User Identity Management

USER IDENTITY MANAGEMENT


What is User Identity Management?

User Identity Management describes the service components required to accurately identify users of an IT system.

Included are tasks such as: registering users; assigning roles that define their access privileges; and managing changes in user status (i.e. creation, deletion and modification of user identity data).


Under what circumstances is Identity Management required?

A user identity management regime should be used at any time when confidence is required that access to information is only given to specific authorised users.

For shared IT systems that cater for a number of users, user identity management it is a critical process because it enables different users of the shared system to be identified with confidence, and access to be subsequently and appropriately granted to data items held on the system only to qualified users.


How is Identity Management achieved?

From a technical perspective, user identity management is achieved by having a ‘namespace’ (an IT system, e.g. a file system etc) that holds the named objects that represent the real-life ‘identified’ identities (e.g. people). Control mechanisms are also usually associated (e.g. not allowing more than one user to have the same username).


What is Federated User Identity Management?

On shared software services (e.g. med.data.edu.au) that cater to users across a number of separate organisations (e.g. Universities and MRIs), identity management can be managed across the collective of organisations. This is termed ‘Federated’ User Identity Management.

In this setup, one system acts as the identity provider (e.g. a University’s User Identity Management system) and other system acts as the service provider (e.g. med.data.edu.au). When a user needs to access a service controlled by the service provider, he/she first authenticates against his/her own identity provider. Upon successful authentication, the identity provider sends a secure “assertion” to the service provider.

Security Assertion Markup Language (SAML) is the data format used to exchange authentication and authorisation data between the identity provider and service provider. Before delivering the identity assertion to the service provider, the identity provider may request some authentication information from the user – such as a user name and password – in order to authenticate the user.

Note that an established and mature federated user identity management system across the university and research sector in Australia is provided by the Australian Access Federation (AAF). A wide range of universities and research institutions subscribe to the AAF as does each Node operator of med.data.edu.au. When using AAF-enabled software tools and services accessed through med.data.edu.au, for users from an AAF subscribing institution, their own institution delivers the identity provider service.


What are the Australian Standards for Identity Management?

The Australian Signals Directorate (ASD) provides extensive guidance to Commonwealth entities surrounding standards to safeguard data ranging in different levels of sensitivity, from “unclassified but sensitive or official information not intended for public release” (UD), through “protected” (P), to “Top Secret” (TS). Associated security controls are outlined in the ASD’s Information Security Manual (ISM).

Whilst it is only Australian Government agencies that are required to adopt the ASD controls outlined in the ISM, the controls also provide a useful framework for non-government organisations to consider when protecting data that ranges across various levels of sensitivity. Data of this type includes Personal Health Information that contains identifying aspects which is considered to be both “sensitive”[1] and “protected”[2].

The following ASD controls are issued for agencies in protecting data that are considered “unclassified but sensitive or official information not intended for public release” (UD) or “protected” (P).

Policies and procedures

ASD Control: 0413; Revision: 4, states that a set of policies and procedures covering user identification, authentication and authorisation must be developed and maintained, as well as communicated to and understood by users.

User Identification

ASD Control: 0414; Revision: 2, states that agencies must ensure that all users are:

  •  uniquely identifiable
  •  authenticated on each occasion that access is granted to a system.

ASD Control: 0407; Revision: 2, states that agencies should maintain a secure record of:

  • all personnel authorised to a system
  • their user identification
  • who provided the authorisation to access the system
  • when the authorisation was granted
  • when the access was reviewed
  • when the access was removed.
  • maintain the record for the life of the system to which access is granted.

ASD Control: 0973; Revision: 3, states that agencies should not use shared non user–specific accounts.

ASD Control: 0416; Revision: 2, states that if agencies choose to allow shared non-user specific accounts, another method of attributing actions undertaken by such accounts to specific personnel must be implemented.

ASD Control: 0976; Revision: 3, states that agencies must ensure users provide sufficient evidence to verify their identity when requesting a passphrase reset for their system account. This evidence could be in the form of the user either:

  • physically presenting themselves and their security pass to service desk personnel who then reset their passphrase;
  • physically presenting themselves to a known colleague who uses an approved online tool to reset their passphrase;
  • establishing their identity by responding correctly to a number of challenge response questions before resetting their own passphrase.

[1] The Commonwealth Privacy Act (1988) http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act) defines what is considered personal and sensitive information in Australia. Personal Information means information about an identified individual, or an individual who is reasonably identifiable, and of relevance to med.data, Sensitive Information includes: Information about an individual’s Racial or ethnic origin or Sexual orientation or practices; Health information; Genetic information and Biometric information.
[2] The US HIPPA Privacy Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html ) defines protected health information” as individually identifiable health information, including identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Genetic information is considered to be health information.

User Identity Management

USER IDENTITY MANAGEMENT


What is User Identity Management?

User Identity Management describes the service components required to accurately identify users of an IT system.

Included are tasks such as: registering users; assigning roles that define their access privileges; and managing changes in user status (i.e. creation, deletion and modification of user identity data).


Under what circumstances is Identity Management required?

A user identity management regime should be used at any time when confidence is required that access to information is only given to specific authorised users.

For shared IT systems that cater for a number of users, user identity management it is a critical process because it enables different users of the shared system to be identified with confidence, and access to be subsequently and appropriately granted to data items held on the system only to qualified users.


How is Identity Management achieved?

From a technical perspective, user identity management is achieved by having a ‘namespace’ (an IT system, e.g. a file system etc) that holds the named objects that represent the real-life ‘identified’ identities (e.g. people). Control mechanisms are also usually associated (e.g. not allowing more than one user to have the same username).


What is Federated User Identity Management?

On shared software services (e.g. med.data.edu.au) that cater to users across a number of separate organisations (e.g. Universities and MRIs), identity management can be managed across the collective of organisations. This is termed ‘Federated’ User Identity Management.

In this setup, one system acts as the identity provider (e.g. a University’s User Identity Management system) and other system acts as the service provider (e.g. med.data.edu.au). When a user needs to access a service controlled by the service provider, he/she first authenticates against his/her own identity provider. Upon successful authentication, the identity provider sends a secure “assertion” to the service provider.

Security Assertion Markup Language (SAML) is the data format used to exchange authentication and authorisation data between the identity provider and service provider. Before delivering the identity assertion to the service provider, the identity provider may request some authentication information from the user – such as a user name and password – in order to authenticate the user.

Note that an established and mature federated user identity management system across the university and research sector in Australia is provided by the Australian Access Federation (AAF). A wide range of universities and research institutions subscribe to the AAF as does each Node operator of med.data.edu.au. When using AAF-enabled software tools and services accessed through med.data.edu.au, for users from an AAF subscribing institution, their own institution delivers the identity provider service.


What are the Australian Standards for Identity Management?

The Australian Signals Directorate (ASD) provides extensive guidance to Commonwealth entities surrounding standards to safeguard data ranging in different levels of sensitivity, from “unclassified but sensitive or official information not intended for public release” (UD), through “protected” (P), to “Top Secret” (TS). Associated security controls are outlined in the ASD’s Information Security Manual (ISM).

Whilst it is only Australian Government agencies that are required to adopt the ASD controls outlined in the ISM, the controls also provide a useful framework for non-government organisations to consider when protecting data that ranges across various levels of sensitivity. Data of this type includes Personal Health Information that contains identifying aspects which is considered to be both “sensitive”[1] and “protected”[2].

The following ASD controls are issued for agencies in protecting data that are considered “unclassified but sensitive or official information not intended for public release” (UD) or “protected” (P).

Policies and procedures

ASD Control: 0413; Revision: 4, states that a set of policies and procedures covering user identification, authentication and authorisation must be developed and maintained, as well as communicated to and understood by users.

User Identification

ASD Control: 0414; Revision: 2, states that agencies must ensure that all users are:

  •  uniquely identifiable
  •  authenticated on each occasion that access is granted to a system.

ASD Control: 0407; Revision: 2, states that agencies should maintain a secure record of:

  • all personnel authorised to a system
  • their user identification
  • who provided the authorisation to access the system
  • when the authorisation was granted
  • when the access was reviewed
  • when the access was removed.
  • maintain the record for the life of the system to which access is granted.

ASD Control: 0973; Revision: 3, states that agencies should not use shared non user–specific accounts.

ASD Control: 0416; Revision: 2, states that if agencies choose to allow shared non-user specific accounts, another method of attributing actions undertaken by such accounts to specific personnel must be implemented.

ASD Control: 0976; Revision: 3, states that agencies must ensure users provide sufficient evidence to verify their identity when requesting a passphrase reset for their system account. This evidence could be in the form of the user either:

  • physically presenting themselves and their security pass to service desk personnel who then reset their passphrase;
  • physically presenting themselves to a known colleague who uses an approved online tool to reset their passphrase;
  • establishing their identity by responding correctly to a number of challenge response questions before resetting their own passphrase.

[1] The Commonwealth Privacy Act (1988) http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act) defines what is considered personal and sensitive information in Australia. Personal Information means information about an identified individual, or an individual who is reasonably identifiable, and of relevance to med.data, Sensitive Information includes: Information about an individual’s Racial or ethnic origin or Sexual orientation or practices; Health information; Genetic information and Biometric information.
[2] The US HIPPA Privacy Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html ) defines protected health information” as individually identifiable health information, including identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Genetic information is considered to be health information.