3D/ If You’re Hiring a Student w/a Masters in IDM – What do you think they should know?

From IIW

Hiring a Student with a Masters Degree in IdM

Tuesday 3D

Convener: Kaliya

Notes-taker(s): Kaliya

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

You are Hiring a Student with a Masters Degree in IdM what should they know:

Yoti was in the session - Identity on a Cellphone their goal is to be ubiquitous in the UK. 

Properties of Identifiers

Zookos Triangle - persistent, universal, human understandable.  


What are the cultural practices of identity

amongst the target audience

do they have cel phones - download apps? free apps?

do parents allow their kids to buy stuff

What are their demographics

Technical Landscape

- what are the companies

- what do they do?

- what are the protocols 

Market Analysis

Proof of Ages - clubs

How many gov issued

Photo ID

Will call tickets

Regulatory Landscape

- What legally allowed to do

- What happens in data breach

- PII where when you can hold

Agile Scrumm

Integrate a web service -  Jive just got bought

Need to get integrated with enterprise - token passy thing - setup

Active directory (MSFT) or the Anti-MSFT  Axis descendent of SUN LDAP

API’s Interop-Middlewear 

Product develop balanced with Marketing

Backlog -> get features into product and get it done in right order.

Attend SOUPS / be familar with the latest in Usable Security http://cups.cs.cmu.edu/soups/2015/index.php-

Colin Jaccino submitted the following. 


- Identity as a Concept

The graduate should have a foundation in Identity as a concept, its role in philosophical thought, and in human self-understanding.

  - Roots in Philosophy

  - Roots in Language

  - Roots in Psychology

- Identity: Privacy, Rights, and Ethics

The graduate should understand the grounding of privacy, rights, and ethics as they relate to identity, or by virtue of being an individual.

 - What are the foundations of privacy and different notions of privacy  across nations and cultures.

 - Understanding of identity and privacy in legal contexts.

 - Ethical questions that arise from identity and related.

- Who owns the data
 - who has the right to act on information.  Synthesized information?

 - Implications of systematizing identity data - intended and unintended identification and correlation of attributes.  erosion of anonymity.  bindability of attributes.  “Big Data Analytics” as an well-known example of correlation, and discussion of its desirability.  “Minority Report” scenario and its implications

- Foundations in Security for stewards of organizations

- Easy enough to borrow from CISSP curriculum as a surface level overview

- Enrich with philosophical topics of identity in organizations.  What types of things must be identified.  Evolving organizations rely more and more on outside parties and partners; how does impact organization’s identity programs

- Identity and association.  Membership into groups.  Deprecation of identity when a group is a proxy.  When is this desired, undesired?

Enterprise Identity

Key aspects of enterprise identity systems

 - Identity Management as a data lifecycle topic.  Discussion of identity and data lifecycle.

 - Access Management as a security control employing Identity data and Authorization

 - Authorization Management.  what do we authorize?  How do we manage this?  Problems in authorization management: with a diversity of applications and resources that were not designed to be managed together, how do organizations deal with managing authorizations across the enterprise?

 - Audit: What is it?  Needs that are met through audit.

    - What records do we keep?

    - Challenges to audit?

 - Role management.  What happens when a role changes?  How does this impact the data about the person, authorizations for that person?  How to ensure role separation and division of authorization to preempt conflicts of interest.  Conspiracy and how to manage it.

  - Standards and Compliance regimes:  What are the sources of policy, how is it enforced, and how is it assured?

  - Data and Attribute management, challenges in diverse application environments

  - Federation: Extending organizational identity services to third parties for cross-organizational service delivery.

  - Crypto Services

  - Integration Services

  - Organizational challenges with “Legacy"

  - What does an identity team do?

  - Near-term challenges for enterprises.  GDPR, changing obligations to individuals, regulatory bodies.

Internet and Digital Identity

Use cases differentiating Internet and Digital Identity

History of Digital Identity

Key Organizations contributing to digital and Internet identity

Evolution of the online ID:

- Local Network Access Identifier

- Online Services Identity

- Early Internet and email

- World Wide Web and Web 1.0

- Web 2.0 and cross-site identity

- Highlight on Microsoft (Passport, etc) Google, Facebook, and other commercial online identities

- OpenID, OAuth, OpenID Connect, and adoption

- Current state of Internet Identity, Problems solved, Current Challenges, near-term advances.

Frontiers In Digital Identity

(A sampling of IIW topics and themes)

- Rootless Identity

- Addressing the imbalance between individual users and platform owners.

-  and so on

Identity and Data in Life, Government, and Business

Identification of users, stakeholders, and constituents is not new.  Many ways of identifying parties exist today, and are deeply entrenched.

- What is a background check?  Have you done one on yourself?

- Have you googled yourself?

- Government ID

- What IDs do we have?

- Citizen IDs SSN, Passport, (TSA Precheck)?  E
 - Employment Ids: Enlisted person ID? Government employees? Clearance levels (and associated ID)
 - Organization IDs: EIN, Tax IDs, etc

- Challenges to standardization for citizens - IDs in Enterprises.  Employee IDs. - IDs in commerce and public life:

Phone number? (Mobile telco thinks this is your Identifier.  Lobbies for this to stay entrenched as customer primary ID in standards)  

Financial IDs: Bank account #, Credit Card #.  As with telco, financial institutions want to view identity through this prism.

Institutions with an inherent interest in a set of IDs anchor to identification methods that serve their strategic interests.  Student should understand these organizations’ (problem of legacy uplift, protection of marketplace relevance), and the problems of these positions (not serving the public interest, creating technical obstacles to overall progress solving other problems).

 - IDs in systems.  We identify lots of things, including people.  When we do this, we represent a real (unique?) thing with a unique ID, enabling us to make that real thing the target of digital attribution, association, processes, etc.  We then apply changes in the real world to reflect changes made against the identifier.  We move to/from your bank account, we make a phone call to you using your phone ID. These systems don’t have to be digital, though digital is becoming assumed.  An ID is stronger than a name, but we used to use names when unambiguous… 

 - A discussion of data flows a knowledgeable identity person should know:

  - Types of data and terms

  - Personally-identifying Information (PII)

  - Customer Private Network Information (CPNI)

  - Intrinsic information (DNA?  Fingerprint)

  - Health information

  - Financial

- What info is out there?  Is your purchasing history collected?  Aggregated?  How is it used?
 - Reputation and Credit?  

  - Activity information, Location Information

 - Agreements, Relationships, Associations   - What decisions are others making about what they know about us?

- Whether to offer a loan?


- Whether to make an offer?  Offer a coupon?  Provide a discount?


- Whether to grant or deny membership

  ..  Maybe someone has structured this well..

Identity: Best Practices for The Layman

- Managing your:

  IDs.  When to create.  When to link
    Credentials and Passwords

- Managing Trust

- Spotting when information collection is happening.  Understanding what you are trading.

- How to lead the public toward better habits

- Teaching, training, and communicating about Identity within organizations.

- Identity Fraud, ID fraud protection, and response to fraud.

Identity-related topics (electives?)

• Cryptography

• Authentication, methods, challenges, and the future

• Emerging: Blockchain

• Enterprise ID Foundations: LDAP/Directories, Databases, Kerberos, 2-factor ID tokens, enterprise password recovery, etc etc

• Reputation, Trust, frameworks

• Privacy Law

• Identity and System Integration (APIs, common workflows, managing confidentiality in integration)

• Issues of Identity and IOT

• Technical competencies required for contributing to Identity Innovation.  API development, document definition, what is an ontology, etc etc

Code of ethics for the identity professional.