Committed to connecting the world

Question 10/17

​Identity management architecture and mechanisms

(Continuation of Q10/17)

Motivation

Identity management (IdM) is the management of the life cycle and use (creation, maintenance, utilization, provisioning, and revocation) of credentials, identifiers, attributes, authentication, attestation, and patterns by which entities (e.g., service providers, end-user, social networks, organizations, network devices, applications and services) are known with some level of trust. Depending on the context, multiple identities may exist for a single entity at differing security requirements, and at multiple locations. In the cloud and public networks, IdM discusses trusted information exchange between authorized entities that is based on validation and assertion of identities across distributed systems. IdM enables the protection of information and ensures that only authorized information is disseminated. IdM is a key component to the proper operations of telecommunication/ICT networks, (e.g., Internet of Things (IoT), cloud and mobile computing, services, and products) because it supports establishing and maintaining trusted communications. It not only supports authentication of an entity's identity, it also permits authorization of privileges, easy change of privileges when an entity's role changes, delegation, nomadicity, and other significant identity-based services.
IdM is a critical component in managing network security and enabling the nomadic, on-demand access to networks and e-services that end-users' expect today. Along with other defensive mechanisms, IdM helps to prevent fraud and identity theft and thereby increases users' confidence that e-transactions are secure and reliable (e.g., IoT, and cloud and mobile computing systems that are not directly controlled by the user organization).
National/regional specific IdM specifications and solution will exist and continue to evolve. Harmonization of the different national/regional IdM approaches, specifications and solution variants is very important for global communications. In order to accomplish this objective, IdM standards that utilize developer friendly environments, promotes the wide scale development of applications and tools using various web technologies (i.e., HTTP, JSON, OAUTH, and OpenID Connect) are needed.
This Question is dedicated to the vision setting and the coordination and organization of the entire range of IdM activities within ITU-T. A top-down approach to the IdM will be used with collaboration with other study groups, other standards development organizations (SDOs) and consortia. It is recognized that other Questions will be involved in specific aspects of IdM (i.e., protocols, requirements and network device identifiers).
Recommendations and Supplements under responsibility of this Question as of 23 March 2016: X.1250, X.1251, X.1252, X.1253, X.1254, X.1255, X.1256, X.1257, X.1275, and Supplement X.Suppl.7.
Texts under development: X.1258 (X.eaaa), and X.te.

Question

Study items to be considered include, but are not limited to:
a) What are the functional concepts for a common identity management (IdM) infrastructure?
b) What is an appropriate IdM model that is independent of network technologies, supports user-centric involvement, represents IdM information and supports the secure exchange of IdM information between involved entities (e.g., users, relying parties and identity providers)?
c) What are the components needed to bring social, mobile and enterprise IdM together in a way that promotes safer digital transactions?
d) What are the functional aspects of IdM models?
e) What are the specific IdM requirements of service providers and service consumers?
f) What are the attributes of identities that can be shared by identity providers within trust frameworks?
g) What are requirements, capabilities and possible strategies for achieving interoperability between different IdM systems (e.g., identity assurance, inter-working)?
h) What are the candidate mechanisms for IdM interoperability to include identifying and defining applicable profiles to minimize interoperability issues?
i) What are the requirements and mechanisms for protecting and preventing disclosure of personally identifiable information (PII)?
j) What are the requirements to protect IdM systems from cyber attacks?
k) What IdM capabilities can be used against cyber attacks?
l) How should IdM be integrated with advanced security technologies?
m) What unique IdM requirements are associated with cloud computing?
n) What unique IdM requirements are associated with mobile computing?
o) What unique IdM requirements are associated with various distributed environments such as IoT and cloud?
p) How can identity proofing be integrated in IdM systems?
q) How can secure credential management be integrated in IdM systems?
r) How can authentication technologies be integrated in IdM systems?

Tasks

Tasks include, but are not limited to:
a) Specify an IdM framework that supports discovery, policy and trust model, authentication and authorization, assertions, and credential lifecycle management required for IdM in evolving environments.
b) Define functional IdM architectural concepts to include IdM bridging among networks and among IdM systems taking into account advanced security technologies.
c) Specify requirements and propose mechanisms for identity assurance. Establish criteria for mapping/interworking among different identity assurance methods that might be adopted in various networks. In this context, identity assurance includes identity patterns and reputation.
d) Propose guidelines for interoperability of IdM systems.
e) Specify requirements (and propose mechanisms) to protect IdM systems including how to use IdM capabilities as a means for service providers to coordinate and exchange information regarding cyber attacks.
f) Maintain and coordinate IdM terminologies and definitions living list and to continue the on-going work.
g) Study and specify IdM security risks and threats.

Relationships

Recommendations:
• X- and Y-series.
Questions:
• ITU-T Qs 1/17, 3/17, 4/17, 6/17, 7/17 and 8/17.
Study Groups:
• ITU-D SGs 1, 2; ITU-T SGs 2, 3, 11, 13, 16 and 20; TSAG.
Standardization bodies:
• Internet Engineering Task Force (IETF); European Telecommunications Standards Institute (ETSI); ISO/IEC JTC 1 SCs 6, 27 and 37.
Other bodies:
• National Institute of Standards and Technology (NIST); Organization for the Advancement of Structured Information Standards (OASIS); Third Generation Partnership Project (3GPP); Third Generation Partnership Project 2 (3GPP2).