Cross Domain Identity Management and Entitlement

Current identity management and access control technologies validate identities and enforce access rights only within a single domain; they cannot operate under the asymmetric and highly restrictive security policies of cross-domain environments. Operating across domain boundaries is further complicated by the heterogeneous and largely independent identity and access control capabilities that may already exist within each domain, including differing credential formats and overly restrictive constraints on sharing data outside the domain.

BBN is designing and prototyping a set of services for automated management of identities and enforcement of fine-grained access control policies across domain boundaries, enabling efficient and effective cross-domain exchanges. Key challenges for cross-domain access control include (1) identity and policy mapping: creating associations between accessing entities and the access control policies of multiple domains in a way that is consistent with each domain's information-sharing restrictions; (2) rights-based filtering: interpreting and enforcing entitlements across domain boundaries; and (3) automated and efficient methods to determine the separation between what is permitted and what is not in the composite environment, and to construct assurance arguments that dissemination and sharing comply with the applicable cross-domain policies.
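The three challenges above, as a small added illustration written for this page (it is not BBN's services or code): an attribute-style credential from one domain is mapped onto roles recognised by a second domain using only the attributes the first domain marks releasable, a labelled record in the second domain is filtered by those roles, and every decision is recorded so that the permitted/denied partition and its justification can be checked. The domain names, attribute names, entitlement labels, mapping rules and record contents are all assumed sample data.

```python
"""Added illustration of cross-domain identity mapping and rights-based
filtering. Example code written for this page, not BBN's design; all
domain names, attributes, labels and rules below are assumptions."""
from dataclasses import dataclass, field

# Constructed sample credential from Domain A (attribute-based).
DOMAIN_A_CREDENTIAL = {
    "subject": "CN=alice,O=AgencyA",
    "attrs": {"clearance": "SECRET", "unit": "logistics", "ssn": "123-45-6789"},
}

# Domain A's release policy: attributes allowed to cross the boundary.
# Anything not listed (here "ssn") must never leave Domain A, not even to
# drive the mapping.
DOMAIN_A_RELEASABLE = {"clearance", "unit"}

# Mapping rules (assumed): (Domain A attribute, value) -> Domain B role.
MAPPING_RULES = {
    ("clearance", "SECRET"): "B-secret-reader",
    ("clearance", "TOP_SECRET"): "B-ts-reader",
    ("unit", "logistics"): "B-logistics",
}


def check_mapping_rules(rules, releasable):
    """Consistency check: return every rule keyed on an attribute the source
    domain does not release. Such a rule could only fire by leaking data."""
    return [key for key in rules if key[0] not in releasable]


@dataclass
class MappedPrincipal:
    domain_b_id: str
    roles: set
    trace: list = field(default_factory=list)  # assurance record


def map_identity(cred, rules=MAPPING_RULES, releasable=DOMAIN_A_RELEASABLE):
    """Translate a Domain A credential into Domain B roles, consulting only
    attributes Domain A has marked releasable. Withheld attribute values are
    never copied into the trace."""
    roles, trace = set(), []
    for name, value in cred["attrs"].items():
        if name not in releasable:
            trace.append(f"withheld {name}: not releasable by Domain A")
            continue
        role = rules.get((name, value))
        if role:
            roles.add(role)
            trace.append(f"{name}={value} -> {role}")
        else:
            trace.append(f"{name}={value}: no mapping rule, no role granted")
    return MappedPrincipal(f"A:{cred['subject']}", roles, trace)


# Constructed Domain B record: each field carries the set of roles required
# to see it (an empty set means unlabelled, releasable to any mapped principal).
RECORD = {
    "shipment_id": (set(), "SHP-0042"),
    "route": ({"B-logistics"}, "Port X -> Depot Y"),
    "cargo_manifest": ({"B-secret-reader", "B-logistics"}, "[manifest]"),
    "source_intel": ({"B-ts-reader"}, "[redacted source]"),
}


def filter_record(principal, record=RECORD):
    """Rights-based filtering: release a field only if the principal holds
    every role in its label; record the reason for each release and denial."""
    released, trace = {}, []
    for fname, (required, value) in record.items():
        missing = required - principal.roles
        if missing:
            trace.append(f"deny {fname}: missing {sorted(missing)}")
        else:
            released[fname] = value
            trace.append(f"release {fname}: holds {sorted(required)}")
    return released, trace


def partition(principal, record=RECORD):
    """Permitted/denied split of the record for this principal."""
    released, _ = filter_record(principal, record)
    return set(released), set(record) - set(released)


if __name__ == "__main__":
    assert not check_mapping_rules(MAPPING_RULES, DOMAIN_A_RELEASABLE)
    p = map_identity(DOMAIN_A_CREDENTIAL)
    allowed, denied = partition(p)
    print(p.domain_b_id, sorted(p.roles))
    print("permitted:", sorted(allowed), "denied:", sorted(denied))
    for line in p.trace + filter_record(p)[1]:
        print("  ", line)
```

The two traces together are the raw material for an assurance argument: every released field points back to a label satisfied by a role, and every role points back to a releasable attribute and a rule, so a reviewer can confirm that nothing Domain A withholds influenced what Domain B disclosed.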