Note: Detailed diagrams are available as .png files, and this table is available as an Excel file.
Name Description
A5 Identity and Access Management Services
Software and or services to support identity and access management (IAM): identifying, controlling and auditing interactions with government assets. This underpins the security discipline of giving the right entities access to the right resources at the right times for the right reasons.
A5.01 Identity Governance and Accountability
Software and or services by which entities create, monitor, and enforce rules, guidelines, and requirements for executing the IDESG functional elements across communities or actors. Unlike the administration and operations layer, the governance and accountability layer is specifically intended to address cross-entity efforts rather than enterprise or internal governance.
A5.01.01 Policy / Rule / Requirements Development
Software and or services for creating a trust framework including identifying or adopting rules, requirements, and policy for governing the use of identities and identity technology within a specific community.
A5.01.02 Identity Accreditation Software and or services for the evaluation, approval and formal recognition that an entity is capable of carrying out certification or assessment activities for a trust framework.
A5.01.03 Identity Certification Software and or services for assessing, validating, and determining that a product or service provider meets the defined requirements of a trust framework.
A5.01.04 Identity Reporting Software and or services to support identity performance reporting; such as revocation lists, user accounts list, incidents, recovery, redress etc.
A5.01.05 Role / Persona Engineering & Modelling
Software and or services to support modelling of personas and roles within an organisation.
A5.01.06 Separation of Duties (SoD) Compliance
Software and or services to enforce separation of duties for tasks where additional fail-safes are required or advisable to prevent loss due to fraud or mistake.
A5.01.07 Identity Conformance Software and or services to support the process of reviewing and collecting evidence of an entity’s conformance with enterprise rules, policies, and requirements.
A5.02 Identity Administration and Operations
Software and or services to administer and support the basic operations and functions that may occur in online identity-related interactions, grouped into core operations. Not all elements will be invoked in every identity interaction, and some may be invoked multiple times. While logically some functions are likely to occur before or after others, there is no explicit order specified in the model.
[Diagram (see the accompanying .png file): A5 Identity and Access Management Services, decomposed into A5.01 Identity Governance and Accountability, A5.02 Identity Administration and Operations, A5.03 Authentication Service, A5.04 Authorisation and Access, A5.05 Directory Service, A5.06 Identity Functional Core Components, A5.07 Identity Interoperability and A5.99 Other Identity Service.]
A5.02.01 Role Management Software and or services providing centralised or federated role management function to a single set of organisations and services regardless of geographic location.
A5.02.02 Identity Workflow Design and Implementation
Software and or services to design and implement workflow solutions to Identity & Access Management requirements.
A5.02.03 Identity Provisioning Software and or services supporting the provisioning of approved identities and access controls, such as the creation of accounts on target enterprise applications in response to a user profile.
A5.02.04 Identity Updates (Periodic & Event Based)
Software and or services by which an entity updates accounts, attributes, credentials, and other identity information to determine eligibility for an entitlement; may be periodic in nature or event based (e.g., marriage, end of subscription, etc.), including revocation.
A5.02.05 Identity Recovery Software and or services to support identity recovery; this includes the continuity of credentials, attributes, and other identity services following a security or privacy event (e.g., data breach, disruption of services, etc.). All ecosystem participants are responsible for executing recovery activities.
A5.02.06 Identity Redress Software and or services that support reconciliation of errors that occur during the operations and processes of an identity system. All ecosystem participants must execute redress activities.
A5.02.07 Identity Assurance Software and or services to determine, with some level of certainty, that a claim to a particular identity by some entity can be trusted to be the claimant's "true" identity.
A5.02.08 Identity Entitlement & Access Audit
Software and or services to enable an organisation to certify users, and support the process of reviewing and collecting evidence of an entity's conformance with the rules, policies, and requirements for a trust framework or community.
This is essentially an audit of the entitlements that personnel hold, to ensure they do not have entitlements that they should not hold.
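As an added illustration of what A5.01.06 (Separation of Duties compliance) and A5.02.08 (Entitlement & Access Audit) automate, the Python below reconciles the entitlements users actually hold on target systems against an approved role model and a set of separation-of-duties rules. It is not code from this document or from the IDESG model; every role name, entitlement string, user and rule is constructed sample data.

```python
"""Entitlement review with separation-of-duties checks.

Added illustration; role names, entitlements, users and rules below are
constructed sample data, not taken from any real system.
"""
from itertools import combinations

# Approved role model (output of role engineering): role -> entitlements it grants.
ROLE_MODEL = {
    "ap_clerk":     {"invoice.create", "vendor.view"},
    "ap_approver":  {"invoice.approve", "vendor.view"},
    "vendor_admin": {"vendor.create", "vendor.view"},
    "auditor":      {"invoice.view", "vendor.view"},
}

# Separation-of-duties rules: sets of entitlements one person must never hold together.
SOD_RULES = [
    frozenset({"invoice.create", "invoice.approve"}),   # raise and approve the same invoice
    frozenset({"vendor.create", "invoice.approve"}),    # create a vendor and then pay it
]

# What was actually collected from the target systems during the review.
ACTUAL = {
    "alice": {"roles": {"ap_clerk"},
              "entitlements": {"invoice.create", "vendor.view"}},
    "bob":   {"roles": {"ap_approver", "vendor_admin"},
              "entitlements": {"invoice.approve", "vendor.view", "vendor.create"}},
    "carol": {"roles": {"auditor"},
              # invoice.create was granted directly on the system, outside any role
              "entitlements": {"invoice.view", "vendor.view", "invoice.create"}},
}


def expected_entitlements(roles, role_model=ROLE_MODEL):
    """Union of the entitlements the approved roles are allowed to grant."""
    expected = set()
    for role in roles:
        expected |= role_model.get(role, set())
    return expected


def sod_violations(entitlements, rules=SOD_RULES):
    """Return each SoD rule fully contained in the entitlement set, as sorted tuples."""
    return [tuple(sorted(rule)) for rule in rules if rule <= set(entitlements)]


def toxic_role_pairs(role_model=ROLE_MODEL, rules=SOD_RULES):
    """Preventive check for provisioning: role pairs that violate an SoD rule if co-assigned."""
    return [(a, b) for a, b in combinations(sorted(role_model), 2)
            if sod_violations(role_model[a] | role_model[b], rules)]


def certify(actual=ACTUAL, role_model=ROLE_MODEL, rules=SOD_RULES):
    """Access certification: one finding per user who needs attention, nothing for clean users."""
    findings = {}
    for user, record in actual.items():
        excess = record["entitlements"] - expected_entitlements(record["roles"], role_model)
        unknown_roles = record["roles"] - set(role_model)
        violations = sod_violations(record["entitlements"], rules)
        if excess or unknown_roles or violations:
            findings[user] = {
                "excess": sorted(excess),                # held, but not justified by any role
                "unknown_roles": sorted(unknown_roles),  # role not in the approved model
                "sod": violations,                       # toxic combinations actually held
            }
    return findings


if __name__ == "__main__":
    for user, finding in certify().items():
        print(user, finding)
    print("toxic role pairs:", toxic_role_pairs())
```

Run against the sample data, the review flags bob for an SoD violation created by two individually legitimate roles, and carol for an entitlement that no approved role justifies; alice produces no finding. The `toxic_role_pairs` check is the preventive counterpart: run it when a role is requested, before provisioning, rather than discovering the conflict at the next audit.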
A5.03 Authentication Service Software and or services used to confirm the identity of a user.
A5.03.01 Adaptive Authentication
Software and or services that support a risk-based approach to authentication, where the complexity of the authentication "challenge" is determined by the risk of the transaction. Factors considered in determining the risk include the profile of the user, connection type, IP geolocation and keystroke dynamics.
A5.03.02 Authentication Brokerage
Software and or services that support centralised responsibility for authenticating the consumer and issuing them with a credential that can be used to access services.
A5.03.03 Multi-factor Authentication
Software and or services that support multi-factor authentication, which requires the presentation of two or more of the three authentication factors: the knowledge factor (something the user "knows"), the possession factor (something the user "has") and the inherence factor (something the user "is").
A5.03.04 Out of Band Authentication
Software and or service that supports authentication performed over a network or channel separate from the primary network or channel - used in multi-factor authentication. An example of this is sending users a one-time password via their cell phone, which is required to complete the authentication process.
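The following Python is an added example, not code from this document, tying together A5.03.01 and A5.03.03/A5.03.04: a constructed risk score decides whether a password alone is enough, whether a one-time code is required as a second factor, or whether the attempt is refused outright. The one-time code is a standard HOTP/TOTP (RFC 4226 / RFC 6238), which is the mechanism behind authenticator apps and most out-of-band code delivery. The risk signals, their weights and the thresholds are assumptions made for the example.

```python
"""Risk-based step-up authentication with a TOTP second factor.

Added illustration. The risk factors, weights and thresholds are
constructed for the example; the OTP part implements RFC 4226 (HOTP) and
RFC 6238 (TOTP), which is what authenticator apps and many SMS/OOB
services use as the one-time code.
"""
import hashlib
import hmac
import struct


def risk_score(ctx):
    """Sum constructed risk weights for the signals the table lists:
    user profile, connection type, IP geolocation and keystroke dynamics."""
    score = 0
    if ctx.get("new_device"):
        score += 2                                   # device never seen for this user
    if ctx.get("country") != ctx.get("usual_country"):
        score += 3                                   # geolocation differs from profile
    if ctx.get("connection") in {"tor", "anonymous_proxy"}:
        score += 3                                   # anonymising connection type
    if ctx.get("keystroke_match", 1.0) < 0.5:
        score += 2                                   # typing rhythm does not match profile
    if ctx.get("failed_attempts_last_hour", 0) >= 3:
        score += 2
    return score


def required_challenge(score):
    """Map risk to the challenge the user must pass (thresholds are constructed)."""
    if score <= 1:
        return "password"
    if score <= 5:
        return "password+otp"
    return "deny"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, used_counters, step=30, window=1):
    """Accept the code for the current step or +/-window steps, compare in
    constant time, and never accept the same time step twice (replay)."""
    for k in range(-window, window + 1):
        counter = at // step + k
        if hmac.compare_digest(hotp(secret, counter), code):
            if counter in used_counters:
                return False
            used_counters.add(counter)
            return True
    return False


def authenticate(ctx, password_ok, secret, now, used_counters, otp=None):
    """Outcome of the whole adaptive flow for one login attempt."""
    if not password_ok:
        return "fail:password"
    challenge = required_challenge(risk_score(ctx))
    if challenge == "deny":
        return "deny:risk"
    if challenge == "password":
        return "ok"
    if otp is None:
        return "challenge:otp"          # step-up: ask for the second factor
    return "ok" if verify_totp(secret, otp, now, used_counters) else "fail:otp"
```

Two details matter in practice: the comparison of the submitted code is constant-time, and the time step that was accepted is recorded so the same code cannot be replayed within the validity window. The `used_counters` set stands in for whatever per-user store the real service keeps.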
A5.03.05 Biometrics Software and or service that supports biometrics; biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals.
Biometric authentication is used as a form of identification and access control.
It is also used to identify individuals in groups that are under surveillance.
Biometric identifiers are often categorised as physiological versus behavioural characteristics.
- Physiological characteristics are related to the shape of the body. Examples include, but are not limited to fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odour/scent.
- Behavioural characteristics are related to the pattern of behaviour of a person, including but not limited to typing rhythm, gait, and voice.
A5.03.06 Simple Key Management Protocol (SKIP)
Software and or services that support SKIP (Simple Key-Management for Internet Protocol), a key-management protocol developed by Sun Microsystems for encrypting traffic at the IP layer, including VPNs. RFC 2356 (http://www.networksorcery.com/enp/rfc/rfc2356.txt) describes its use for firewall traversal with Mobile IP. SKIP was not widely adopted and has been superseded in practice by IPsec with IKE.
A5.03.07 Web Services Security (WS Security)
Software and or services that support Web Services Security (WS-Security), the OASIS standard that describes enhancements to SOAP (Simple Object Access Protocol) messaging to provide message integrity, message confidentiality and single-message authentication.
A5.04 Authorisation and Access Management Service
Software and or services to provide authorised access management to resources.
A5.04.01 Enterprise SSO SSO = Single Sign On.
Software and or services to store and transmit encrypted user credentials across local and network boundaries, including domain boundaries. SSO stores the credentials in a credential database. Because SSO provides a generic single sign-on solution, middleware applications and custom adapters can use it to securely store and transmit user credentials across the environment, so end users do not have to remember different credentials for different applications.
A5.04.02 Federation Service Software and or services to maintain the relationship between identity providers and service providers whereby authentication is performed by the identity provider and is then used by service providers to make authorisation decisions.
A5.04.03 Access Control Software and or services to support provisioning of user access rights based on their assumed roles or attributes.
A5.04.04 Web Access Management
Software and or services to control access to web resources, providing authentication management, policy based authorisations, and reporting services.
A5.04.05 Web SSO SSO = Single Sign On.
Software and or services to support users to access resources over the internet using a single set of user credentials. The user provides a set of credentials to log onto different web sites that belong to different organisations.
A5.04.06 Delegation Service Software and or services to support delegation, such as where consent is provided for legally or financially liable transactional activities to be carried out on one's behalf.
A5.05 Directory Service Software and or services that store, organise and provide access to information held within a directory, which can be considered a map between 'objects' and information about those objects, typically described as 'attributes'. Attributes of objects can be secured so that only users with the appropriate permissions are able to access them.
Examples of directory services include Active Directory, OpenLDAP, eDirectory and other directories based on LDAP or the X.500 (ISO/IEC 9594) directory services standards.
A5.06 Identity Functional Core Components
Software and or services that provide the basic identity operations that may occur in online identity-related interactions — grouped into core operations.
Not all elements will be invoked in every identity interaction, and some may be invoked multiple times. While logically some functions are likely to occur before or after others, there is no explicit order specified in the model.
A5.06.01 Registration Components
Components that support the process that establishes a digital identity for the purpose of issuing or associating a credential.
A5.06.01.01 Identity Application Supports process by which an entity or agent requests initiation of registration.
A5.06.01.02 Registration Attribute Control
Supports process of managing and releasing attributes for the purposes of registration.
A5.06.01.03 Registration Attribute Verification
Supports process of confirming or denying that claimed identity attributes are correct and meet the pre-determined requirements for accuracy, assurance, etc.
A5.06.01.04 Registration Decision Supports decision that an entity does or does not meet the pre-determined eligibility requirements for a digital identity or credential.
A5.06.02 Credentialing Components
Components that support the process to bind an established digital identity with a credential.
A5.06.02.01 Credential Provisioning Supports process by which ownership of a credential is conferred, confirmed, or associated with a digital identity.
A5.06.02.02 Token Binding Supports process of binding a physical or electronic token to a credential.
A5.06.02.03 Attribute Binding Supports process of binding attributes to a credential.
A5.06.02.04 Identity Revocation Supports process by which an issuing authority renders a digital identity, issued credential, token, or verified attribute invalid for authentication or authorisation.
A5.06.03 Authentication Components
Components that support the process determining the validity of one or more credentials used to claim a digital identity.
A5.06.03.01 Authentication Request Supports process by which authentication is initiated by an entity.
A5.06.03.02 Credential Presentation Supports process by which an entity submits a credential for the purposes of authentication.
A5.06.03.03 Credential Validation Supports process of establishing the validity of the presented credential.
A5.06.03.04 Authentication Decision Supports decision to accept or not accept the results of the credential validation process.
A5.06.04 Authorisation Components
Components that support the process of granting or denying specific requests for access to resources.
A5.06.04.01 Authorisation Request Supports process by which authorisation is initiated by an entity.
A5.06.04.02 Authorisation Attribute Control
Supports process of managing and releasing attributes for the purposes of authorisation.
A5.06.04.03 Authorisation Attribute Verification
Supports process of confirming or denying that claimed attributes are correct and meet the pre-determined requirements for authorisation; typically, these attributes for authorisation have not been bound to the credential or previously available to the organisation making the authorisation decision.
A5.06.04.04 Authorisation Decision Supports decision to grant or deny access to a resource based on the results of the authorisation processes and policies.
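The four A5.06.04 components are easiest to see as one pipeline. The Python below is an added example, not part of this document: an attribute-based authorisation decision that walks request, attribute control (release only what a matching policy needs), attribute verification (the attribute came from the authority responsible for it and has not expired) and decision (default deny). The policies, attribute names, issuers and subjects are all constructed for the example.

```python
"""Attribute-based authorisation decision, walking the four A5.06.04 steps.

Added illustration; the policies, attribute names, issuers and subjects
are constructed for the example and do not describe any real system.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Attribute:
    name: str
    value: object
    issuer: str      # authority that asserted the attribute
    expires: int     # unix time after which it must be re-verified


# Policy: resource pattern + action -> attribute name -> acceptable values.
POLICIES = [
    {"resource": "records/medical/*", "action": "read",
     "require": {"role": {"clinician"}, "clearance": {"restricted", "secret"}}},
    {"resource": "records/medical/*", "action": "write",
     "require": {"role": {"clinician"}, "on_duty": {True}}},
    {"resource": "records/public/*", "action": "read", "require": {}},
]

# Which issuer is authoritative for each attribute (used by attribute verification).
TRUSTED_ISSUERS = {
    "role": {"hr-idp"},
    "clearance": {"vetting-authority"},
    "on_duty": {"rostering"},
}


def applicable_policies(resource, action, policies=POLICIES):
    """Step 1, authorisation request: policies matching the resource and action."""
    return [p for p in policies
            if p["action"] == action and fnmatch(resource, p["resource"])]


def release_attributes(subject_attrs, policies):
    """Step 2, attribute control: release only the attributes some matching
    policy actually needs (minimal disclosure), keyed by attribute name."""
    needed = set().union(*(p["require"] for p in policies))
    return {a.name: a for a in subject_attrs if a.name in needed}


def verify_attribute(attr, now, trusted=TRUSTED_ISSUERS):
    """Step 3, attribute verification: issued by the right authority and not expired."""
    return attr.issuer in trusted.get(attr.name, set()) and now < attr.expires


def decide(resource, action, subject_attrs, now):
    """Step 4, authorisation decision: default deny; permit if any applicable
    policy has every required attribute present, verified and acceptable."""
    policies = applicable_policies(resource, action)
    if not policies:
        return "Deny", "no applicable policy"
    released = release_attributes(subject_attrs, policies)
    denials = []
    for policy in policies:
        reasons = []
        for name, allowed in policy["require"].items():
            attr = released.get(name)
            if attr is None:
                reasons.append(f"missing {name}")
            elif not verify_attribute(attr, now):
                reasons.append(f"unverified {name}")
            elif attr.value not in allowed:
                reasons.append(f"{name}={attr.value!r} not acceptable")
        if not reasons:
            return "Permit", f"{policy['resource']} {policy['action']}"
        denials.append("; ".join(reasons))
    return "Deny", " | ".join(denials)
```

Note that an attribute the subject carries but no policy needs (salary, in the test data) is never released to the decision point, and that a clearance the subject asserted about themselves is rejected at verification even though its value would satisfy the policy.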
A5.06.05 Transaction Intermediation
Processes and procedures that limit linkages between transactions and facilitate credential portability.
A5.06.05.01 Identity Blinding Supports process by which service providers involved in a transaction are prevented from observing each other (i.e., a relying party does not know which credential service provider an entity is using in a transaction, or vice versa).
Based upon the transaction type and the number of service providers involved, blinding may be done to prevent a single, multiple, or all transactional partners from viewing the other participating services.
A5.06.05.02 Identity Pseudonymisation Supports process by which an intermediary prevents service providers from linking a digital identity with a particular person or entity.
A5.06.05.03 Transaction Consent Supports process by which consent is granted to an intermediary, such as in conducting liability transactions (Land Online, Lawyers, Accountants etc.), or sharing personal information.
A5.07 Identity Interoperability Software and services that allow entities in the identity ecosystem to establish and maintain the ability to communicate and exchange identity data, including the processes and procedures that facilitate credential portability between them.
A5.07.01 Identity Mapping Software and or service to support the mapping of different identities on various platforms, user repositories and applications to a single identity. It can be used with a range of authentication mechanisms to allow one repository to authenticate the user and for this to be passed to another platform for authorisation even when the identities differ.
A5.07.02 Identity Credential Exchange
Software and or service to support the process of facilitating technical (including semantic) interoperability to support credential portability between participants within a specific community or across the identity ecosystem.
A5.07.03 Identity Policy / Rule Exchange
Software and or service to exchange policy and rules for governing the use of identities and identity technology.
A5.07.04 Identity Translation Software and or service by which one identity format is translated to another for consumption by different entities involved in a transaction.
A5.07.05 Security Assertion Markup Language (SAML)
Software and or services that support Security Assertion Markup Language (SAML), an XML-based framework for exchanging security information expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain.
SAML is expected to play a key role in the federal-wide e-Authentication initiative. SAML 2.0 incorporated the Liberty Alliance's ID-FF federation work, and SAML assertions can be carried as security tokens under the WS-Security SAML Token Profile.
A5.99 Other Identity Service Other identity service and or software without a specific application area or application category.