AGENDA

1
AGENDA

• 800 900 Breakfast
• 900 915 Introductions
• 915 1100 FICAM
• Anil John - Digital Security and Service
  Orientation Expert, GSA
• Rajeev Pillai System Architect, GSA
• 1100 Noon Radiant Logic and FICAM
• Don Graham Senior Account Manager
• Fred Puhan Solutions Architect
• Noon 200 Lunch
• Visit the Spy Museum

2
US Federal ICAM RoadmapImplementation Status
Next Steps

• Anil John Raj Pillai

3
What is ICAM in the Federal Government?

• Processes, Technologies, and Personnel used to
• Create trusted digital identity representations
  of individuals and NPEs
• Bind those identities to credentials that may
  serve as a proxy for the individual or NPE in
  access transactions
• Leverage the credentials to provide authorized
  access to an agencys resources

4
Federal ICAM Program Mission

• Align federal agencies around common practices by
  fostering effective government-wide identity,
  credential and access management 
• Collaborate with federal government and external
  identity management activities (non-federal,
  commercial and more) to leverage best practices
  and enhance interoperability
• Enable trust and interoperability in online
  transactions, through the application of common
  policies and approaches, in activities that cross
  organizational boundaries

5
FICAM Roadmap and Implementation Guidance v2

• Goals
• Comply with Federal Laws Relevant to ICAM
• Facilitate E-government by Streamlining Access to
  Services
• Improve security posture across the Federal
  Enterprise
• Enable Trust and Interoperability
• Reduce costs and increase efficiency

6
FICAM Roadmap and Implementation Guidance v2
7
OMB Policy on Federal ICAM

• OMB M-11-11

The government-wide architecture and completion
of agency transition plans must align as
described in the Federal CIO Councils Federal
Identity, Credential, and Access Management
Roadmap and Implementation Guidance
8
ICAM Services Layer

• Key ICAM Service
• Areas
• Digital Identity
• Credentialing
• Privilege Management
• Authentication
• Authorization Access
• Cryptography
• Auditing Reporting

The ICAM Roadmap, which includes a segment
architecture, provides a standards based approach
for implementing government-wide ICAM initiatives.
9
ICAM Roadmap Initiatives

• Government-wide Governance

• Agency-level Implementation

1. Augment policy and implementation guidance to
   agencies
2. Establish federated identity framework for the
   Federal Government
3. Enhance performance and accountability within
   ICAM initiatives
4. Provide government-wide services for common ICAM
   requirements

1. Streamline collection and sharing of digital
   identity data
2. Fully leverage PIV and PIV-I credentials
3. Modernize PACS infrastructure
4. Modernize LACS infrastructure
5. Implement federated identity capability

10
Guidance

• Provide guidance that targets agency barriers
• Logical Access - Mobile Device Guidance (Derived
  Credentials)
• Federation Relying Party Guidance
• Physical Access EPACS Guidance V2
• Mobility Digital Government Strategy (DGS)
  Milestone Deliverables
• Minimal Security requirements for Mobility
• Develop Reference Architecture for Mobility
• Engage industry partners, the smart card industry

11
ICAM Roadmap Initiatives

• Government-wide Governance

• Agency-level Implementation

1. Augment policy and implementation guidance to
   agencies
2. Establish federated identity framework for the
   Federal Government
3. Enhance performance and accountability within
   ICAM initiatives
4. Provide government-wide services for common ICAM
   requirements

1. Streamline collection and sharing of digital
   identity data
2. Fully leverage PIV and PIV-I credentials
3. Modernize PACS infrastructure
4. Modernize LACS infrastructure
5. Implement federated identity capability

12
FICAM Trust Framework Solutions

• FICAM provided mechanism for the Federal
  Government to accept Credentials from Non-Federal
  and Commercial Identity Providers
• Federal ICAM Trust Framework Provider Adoption
  Process (TFPAP) provides a mechanism to bring an
  Industry Trust Framework for a Comparison
  Evaluation
• Approved Trust Framework Providers
• Kantara Initiative
• Open Identity Exchange (OIX)
• InCommon
• SAFE/BioPharma

13
FICAM Trust Framework Solutions
Privacy Security
Comparability Assessment
Trust Framework Provider
Assurance Processes Privacy Policy Audit
Certification Processes Auditor
Qualifications Organizational Maturity
Approval Assessment
Organizational Maturity Registration Identity
Proofing Processes Credential Issuance
Processes Privacy Policies
http//www.idmanagement.gov/pages.cfm/page/ICAM-Tr
ustFramework
14
ICAM Roadmap Initiatives

• Government-wide Governance

• Agency-level Implementation

1. Augment policy and implementation guidance to
   agencies
2. Establish federated identity framework for the
   Federal Government
3. Enhance performance and accountability within
   ICAM initiatives
4. Provide government-wide services for common ICAM
   requirements

1. Streamline collection and sharing of digital
   identity data
2. Fully leverage PIV and PIV-I credentials
3. Modernize PACS infrastructure
4. Modernize LACS infrastructure
5. Implement federated identity capability

15
Metrics

• FISMA Metrics PIV Card Usage

• Purpose To address implementation of strong
  logical authentication technologies for access to
  federal information systems by federal employees
  and contractors
• Outcome To improve outcome metrics of PIV
  logical authentication across agencies. The TT
  focus is on critical barriers to implementation
  and deliverables that can assist in
  implementation
• Approach
• define metrics that are well understood,
  measurable, and actionable
• Understand and document agency barriers to
  implementation
• Provide target solutions to the barriers
• Identify tools that can be used by agencies to
  automate reporting

To increase the defensive posture of federal
information systems against threats by increasing
the use of strong multi-factor authentication
technologies
16
ICAM Roadmap Initiatives

• Government-wide Governance

• Agency-level Implementation

1. Augment policy and implementation guidance to
   agencies
2. Establish federated identity framework for the
   Federal Government
3. Enhance performance and accountability within
   ICAM initiatives
4. Provide government-wide services for common ICAM
   requirements

1. Streamline collection and sharing of digital
   identity data
2. Fully leverage PIV and PIV-I credentials
3. Modernize PACS infrastructure
4. Modernize LACS infrastructure
5. Implement federated identity capability

17
National Strategy for Trust Identities in
Cyberspace (NSTIC)

• The Federal Government

• Will continue to be a leader through its
  participation in the Identity Ecosystem as both a
  subject and relying party
• Will use existing private-sector Identity
  Ecosystem solutions rather than developing its
  own
• Will encourage the market toward trustworthy and
  interoperable identity solutions

18
OMB 3PC Acceptance Policy
web sites that allow members of the public and
business partners to register or log on must be
enabled to accept externally-issued credentials
in accordance with government-wide requirements
may only accept externally issued credentials
that are issued in accordance with NIST ...
Guidelines, and Federal Chief Information
Officers Council processes
19
What is Needed to Meet Policy Requirements
Citizens
.Government
A Shared Service that
Open ID/LOA1

• eliminates need to connect to each credential
  provider individually
• frees up agency resources to focus on
  mission-critical activities
• ensures interoperability, enabling citizens to
  use one credential across multiple agencies
• ...can translate between different
  eAuthentication protocols (Open ID, PKI, SAML,
  etc.)

OpenID/LOA1
PKI
SAML/LOA3
OpenID/LOA1
OpenID/LOA1
20
Federal Cloud Credential Exchange (FCCX)

• Government Operated Shared Service
• Provides a consistent approach to authentication
  for citizen facing systems and applications
• Utilizes FICAM Approved External Credential
  Providers as well as PIV and CAC Providers
• Secure, privacy-enhancing, efficient, easy-to-use
  and interoperable

21
ICAM Roadmap Initiatives

• Government-wide Governance

• Agency-level Implementation

1. Augment policy and implementation guidance to
   agencies
2. Establish federated identity framework for the
   Federal Government
3. Enhance performance and accountability within
   ICAM initiatives
4. Provide government-wide services for common ICAM
   requirements

1. Streamline collection and sharing of digital
   identity data
2. Fully leverage PIV and PIV-I credentials
3. Modernize PACS infrastructure
4. Modernize LACS infrastructure
5. Implement federated identity capability

22
Streamline Collection and Sharing of Digital
Identity Data
23
Core Concepts

• Enterprise Digital Identity
• Core identity attributes and unique person
  identifiers
• Identifying authoritative sources
• Digital Identity Process Integration
• Business processes for establishing and managing
  the digital identity life cycle
• Authoritative Digital Identity Attribute Exchange
• Enables secure electronic sharing of digital
  identity attributes
• Leverage data models to support effective sharing

24
Elements of Attribute Exchange

• Protocol
• Technical means for exchanging attributes
• Payload
• Attributes exchanged between parties
• Policy
• Governance processes and mechanisms put into
  place to manage the exchange and adjudicate issues

25
(No Transcript)
26
Access Control Attribute Governance Working
Group

• Supports guidance and standards development for
  a common language and understanding of access
  control attributes across the Federal Government

27
ACAG Working Group Functions

• Focus on Person Attributes for Access Control
• Establish initial set of Enterprise Access
  Control Attributes
• Develop processes for modification of the
  Enterprise Access Control Attribute set
• Leverage and, when possible, incorporate best
  practices and lessons learned
• Outreach and collaboration to gather attribute
  use best practices and lessons learned
• Facilitate exchange and trusted use of attributes
  across the Federal Government
• Develop and implement attribute governance
  processes across the Federal Government
• Authoritative-ness

28
Authoritative Attribute Exchange Services (AAES)
Applications
Authoritative Sources
29
AAES Authoritative Attribute Manager

• Correlate attributes from various authoritative
  sources
• De-conflict discrepancies across attribute
  sources
• Implements the person data model
• Provide a consolidated view of the pieces of a
  person gathered from multiple sources

Authoritative Attribute Manager
Authoritative Sources
30
AAES Authoritative Attribute Distributer

• Primary point of query for applications
• Can provide a customized and tailored view of
  data
• Supports requests for attributes from both
  internal and external to agency

Applications
Authoritative Attribute Distributer
31
Implementing an AAES Infrastructure
Agency Systems Applications
Virtual/Meta Directory Engine
Agency Identity and Attribute Sources
32
(No Transcript)
33
FICAM Drivers

• Increasing Cybersecurity threats
• Need for improved physical security
• Lag in providing government services
  electronically
• Vulnerability of Personally Identifiable
  Information (PII)
• Lack of interoperability
• High costs for duplicative processes and data
  management

34
Federal ICAM Conceptual View
35
RADIANT LOGIC

• Radiant Logic
• and
• Federal Identity, Credential, and Access
  Management

36
The FICAM challenge

• GSA FICAM inclusion government-wide
• OMB 11.11
• Agency challenges to achievement
• Lack of time
• Lack of staff
• Lack of budget
• Lack of knowledge
• Current IdM isnt meeting needs of federated
  enterprises
• Based on Push from a single authoritative
  source
• No single authoritative source of Identity
• Need to gather identity information from multiple
  authoritative identity sources both enterprise
  and consumer
• In real time
• And then establish a Pull infrastructure
• Publish
• Always current

37
Authoritative Attribute Exchange Services (AAES)

• Provide a consolidated view of the pieces of a
  person gathered from multiple sources
• Correlate attributes from various authoritative
  sources
• De-conflict discrepancies across attribute
  sources
• Implements the person data model
• Can provide a customized and tailored view of
  data
• Supports requests for attributes from both
  internal and external to agency
• Primary point of query for applications

38
Why BAE?- A Use Case DHS DOD DSCA Event Info
Sharing Pilot
Strong Authentication PKI / X.509
Policy Driven Access Control XACMLoid
DHS Userw/PIV Card
NORTHCOM DSCA Site

1. User is authenticated and identified via FASC-N

Virtual Directory XML Security Gateway

1. NORTHCOM needs off-card information to
   authorize User to access portal. It asks its
   DoD Attribute Authority

1. User is granted access

Auth. AttributeStore

1. DoD Attribute Service pulls user information from
   DHS Attribute Service at moment of need

Standards-based Communication (SAML)
DoD Attribute Service
39
DHS BAE Implementation Architecture- Attribute
correlation across diverse sources
40
How do you achieve AAES?

• Abstraction layer
• Production of attributes (and identities) will be
  separated from consumption of attributes (and
  identities) through the introduction of a virtual
  directory interface
• Applications will externalize authorization to
  policy decision points which can use contextual
  authorization to request attributes in real time
• You can do this with what you have today, with
  added value at each step towards the end goal

41
Back to the future

• We never called it Authoritative Attribute
  Exchange Services (AAES).
• We call it RadiantOne - A Federated Identity
  Service Through Model-Driven Virtualization
• You can do this with what you have today, with
  added value at each step towards the end goal
• Our customers have been doing this with our
  product for years.

42
A member of the IC using our solution

• Federal IC customer for six years
• Fine grained access control
• Requirement for integrating attribute services
• Integrating twelve identity sources including but
  not limited to
• Sun directory
• Microsoft Active Directory
• Oracle
• MYSQL
• Domino
• 40 business units
• Need to build a global profile for user accounts
  from multiple heterogeneous data sources.
• This is the hottest thing weve got
• It now takes us days to do what used to take us
  weeks

43
Legend
Current
In Progress
44
Identity Virtualization at Intel

• Steve Price
• Identity Service Manager
• Intel IT
• July 2010

45
In a Nutshell

• Doing more with less budget
• We now deliver in 3 days what used to take 4
  months
• Tailored, use-case-specific function, while
  reusing existing systems w/o requiring changes to
  infrastructure.
• The projected 3 applications per year turned into
  10 apps in 2 months, more coming
• Enables us to do more with less.
• Using VDS we have lowered our cost by 73

46
Yes, we have arrivedThe RadiantOne Solution

• A Federated Identity Service Through Model-Driven
  Virtualization
• Provides all functions of a complete AAES service
  through an abstraction layer

47
AAES with RadiantOne
Fred Puhan fpuhan_at_radiantlogic.com
48

• Overview / Challenges

49
Situation
AuthoritativeSources
AgencyApplications
External Agency Applications
FederationPartners
HR
PersonnelSecurity
needaccess
LACS
PACS
Payroll
Contracts
IDMS
Other
White Pages
Applications
50
Todays Identity EquationA (apps) x S (sources)
x P (protocols) N links (x )
51
Schemas
HR Database
Security Directory
52
Where are identities stored?
HR Database HR Database
Users James Bond Ethan Hunt Clark Kent Jean-Luc Picard
Protocol SQL
Schema 5 tables Person Assignment Role Citizenship Country
Security Directory Security Directory
Users James Bond Ethan Hunt David Webb Xander Cage
Protocol LDAP
Schema clearancePerson objectclass
53
Challenges

• Identities are spread across multiple
  repositories
• There is overlap of identities between
  repositories
• Different access protocols
• Identities are described differently
• Different security means for authentication

54

• AAES

55
AAES

• AAES ...is a technical solution that enables
  agencies to connect various authoritative data
  sources and share identity and other attributes
  within the shared enterprise infrastructure. To
  support the AAES capability, agencies must
  establish an enterprise digital identity model,
  identify authoritative data sources, and
  streamline the processes used to populate those
  authoritative sources.
• (page 219)

56
AAES

• Authoritative Attribute Exchange Service (AAES)
  consists of two logical components
• Authoritative Attribute Manager (AAM)
• Authoritative Attribute Distributor (AAD)

57
Authoritative Attribute Exchange Service (AAES)
58

• AAM

59
Authoritative Attribute Manager (AAM)

• AAM is ...designed to correlate identity
  attributes from the various authoritative data
  sources within an agency and provide a single
  authoritative source of digital identity. The AAM
  functions as a central hub of attributes,
  aggregating data from the various sources through
  either resource connectors or web services.
• (page 221)

60
A bit of Reality

• Identity "...data is spread across multiple
  authoritative sources within the agency, thereby
  complicating the challenge of exchanging
  attributes between sources and consumers.
• (page 220)

61
Difficulty sharing identity attributes

• The Challenge of Multiple Security Silos
• Services are not flexible and are too tightly
  coupled with the underlying data silos.
• Traditional solutions are a never-ending
  patchwork of custom code and complex
  synchronizations.

Security Domain A
Groups
Roles
Context
Applications
Security Domain B
Groups
Roles
Context
Applications
Security Domain C
Groups
Roles
Context
Applications
62
AAES through Virtualization

• Acting as an abstraction layer between
  applications and the underlying identity silos,
  virtualization isolates applications from the
  complexity of back-ends.

ExternalAgencyApp
Virtualization
Aggregation
Correlation
Integration
Web Services/SOA
FederationPartner
PACS
Groups
Roles
Contexts
Services
LDAP
LACS
WhitePages
SQL
Apps
63
Building the Unique Global List of Identities
64
Building the Global Profile
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK personSecurityClearanceCode
Top Secret USCitizenship no uid 007
Agency Application
RadiantOne
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom FIPS10_4 UK
Security Directory
HR Database
65
Correlate attributes
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom
RadiantOne / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK personSecurityClearanceCode
Top Secret USCitizenship no uid 007
Security
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
66
Mapping (e.g. Person Data Model)
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom
RadiantOne / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK personSecurityClearanceCode
Top Secret USCitizenship no uid 007
Security
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
67
Business Logic for values
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom
RadiantOne / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK USCitizenship
no personSecurityClearanceCode Top Secret uid
007
Security
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
68
De-conflict attributes
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent CountryName United Kingdom Title
Sir
RadiantOne / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK USCitizenship
no personSecurityClearanceCode Top Secret uid
007
Security
uid 007 givenName Jim sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
69

• AAD

70
Authoritative Attribute Distributor (AAD)

• AAD ...provide(s) attributes, by request, to
  consumer applications (i.e., applications that
  use identity data for downstream processes), both
  internal and external to the agency.
• The AAD is also used to synchronize data with
  user accounts or local sources.
• (page 223)

71
AAES enables sharing of Identity Attributes
72
Pull model 1
AuthoritativeSources
AgencyApplications
AAES
query
RadiantOne
73
Pull model 2
AuthoritativeSources
AgencyApplications
AAES
query
RadiantOne
RadiantOne, or XML Gateway
74
Push model
AuthoritativeSources
AgencyApplications
AAES
query
push
AAD
RadiantOne
75

• Further Options

76
Further Options

• Caching Strategies
• How to keep the cache fresh?
• TTL?
• Automated Refresh
• Complex Identity Correlation
• When no common unique identifier exists
• Context-rich views

77
Data Modeling / Structure
model
78
What is YOUR next step?

• Make a list of identity sources and attribute
  data
• Identify the owners of those data
• List identities and their attributes
• Understand the schema and data of each source
• Identify collisions and overlap
• Analyze data for correlation
• Understand where you have data discrepancies and
  need to de-conflict
• Determine what applications requirements are in
  terms of
• Payload
• Format
• Protocol
• We will loan you the product to do so. Talk to
  us!

79

• Questions?

80

• Or Spy-Museum?