Identity Governance
Joint work is currently underway within OpenLiberty.org and Liberty's Technology Expert Group exploring identity governance, an issue of particular importance in today's society, given the prevalence of identity theft and a growing understanding of the importance of privacy. This work, which embraces previous Privacy Preference Expression Language (PPEL) work done by Liberty, is focused on defining a framework to help enterprises easily determine and control how identity-related information, including Personally Identifiable Information (PII), access entitlements, attributes, etc., is used, stored, and propagated between their systems. The Identity Governance Framework (IGF) will enable organizations to define enterprise-level policies to securely and confidently share sensitive personal information between applications that need such data, without having to compromise on business agility or efficiency. Furthermore, it will ease the burden of documenting and auditing these controls, allowing organizations to quickly answer questions on how personal information such as social security numbers and credit card data is being used, by whom, at what time, and for what purpose.
The Identity Governance Framework is designed to allow (1) application developers to build applications that access identity-related data from a wide range of sources, and (2) administrators and deployers to define, enforce, and audit policies concerning the use of identity-related data. As proposed, IGF will have four components: (a) an identity attribute service, which supports access to many different identity sources and enforces administrative policy; (b) CARML, a declarative syntax with which clients may specify their attribute requirements; (c) AAPML, a declarative syntax that enables providers of identity-related data to express policy on the usage of information; and (d) a multi-language API (Java, .NET, Perl) for reading and writing identity-related attributes.
If you are interested in being involved in the work or have feedback on the MRD, please fill out our Info Request Form.
Resources of interest:
- Identity Governance Framework Update October 2007
- Identity Governance Framework whitepaper from Oracle
- Identity Governance FAQ
- Working draft for CARML Specification
- Working draft CARML schema
- CARML draft API
- Working draft AAPML specification
- Press release announcing work within Liberty
- Identity Governance MRD
- Press release announcing completion of MRD, work within openLiberty.org and TEG
- openLiberty.org IGF activity
Additional Resources
Presentation given by Phil Hunt at May 2007 IIW, offering an overview of the MRD (Market Requirements Document) work around the Identity Governance Framework within the Liberty Alliance.
The secure and appropriate exchange of identity-related information between users and applications and service providers (both internal and external) is the basis of providing deeper and richer functionality for service-oriented architecture. Sensitive identity-related data such as addresses, social security numbers, bank account numbers, and employment details are increasingly the target of legal, regulatory, and enterprise policy. Examples include, but are not limited to, the European Data Protection Initiative, Sarbanes-Oxley, the PCI Security standard, and Gramm-Leach-Bliley. The Id Governance initiative helps entities that manage identity data achieve increased transparency and demonstrable compliance with respect to policies for identity-related data. It would allow corporations to answer questions such as: Under what conditions may user social security numbers be accessed by applications? Which applications had access to customer account numbers on January 27, 2007?
• overview-id-governance-framework-v1.0.pdf 224.41 kB
Aug. 2007 presentation by Phil Hunt and Prateek Mishra of Oracle about the Identity Governance Framework: the use cases it addresses and intended next steps.
The Identity Governance Framework: Liberty Alliance's Privacy Initiative
Enterprise systems are becoming increasingly distributed across internal and external service providers. As we look at this from a SOX and general governance, risk, and compliance perspective, the importance of good-quality, accurate, personal and private information becomes a larger issue for enterprises as existing technology solutions become too complex to support.
This presentation reviewed the Identity Governance Framework, a technical spec currently being developed on a parallel track within Liberty's Technology Expert Group, as well as Open Source code released through the OpenLiberty.org activity. A technical walkthrough is presented, allowing attendees to see that with proper governance, the sharing of personal information can reduce information collection, improve privacy, reduce liability, and improve business accuracy, workflow, and profitability.
• 083010 LAP workshop igf-openliberty Hunt.pdf 714.24 kB
Webcast: Identity Governance Framework: New Standards to Protect Privacy Through Governing Policy
• 080423 igf-openliberty - P Hunt.pdf 5.26 MB
