Subscribe in a RSS reader • Subscribe via Email
Identity Matters: User Managed Access
In this episode of the Identity Matters Podcast, Eve Maler presents an overview of the User Managed Access (UMA) Work Group. Eve, the UMA WG chair, starts off with the background of the group working within the Kantara Initiative and defines the problem space. She then provides an overview of the process the group is following as well as where they are in their roadmap toward delivering a specification to the IETF.
From the UMA charter: The purpose of the UMA work at Kantara is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.
Podcast: Download MP3 | Episode Length: 0:27:41 | Filesize: 18.5 MB
NOTE: This podcast was produced in collaboration with the Kantara Initiative Identity Community Update Discussion Group.
Google joins CA, Oracle, Ping Identity, NTT for Kantara Initiative’s workshop at RSA Conference
Eric Sachs, Product Manager, Google Security & Chris Messina, Open Web Advocate, will discuss the business value of federated login for consumer websites, Enterprise SaaS vendors, and Enterprises. Google joins CA, NTT, Oracle Corporation & Ping Identity for a series of presentations, panels & demonstrations of common Cloud/SaaS scenarios from diverse market leaders. Kantara’s annual workshop takes place March 1, 2010, 8am-5pm at the RSA Conference. View the full agenda online.
Register now for this free workshop. Please use the code: 1310KANEXPO for the Expo only pass and select Kantara Initiative from the ‘Registration Package’ page. This pass only allows access to Kantara Initiative workshop on March 1. Read details about the Conference events March 1-5.
Kantara Initiative’s Conference March 9-11, 2010 at Intel, Oregon
We invite you to join us for the second Kantara Initiative Conference, Tuesday-Thursday, March 9-11. This event is kindly hosted by Intel Corporation at their Hillsboro, Oregon campus.
Early-bird registration price is $195USD until Feb. 12, then $250USD thereafter until March 9.
Event information is available at our conference page. You can review the agenda, nearby hotel details, and maps there. We have a good room rate of $105USD per night at the SpringHill Suites by Marriott – review the discount code details at our conference page.
We also encourage you to sign up for our open-for-all dinner Wednesday, March 10, 6:45-8:15pm at Portland’s Oba Restaurant. The price for our 3-course dinner including one beverage is $45USD.
Looking forward to seeing you soon in Oregon.
UMA Webinar – Making the world safe for User-Managed Access, Jan 29, 8-9:30am PST
We invite you to join us for a UMA Webinar – Making the world safe for User-Managed Access on Jan. 29, 8-9:30am PST.
To benefit from the increasing number of services accessible over the Web, we’re forced to “hand over the data” — data that’s sensitive, valuable, and personal — and we end up paying a price in both privacy and convenience. The new User-Managed Access web protocol promises to help web users share their data more selectively using a central digital footprint dashboard, while helping websites get access to fresher and better-quality data when they need it. This session will review UMA benefits, progress to date, and next steps.
Register here: https://ieee-isto.webex.com/ieee-isto/j.php?ED=118302377&RG=1&UID=1058077657&RT=MiM0
Note that a maximum of 25 participants is allowed for this webinar, so registration is on a first-come, first-served basis.
Please feel free to invite colleagues and friends. If you have questions, please contact dervla (at) kantarainitiative (dot) org.
Kantara Initiative’s Annual Workshop March 1, 2010 promises to be an education-packed day
Kantara Initiative holds its annual workshop at the RSA Conference, March 1, 2010, 8am-5pm. Gain state-of-identity insight through a series of presentations, panels & demonstrations of common Cloud/SaaS scenarios from diverse market leaders.
Title: Technology, Policy, and Compliance for Identity Services in 2010 & Beyond
What: Kantara Initiative’s Annual RSA Security Conference Identity Workshop
When: Monday, March 1, 2010, 8:00am-5:00pm, Room 301
Where: Moscone Center, San Francisco, CA, USA
2010 brings new opportunities for identity services in the enterprise & consumer markets. Hear from deployers and providers alike just why distributed applications are poised for Internet-scale adoption given recent developments in assurance, multi-protocol interoperability, liability models, usability, privacy-enablement and service certification.
Register now for our free workshop. Please use the code: 1310KANEXPO for the Expo only pass and select Kantara Initiative from the ‘Registration Package’ page. This pass only allows access to Kantara Initiative workshop on March 1. Read details about the Conference events March 1-5.
Agenda:
| 8:00-9:00 | Visit demonstration pods featuring a variety of innovations & deployment scenarios |
| 9:00-9:40 | Kantara Initiative – The Identity Ecosystem one year later: highlighting key industry and government initiatives in context and plain English. Brett McDowell, Executive Director |
| 9:40-10:20 | Market Leader Presentation with audience Q&A – speaker TBD |
| 10:20-10:30 | Break |
| 10:30-11:10 | CA – Identity as Security Glue for the Cloud. Matthew Gardiner, Director of Product Marketing, CA & Chris Sharp, Director of Application Development, MEDecision |
| 11:10-11:50 | NTT – An overview of recent developments in some key identity protocols (SAML, OpenID, OAuth, IMI etc), and a discussion of opportunities for combining these protocols in interesting ways. Paul Madsen, Identity Management Researcher, NTT |
| 11:50-1:10 | Lunch Break with extra free time to visit demonstration pods |
| 1:10-1:50 | Ping Identity – How the Cloud is Changing Federated Identity Requirements. Patrick Harding, CTO, Ping Identity |
| 1:50-2:30 | Oracle – Customer roundtable discussion featuring deployments of identity management systems. Uppili Srinivasan, Senior Director Oracle Security and Identity Products |
| 2:30-2:40 | Break |
| 2:40-3:20 | Google – Business value of federated login for consumer websites, Enterprise SaaS vendors, and Enterprises. |
| 3:20-4:00 | Panelists: Mark Coderre, Head of Security Architecture at Aetna, will serve on the closing panel to speak on behalf of the Healthcare industry: why the work of Kantara is so important to their industry, what the next 12-18 months looks like for identity ecosystem from their perspective, etc |
| 4:00-5:00 | Visit demonstration pods featuring a variety of innovations & deployment scenarios |
CA featured at Kantara Initiative’s Annual Workshop March 1, 2010 at the RSA Conference San Francisco
Kantara Initiative continues its annual workshop at the RSA Conference, March 1, 2010, 8am-5pm. The workshop, titled Technology, Policy, and Compliance for Identity Services in 2010 & Beyond, highlights deployers and providers. Gain state-of-identity insight through a series of presentations, panels & demonstrations of common Cloud/SaaS scenarios from diverse market leaders (CA, NTT, Ping Identity, Oracle Corporation to name a few). Matthew Gardiner, Director of Product Marketing, CA & Chris Sharp, Director of Application Development, MEDecision will discuss CA’s Identity as Security Glue for the Cloud in the morning portion of the workshop.
Register now for our free workshop. Please use the code: 1310KANEXPO for the Expo only pass and select Kantara Initiative from the ‘Registration Package’ page. This pass only allows access to Kantara Initiative workshop on March 1. Read details about the Conference events March 1-5.
Concordia DG Authz and LOA Surveys Now Live!
(Posted on the behalf of Concordia Discussion Group Leadership – Paul Madsen & Tatsuki Sakushima)
The Concordia DG has created 2 short (~ 10 questions) surveys around assurance & authorization issues.
Authorization is one of the hottest topics in computing security today. Great strides have been made in the area of authentication, but the ultimate purpose of authentication is to provide input to authorization decisions. Security product vendors are offering packages that can serve as centralized authorization systems, or Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs) in XACML parlance. These products generally offer integration kits for various applications and platforms. Many organizations have or are beginning to architect XACML-based, logically-centralized authorization systems. The purpose of this survey is to generate data about both the business and technical drivers for authorization in the enterprise today.
http://www.surveymonkey.com/s/authz_survey
More and more, industries & governments are choosing a ‘Level of Assurance’ (LOA) model as a means to provide federation partners appropriate confidence in identity data received from external 3rd parties. But is the LOA model the only possible mechanism? This survey is intended to tease out real requirements of federated participants – perhaps answering this question.
http://www.surveymonkey.com/s/outsourced_id_data
Please consider taking the surveys yourself, and/or spread the word to partners, colleagues, etc. not involved in KI.
Regards
Paul Madsen & Tatsuki Sakushima
Co-Chairs – Concordia DG
Identity Assurance WG testimony to Health IT Committee and NHIN
The content below is a transcript of testimony that was presented at the Health IT Committee/Nationwide Health Information Network (NHIN) Workgroup public hearing on identity management and authentication on Jan. 7 by Frank Villavicencio, chair of the Identity Assurance Work Group (IAWG). The NHIN is a collection of standards, protocols, legal agreements, specifications, and services that enables the secure exchange of health information over the internet. To learn more about the NHIN please visit their site. If you would like to subscribe to the IAWG mail list or become involved in the IAWG activities visit their home page for further details.
Update on Jan 14, 2010: Frank Villavicencio (IAWG Chair) has also posted some follow-on additional information on his blog here >> http://bit.ly/7Bbc39
Testimony transcript is below —
My name is Frank Villavicencio, and I am here in my capacity of Chair of the Identity Assurance Work Group of the Kantara Initiative. We thank you for this invitation to testify.
The Kantara Initiative is an industry consortium formed by more than 120 different organizations, governments, foundations, associations, and individuals working on various aspects of digital identity.
Kantara’s goal is to develop the mechanisms to support industry development of interoperable identity management frameworks to increase Internet security while making it easier for users to log into multiple services. As such we believe strongly that the current Kantara work offers immediate solutions to healthcare’s security needs.
I believe that a specific program that Kantara has developed, the Identity Assurance Framework, or IAF, can be adopted immediately by the NHIN, it is ready now and is, in fact, already in use. The Identity Assurance Framework is technology agnostic and already supported by a wide range of industries and organizations globally, both within and outside of healthcare. This program allows multiple identity service providers to support the vast array of users in health care.
The Identity Assurance Framework (IAF) has been developed through collaboration and input from members of the global financial services, government, healthcare, biopharmaceutical, IT security, and telecom sectors. It is based on the four levels of assurance defined in NIST SP 800-63 and OMB publication M04-04. It supports different authentication solutions and identity proofing methods at the various levels of assurance. It recognizes the differences between low and high value transactions and, as such, associated risk profiles and trust levels. Specifically, the Kantara Identity Assurance Framework consists of four parts:
- Assurance Level Definitions
- Service Assessment Criteria
- Assurance Assessment Scheme and Certification Program
- Deployment Guidelines
The end goal of the IAF work is to provide public and private sector organizations a uniform means of relying on digital credentials issued by a variety of identity assurance providers (credential service providers) to support multiple levels of assurance to facilitate public access to online information. The IAF does not replace any of the existing certificate service providers, nor does it aim to become a Federated Identity Provider. Rather, it provides the criteria to assess and measure compliance with established standards to assure interoperability of e-authentication systems.
Specifically for the focus of this forum, a common set of policies, procedures, and standards to facilitate reliable and secure access to health information is required. Such an approach assures the continued local authorization while using these standards and practices to specify what patient information can be shared, and how the information can be used. To ensure such compliance, yet maintain a level of local autonomy, we suggest the participating members of the NHIN belong to an IAF-compliant Identity Federation. Federation, in this view, is a response to the difficulties presented by the need to maintain decentralized systems with a certain level of local autonomy, yet ensure secure access to critical patient data. Formal federation using a standard set of policies, rules and procedures allows participants to access critical information across the federation.
We believe the adoption of federated identity is key to a viable national health network that protects the privacy and security of all ecosystem participants and helps contain escalating healthcare costs.
The implementation of the IAF supports identity federation that is secure, private, and auditable. It offers businesses, government, employees and consumers a more convenient and reliable way to exchange identity information in today’s digital economy. Please consider the following:
- The IAF is a finished industry standard—it’s publicly accessible, based on recognized US Government standards and open and available for free use and implementation today.
- The IAF is cross-industry—there is no need to create a Health-specific project which may or may not be adopted. Indeed, other experts before you today already utilize and/or have contributed to the IAF. It is currently in evaluation by the Federal CIO Council’s Identity Credentialing & Access Management (ICAM) sub-committee as the first US Government recognized Trust Framework.
- The IAF structure is compatible with the existing NHIN/Connect gateways. It has already been utilized in various proofs of concept by HIMSS and GSA, HISPC, and others, and has been publicly adopted by the Michigan Health Information Exchange and the Minnesota HIE-Bridge Health Information Exchange. Additionally, the three co-chairs of our Healthcare Identity Assurance Workgroup, John Fraser, Pete Palmer, and Rick Moore, through their HIMSS support, led a pilot with the GSA in 2007 showing that six Health Information Exchanges (HIEs) spread across the country—Connecticut, Michigan, Minnesota, Nevada, Ohio and Texas, could use a common authentication framework. It was based on the operational interoperability defined in the IAF. (http://www.himss.org/content/files/GSAwhitepaper.pdf)
- The IAF is technology agnostic. Through its four NIST-based levels of assurance, it is compatible with federal security architectures. In fact, in a co-funded exercise with the GSA in fall 2008, we mapped NIST 800-63 and the IAF requirements and found them to be compatible and complementary.
- The IAF can help increase NHIN security, which helps protect patient privacy. This is a core tenet, we believe, to effective identity management—in fact, we have a whole work group dedicated to privacy issues—and we are committed to strong security in all activities.
- Given all of these factors, use of the IAF will build stronger trust into NHIN, which will accelerate adoption. Widespread use will lead to better consistency of practice, cost savings and increased privacy and security.
- Consistent process and the operational interoperability achieved via the IAF will help reduce the “fear factor” for health information exchanges (HIEs) to plug in and share. Indeed, the South-East Michigan Health Information Exchange (SEMHIE) has already paved the way to success here.
- The urgency and importance of making this transformation to a better use of information and related technologies in the health system is very widely appreciated. Dozens of communities and innovative networks across America have begun implementing information exchange solutions – the IAF delivers a common pathway, uniform standards, and a secure, private and consistent basis for information exchange. Use of the IAF as a common framework will maximize the value of other U.S. Government efforts already in progress.
The NHIN can *only* succeed if digital identities are issued and credentials are managed using a common set of rules (policies and procedures). The IAF provides this rule book and has a program to assess and certify compliance. No other standards body provides this kind of comprehensive support for trusted identity management on a national and global scale.
Abbie Barbir elected as P3WG Chair
Abbie Barbir (http://www.oasis-open.org/about/distinguished-contributors.php) has just been elected by his peers to Chair the Kantara Initiative Privacy and Public Policy Work Group (http://kantarainitiative.org/confluence/display/p3wg/Home).
According to Abbie, the Kantara Privacy and Public Policy WG (P3WG) plays an important role in identifying the steps that are needed in the community to help ensure better privacy outcomes for users, data custodians and other stakeholders across the Internet and other public domains. The P3WG intends to be actively engaged with other stakeholders such as ISO/IEC JTC1, ITU-T SG 17 and OASIS to ensure that common frameworks, privacy-enabling technology (PET) standards, operational criteria and privacy-enhancing culture, policies and best practices are adopted at the international level. Abbie Barbir invites all interested individuals to participate in this important activity by joining the P3WG today (http://signup.kantarainitiative.org/?selectedGroup=8).