Assurance for federated identity management

Federated identity management is an emerging paradigm that is rightly receiving a great deal of standardization and research attention. One aspect that is not receiving enough attention is assurance. Given the challenges enterprises have faced in trying to demonstrate appropriate control of their internal, monolithic identity management systems, the problem of providing assurance to multiple stakeholders that controls, operations and technologies which cut across organisational boundaries are appropriately mitigating risk looks daunting. The paper provides an exposition of the assurance process, of how it applies to identity management, and particularly of how it applies to federated identity management. Our contribution is to show that technology can be used to overcome many of the trust, transparency and information reconciliation problems. Specifically, we show how declarative assurance models can orchestrate and automate much of the assurance work, how certain enforcement technologies can radically improve identity assurance, and how an assurance framework can provide a basis for judging the assurance value of security technologies.
