AGENDA - PowerPoint PPT Presentation

Provided by: GillesSa
Transcript and Presenter's Notes

1
AGENDA
  • 8:00 - 9:00 Breakfast
  • 9:00 - 9:15 Introductions
  • 9:15 - 11:00 FICAM
    • Anil John - Digital Security and Service Orientation Expert, GSA
    • Rajeev Pillai - System Architect, GSA
  • 11:00 - Noon Radiant Logic and FICAM
    • Don Graham - Senior Account Manager
    • Fred Puhan - Solutions Architect
  • Noon - 2:00 Lunch
  • Visit the Spy Museum

2
US Federal ICAM Roadmap: Implementation Status and Next Steps
  • Anil John, Raj Pillai

3
What is ICAM in the Federal Government?
  • Processes, Technologies, and Personnel used to:
    • Create trusted digital identity representations of individuals and NPEs
    • Bind those identities to credentials that may serve as a proxy for the individual or NPE in access transactions
    • Leverage the credentials to provide authorized access to an agency's resources

4
Federal ICAM Program Mission
  • Align federal agencies around common practices by
    fostering effective government-wide identity,
    credential and access management 
  • Collaborate with federal government and external
    identity management activities (non-federal,
    commercial and more) to leverage best practices
    and enhance interoperability
  • Enable trust and interoperability in online
    transactions, through the application of common
    policies and approaches, in activities that cross
    organizational boundaries

5
FICAM Roadmap and Implementation Guidance v2
  • Goals
    • Comply with Federal Laws Relevant to ICAM
    • Facilitate E-government by Streamlining Access to Services
    • Improve security posture across the Federal Enterprise
    • Enable Trust and Interoperability
    • Reduce costs and increase efficiency

6
FICAM Roadmap and Implementation Guidance v2
7
OMB Policy on Federal ICAM
  • OMB M-11-11: "The government-wide architecture and completion of agency transition plans must align as described in the Federal CIO Council's Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance"
8
ICAM Services Layer
  • Key ICAM Service Areas
    • Digital Identity
    • Credentialing
    • Privilege Management
    • Authentication
    • Authorization & Access
    • Cryptography
    • Auditing & Reporting

The ICAM Roadmap, which includes a segment architecture, provides a standards-based approach for implementing government-wide ICAM initiatives.
9
ICAM Roadmap Initiatives
  • Government-wide Governance
    1. Augment policy and implementation guidance to agencies
    2. Establish federated identity framework for the Federal Government
    3. Enhance performance and accountability within ICAM initiatives
    4. Provide government-wide services for common ICAM requirements
  • Agency-level Implementation
    1. Streamline collection and sharing of digital identity data
    2. Fully leverage PIV and PIV-I credentials
    3. Modernize PACS infrastructure
    4. Modernize LACS infrastructure
    5. Implement federated identity capability

10
Guidance
  • Provide guidance that targets agency barriers
    • Logical Access - Mobile Device Guidance (Derived Credentials)
    • Federation - Relying Party Guidance
    • Physical Access - EPACS Guidance V2
  • Mobility - Digital Government Strategy (DGS) Milestone Deliverables
    • Minimal security requirements for mobility
    • Develop reference architecture for mobility
    • Engage industry partners, the smart card industry

11
ICAM Roadmap Initiatives

12
FICAM Trust Framework Solutions
  • FICAM-provided mechanism for the Federal Government to accept credentials from non-federal and commercial identity providers
  • The Federal ICAM Trust Framework Provider Adoption Process (TFPAP) provides a mechanism to bring an industry trust framework in for a comparison evaluation
  • Approved Trust Framework Providers:
    • Kantara Initiative
    • Open Identity Exchange (OIX)
    • InCommon
    • SAFE-BioPharma

13
FICAM Trust Framework Solutions
[Diagram: Trust Framework Provider assessment. Comparability Assessment (Privacy & Security): assurance processes, privacy policy, audit & certification processes, auditor qualifications, organizational maturity. Approval Assessment: organizational maturity, registration & identity proofing processes, credential issuance processes, privacy policies.]
http://www.idmanagement.gov/pages.cfm/page/ICAM-TrustFramework
14
ICAM Roadmap Initiatives

15
Metrics
  • FISMA Metrics - PIV Card Usage
    • Purpose: To address implementation of strong logical authentication technologies for access to federal information systems by federal employees and contractors
    • Outcome: To improve outcome metrics of PIV logical authentication across agencies. The TT focus is on critical barriers to implementation and deliverables that can assist in implementation
    • Approach:
      • Define metrics that are well understood, measurable, and actionable
      • Understand and document agency barriers to implementation
      • Provide target solutions to the barriers
      • Identify tools that can be used by agencies to automate reporting

To increase the defensive posture of federal
information systems against threats by increasing
the use of strong multi-factor authentication
technologies
16
ICAM Roadmap Initiatives

17
National Strategy for Trusted Identities in Cyberspace (NSTIC)
  • The Federal Government
  • Will continue to be a leader through its
    participation in the Identity Ecosystem as both a
    subject and relying party
  • Will use existing private-sector Identity
    Ecosystem solutions rather than developing its
    own
  • Will encourage the market toward trustworthy and
    interoperable identity solutions

18
OMB 3PC Acceptance Policy
  • "...web sites that allow members of the public and business partners to register or log on must be enabled to accept externally-issued credentials in accordance with government-wide requirements"
  • "...may only accept externally issued credentials that are issued in accordance with NIST ... Guidelines, and Federal Chief Information Officers Council processes"
19
What is Needed to Meet Policy Requirements
[Diagram: citizens holding OpenID/LOA1, PKI and SAML/LOA3 credentials connect through a shared service to government applications]
A Shared Service that:
  • eliminates the need to connect to each credential provider individually
  • frees up agency resources to focus on mission-critical activities
  • ensures interoperability, enabling citizens to use one credential across multiple agencies
  • ...can translate between different eAuthentication protocols (OpenID, PKI, SAML, etc.)
20
Federal Cloud Credential Exchange (FCCX)
  • Government Operated Shared Service
  • Provides a consistent approach to authentication for citizen-facing systems and applications
  • Utilizes FICAM Approved External Credential
    Providers as well as PIV and CAC Providers
  • Secure, privacy-enhancing, efficient, easy-to-use
    and interoperable

21
ICAM Roadmap Initiatives

22
Streamline Collection and Sharing of Digital
Identity Data
23
Core Concepts
  • Enterprise Digital Identity
    • Core identity attributes and unique person identifiers
    • Identifying authoritative sources
  • Digital Identity Process Integration
    • Business processes for establishing and managing the digital identity life cycle
  • Authoritative Digital Identity Attribute Exchange
    • Enables secure electronic sharing of digital identity attributes
    • Leverage data models to support effective sharing

24
Elements of Attribute Exchange
  • Protocol: technical means for exchanging attributes
  • Payload: attributes exchanged between parties
  • Policy: governance processes and mechanisms put into place to manage the exchange and adjudicate issues

26
Access Control Attribute Governance Working Group
  • Supports guidance and standards development for
    a common language and understanding of access
    control attributes across the Federal Government

27
ACAG Working Group Functions
  • Focus on Person Attributes for Access Control
  • Establish initial set of Enterprise Access
    Control Attributes
  • Develop processes for modification of the
    Enterprise Access Control Attribute set
  • Leverage and, when possible, incorporate best
    practices and lessons learned
  • Outreach and collaboration to gather attribute
    use best practices and lessons learned
  • Facilitate exchange and trusted use of attributes
    across the Federal Government
  • Develop and implement attribute governance
    processes across the Federal Government
  • Authoritative-ness

28
Authoritative Attribute Exchange Services (AAES)
[Diagram: Applications - AAES - Authoritative Sources]
29
AAES Authoritative Attribute Manager
  • Correlate attributes from various authoritative sources
  • De-conflict discrepancies across attribute sources
  • Implement the person data model
  • Provide a consolidated view of the pieces of a person gathered from multiple sources

[Diagram: Authoritative Attribute Manager fed by the Authoritative Sources]
30
AAES Authoritative Attribute Distributor
  • Primary point of query for applications
  • Can provide a customized and tailored view of data
  • Supports requests for attributes from applications both internal and external to the agency

[Diagram: Applications querying the Authoritative Attribute Distributor]
31
Implementing an AAES Infrastructure
[Diagram: Agency Systems & Applications - Virtual/Meta Directory Engine - Agency Identity and Attribute Sources]
33
FICAM Drivers
  • Increasing Cybersecurity threats
  • Need for improved physical security
  • Lag in providing government services
    electronically
  • Vulnerability of Personally Identifiable
    Information (PII)
  • Lack of interoperability
  • High costs for duplicative processes and data
    management

34
Federal ICAM Conceptual View
35
RADIANT LOGIC
  • Radiant Logic and Federal Identity, Credential, and Access Management

36
The FICAM challenge
  • GSA FICAM inclusion government-wide
    • OMB M-11-11
  • Agency challenges to achievement
    • Lack of time
    • Lack of staff
    • Lack of budget
    • Lack of knowledge
  • Current IdM isn't meeting the needs of federated enterprises
    • Based on a "push" from a single authoritative source
    • No single authoritative source of identity
  • Need to gather identity information from multiple authoritative identity sources, both enterprise and consumer
    • In real time
  • And then establish a "pull" infrastructure
    • Publish
    • Always current

37
Authoritative Attribute Exchange Services (AAES)
  • Provide a consolidated view of the pieces of a person gathered from multiple sources
  • Correlate attributes from various authoritative sources
  • De-conflict discrepancies across attribute sources
  • Implement the person data model
  • Can provide a customized and tailored view of data
  • Supports requests for attributes from applications both internal and external to the agency
  • Primary point of query for applications

38
Why BAE? A Use Case: DHS / DoD DSCA Event Info Sharing Pilot
[Diagram: DHS user with PIV card -> NORTHCOM DSCA site (strong authentication: PKI / X.509; policy-driven access control: XACML) -> virtual directory / XML security gateway -> DoD Attribute Service -> DHS authoritative attribute store, with standards-based communication (SAML)]
  1. User is authenticated and identified via FASC-N
  2. NORTHCOM needs off-card information to authorize the user to access the portal. It asks its DoD Attribute Authority
  3. DoD Attribute Service pulls user information from DHS Attribute Service at the moment of need
  4. User is granted access
39
DHS BAE Implementation Architecture: Attribute correlation across diverse sources
40
How do you achieve AAES?
  • Abstraction layer
  • Production of attributes (and identities) will be
    separated from consumption of attributes (and
    identities) through the introduction of a virtual
    directory interface
  • Applications will externalize authorization to
    policy decision points which can use contextual
    authorization to request attributes in real time
  • You can do this with what you have today, with
    added value at each step towards the end goal

41
Back to the future
  • We never called it Authoritative Attribute
    Exchange Services (AAES).
  • We call it RadiantOne - A Federated Identity
    Service Through Model-Driven Virtualization
  • You can do this with what you have today, with
    added value at each step towards the end goal
  • Our customers have been doing this with our
    product for years.

42
A member of the IC using our solution
  • Federal IC customer for six years
  • Fine-grained access control
  • Requirement for integrating attribute services
  • Integrating twelve identity sources including but not limited to:
    • Sun directory
    • Microsoft Active Directory
    • Oracle
    • MySQL
    • Domino
  • 40 business units
  • Need to build a global profile for user accounts from multiple heterogeneous data sources.
  • This is the hottest thing we've got
  • It now takes us days to do what used to take us weeks

43
[Legend: Current / In Progress]
44
Identity Virtualization at Intel
  • Steve Price
  • Identity Service Manager
  • Intel IT
  • July 2010

45
In a Nutshell
  • Doing more with less budget
  • We now deliver in 3 days what used to take 4
    months
  • Tailored, use-case-specific function, while
    reusing existing systems w/o requiring changes to
    infrastructure.
  • The projected 3 applications per year turned into
    10 apps in 2 months, more coming
  • Enables us to do more with less.
  • Using VDS we have lowered our cost by 73%

46
Yes, we have arrived: The RadiantOne Solution
  • A Federated Identity Service Through Model-Driven
    Virtualization
  • Provides all functions of a complete AAES service
    through an abstraction layer

47
AAES with RadiantOne
Fred Puhan, fpuhan@radiantlogic.com
48
  • Overview / Challenges

49
Situation
[Diagram: Authoritative Sources (HR, Personnel Security, Payroll, Contracts, IDMS, Other) feed Agency Applications (LACS, PACS, White Pages, Applications), External Agency Applications and Federation Partners, all of which need access]
50
Today's Identity Equation: A (apps) x S (sources) x P (protocols) = N links
51
Schemas
[Diagram: HR Database schema and Security Directory schema]
52
Where are identities stored?
  HR Database
    Users: James Bond, Ethan Hunt, Clark Kent, Jean-Luc Picard
    Protocol: SQL
    Schema: 5 tables (Person, Assignment, Role, Citizenship, Country)
  Security Directory
    Users: James Bond, Ethan Hunt, David Webb, Xander Cage
    Protocol: LDAP
    Schema: clearancePerson objectclass
53
Challenges
  • Identities are spread across multiple
    repositories
  • There is overlap of identities between
    repositories
  • Different access protocols
  • Identities are described differently
  • Different security means for authentication

54
  • AAES

55
AAES
  • AAES ...is a technical solution that enables
    agencies to connect various authoritative data
    sources and share identity and other attributes
    within the shared enterprise infrastructure. To
    support the AAES capability, agencies must
    establish an enterprise digital identity model,
    identify authoritative data sources, and
    streamline the processes used to populate those
    authoritative sources.
  • (page 219)

56
AAES
  • Authoritative Attribute Exchange Service (AAES)
    consists of two logical components
  • Authoritative Attribute Manager (AAM)
  • Authoritative Attribute Distributor (AAD)

57
Authoritative Attribute Exchange Service (AAES)
58
  • AAM

59
Authoritative Attribute Manager (AAM)
  • AAM is ...designed to correlate identity
    attributes from the various authoritative data
    sources within an agency and provide a single
    authoritative source of digital identity. The AAM
    functions as a central hub of attributes,
    aggregating data from the various sources through
    either resource connectors or web services.
  • (page 221)

60
A bit of Reality
  • Identity "...data is spread across multiple authoritative sources within the agency, thereby complicating the challenge of exchanging attributes between sources and consumers."
  • (page 220)

61
Difficulty sharing identity attributes
  • The Challenge of Multiple Security Silos
  • Services are not flexible and are too tightly
    coupled with the underlying data silos.
  • Traditional solutions are a never-ending
    patchwork of custom code and complex
    synchronizations.

[Diagram: three security domains (A, B, C), each with its own groups, roles, context and applications]
62
AAES through Virtualization
  • Acting as an abstraction layer between
    applications and the underlying identity silos,
    virtualization isolates applications from the
    complexity of back-ends.

[Diagram: a virtualization layer (aggregation, correlation, integration, web services/SOA) sits between the consumers (external agency apps, federation partners, PACS, LACS, White Pages, apps) and the LDAP and SQL back-ends holding groups, roles, contexts and services]
63
Building the Unique Global List of Identities
64
Building the Global Profile
[Diagram: an Agency Application queries RadiantOne, which builds the global profile from the Security Directory and the HR Database]
  RadiantOne (global profile)
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    personSecurityClearanceCode: Top Secret
    USCitizenship: no
    uid: 007
  Security Directory
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
  HR Database
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
    FIPS10_4: UK
65
Correlate attributes
  HR
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
  RadiantOne / AAES
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    personSecurityClearanceCode: Top Secret
    USCitizenship: no
    uid: 007
  Security
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
66
Mapping (e.g. Person Data Model)
  HR
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
  RadiantOne / AAES
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    personSecurityClearanceCode: Top Secret
    USCitizenship: no
    uid: 007
  Security
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
67
Business Logic for values
  HR
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
  RadiantOne / AAES
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    USCitizenship: no
    personSecurityClearanceCode: Top Secret
    uid: 007
  Security
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
68
De-conflict attributes
  HR
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    CountryName: United Kingdom
    Title: Sir
  RadiantOne / AAES
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    USCitizenship: no
    personSecurityClearanceCode: Top Secret
    uid: 007
  Security
    uid: 007
    givenName: Jim
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
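The correlate / map / business-logic / de-conflict sequence of the last four slides, as an added Python illustration that is not RadiantOne's or FICAM's code. The HR row and directory entries are constructed to mirror the James Bond records above (with the join keys made equal, plus one directory entry that has no HR match); the per-attribute precedence policy and the clearance-status rule are assumptions about what such an AAM would enforce.

```python
"""Correlate, map, derive and de-conflict HR and directory attributes into one global profile."""
from dataclasses import dataclass, field

# Constructed sample records (not taken from a real system). The HR row carries
# the honorific "Title: Sir", the directory the conflicting "givenName: Jim".
# Join keys are made equal here; the slides' 11- vs 12-digit employeeNumber
# is assumed to be a typo. The second entry has no HR counterpart on purpose.
GUID = "00000007-0007-0007-0007-000000000007"
HR_ROWS = [
    {"PersonGuid": GUID, "GivenName": "James", "SurName": "Bond", "Role_Id": 1,
     "Role": "Secret Agent", "CountryName": "United Kingdom", "FIPS10_4": "UK",
     "Title": "Sir"},
]
LDAP_ENTRIES = [
    {"uid": "007", "givenName": "Jim", "sn": "Bond", "title": "Commander",
     "employeeNumber": GUID, "cn": "007", "clearanceCode": "Top Secret",
     "clearanceStatus": "active"},
    {"uid": "117", "givenName": "David", "sn": "Webb", "title": "Operative",
     "employeeNumber": "00000117-0117-0117-0117-000000000117", "cn": "117",
     "clearanceCode": "Secret", "clearanceStatus": "revoked"},
]

# Assumed precedence policy: HR is the system of record for legal names; the
# directory value is kept only as evidence of a discrepancy to be resolved.
# Format: attribute -> (winning source, its key, losing source, its key).
PRECEDENCE = {
    "personGivenName": ("hr", "GivenName", "ldap", "givenName"),
    "personSurName": ("hr", "SurName", "ldap", "sn"),
}


@dataclass
class Profile:
    attrs: dict
    conflicts: list = field(default_factory=list)


def correlate(hr_rows, ldap_entries):
    """Join the sources on the shared unique identifier (HR PersonGuid ==
    directory employeeNumber). Returns (matched pairs, unmatched entries)."""
    by_guid = {row["PersonGuid"]: row for row in hr_rows}
    matched, orphans = [], []
    for entry in ldap_entries:
        hr = by_guid.get(entry["employeeNumber"])
        if hr is None:
            orphans.append(entry)      # cannot be asserted as an agency person
        else:
            matched.append((hr, entry))
    return matched, orphans


def build_profile(hr, ldap):
    """Map one correlated pair onto the person data model, apply value
    business logic, and de-conflict per PRECEDENCE, logging each conflict."""
    src = {"hr": hr, "ldap": ldap}
    profile = Profile({})
    for attr, (w_src, w_key, l_src, l_key) in PRECEDENCE.items():
        winner, loser = src[w_src][w_key], src[l_src][l_key]
        profile.attrs[attr] = winner
        if winner != loser:
            profile.conflicts.append((attr, w_src, winner, l_src, loser))
    a = profile.attrs
    a["personGuid"] = hr["PersonGuid"]
    a["cn"] = f'{a["personGivenName"]} {a["personSurName"]}'
    a["designatedRole"] = hr["Role"]
    a["employeeRankText"] = ldap["title"]   # a rank; HR "Title" is an honorific
    a["personcitizenshipfips10-4code"] = hr["FIPS10_4"]
    a["USCitizenship"] = "yes" if hr["FIPS10_4"] == "US" else "no"  # derived
    # Assumed rule: assert a clearance code only while the directory marks it active.
    active = ldap["clearanceStatus"] == "active"
    a["personSecurityClearanceCode"] = ldap["clearanceCode"] if active else "None"
    a["uid"] = ldap["uid"]
    return profile


def build_global_profiles(hr_rows=HR_ROWS, ldap_entries=LDAP_ENTRIES):
    matched, orphans = correlate(hr_rows, ldap_entries)
    return [build_profile(hr, entry) for hr, entry in matched], orphans
```

The conflict log is the AAM's output for the data owners: the "Jim" vs "James" discrepancy is resolved in favour of HR but not silently discarded, and the unmatched directory entry is reported rather than turned into a profile.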
69
  • AAD

70
Authoritative Attribute Distributor (AAD)
  • AAD ...provide(s) attributes, by request, to
    consumer applications (i.e., applications that
    use identity data for downstream processes), both
    internal and external to the agency.
  • The AAD is also used to synchronize data with
    user accounts or local sources.
  • (page 223)

71
AAES enables sharing of Identity Attributes
72
Pull model 1
[Diagram: Agency Applications query the AAES (RadiantOne), which pulls from the Authoritative Sources]
73
Pull model 2
[Diagram: Agency Applications query the AAES (RadiantOne, or an XML Gateway), which pulls from the Authoritative Sources]
74
Push model
[Diagram: the AAES (RadiantOne) pulls from the Authoritative Sources and its AAD pushes to the Agency Applications, which can also query it]
75
  • Further Options

76
Further Options
  • Caching Strategies
    • How to keep the cache fresh?
    • TTL?
    • Automated refresh
  • Complex Identity Correlation
    • When no common unique identifier exists
    • Context-rich views

77
Data Modeling / Structure
[Diagram: data model]
78
What is YOUR next step?
  • Make a list of identity sources and attribute data
  • Identify the owners of those data
  • List identities and their attributes
  • Understand the schema and data of each source
  • Identify collisions and overlap
  • Analyze data for correlation
  • Understand where you have data discrepancies and need to de-conflict
  • Determine what applications' requirements are in terms of:
    • Payload
    • Format
    • Protocol
  • We will loan you the product to do so. Talk to us!

79
  • Questions?

80
  • Or Spy-Museum?