently given the same kind of identities for different purposes, such as for accounts with different businesses. The Manageable Identities framework provides a convenient place to store all these identities and search through them to select the right one for the task. It also enables identities held in common, e.g. electronic credit cards, to be used as a common resource and applied to different applications or providers. Whatâ€™s more, as new kinds of identities and devices come up, Manageable Identities technology gives these identities into a common framework so that applications can treat the identities in the same way.
Identities are a sensitive resource requiring control
over who can perform various operations upon them. For example, you may need to limit who may transport an ID to another device or who may share it. Manageable Identities technology includes a simple system of configurable policies that allow you to determine who may perform which operations and who may alter the policies.
Manageable Identities operations are defined in the same manner for all Manageable Identities. For instance, Transport, will always transport a Manageable Identities between devices, leaving no copy behind. Copy will always duplicate a Manageable Identity for transport or as a template for re-use.
This is different than Manageable Identities mechanisms such as authentication and introduction. These mechanisms are defined on an individual, per Manageable Identity basis. This means that some mechanisms, such as the protocol supporting SIM authentication, may be the same among different Manageable Identities, but others might not be and could even be proprietary. In cases where a well-known mechanism is employed, a library reference from a range of mechanisms could be used.
Managtel lobby. Criteria could include wireless service providers with whom the user already has an established account, connection speed, and cost. Users will be presented with a list of choices ranked by the selected criteria.
Manageable Identities Technology in Action
How will Manageable Identities technology improve upon the ways digital identities are used today? To find out, letâ€™s now look at some possible usage scenarios.
Intelâ€™s Manageable Identities technology provides a much needed way to dynamically manage the ever increasing number of digital identities people create, use and eventually terminate in every aspect of their lives. By helping to develop a client-based framework for using this technology in a broad spectrum of devices, Intel is leading the way to helping people and organizations come to grips with a fast-growing problem that will continue to have repercussions throughout society until these identities are better managed and secure. Next steps in Intelâ€™s research and development of Manageable Identities technology include sharing the ideas and technology with the industry to speed development of a solution to the societyâ€™s growing digital identity crisis.
Version 1, February 23, 2005,
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPELS OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice.
Copyright © Intel Corporation 2005
Visit the Authors Web Site
Click Here for The Business Forum Library of White Papers
Search Our Site
Search the ENTIRE Business
Forum site. Search includes the Business