Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.

Similar presentations

Presentation on theme: "The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology."— Presentation transcript:

1 The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology

2 A Few Assertions The Internet is perceived as being inherently anonymous In order to conduct trusted transactions, we need to know with whom we are dealing Transactions must be within reasonable risk limits Trusted electronic credentials provide the means to link an asserted identity in the electronic world to physical entities

3 Facets of Building Trust FacetDescription IdentificationWho are you? AuthenticationHow do I know you are who you claim to be? AuthorizationAre you allowed to perform this transaction? IntegrityIs the data you sent the same as what I received? ConfidentialityAre we sure no one else read the data you sent? AuditingRecord of transactions to assist in looking for security problems? Non-repudiationCan you prove the sender sent it, and the receiver received the identical transaction? Thanks to Karl Best, Director of Technical Operations, OASIS

4 The Challenge of Trust Online Unrealistic expectations Immediacy but with safety, personal autonomy and control Personalization without surveillance Security and privacy without inconvenience, loss of immediacy Privacy Concerns are Real Issuing credentials raises privacy concerns, strong identity proofing increases these concerns Reasonable use extended beyond initial use over time Basic conflict with convenience– the key to security is less data and more control

5 Preconditions for Credential ‘Trustworthiness’ Unique to the person using it Under the sole control of the person using it Capable of verification Credential Pedigree –Institutional Standing of the Provider –Governance –Establishment of Identity –Credential Control

6 Challenges of Identity Management Most identity management systems were built one application at a time –No scalable, holistic means of managing identity, credentials, policy across boundaries –Fragmented identity infrastructure, inconsistent policy frameworks, process discontinuities –Potential security loopholes, expensive to manage Few Agency enterprise approaches exist Infrastructure requirements extend reach and range: –Increase scalability, lower costs –Balance of centralized and distributed management –Infrastructure must be more general-purpose and re-usable

7 E-Authentication In Addition to Policy, Three Focus Areas: Agency Application Risk Analysis  Modified proven process for E-Authentication Needs (eRA)  Focused on Identity Assurance at the Transaction Level Authentication Gateway  Provide validation services for multiple forms of ID credentials  Prototype gateway used to technical understanding of products  Agency business processes to broker identity assurance model  Establish common interfaces for doing electronic transactions Establish Process to Evaluate Electronic Credential Providers

8 Determining Authentication Needs Standardize process to assess the security risk Three primary risks: –Improper disclosure –Program fraud –Image/reputation of Agency Determine transaction risk –Recommend “appropriate” authentication for a given transaction –Examine transaction flow and vulnerabilities –Estimate cost and identify alternatives

9 Conducting eRA –An interdisciplinary team -- comprised of: business or mission-related staff information technology staff –eRA self-directed tool available to guide team through process produce consistent risk report with reduced effort –Provides basis for selecting Assurance Level Basis: SEI

10 eAuthentication Gateway Academia Health Care State or Federal Government Identity Verification Required Identity Verification Not Required Future of the Gateway Federal Agency Relying Parties Credential Providers Citizen Business Agent Direct Access Capability Preserved Credential Validation Process

11 The GATEWAY Concept ECP 1 ECP 2 ECP 3 DCP 2 DCP 1 Technology Mapping Ap1 Ap2 Ap3 Ap4 Ap5 GATEWAY Agency Applications Credential Providers 0 None 1 Medium 2 Substantial 3 Strong FEDBRIDGEFEDBRIDGE

12 Federal Authentication Infrastructures Existing Infrastructures for trusted transactions –E-Authentication Gateway provides a mechanism to evaluate ANY type of electronic Credential –Federal Bridge links together Public Key Infrastructure (PKI) based Trust domains –ACES provides an outsourced common infrastructure and PKI credentials for Trust domain with the public –NFC provides a managed infrastructure and PKI credentials for Trust domain for Agency operations –Common Access Card provides for common, secure platform for maintaining credentials Each has benefits for overall trust relationship

13 The Problem with PKI Concerns about complexity and cost Suitable when strong authentication needed Multiple Public Key Infrastructures operated by Agencies Operational PKIs have incorporated differing – Technical Solutions – Policy Decisions Federal Government also needs a mechanism for reliance on internal and external Trust Domains. Interoperability is the CHALLENGE! – Both Policy and Technical Interoperability

14 Acts as a trust “anchor” Enables digital credentials issued by one agency to be used /trusted at other agencies that have been cross-certified. Benefits of the Federal Bridge: Use of certificate policies and standards-based technologies and processes provides flexiblity Allows all organizations to make one security agreement with the Bridge CA, rather requiring multiple security agreements Allows trust interoperability between organizations and minimizes impact on the organization’s infrastructures and end-user applications Federal Bridge Certification Authority Enables certification between organizations so agencies “trust” each others public key credentials. The Federal Bridge:

15 Federal Bridge Certification Authority Certificate Policy Certificate Repository Certification Authority Certificate Holder Relying Party (Agency) Certificate Policy Certificate Repository Certification Authority Cross Certificate Certificate Policy 7 Certification Authority Relying Party (Agency) Certificate Holder Certificate Repository Path Construction: Kathy  Pink  FBCA  Green  Mike S/MIME EMAIL Kathy Mike

16 Thank You For your Time & Attent ion

Download ppt "The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology."

Similar presentations

Ads by Google