Federated Identity Management in the Norwegian Oil and Gas Industry
MetadataVis full innførsel
The Norwegian oil and gas industry has a highly collaborative, but at the same highly competitive nature. Most of the daily oil and gas production takes place on the Norwegian continental shelf in the North Sea. The production facilities are expensive to develop and maintain, and it is therefore necessary to take advantage of new and innovative solutions; both above and beneath the sea surface. Close collaboration between the operators and the contractors1 is needed. At the same time these companies can be strict competitors in other projects. Information security is thus essential; only information relevant for a given collaboration should be available to the involved parties. Federated identity management (FIM) is a concept that allows cooperation on technologies, processes and policies for identity management, as well as sharing of identity data across organizational boundaries and across security domains. Many current information security challenges within the industry are related to access control and identity management. The goal of this PhD project has been to analyze companies involved in the Norwegian oil and gas production in order to explore their perceived benefits, challenges and other security risks related to adoption of FIM. In order to meet our research goal we have based our research on three research methods: a design science approach, systematic literature reviews, and a case study. Empirical evidence related to the oil and gas industry and its perception of FIM is mainly collected through the case study, using semi-structured interviews to collect data. First, our research shows that a focus on security is needed throughout the whole software development lifecycle when developing identity management solutions. It is especially important to protect the identity assertion. Federated identity management is more than just technology. Collaborators within the federation must agree on common rules and security policies for all phases of the identity management lifecycle. Second, the federated identity research community should spend more effort on empirical research. Great initiatives exist to move the technology into academic perfection, however, little empirical evidence exists to document real world expectations and needs. Third, this research has listed the benefits and challenges of FIM from an academic perspective and from an industry perspective. We have also documented many of the challenges the industry is faced with today related to access control. Our interviews with the industry practitioners show that some of the benefits of FIM are offset by their challenges. However, we believe that some forms of federated identity management will be implemented in some form sooner or later. This research can be used as input to tailor new identity management solutions to the Norwegian oil and gas industry’s needs, it can be used to highlight the need for security in the software development process, and it can be used to understand the strengths, weaknesses, opportunities and threats related to adoption of federated identity management in the industry.
Består avJensen, Jostein; Nyre, Åsmund Ahlmann. SOA security – an experience report. Proceedings of the 2nd Norwegian Security Conference: 185-196, 2009.
Jensen, Jostein; Jaatun, Martin Gilje. Not Ready for Prime Time. International Journal of Secure Software Engineering. (ISSN 1947-3036). 2(4): 49-61, 2011. 10.4018/jsse.2011100104.
Jensen, Jostein. Benefits of Federated Identity Management - A Survey from an Integrated Operations Viewpoint. Lecture Notes in Computer Science. (ISSN 0302-9743). 6908: 1-12, 2011. 10.1007/978-3-642-23300-5_1.
Jensen, Jostein. Federated Identity Management Challenges. Proceedings of the 2012 SEVENTH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 12): 230-235, 2012. 10.1109/ARES.2012.68.
Jensen, Jostein; Jaatun, Martin Gilje. Federated Identity Management-We Built It; Why Won't They Come?. IEEE Security and Privacy. (ISSN 1540-7993). 11(2): 34-41, 2013. 10.1109/MSP.2012.135.
Jensen, Jostein; Nyre, Åsmund Ahlmann. Federated Identity Management and Usage Control -Obstacles to Industry Adoption. Proceedings of Eighth International Conferenceon Availability, Reliability and Security: 31-41, 2013. 10.1109/ARES.2013.10.
Jensen, Jostein. Identity Management Lifecycle - Exemplifying the Need for Holistic Identity Assurance Frameworks. Lecture Notes in Computer Science. (ISSN 0302-9743)(7804): 343-352, 2013. 10.1007/978-3-642-36818-9_38.