Re: [DG-IDPro] Reminder: ID Pro Body of Knowledge Work Stream Meeting TODAY
I recommend that you distinguish “Authorization” from “Access Management” … Authorization is a (logically) off-line activity relative to Access Control … Authorization is closer to Privilege Management (and might be a proper subset of it) … Access Control is a real-time/run-time activity that has to mediate across Authentication, Authorizations (note the plural form), and contextual factors to make an operational grant/deny decision.
Here are the supporting definitions from CNSSI 4009 (as reproduced in NIST IR 7298 Revision 1, Glossary of Key Information Security Terms):
Access Control
The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
Authorization
Access privileges granted to a user, program, or process or the act of granting those privileges.
Privilege
A right granted to an individual, a program, or a process.
Privilege Management
The definition and management of policies and processes that define the ways in which the user is provided access rights to enterprise systems. It governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access to information in directories.
YMMV, but I’ve been down this road a number of times and have always encountered the need to distinguish those two concepts/constructs.
Avanti,
BobN
From: dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] On Behalf Of Andrew Hughes Sent: Monday, November 28, 2016 5:49 PM To: Thorsten H. Niebuhr [WedaCon GmbH] <tniebuhr@wedacon.net> Cc: dg-idpro@kantarainitiative.org Subject: Re: [DG-IDPro] Reminder: ID Pro Body of Knowledge Work Stream Meeting TODAY
I created a PPTx and PDF version of the hand-drawn 'visual' taxonomy for debate and discussion
It is here http://kantarainitiative.org/confluence/download/attachments/85492303/BoK%20Diagram.pdf?version=1&modificationDate=1480373062000&api=v2
andrew.
Andrew Hughes CISM CISSP Independent Consultant In Turn Information Management Consulting
o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ Identity Management | IT Governance | Information Security
On Mon, Nov 28, 2016 at 10:14 AM, Thorsten H. Niebuhr [WedaCon GmbH] <tniebuhr@wedacon.net> wrote:
Links to the minutes
https://kantarainitiative.org/confluence/pages/viewpage.action?pageId=854925...
thx all
On 28.11.2016 17:13, Shannon Taylor Kantara wrote:
All,
A reminder that the ID Pro Body of Knowledge work stream is meeting TODAY at noon eastern. The call details are below.
Regards,
Shannon
________________________________
Monday, November 28, 2016
12:00pm Eastern
1. Please join my meeting.
https://global.gotomeeting.com/join/135593357
Meeting ID: 135-593-357
Audio PIN: Shown after joining the meeting
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.
United States: +1 (571) 317-3116
Australia: +61 2 8355 1034
Austria: +43 1 2060 92964
Belgium: +32 (0) 28 08 4372
Canada: +1 (647) 497-9372
Denmark: +45 69 91 84 58
Finland: +358 (0) 923 17 0556
France: +33 (0) 170 950 590
Germany: +49 (0) 692 5736 7206
Ireland: +353 (0) 19 030 053
Italy: +39 0 699 26 68 65
Netherlands: +31 (0) 208 080 759
New Zealand: +64 9 974 9579
Norway: +47 21 04 30 59
Spain: +34 931 76 1534
Sweden: +46 (0) 775 757 471
Switzerland: +41 (0) 435 0026 89
United Kingdom: +44 (0) 20 3713 5011
_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro
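Bob's distinction above, worked through as an added example that is not code from this thread or from the ID Pro group: a small Python model in which Privilege Management / Authorization is an off-line store of grants, and Access Control is the run-time decision that mediates across authentication state, the principal's (plural) authorizations, and contextual factors before it grants or denies. The principal names, resource names, trusted network range and business-hours window are all constructed for illustration, as is the decision logic itself; a real deployment would back the grant store with a directory and feed the context from session and device signals.

```python
"""Added example (not from the thread): off-line Authorization / Privilege
Management kept apart from run-time Access Control, in the sense of the
CNSSI 4009 definitions quoted above.

All names, networks and hours below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Privilege:
    """A right granted to an individual, a program, or a process."""
    resource: str
    action: str


class PrivilegeManagement:
    """Off-line activity: define and store who holds which privileges.
    Changes happen at provisioning time, not on the request path."""

    def __init__(self):
        self._grants: dict[str, set[Privilege]] = {}

    def authorize(self, principal: str, privilege: Privilege) -> None:
        self._grants.setdefault(principal, set()).add(privilege)

    def revoke_all(self, principal: str) -> None:
        """De-provisioning: every grant disappears in one off-line step."""
        self._grants.pop(principal, None)

    def authorizations(self, principal: str) -> frozenset:
        """The plural matters: a principal usually holds many grants."""
        return frozenset(self._grants.get(principal, set()))


@dataclass
class Session:
    principal: str
    authenticated: bool  # outcome of Authentication, supplied to the PDP
    source_ip: str       # one contextual factor


@dataclass
class Request:
    session: Session
    privilege: Privilege
    at: time             # another contextual factor


@dataclass
class AccessControl:
    """Run-time activity: mediate across authentication state, the
    principal's authorizations and context to reach grant/deny."""
    privileges: PrivilegeManagement
    trusted_networks: list = field(default_factory=list)
    business_hours: tuple = (time(8, 0), time(18, 0))

    def decide(self, req: Request) -> tuple:
        """Return (decision, reason). Every denial names the factor that
        failed, which is what an audit trail needs to be useful."""
        s = req.session
        if not s.authenticated:
            return ("deny", "not authenticated")
        if req.privilege not in self.privileges.authorizations(s.principal):
            return ("deny", "no matching authorization")
        if not any(ip_address(s.source_ip) in net for net in self.trusted_networks):
            return ("deny", "untrusted network")
        start, end = self.business_hours
        if not (start <= req.at <= end):
            return ("deny", "outside permitted hours")
        return ("grant", "all factors satisfied")


def demo() -> list:
    """Constructed walk-through; returns the list of (decision, reason)."""
    pm = PrivilegeManagement()
    read_ledger = Privilege("ledger", "read")
    pm.authorize("alice", read_ledger)  # off-line grant (Authorization)
    ac = AccessControl(pm, trusted_networks=[ip_network("10.0.0.0/8")])

    inside = Session("alice", True, "10.1.2.3")
    results = [
        ac.decide(Request(inside, read_ledger, time(10, 0))),
        ac.decide(Request(Session("alice", False, "10.1.2.3"), read_ledger, time(10, 0))),
        ac.decide(Request(inside, Privilege("ledger", "write"), time(10, 0))),
        ac.decide(Request(Session("alice", True, "203.0.113.9"), read_ledger, time(10, 0))),
        ac.decide(Request(inside, read_ledger, time(23, 0))),
    ]
    pm.revoke_all("alice")  # off-line change; run-time control sees it at once
    results.append(ac.decide(Request(inside, read_ledger, time(10, 0))))
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

The design point is that nothing on the request path writes to the grant store, and nothing in the grant store knows about sessions, networks or clocks; the two can be reviewed, logged and tested separately, which is exactly why the two terms are worth keeping apart in a taxonomy.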
Good points Bob.
Group: is there merit in having a distinction between "Management of" versus "Active Control of" for all segments?
I'm trying to think through how that might emerge in each segment - Identification / Registration (yes); Credentials (yes); authentication (maybe); privilege management (yes)
andrew.
*Andrew Hughes *CISM CISSP Independent Consultant *In Turn Information Management Consulting*
o +1 650.209.7542 m +1 250.888.9474 1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ *Identity Management | IT Governance | Information Security *
On Mon, Nov 28, 2016 at 7:32 PM, Natale, Bob <RNATALE@mitre.org> wrote:
Andrew, first of all: great work! I really like the 'layer' approach allowing us to build upon established process frameworks and concentrate on the Identity stuff.
Which brings me to the first question:
* Should we concentrate on one process framework (e.g. COBIT as mentioned in your visualization)? Personally, I think we should NOT, to allow a broader view. But it might make sense to create (not until February, but some day) a reference 'architecture' based on a specific one.
While I totally agree on Bob's view (and I especially like the 'mediation across Authentication, Authorizations (note the plural form), and contextual factors'), we should concentrate on a more general view here (in the end, it is still our shot on a 'topLevel' Taxonomy).
The first draft of the model included 'Anonymous, Citizen, Employee, Customers', so types of Identities. I am happy that this is not in the new draft, as it is not broad enough. Personally, I often use the term 'Entity' for anything that is managed with IAM/IAG Approaches/Goals. Another term could be 'PII linked Artifacts'. Those artifacts need IG (joiner/mover/leaver) and AM (auth-n and auth-z) processes.
So if we use the
* 'Identification (Registration Management)' as the one representing on- and off-boarding (Joiner and Leaver)
* 'Credential Management' as the whole 'Mover' Section
* Authentication and Authorization as the 'AM' Section
we would be able to describe a full lifecycle of a 'PII linked artifact' (always in conjunction with the rings and layers of the model):
1. Join / Register
2. Mover
* Authentication
* Authorization
* Contexts and relations
* Attributes
3. Leaver (De-Register)
I am totally aware of the unusual 'stretching' of the term 'Mover'....
And the last question: The 'bulls eye' of the board is named 'Information'. I assume this means the PII-Abstract we are dealing with (e.g. a person's Date-of-Birth)?
best
Thorsten
On 29.11.2016 15:50, Andrew Hughes wrote: