Federal CIO Council Information Security and Identity Management Committee IDManagement.gov Attribute Exchange and Information Sharing in Action Federal ICAM Day June 18, 2013
Panel Participants
• Martin Smith, PM-ISE
• Ted Sobel, DHS Office of Policy/SCO
• David Coxe, ID/DataWeb
• Dieter Schuller, Radiant Logic
• John Wandelt, GTRI
• Anil John, GSA (Moderator)
Access-context dimensions (each dimension ranked 10/20/30 on the slide, weakest first):
• An Entity (who): 10 - is anonymous; 20 - using a uid/password; 30 - using a software OTP; …
• Using (device): 10 - an org-managed PC; 20 - a personal PC; 30 - an org smartphone; …
• From (network): 10 - org network; 20 - via VPN; 30 - Internet; …
• To Access (resource): 10 - admin functions; 20 - an AD-integrated app; 30 - network device; …
• When (time): 10 - during normal hours; 20 - during weekends; 30 - when no AuthZ service is available; …
Martin Smith, PM-ISE
User Attributes for ABAC Authorization Martin Smith, PM-ISE IdAM Coordinator June 18, 2013
Some (Rebuttable) Assertions about Person Attributes (for Authz)
• The more attributes we have, the more data can be responsibly shared
  ◦ But provisioning high-quality (authoritative, accurate, timely) attributes is expensive
• Responsible sharing across the environment (multiple organizations) requires common syntax/semantics of relevant attributes
  ◦ But not everyone will use or provision all "registered" attributes
• Today, a user's home organization provisions most attributes; but ultimately each attribute is likely to come from a different source
  ◦ This means attribute aggregators or real-time aggregation via BAE is essential
• Authorization attributes are not particularly relevant to a major class of use-cases: access to one's own personal info (e.g., Social Security account, bank account)
  ◦ But they are essential for controlling access by a user to "OPD" (other people's data), privileged functions, and "need to know" data
• Governance of attribute provisioning and use has to be as lightweight as possible (but not more so)
  ◦ Basic strategy is to rely on transparency (disclosure of attribute quality, with audit) so that relying parties can make informed choices about acceptable risk in using an attribute
  ◦ Initially, attribute quality and suitability (match to "ideal" data) will be poor, but there are incentives for relying parties and attribute providers to meet in the middle
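The two slides above describe an ABAC decision built from context dimensions (who, using, from, to access, when) and from attributes whose quality the provider discloses so the relying party can set its own risk bar. The following is an added worked example, written for this page and not code from the panel or from any federal system; the attribute names (authn_method, device_type, network), the quality scores, the "admin_functions" policy and the 0.8 quality threshold are all hypothetical choices made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Attr:
    """One provisioned attribute plus the quality its provider discloses (0..1).
    The quality score is a hypothetical stand-in for the per-attribute
    disclosure the slide calls transparency; source names who asserted it."""
    value: object
    quality: float
    source: str


@dataclass
class Request:
    """Context dimensions from the 'An Entity / Using / From / To Access / When' slide."""
    who: Dict[str, Attr]      # entity attributes, e.g. how the user authenticated
    using: Dict[str, Attr]    # device attributes, e.g. org-managed or personal
    frm: Dict[str, Attr]      # network-path attributes, e.g. org network / VPN / Internet
    resource: str             # what is being accessed
    when: datetime            # when the request is made


@dataclass
class Policy:
    resource: str
    min_quality: float                           # relying party's risk appetite
    required: Dict[str, Dict[str, set]]          # dimension -> attr name -> allowed values
    hours: Optional[Tuple[time, time]] = None    # normal working hours, or None for any time


def _usable(attrs: Dict[str, Attr], name: str, min_quality: float):
    """Return an attribute's value only if its disclosed quality meets the RP's bar;
    a low-quality (e.g. self-asserted) attribute is treated as absent."""
    a = attrs.get(name)
    if a is None or a.quality < min_quality:
        return None
    return a.value


def decide(req: Request, policy: Policy) -> Tuple[bool, List[str]]:
    """Evaluate one request against one policy; returns (permit, reasons for denial)."""
    if req.resource != policy.resource:
        return False, ["policy does not cover this resource"]
    reasons: List[str] = []
    for dim, attrs in (("who", req.who), ("using", req.using), ("from", req.frm)):
        for name, allowed in policy.required.get(dim, {}).items():
            val = _usable(attrs, name, policy.min_quality)
            if val is None:
                reasons.append(f"{dim}.{name}: missing or quality below {policy.min_quality}")
            elif val not in allowed:
                reasons.append(f"{dim}.{name}={val!r} not in {sorted(allowed)}")
    if policy.hours is not None:
        start, end = policy.hours
        if req.when.weekday() >= 5 or not (start <= req.when.time() < end):
            reasons.append("when: outside normal hours")
    return (not reasons), reasons


# Hypothetical policy for the 'Admin functions' resource: OTP-authenticated entity,
# on an org-managed PC, from the org network or VPN, during normal hours only.
ADMIN_POLICY = Policy(
    resource="admin_functions",
    min_quality=0.8,
    required={
        "who": {"authn_method": {"software_otp", "hardware_otp"}},
        "using": {"device_type": {"org_pc"}},
        "from": {"network": {"org_network", "vpn"}},
    },
    hours=(time(8, 0), time(18, 0)),
)


def sample_requests() -> Dict[str, Request]:
    """Constructed requests: one that should pass and two that should be denied."""
    otp = Attr("software_otp", 0.95, "home-org IdP")          # authoritative source
    managed = Attr("org_pc", 0.90, "device management")       # authoritative source
    claimed = Attr("org_pc", 0.50, "user agent string")       # self-asserted, low quality
    vpn = Attr("vpn", 0.90, "VPN gateway")
    tue_10am = datetime(2013, 6, 18, 10, 0)   # date of the panel, a Tuesday
    sat_10am = datetime(2013, 6, 22, 10, 0)
    base = dict(who={"authn_method": otp}, frm={"network": vpn}, resource="admin_functions")
    return {
        "ok": Request(using={"device_type": managed}, when=tue_10am, **base),
        "weak_device_attr": Request(using={"device_type": claimed}, when=tue_10am, **base),
        "weekend": Request(using={"device_type": managed}, when=sat_10am, **base),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        print(label, decide(req, ADMIN_POLICY))
```

The point of the quality field is the slide's last bullet: the same device attribute is accepted when it comes from device management and rejected when it is only claimed by the user agent, and the reason string tells the auditor which attribute and which bar caused the denial.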
Ted Sobel, DHS Policy/SCO
Minimum Standards for the Assertion, Evidence, and Verification of Personal Identity
The Identity Proofing and Verification (IDPV) Standard Development Project
Ted Sobel, DHS Office of Policy / Screening Coordination Office (SCO), June 2013
Background: Need
• Common practices to support an identity chain of trust
• Requirements that align with established risk categories
• Evaluating how an organization proofed an identity
Design: Hierarchy
• Identity: defines a unique identity
• Attribute: authenticates the asserted attributes
• Evidence: determines the degree of confidence in the evidence
• Verification Checks
Design: Example
• Identity: Robert Smith
• Attribute: Legal First & Last Name; Full Date of Birth
• Evidence: Driver's License
• Verification Checks: check DMV records; examine security features; manually match photo
Attribute Exchange and Information Sharing in Action Dieter Schuller
Authoritative Attribute Exchange Services (AAES)
• Authoritative Sources: Databases, Active Directory, LDAP, Other Applications
• AAES Infrastructure: Authoritative Attribute Manager; Authoritative Attribute Distributer
• Consumers: Browser, Web services application, Mobile, Other Apps
How to Avoid This?
What You Have…                                  What the Other Party Expects…
samAccountName=Ellen_Adams                      UID=Ellen_Adams
givenName=Ellen, sn=Adams, memberOf=Sales       Group=Seattle
employeeType=manager                            securitylevel=1
samAccountName=Ellen_Adams                      ProjectMembers=Ellen_Adams, Joe_Smith, Tom_Leahy
st=WA                                           State=Washington
And This?
Lessons Learned
• Correlation: same users, different IDs (RJones vs RobertaJ). No SSO unless you have this.
• Disambiguation: same IDs, different users (RJones). Potential for authorization based on the wrong profile.
• Profile lookup at directory speeds
• Groups matching application needs
• Translation of protocol, schema, structure, and data
• Scalability and performance of a directory
• Global user list (union)
• Complete profile (join)
• Group management
• Consumer-specific views
• Smart sync cache
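The two slides above show the attribute translation problem (the AD schema you have versus the schema the other party expects) and the correlation/disambiguation problem (one person with two login IDs, or one login ID shared by two people). The following is an added worked example, written for this page and not Radiant Logic's product code; the sample records, the e-mail address used as correlation key, the LDAP-side attribute names, and the value maps (state code to state name, employeeType to securitylevel, group to site) are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample populations. The AD attribute names are those on the slide;
# everything else (values, the LDAP records, the mail key) is hypothetical.
AD_USERS = [
    {"samAccountName": "Ellen_Adams", "givenName": "Ellen", "sn": "Adams",
     "memberOf": ["Sales", "Seattle_Project"], "employeeType": "manager",
     "st": "WA", "mail": "Ellen.Adams@example.org"},
    {"samAccountName": "Joe_Smith", "givenName": "Joe", "sn": "Smith",
     "memberOf": ["Seattle_Project"], "employeeType": "staff",
     "st": "WA", "mail": "joe.smith@example.org"},
    {"samAccountName": "RJones", "givenName": "Roberta", "sn": "Jones",
     "memberOf": ["Sales"], "employeeType": "staff",
     "st": "OR", "mail": "roberta.jones@example.org"},
]
LDAP_USERS = [
    {"uid": "RobertaJ", "mail": "roberta.jones@example.org", "ou": "Finance"},  # same person as AD RJones
    {"uid": "RJones", "mail": "richard.jones@example.org", "ou": "Legal"},      # different person, same ID
]

# Hypothetical data-translation tables (the "translation of data" lesson).
STATE_NAMES = {"WA": "Washington", "OR": "Oregon"}
SECURITY_LEVEL = {"manager": 1, "staff": 2}
SITE_OF_GROUP = {"Seattle_Project": "Seattle"}   # memberOf value -> consumer's Group value


def translate(ad_user: Dict) -> Dict:
    """Rewrite one AD record into the schema the other party expects
    (renamed attributes, mapped values, derived Group)."""
    out = {
        "uid": ad_user["samAccountName"],
        "cn": f"{ad_user['givenName']} {ad_user['sn']}",
        "State": STATE_NAMES.get(ad_user.get("st"), ad_user.get("st")),
    }
    if ad_user.get("employeeType") in SECURITY_LEVEL:
        out["securitylevel"] = SECURITY_LEVEL[ad_user["employeeType"]]
    sites = sorted({SITE_OF_GROUP[g] for g in ad_user.get("memberOf", []) if g in SITE_OF_GROUP})
    if sites:
        out["Group"] = sites[0] if len(sites) == 1 else sites
    return out


def project_members(ad_users: List[Dict], group: str) -> List[str]:
    """Invert per-user memberOf into the member list a consumer expects
    (the structure translation behind ProjectMembers=...)."""
    return sorted(u["samAccountName"] for u in ad_users if group in u.get("memberOf", []))


def correlate(ad_users: List[Dict], ldap_users: List[Dict], key: str = "mail") -> Tuple[Dict, Dict]:
    """Union the populations on a correlation key and join their attributes into one
    profile per person (the global user list / complete profile lessons).
    Returns (profiles keyed by normalised key, collisions), where a collision is a
    login ID that resolves to more than one person across sources: the
    disambiguation case that would otherwise authorize against the wrong profile."""
    profiles: Dict[str, Dict] = {}
    seen_ids: Dict[str, set] = {}
    for src, users, id_attr in (("ad", ad_users, "samAccountName"), ("ldap", ldap_users, "uid")):
        for u in users:
            k = u[key].strip().lower()                 # normalise before matching
            prof = profiles.setdefault(k, {"ids": {}})
            prof["ids"][src] = u[id_attr]              # keep every source's ID for SSO
            for attr, val in u.items():
                if attr not in (key, id_attr):
                    prof.setdefault(attr, val)         # first authoritative value wins
            seen_ids.setdefault(u[id_attr], set()).add(k)
    collisions = {i: sorted(ks) for i, ks in seen_ids.items() if len(ks) > 1}
    return profiles, collisions


if __name__ == "__main__":
    print(translate(AD_USERS[0]))
    print("Seattle_Project members:", project_members(AD_USERS, "Seattle_Project"))
    profiles, collisions = correlate(AD_USERS, LDAP_USERS)
    print("Roberta's IDs:", profiles["roberta.jones@example.org"]["ids"])
    print("ambiguous IDs:", collisions)
```

Run as a script, it shows RJones/RobertaJ joined into one profile with both IDs (correlation), and the AD RJones and the LDAP RJones reported as a collision because they resolve to different people (disambiguation); a virtual directory would refuse to answer an authorization lookup on a colliding ID until it is qualified by source or by the correlation key.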
Identity and Context Virtualization (diagram): Population A, Population B, and Population C are reached over LDAP, SQL, and Web Services/SOA; the virtualization layer performs Aggregation, Correlation, and Integration to produce Groups, Roles, and Contexts; services are exposed over SCIM and REST to App A through App F.
How to Get There?
John Wandelt, GTRI
34 Enabling Scalable Secure Information Exchange Through Trusted Attributes John Wandelt Georgia Tech Research Institute
GFIPM Standards and Products (status map; the status colour of each item is not recoverable from the transcript)
• Outreach & Marketing Resources: OJP Portal; Doc Map; Term Matrix; Web Svc CONOPS; Web Site; Overview Doc; Exec Overview; Training Modules
• Technical Assistance Resources: Impl Guide; Ref Federation; U2S Impl Kit; S2S Impl Kit; Impl Web Portal; Join-or-Build?; TIB Onboarding Guide
• Communication Profiles: Web Browser User-to-System Profile; Web Services System-to-System Profile; REST Web Services System-to-System Profile; Mobile Device App Profile; Mobile CONOPS; BAE Profile
• Core Tech. Standards & Guidelines: Metadata 1.0; Metadata 2.0; Crypto Trust Model
• Fed. Org. Guidelines: Fed. CPS Template; Fed. Member CP Template; Gov. Guideline; Operational Policies & Procedures Guideline; Membership Agreements Set; Federation Audit Policy; Federation Attribute Release Policy; Alignment CONOPS
Legend: Normative Spec Complete & Approved (if applicable); Under Development (Timeline TBD); Published or Released Since Previous DT Meeting; Likely to be Updated in 2013; Deprecated and/or Out-of-Date
National Identity Exchange Federation
GFIPM Metadata 2.0 NIEF Profile
• MANDATORY (required for audit purposes): Federation Id; Given Name; Sur Name; Address Text; Telephone Number; Employer Name; Identity Provider Id
• HIGHLY RECOMMENDED (required by two or more SPs): SLEO Indicator; Public Safety Officer Indicator; Employer ORI; Employer Organization General Category Code; Electronic Authentication Assurance Level Code; Id Proofing Assurance Level Code; 28 CFR Certification Indicator
• RECOMMENDED (required by one SP): NCIC Certification Indicator; Counter-Terrorism Data Privilege Indicator *; Criminal Investigative Data Privilege Indicator *; Criminal Intelligence Data Privilege Indicator *; Criminal Justice Data Privilege Indicator *; Government Data Privilege Indicator *; Local Id; N-DEx Privilege Indicator
• All other attributes are PERMITTED.
* Indicates presence of search privilege on behalf of self in user's home agency.
Use Case Example
Law enforcement officers from the Texas Department of Public Safety need fast, reliable access to gang- and criminal-related information while in the field. The Regional Information Sharing System (RISS) has a database of intelligence information that would allow an officer to conduct a quick background check on potential criminal suspects and assess their criminal history and personal information. In order for a law enforcement officer to gain access to the system at RISS, he or she must have successfully completed the 28 CFR Part 23 training with the Bureau of Justice Assistance.
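The NIEF profile slide lists which GFIPM attributes an identity provider must, should, and may assert, and the use case above turns one of them (28 CFR certification) into an access condition at a service provider. The following is an added worked example, written for this page and not NIEF or GFIPM reference code: it checks an incoming attribute set against the profile tiers, extracts the audit record the mandatory tier exists for, and applies a hypothetical RISS rule. The attribute names are the display names from the slide used as dictionary keys (not the formal GFIPM metadata identifiers), and the sample assertions and their values are constructed.

```python
from typing import Dict, List, Tuple

# Tiers exactly as listed on the NIEF profile slide; keys are display names.
MANDATORY = (
    "Federation Id", "Given Name", "Sur Name", "Address Text",
    "Telephone Number", "Employer Name", "Identity Provider Id",
)
HIGHLY_RECOMMENDED = (
    "SLEO Indicator", "Public Safety Officer Indicator", "Employer ORI",
    "Employer Organization General Category Code",
    "Electronic Authentication Assurance Level Code",
    "Id Proofing Assurance Level Code", "28 CFR Certification Indicator",
)
RECOMMENDED = (
    "NCIC Certification Indicator", "Counter-Terrorism Data Privilege Indicator",
    "Criminal Investigative Data Privilege Indicator",
    "Criminal Intelligence Data Privilege Indicator",
    "Criminal Justice Data Privilege Indicator", "Government Data Privilege Indicator",
    "Local Id", "N-DEx Privilege Indicator",
)


def _is_true(value) -> bool:
    """Indicator attributes may arrive as booleans or as the strings a SAML
    attribute statement carries; anything else (absent, 'false', '') is not true."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def check_profile(assertion: Dict[str, object]) -> Tuple[bool, List[str], List[str]]:
    """Return (audit_ok, missing_mandatory, missing_recommended).
    A missing or empty mandatory attribute makes the assertion unusable for audit;
    missing recommended attributes are only reported, since each SP decides which it needs."""
    missing_mandatory = [a for a in MANDATORY if not assertion.get(a)]
    missing_recommended = [a for a in HIGHLY_RECOMMENDED + RECOMMENDED if a not in assertion]
    return (not missing_mandatory), missing_mandatory, missing_recommended


def audit_record(assertion: Dict[str, object]) -> Dict[str, object]:
    """The subset an SP logs with every access: exactly the mandatory tier."""
    return {a: assertion[a] for a in MANDATORY if a in assertion}


def riss_decision(assertion: Dict[str, object],
                  required_indicators=("28 CFR Certification Indicator",)) -> Tuple[bool, List[str]]:
    """Hypothetical SP rule for the RISS intelligence database from the use case:
    the assertion must be auditable and each required indicator must be asserted true."""
    ok, missing, _ = check_profile(assertion)
    if not ok:
        return False, [f"not auditable: missing {missing}"]
    reasons = [f"{name} not asserted true" for name in required_indicators
               if not _is_true(assertion.get(name))]
    return (not reasons), reasons


def sample_assertions() -> Dict[str, Dict[str, object]]:
    """Constructed assertions for one Texas DPS officer; all values are made up."""
    base = {
        "Federation Id": "TXDPS:officer-00421",
        "Given Name": "Pat", "Sur Name": "Garcia",
        "Address Text": "5805 N Lamar Blvd, Austin, TX",
        "Telephone Number": "+1-512-555-0100",
        "Employer Name": "Texas Department of Public Safety",
        "Identity Provider Id": "idp.txdps.example",
        "SLEO Indicator": True,
        "Electronic Authentication Assurance Level Code": "2",
    }
    trained = {**base, "28 CFR Certification Indicator": "true"}    # string form from SAML
    untrained = {**base, "28 CFR Certification Indicator": False}
    incomplete = {k: v for k, v in trained.items() if k != "Telephone Number"}
    return {"trained": trained, "untrained": untrained, "incomplete": incomplete}


if __name__ == "__main__":
    for label, a in sample_assertions().items():
        print(label, riss_decision(a), "audit:", audit_record(a))
```

The separation matters in practice: an assertion that fails the mandatory tier is rejected before any privilege is evaluated, because an access that cannot be attributed to a federated identity cannot be audited, whereas a missing recommended attribute simply means this SP's rule cannot be satisfied.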
Scenario Technical Overview
For More Information
• GFIPM:
• NIEF: https://nief.gfipm.net/
• Global Information Sharing Initiative: