SIMC's Identity Management Initiative - PowerPoint PPT Presentation

Provided by: eliotms
Transcript and Presenter's Notes

Title: SIMC's Identity Management Initiative


1
SIMC's Identity Management Initiative
  • Phase one: The problem statement

Eliot M. Solomon, President and Chair, eliot_at_eliotsolomon.com
For more information: www.simc-inc.org
2
About SIMC
  • Founded in 1997
  • Original mission: To improve the quality of
    Middleware delivered to the Securities Industry
  • Emphasized reliability, operability,
    recoverability, manageability, scalability,
    extensibility, interoperability
  • Encouraged consistency, conformance to standards,
    and open collaboration among IT providers and
    users

3
SIMC's revised mission
  • Our mission has evolved over five years
  • Our original mission was enterprise oriented
  • Our new mission addresses global collaboration
  • to improve the Securities Industry's ability to
    interoperate as a global electronic marketplace
    where enterprises of any size and in any
    geographical location can meet and conduct
    business with each other
  • We still focus on the details where the devil is

4
Middleware's role
  • Middleware is essential to achieving this goal.
  • Middleware is no longer just infrastructure. It
    is the key to facilitating information flows for
    application integration and inter-enterprise
    interoperation
  • SIMC brings together Securities Industry and
    Vendors to create better understanding of the
    special needs of the Industry. We catalyze
    partnerships that provide solutions based on that
    understanding

5
Our continuing objectives
  • Address the Securities Industry's differentiating
    requirements
  • using broadly applicable products whenever
    possible
  • Achieve cost reductions for us
  • and quality improvements for everyone

6
The case at hand
  • The Securities industry has requirements for
    firm-to-firm (like B2B) interoperation and
    collaboration requiring
  • Authorization, identification, accountability,
    etc.
  • Selective sharing of information about
    individuals
  • Identity management technology providers claim
    to address these issues

7
But does identity management
  • address the correct functional problem?
  • What aspects of identity are handled?
  • support the appropriate business models?
  • Relations among the firms using and sharing
  • have the necessary operational characteristics?
  • Enterprise- and industry-wide requirements
  • Availability, throughput, recoverability,
    administration
  • provide a viable business model for itself?
  • E.g., If it requires a service provider, how is
    his operation funded

8
SIMC's Identity Management Initiative
  • Follow-on to our February 2002 meeting
  • Identify the gaps between
  • What Identity Management does
  • What the Securities Industry needs
  • Find ways to fill or bridge the gaps
  • With existing technologies wherever possible
  • That don't require adopters to start over

9
Phase 1 of the Initiative
  • Engage a small number of securities industry
    firms to refine the overall project objectives.
  • Define the major categories of requirement that
    the project will identify.
  • With illustrative examples and test cases
  • Develop high-level plan for the entire project

10
SIMC's Report
Securities Industry Requirements for Identity Management
  • Results of Phase 1

11
Goals for Identity Management
  • Managing identity
  • Individuals as agents of authority
  • Policy enforcement
  • Supporting trust

12
Managing identity
  • Whose identity is of interest
  • What about the identity needs to be managed
  • How will we use or rely on the identity
  • Inside a firm
  • Between and among firms
  • Who has rights to the information
  • Privacy vs. public policy ? Fiduciary
    responsibility
  • Customer convenience vs. competitive advantage

13
Whose identity?
  • Employees
  • Employees with conventional responsibilities
  • Employees with substantial discretion
  • Individual clients
  • Institutional clients
  • Trading partners and counterparties
  • and others

14
Customers and clients
  • Retail customers
  • Private banking clients
  • Institutional clients
  • Individuals who fit into multiple classes
  • Employees who are also customers

15
Know Your Customer AML
  • We have overlapping requirements for identity
  • One is the requirement for supervision of market
    behavior
  • Know your Customer is a longstanding obligation
  • Now a part of Anti-Money Laundering or AML.

16
Employees as agents
  • Many employees act on behalf of the firm
  • In highly sensitive and often risky activities
  • Often with substantial discretion
  • This model of agency is a type of delegation
  • This is not impersonation
  • The firm delegates the authority to make and act
    on financially significant decisions
  • The authority is constrained by policy and context

17
Policy enforcement
  • The basic statement of our objective
  • Allow firms to grant access to their systems to
    employees and agents of other firms in a way that
    ensures that the policies of both firms are
    properly enforced.

18
Policy independence
  • Trust is our business
  • Creation of policies is a core competency
  • Specific policies are competitive differentiators
  • Adoption of common policies is seen to be
    disadvantageous
  • Possible consequences
  • Standardized roles or groups may be unattainable
  • Cross-firm identity authentication may be
    difficult

19
The requirements for trust
  • We asked whether and how one firm could "trust"
    an authentication performed by another firm
  • There was no single answer all participants could
    agree to
  • Different approaches to authentication technology
  • Different policies for common technologies
  • Concern about operational and administrative
    practices

20
When we can trust
  • If each party assumes liability
  • For the actions of his agent
  • for consequences of reliance by the other party
  • This requires contractual or similar arrangements
  • The extent of the liability must be clearly and
    explicitly defined
  • The liability arising from one reliance must be
    small

21
Business scenarios
  • We identified a number of scenarios
  • Business scenarios currently used in the industry
  • Chosen to highlight the challenges for Identity
    Management
  • Not identity management scenarios
  • We did not assume that Identity Management is the
    way to meet the requirements
  • We did include some generic trust and
    authorization scenarios as a baseline

22
Common features
  • Multiple parties to each transaction
  • Often include multiple intermediaries
  • Usually including supervisory or regulatory
    parties
  • Long-running, asynchronous transactions
  • Principals (users) may not be logged on
  • Often transported in async messaging
    infrastructures
  • Parallel threads
  • Sometimes synchronized, sometimes rendezvous
  • Requires traceability to accountable party

23
Some of the scenarios
  • Acknowledged Authority
  • Anonymous Order Placement
  • Broker-to-Broker Trade
  • Trading Hub

24
Anonymous order placement
25
Broker-to-Broker Trade
26
Acknowledged Authority
27
Trading Hub
28
SIMC's Plan
Matching Securities Industry Requirements to Available Technology
  • Beginning Phase 2

29
Phase 2: Detailed requirements
  • Phase two will engage non-technical
    participants to
  • Validate and elaborate the business requirements
  • Articulate corporate and regulatory policy issues
  • Identify opportunities to improve processes by
    reliance on technical means of identity management

30
Phase 2: Capability and Gap Analysis
  • Participants will review available technology
  • To identify its ability to address the
    requirements
  • Immediately
  • In the future
  • To identify remaining capability gaps
  • In current products
  • In architecture, standards, and base technology
  • To determine whether adjustments could be made
  • Reconsidering requirements that may prove
    intractable

31
Phase 2: Set attainable goals
  • Participants will set prioritized goals based on
  • Immediate needs of participating firms
  • Industry priorities and initiatives
  • Applicability and availability of existing
    technology
  • Ease of introduction of likely technical
    solutions
  • Cost of adoption, deployment, and operation

32
Ideal technology outcomes
Standards or common practices
  • Common vocabulary
  • What we talk about
  • Common syntax
  • How we say things
  • Common semantics
  • What we need to say
  • Assertions we need to make
  • Common transports and bindings
  • Or at least support for all our customary
    transports
  • One common, universal token
  • World peace

33
Participate in the Initiative
  • If you are
  • A Securities Industry firm
  • An IT vendor or service provider to those firms
  • If you can contribute
  • Requirements
  • Solutions
  • Research and analysis

Join SIMC: www.simc-inc.org