Managing Cyber-Identity, Authorization and Trust (and their inter-relationships)

1
Managing Cyber-Identity, Authorization and
Trust(and their inter-relationships)

• Prof. Ravi Sandhu
• Laboratory for Information Security Technology
• George Mason University
• www.list.gmu.edu
• sandhu_at_gmu.edu

2
Problem Drivers and Consequences

• PROBLEM DRIVERS
• Uncertain threat We always fight the last war
• Technological change B2B integration, Pervasive
  (ubiquitous) computing, Peer-to-peer, grid and
  utility computing, Intels LaGrande and
  Microsofts Longhorn, the next Intel, Microsoft,
  Cisco,
• Business change Outsourcing/globalization,
  Cost/ROI, federated identity (relying party is
  NOT the identity provider), identity grades
  (identity vetting, authentication strength,
  purpose, privacy all vary)
• CONSEQUENCES
• The 3-decade old problem of managing identity,
  authorization and trust is rapidly becoming more
  difficult, challenging and essential
• Real progress requires radical shifts in our
  approach and fundamental advances in basic
  research

3
Radical Shifts get real

• Focus on
• what needs to be done rather than how it is to be
  done
• real-word business requirements rather than
  hypothetical academic scenarios
• the 80 problem rather than the 120 problem
• soft and informal rather than hard and formal
• constructing the policy rather than auditing the
  policy
• constructive safety via policy articulation and
  evolution rather than post-facto algorithmic
  safety
• ordinary consumers as end-users and
  administrators rather than techno-geeks or
  math-geeks

4
Radical Shifts good enough beats perfect
Security geeks
Real-world users
SECURE
EASY
COST
System owner