
Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Attribute Exchange and Information Sharing in Action Federal.


1 Federal CIO Council Information Security and Identity Management Committee, IDManagement.gov. Attribute Exchange and Information Sharing in Action. Federal ICAM Day, June 18, 2013

2 Panel Participants
  Martin Smith, PM-ISE
  Ted Sobel, DHS Office of Policy/SCO
  David Coxe, ID/DataWeb
  Dieter Schuller, Radiant Logic
  John Wandelt, GTRI
  Anil John, GSA (Moderator)

3 An Entity: 10 - Who is anonymous; 20 - Using a uid/password; 30 - Using a software OTP; …
  Using: 10 - An org-managed PC; 20 - A personal PC; 30 - An org smartphone; …
  From: 10 - Org network; 20 - Via VPN; 30 - Internet; …
  To Access: 10 - Admin functions; 20 - An AD-integrated app; 30 - Network device; …
  When: 10 - During normal hours; 20 - During weekends; 30 - When no AuthZ service; …
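The slide lists the five context dimensions an ABAC decision draws on (who, on what device, from where, to what, when). The following is an added example, not from the deck, of a deny-by-default evaluator over those dimensions; the value codes, the authenticator-strength order and the two rules are hypothetical, and "no AuthZ service" is treated as a fail-closed condition.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Context dimensions from the slide; the string values are hypothetical codes.
@dataclass(frozen=True)
class Request:
    entity: str    # "anonymous" | "uid_password" | "software_otp"
    device: str    # "org_pc" | "personal_pc" | "org_smartphone"
    network: str   # "org_network" | "vpn" | "internet"
    resource: str  # "admin_functions" | "ad_app" | "network_device"
    when: str      # "normal_hours" | "weekend" | "no_authz_service"

# Authenticator strength, so a rule can demand "at least this" (hypothetical order).
AUTH_STRENGTH = {"anonymous": 0, "uid_password": 1, "software_otp": 2}

@dataclass(frozen=True)
class Rule:
    name: str
    resource: str              # the resource this rule protects
    min_auth: str              # weakest acceptable entity authentication
    devices: FrozenSet[str]    # permitted device classes
    networks: FrozenSet[str]   # permitted network origins
    times: FrozenSet[str]      # permitted time contexts

def matches(rule: Rule, req: Request) -> bool:
    return (rule.resource == req.resource
            and AUTH_STRENGTH[req.entity] >= AUTH_STRENGTH[rule.min_auth]
            and req.device in rule.devices
            and req.network in rule.networks
            and req.when in rule.times)

def decide(req: Request, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Deny by default; fail closed when no AuthZ service is reachable."""
    if req.when == "no_authz_service":
        return ("deny", "authz-service-unavailable")
    for rule in rules:
        if matches(rule, req):
            return ("permit", rule.name)
    return ("deny", None)

# Hypothetical rules: admin functions need a software OTP from an org-managed PC
# on the org network in normal hours; the AD-integrated app is reachable more widely.
RULES = [
    Rule("admin", "admin_functions", "software_otp", frozenset({"org_pc"}),
         frozenset({"org_network"}), frozenset({"normal_hours"})),
    Rule("ad_app", "ad_app", "uid_password", frozenset({"org_pc", "org_smartphone"}),
         frozenset({"org_network", "vpn"}), frozenset({"normal_hours", "weekend"})),
]
```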

4 Martin Smith, PM-ISE

5 User Attributes for ABAC Authorization. Martin Smith, PM-ISE IdAM Coordinator, June 18, 2013

6 Some (Rebuttable) Assertions about Person Attributes (for Authz)
The more attributes we have, the more data can be responsibly shared
  ◦ But provisioning high-quality (authoritative, accurate, timely) attributes is expen$ive
Responsible sharing across the environment (multiple organizations) requires common syntax/semantics of relevant attributes
  ◦ But not everyone will use or provision all “registered” attributes
Today, a user’s home organization provisions most attributes; but ultimately each attribute is likely to come from a different source
  ◦ This means attribute aggregators or real-time aggregation via BAE is essential
Authorization attributes are not particularly relevant to a major class of use cases: access to one’s own personal info (e.g., Social Security account, bank account)
  ◦ But they are essential for controlling access by a user to “OPD” (other people’s data), privileged functions, and “need to know” data
Governance of attribute provisioning and use has to be as lightweight as possible (but not more so)
  ◦ Basic strategy is to rely on transparency (disclosure of attribute quality, with audit) so that relying parties can make informed choices about acceptable risk in using an attribute
  ◦ Initially, attribute quality and suitability (match to “ideal” data) will be poor, but there are incentives for relying parties and attribute providers to meet in the middle

7 Ted Sobel, DHS Policy/SCO

8 Minimum Standards for the Assertion, Evidence, and Verification of Personal Identity: The Identity Proofing and Verification (IDPV) Standard Development Project. Ted Sobel, DHS Office of Policy / Screening Coordination Office (SCO), June 2013

9 Background: Need
  Common practices to support an identity chain of trust
  Requirements that align with established risk categories
  Evaluating how an organization proofed an identity

10 Design: Hierarchy
  Identity
  Attribute: defines a unique identity
  Evidence: authenticates the asserted attributes
  Verification Checks: determine the degree of confidence in the evidence

11 Design: Example
  Identity: Robert Smith
  Attribute: Legal First & Last Name; Full Date of Birth
  Evidence: Driver’s License
  Verification Checks: Check DMV records; Examine security features; Manually match photo

12 Process: Overview
  Step 1 – IAL
  Step 2 – Assertion
  Step 3 – Verification
  Step 4 – Determination

13 Selection of Attributes: Effectiveness; Accessibility; Sensitivity; Necessity; Permanence

15 David Coxe, ID/DataWeb

16 Online Identity Attribute Exchange 2013 Initiatives. David Coxe, CEO, ID/DataWeb, Inc.

17 The AXN Business Model and Technical Infrastructure
Aligns business objectives of the Identity Ecosystem participants
  – Overcome historical implementation barriers – everyone benefits
  – Expand RP participation to efficiently service and monetize existing markets
  – Create new business channels currently underserved by the Identity Ecosystem
Enables a neutral Internet-scale credential and attribute monetization platform
  – Efficient, open, competitive transaction and contractual hub
  – Unencumbered by legacy business models, regulations, and technologies
  – Free to users, lowers RP costs, and new market potential for IdPs and APs
Promotes user trust, online security, and privacy protective services
  – Designed to implement and positively transform the online identity ecosystem
© 2013 Criterion Systems, Inc. Proprietary and Confidential. Criterion Systems, Inc. retains ownership of its proprietary information in this presentation.

18 AXN Services Framework
Participants: Trust Framework Provider (TFP); Identity Providers (IdP); Attribute Providers (AP); Relying Parties (RP); Assessors & Auditors; Dispute Resolvers; user; Attribute Exchange Network (AXN) Proxy
IdP Services
  Credential: OpenID 2.0, SAML 2.0, IMI 1.0
  Protocol: OAuth 2.0, SAML 2.0, Other
  LOA: LOA 1-4
  Cert/TF: FICAM, OIX, Kantara, Other
AP Services
  Attributes: NEAT, SS, DOB, Gender, Corp Verification
  Quality: Refresh Rate, Coverage, Sources, Data Types
  Physical: Device ID, BIO, Card, Other
  Pricing: Per Transaction, Per User Per Year, Annual License
  Cert/TF: FICAM, OIX, Kantara, Other
RP Services
  Enroll: Business Purpose, Attribute Selection, Claims Refresh Rate, IdP & AP Selections, User Preferences, Contract
  LOA: LOA 1-4
  Admin: Logs, Reporting, Billing, Contract Management
  Cert/TF: FICAM, OIX, Kantara, Other
User Services
  Attributes: Not Stored In AXN, Self Asserted, Data Minimization
  PDS: PII, Preferences, ABAC, Encrypted, External Store
  MAX: User Only, Personal Control and Security, Acct Linking, Federated Access Via RP
AXN Services: Billing; Pricing and Analytics; Acct Management; Service Provisioning; Contracting; Policy Management; Marketing; Transaction Management; Registration; Operations and Security; Logs, Reporting; Administration; Audit; User Interface

19 AXN Identity Federation Services – My Attribute Exchange
1. Credential Federation
  Verified attributes are used to create new or bind to existing user accounts
  Authenticated users have federated access at each RP
2. Personal Data Services (PDS)
  User attribute data is not stored in the AXN
  PDS data is presented via MAX to create and manage RP accounts
  User-centric, privacy protective, secure, and federated
  No cost to user
3. User Management Console (UMC)
  Created when a user first opts in to share their verified attribute claims via the AXN with an RP
  Users can securely manage PDS attributes shared with an RP service accessed by an IdP credential
  Enables user to link and unlink multiple IdP credentials

20 AXN Business Services
Credential transaction management services
  – IdP authenticates user credentials as a service to RPs registered on the AXN
  – RP credential requirements for a given LOA (e.g., 1 – 4), type (e.g., SAML, OpenID, IMI), and trust framework certifications
Personal (PII) attribute verification and claims management services
  – RPs designate which PII attributes they require from users
  – User-asserted, verified attributes and claims are shared with RPs with user permission
  – Device ID and biometric attributes are verified as required for RP authorization transactions
Preference attribute management services
  – RPs can designate preferences to display for users when interacting with the RP service
Attribute Based Access Control (ABAC) management services
  – RPs select authoritative role-based attributes for users to assert when accessing their service
User Managed Access (UMA) attribute services
  – UMA services define how users (as resource owners) can control protected-resource access by requesting parties

21 AXN Technology Roadmap
Device Attribute Verification Services
  Mobile Device Verification Services: Users log in using a trusted mobile device registered and managed on the AXN via MAX; Secure device ID service ensures user RP accounts can only be accessed using a trusted device
  Computer Verification Services: Over 600 million computers with Trusted Platform Modules (TPMs) can be managed via the AXN; Windows 8 requires TPMs on a wide range of devices from desktops to smart phones
Biometric Attribute Verification Services
  Cloud-based Voice, Retinal, Photo and Fingerprint Verification Services (Daon, CGI, and others)
  Integration with Authoritative AP Services, e.g., driver license attributes and photos
ABAC Services
  Fine-grained Policy Authorization Services
  UMA Services to Dynamically Control Access to RP Data and Services
AXN Trust Elevation Services

22 AXN Privacy – By Design
AXN legal agreements
  – Standardized agreements with regulatory flow-down terms from IdPs and APs
  – Limit PII collection to what is necessary to accomplish the specified purpose(s)
  – Accountability and audit to protect PII through appropriate safeguards
AXN as a proxy – no single service provider can gain a complete picture of a user’s activity
The AXN data management design mitigates potential threats
  – Does not create a central data store of verified user attributes
  – Security and privacy enhancing technology is built into the AXN infrastructure
Users opt in to each control process for collection, verification, and distribution of attributes
  – User Management Console for attribute and credential management
  – Only the minimum necessary information is shared in a transaction (FIPPs)

23 Dieter Schuller, Radiant Logic

24 Attribute Exchange and Information Sharing in Action. Dieter Schuller

25 Authoritative Attribute Exchange Services (AAES)
  Browser; Web services application; Mobile; Other Apps
  Authoritative Sources: Databases; Active Directory; LDAP; Other Applications
  AAES Infrastructure: Authoritative Attribute Manager; Authoritative Attribute Distributor

26 How to Avoid This?

27 And This?
  What You Have…                               What the Other Party Expects…
  samAccountName=Ellen_Adams                   UID=Ellen_Adams
  givenName=Ellen, sn=Adams, memberOf=Sales    Group=Seattle
  employeeType=manager                         securitylevel=1
  samAccountName=Ellen_Adams                   ProjectMembers=Ellen_Adams, Joe_Smith, Tom_Leahy
  st=WA                                        State=Washington

28 Lessons Learned
  Correlation: Same Users – Different IDs (RJones, RobertaJ). No SSO unless you have this.
  Disambiguation: Same IDs – Different Users (RJones). Potential for authorization based on the wrong profile.
  Profile Lookup at Directory Speeds
  Groups Matching Application Needs
  Translation of Protocol, Schema, Structure, and Data
  Scalability and Performance of a Directory
  Global User List (Union); Complete Profile (Join); Group Management; Consumer Specific Views; Smart Synch Cache
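The two slides above describe attribute translation (what you have versus what the other party expects) and the correlation/disambiguation problem behind it. As an added example that is not Radiant Logic's code, the block below implements the rename, value-translation and derivation rows of the Ellen_Adams table, then joins two constructed user populations on e-mail (a hypothetical correlation key) and flags login IDs that name different people in the two sources.

```python
from typing import Dict, List

# Slide 27 rows: what the RP expects, derived from what the AD profile has.
STATE_NAMES = {"WA": "Washington"}                       # st -> State
SECURITY_LEVEL = {"manager": 1}                          # employeeType -> securitylevel
PROJECT_MEMBERS = {"Ellen_Adams": ["Ellen_Adams", "Joe_Smith", "Tom_Leahy"]}  # constructed

def translate(ad: Dict[str, str]) -> Dict[str, object]:
    """Rename (samAccountName -> UID), translate values (st -> State),
    map enumerations (employeeType -> securitylevel) and derive a multi-valued
    attribute (ProjectMembers) the consuming application expects."""
    out: Dict[str, object] = {"UID": ad["samAccountName"]}
    if "st" in ad:
        out["State"] = STATE_NAMES.get(ad["st"], ad["st"])
    if "employeeType" in ad:
        out["securitylevel"] = SECURITY_LEVEL[ad["employeeType"]]
    out["ProjectMembers"] = PROJECT_MEMBERS.get(ad["samAccountName"], [])
    return out

def correlate(src_a: List[Dict[str, str]], src_b: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Correlation (same user, different IDs): join both populations on a key
    more stable than the login name, here e-mail, into one complete profile."""
    joined = {r["mail"].lower(): dict(r) for r in src_a}
    for r in src_b:
        joined.setdefault(r["mail"].lower(), {}).update({"b_" + k: v for k, v in r.items()})
    return joined

def ambiguous_ids(src_a: List[Dict[str, str]], src_b: List[Dict[str, str]]) -> List[str]:
    """Disambiguation (same ID, different users): login IDs that name different
    people in the two sources. Trusting the ID alone would authorize on the
    wrong profile, so these must be resolved before the union is exposed."""
    a_mail_by_id = {r["uid"]: r["mail"].lower() for r in src_a}
    return sorted(r["uid"] for r in src_b
                  if r["uid"] in a_mail_by_id and a_mail_by_id[r["uid"]] != r["mail"].lower())

# Constructed sample populations. RJones (A) and RobertaJ (B) are one person;
# RJones in B is a different Robert Jones who happens to share the login ID.
SRC_A = [{"uid": "RJones", "mail": "roberta.jones@example.org", "sn": "Jones"}]
SRC_B = [{"uid": "RobertaJ", "mail": "roberta.jones@example.org", "dept": "Sales"},
         {"uid": "RJones", "mail": "robert.jones@example.org", "dept": "IT"}]
```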

29 Data Analysis

30 Identity and Context Virtualization
  Aggregation; Correlation; Integration; Virtualization
  Population A; Population B; Population C; Groups; Roles
  LDAP; SQL; Web Services / SOA
  App A; App B; App C; App D; App E; App F
  Contexts; Services; SCIM; REST

31 How to Get There?


33 John Wandelt, GTRI

34 Enabling Scalable Secure Information Exchange Through Trusted Attributes. John Wandelt, Georgia Tech Research Institute

35 GFIPM Standards and Products
Categories: Outreach & Marketing Resources; Technical Assistance Resources; Communication Profiles; Core Tech. Standards & Guidelines; Fed. Org. Guidelines
Products: OJP Portal; Doc Map; Term Matrix; Web Svc CONOPS; Web Site; Overview Doc; Exec Overview; Training Modules; Impl Guide; Ref Federation; U2S Impl Kit; S2S Impl Kit; Impl Web Portal; Join-or-Build?; TIB Onboarding Guide; Web Browser User-to-System Profile; Web Services System-to-System Profile; REST Web Services System-to-System Profile; Mobile Device App Profile; BAE Profile; Metadata 1.0; Metadata 2.0; Crypto Trust Model; Fed. CPS Template; Fed. Member CP Template; Gov. Guideline; Operational Policies & Procedures Guideline; Membership Agreements Set; Mobile CONOPS; Alignment CONOPS; Federation Audit Policy; Federation Attribute Release Policy
Legend (status of each product): Normative Spec Complete & Approved (if applicable); Under Development (Timeline TBD); Published or Released Since Pvs. DT Mtg.; Likely to be Updated in 2013; Deprecated and/or Out-of-Date


37 National Identity Exchange Federation

38 GFIPM Metadata 2.0 NIEF Profile
MANDATORY (Required for Audit Purposes): Federation Id; Given Name; Sur Name; Address Text; Telephone Number; Employer Name; Identity Provider Id
HIGHLY RECOMMENDED (Required by ≥2 SPs): SLEO Indicator; Public Safety Officer Indicator; Employer ORI; Employer Organization General Category Code; Electronic Authentication Assurance Level Code; Id Proofing Assurance Level Code; 28 CFR Certification Indicator
RECOMMENDED (Required by 1 SP): NCIC Certification Indicator; Counter-Terrorism Data Privilege Indicator *; Criminal Investigative Data Privilege Indicator *; Criminal Intelligence Data Privilege Indicator *; Criminal Justice Data Privilege Indicator *; Government Data Privilege Indicator *; Local Id; N-DEx Privilege Indicator
All other attributes are PERMITTED.
* Indicates presence of search privilege on behalf of self in user’s home agency.

39 Use Case Example
Law enforcement officers from the Texas Department of Public Safety need fast, reliable access to gang- and criminal-related information while in the field. The Regional Information Sharing System (RISS) has a database of intelligence information that would allow an officer to conduct a quick background check on potential criminal suspects and assess their criminal history and personal information. In order for a law enforcement officer to gain access to the system at RISS, he/she must have successfully completed the 28 CFR Part 23 training with the Bureau of Justice Assistance.
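The NIEF profile slide and this use case together describe what a service provider does with an incoming attribute assertion: reject it if the audit attributes are missing, then decide on a specific indicator. The following is an added example, not GFIPM or NIEF code; the attribute names are those on the profile slide, while the flat dict format, the string "true" convention for indicators and the sample officer's values are constructed.

```python
from typing import Dict, List, Tuple

# Attribute names as listed on the NIEF profile slide.
MANDATORY = ["Federation Id", "Given Name", "Sur Name", "Address Text",
             "Telephone Number", "Employer Name", "Identity Provider Id"]
HIGHLY_RECOMMENDED = ["SLEO Indicator", "Public Safety Officer Indicator", "Employer ORI",
                      "Employer Organization General Category Code",
                      "Electronic Authentication Assurance Level Code",
                      "Id Proofing Assurance Level Code", "28 CFR Certification Indicator"]

def check_profile(attrs: Dict[str, str]) -> Tuple[bool, List[str], List[str]]:
    """Return (accept, missing_mandatory, missing_highly_recommended). A missing
    or empty MANDATORY attribute rejects the assertion: those attributes exist so
    that every transaction can be attributed to a person during an audit."""
    missing_m = [a for a in MANDATORY if not attrs.get(a, "").strip()]
    missing_hr = [a for a in HIGHLY_RECOMMENDED if a not in attrs]
    return (not missing_m, missing_m, missing_hr)

def indicator(attrs: Dict[str, str], name: str) -> bool:
    """Indicator attributes arrive as strings. Only a literal 'true' counts; an
    absent indicator is 'not asserted', never implied from another attribute."""
    return attrs.get(name, "false").strip().lower() == "true"

def authorize_riss(attrs: Dict[str, str]) -> Tuple[str, str]:
    """SP-side decision for the slide-39 use case: accept the assertion only when
    the audit attributes are present, then require the 28 CFR certification."""
    accepted, missing_m, _ = check_profile(attrs)
    if not accepted:
        return ("deny", "assertion rejected; missing mandatory: " + ", ".join(missing_m))
    if not indicator(attrs, "28 CFR Certification Indicator"):
        return ("deny", "28 CFR Part 23 certification not asserted")
    return ("permit", "audit subject " + attrs["Federation Id"])

# Constructed sample assertion; every value is a placeholder.
OFFICER = {
    "Federation Id": "TXDPS:officer-0001", "Given Name": "Jane", "Sur Name": "Doe",
    "Address Text": "123 Example St, Austin TX", "Telephone Number": "512-555-0100",
    "Employer Name": "Texas Department of Public Safety",
    "Identity Provider Id": "urn:example:idp:txdps",
    "SLEO Indicator": "true", "28 CFR Certification Indicator": "true",
}
```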

40 Scenario Technical Overview

41 For More Information
  GFIPM:
  NIEF: https://nief.gfipm.net/
  Global Information Sharing Initiative:


