The Identity Governance Framework was a project of the Liberty Alliance for standards to help enterprises determine and control how identity information is used, stored, and propagated using protocols such as LDAP, SAML, and WS-Trust and ID-WSF.
The Identity Governance Framework (IGF) enables organizations to define policies that regulate and control the exchange of identity information between application systems, both internally and with external partners. [1] Identity information may include things like names, addresses, social security numbers or other information that would be otherwise considered related to an individual's identity.
The policy information is both useful to privacy auditors for assessing the use of identity information in applications and to policy enforcement systems for ensuring that appropriate use of identity information takes place.
IGF was originally announced by Oracle in November, 2006 as a joint initiative between CA, HP, Layer 7 Technologies, Novell, Oracle, Ping Identity, Securent, and Sun Microsystems.
In February 2007, the initiative was transferred to the Liberty Alliance to take the draft proposal forward and fully develop the standard.
In July 2007, Liberty announced completion of the Market Requirements Use Case documentation.
In June 2008, Liberty Alliance announced publication of draft specifications for CARML and Privacy Constraints.
In November 2008, Project Aristotle announced release 1.0 of the ArisID API [usurped] implementing the draft specifications for IGF. See project FAQ [usurped] for more information.
In November 2009, Liberty Alliance published final specifications of IGF components CARML (Client Attribute Requirements Markup Language) and IGF Privacy Constraints.
In December 2009, Project Aristotle published ArisID, an implementation of IGF 1.0 release 1.1.
Liberty Alliance published final specifications of IGF components CARML (Client Attribute Requirements Markup Language) and IGF Privacy Constraints in the fall of 2009. Ongoing standards work is now being handled by the Kantara Initiative, LSM Working Group
An implementation of CARML and IGF Privacy Constraints was available through Project Aristotle [usurped] , an Apache 2.0 Licensed open source project. Release 1.1 was released in December 2009.
Extensible Markup Language (XML) is a markup language and file format for storing, transmitting, and reconstructing arbitrary data. It defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The World Wide Web Consortium's XML 1.0 Specification of 1998 and several other related specifications—all of them free open standards—define XML.
The Sarbanes–Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations. The act, Pub. L. 107–204 (text)(PDF), 116 Stat. 745, enacted July 30, 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley, SOX or Sarbox, contains eleven sections that place requirements on all U.S. public company boards of directors and management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
Web Services Security is an extension to SOAP to apply security to Web services. It is a member of the Web service specifications and was published by OASIS.
Identity and access management or Identity management (IdM), is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.
The Liberty Alliance Project was an organization formed in September 2001 to establish standards, guidelines and best practices for identity management in computer systems. It grew to more than 150 organizations, including technology vendors, consumer-facing companies, educational organizations and governments. It released frameworks for federation, identity assurance, an Identity Governance Framework, and Identity Web Services.
Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions. SAML is also:
A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Compliance has traditionally been explained by reference to deterrence theory, according to which punishing a behavior will decrease the violations both by the wrongdoer and by others. This view has been supported by economic theory, which has framed punishment in terms of costs and has explained compliance in terms of a cost-benefit equilibrium. However, psychological research on motivation provides an alternative view: granting rewards or imposing fines for a certain behavior is a form of extrinsic motivation that weakens intrinsic motivation and ultimately undermines compliance.
Shibboleth is a single sign-on log-in system for computer networks and the Internet. It allows people to sign in using just one identity to various systems run by federations of different organizations or institutions. The federations are often universities or public service organizations.
Information technology controls are specific activities performed by persons or systems to ensure that computer systems operate in a way that minimises risk. They are a subset of an organisation's internal control. IT control objectives typically relate to assuring the confidentiality, integrity, and availability of data and the overall management of the IT function. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC includes controls over the hardware, system software, operational processes, access to programs and data, program development and program changes. IT application controls refer to controls to ensure the integrity of the information processed by the IT environment. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches.
Data governance is a term used on both a macro and a micro level. The former is a political concept and forms part of international relations and Internet governance; the latter is a data management concept and forms part of corporate data governance.
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization's financial and operational environment. The financial and operational environment consists of people, processes, and systems working together to support efficient and effective operations. Controls are put in place to address risks within these components. Through continuous monitoring of the operations and controls, weak or poorly designed or implemented controls can be corrected or replaced – thus enhancing the organization's operational risk profile. Investors, governments, the public, and other stakeholders continue to increase their demands for more effective corporate governance and business transparency.
UK corporate governance has influenced corporate governance regulation in the European Union and United States.
WS-Federation is an Identity Federation specification, developed by a group of companies: BEA Systems, BMC Software, CA Inc., IBM, Microsoft, Novell, Hewlett Packard Enterprise, and VeriSign. Part of the larger Web Services Security framework, WS-Federation defines mechanisms for allowing different security realms to broker information on identities, identity attributes and authentication.
Security token service (STS) is a cross-platform open standard core component of the OASIS group's WS-Trust web services single sign-on infrastructure framework specification.cf. Within that claims-based identity framework, a secure token service is responsible for issuing, validating, renewing and cancelling security tokens. The tokens issued by security token services can then be used to identify the holder of the token to services that adhere to the WS-Trust standard. Security token service provides the same functionality as OpenID, but unlike OpenID is not patent encumbered. Together with the rest of the WS-Trust standard, the security token service specification was initially developed by employees of IBM, Microsoft, Nortel and VeriSign.
U-Prove is a free and open-source technology and accompanying software development kit for user-centric identity management. The underlying cryptographic protocols were designed by Dr. Stefan Brands and further developed by Credentica and, subsequently, Microsoft. The technology was developed to allow internet users to disclose only the minimum amount of personal data when making electronic transactions as a way to reduce the likelihood of privacy violations.
The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a US government initiative announced in April 2011 to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the private sector, advocacy groups, government agencies, and other organizations.
Kantara Initiative, Inc. is a non-profit trade association that works to develop standards for identity and personal data management. It focuses on improving the trustworthy use of identity and personal data in digital identity management and data privacy.
The SAML metadata standard belongs to the family of XML-based standards known as the Security Assertion Markup Language (SAML) published by OASIS in 2005. A SAML metadata document describes a SAML deployment such as a SAML identity provider or a SAML service provider. Deployments share metadata to establish a baseline of trust and interoperability.