Purpose

Introduce identity assurance concepts, motivate the need for identity assurance support in UW IAM services, describe existing services and planned work.

Identity Assurance

Some information resources and applications are public:  anyone with network access can see the resources and interact with the applications.  Other resources are protected:  access to read, update, or perform other operations is restricted by policy to authorized users or processes.  Traditionally, access to resources has been administered via accounts local to the resource or application.  The resource administrator engaged the users, created the accounts, assigned the passwords, set up permissions, removed accounts when no longer needed, etc.  Each resource or application administrator could decide how much effort to put into these activities to meet the security needs of their system within their security budget.

Today, in response to the common needs of thousands of institutional applications, account management has become an institution-wide service called identity management.  The term "identity", rather than "account", expresses the importance of individuals rather than systems, and the emphasis on managing multiple relationships and characteristics useful in access control.  Resource and application administrators rely on institutional identity management services as a key part of controlling access, and generally appreciate the benefits of doing so.  But administrators still have their own requirements for how accounts are managed to access their systems, perhaps based on local policies or external compliance regimes.  They need to have confidence that the identity management services on which they rely (which may be many different services, in the case of federated applications) are meeting those requirements.

"Identity assurance" is the component of an identity management service that clarifies the processes and controls, both business and technical, that are used to guarantee the accuracy and security of identities used for resource access.  An identity assurance program provides a framework for the alignment of organizational identity management practices and the needs of resource and application owners and users.  Institutions of all kinds are developing formal identity assurance programs to meet the needs of external service providers relying on federated access, where considerations of liability between organizations are significant.  As intra-institutional applications increasingly are obliged to meet external compliance rules, identity assurance is useful internal to the institution as well.

There are many factors related to identity assurance that might be of concern to policy-makers relying on identity management services.  They fall generally into these categories:

One principle of an institutional identity management program is that one size does not fit all.  Some resources are very sensitive and require high-quality, expensive identity management processes and methods (for example, hardware token-based authentication).  Other resources and applications must provide access to hundreds of thousands of users and cope with remote users and those with only a casual contact with the institution.  Identity management services must scale in strength and breadth to meet these varying requirements; identity assurance concepts provide the necessary framework for this to happen coherently.  See NIST Special Publication 800-63, "Electronic Authentication Guideline", for a widely-used identity assurance framework.
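The "one size does not fit all" principle above is usually implemented by a relying party gating each resource on a minimum assurance level. The following is an added illustration, not code from UW IAM or from NIST SP 800-63: it models the four SP 800-63 levels of assurance as an ordered scale, assigns each resource a minimum level, and, as the practitioner's caveat, clamps the level asserted by an identity provider to the highest level that provider is certified to assert, so a federated partner cannot raise its users' effective assurance simply by claiming a higher level. All resource names, identity provider hostnames, and the policy tables are constructed for the example.

```python
"""Assurance-level gate for a relying party (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# NIST SP 800-63 (2006 edition) defines four levels of assurance, ordered 1..4.
VALID_LEVELS = (1, 2, 3, 4)

# Minimum level each protected resource demands (constructed policy table).
RESOURCE_POLICY: Dict[str, int] = {
    "campus-directory": 1,
    "course-grades": 2,
    "payroll": 3,
    "hsm-admin-console": 4,
}

# Highest level each identity provider is certified to assert (constructed).
# An IdP absent from this table is untrusted and contributes level 0.
IDP_CEILING: Dict[str, int] = {
    "idp.example-university.invalid": 3,
    "idp.partner.invalid": 2,
}


@dataclass(frozen=True)
class AuthnContext:
    """What the relying party learns from one authentication event."""
    subject: str
    idp: str
    asserted_level: Optional[int]  # level the IdP claims; None if not asserted


def effective_level(ctx: AuthnContext) -> int:
    """Clamp the asserted level to what the IdP may legitimately claim.

    Unknown or malformed levels and unknown IdPs collapse to 0, which
    satisfies no policy, so the failure mode is deny rather than allow.
    """
    if ctx.asserted_level not in VALID_LEVELS:
        return 0
    ceiling = IDP_CEILING.get(ctx.idp, 0)
    return min(ctx.asserted_level, ceiling)


def authorize(resource: str, ctx: AuthnContext) -> Tuple[bool, str]:
    """Return (allowed, reason); the reason is suitable for an audit log line."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        # Resources with no declared policy are closed until one is written.
        return False, f"no assurance policy for resource {resource!r}"
    level = effective_level(ctx)
    if level >= required:
        return True, f"level {level} satisfies required level {required}"
    return False, f"level {level} below required level {required} for {resource!r}"


if __name__ == "__main__":
    # Constructed authentication events to exercise the gate.
    events = [
        ("payroll", AuthnContext("alice", "idp.example-university.invalid", 3)),
        ("payroll", AuthnContext("bob", "idp.partner.invalid", 3)),
        ("hsm-admin-console", AuthnContext("carol", "idp.example-university.invalid", 4)),
        ("campus-directory", AuthnContext("dave", "idp.unknown.invalid", 1)),
    ]
    for resource, ctx in events:
        allowed, reason = authorize(resource, ctx)
        print(f"{ctx.subject:6} -> {resource:18} {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The clamp in `effective_level` is the part worth copying: in a federation the relying party's confidence comes from the identity provider's certified assurance profile, not from the value carried in an individual assertion, and every denial carries a reason so that mismatches between what partners assert and what they are certified for show up in logs.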

Identity Assurance Program Vision

The UW IAM identity assurance program must support these broad identity management goals:

Supporting these goals implies these elements in the assurance program:

Program Status

Formal identity assurance in the UW IAM service set is in an early stage.  A range of assurance-related services is available today:

Specific work supporting defined identity assurance and compliance includes:

Work is in progress in these areas:

Work is needed to address these issues (this list is representative but incomplete):