Presentation is loading. Please wait.

Presentation is loading. Please wait.

John Wandelt Mar 2015. National Information Sharing and Safeguarding How can the ISE support? Reduce information sharing frictionReduce information sharing.

Published byAllan Green Modified over 9 years ago

Similar presentations

Presentation on theme: "John Wandelt Mar 2015. National Information Sharing and Safeguarding How can the ISE support? Reduce information sharing frictionReduce information sharing."— Presentation transcript:

1 John Wandelt Mar 2015

2 National Information Sharing and Safeguarding How can the ISE support? Reduce information sharing frictionReduce information sharing friction – increase volume and velocity, reduce cost and time, etc. Reduce RiskReduce Risk – Allow for better risk assessment and decision making - does not mean eliminate risk Increase Agility and ResiliencyIncrease Agility and Resiliency

3 Trusted Information Sharing Between Organizations Requires Agreement Resource Owner Resource Requester Resource Requester 3

4 Agreement Often Necessary Across Many Dimensions Resource Owner Resource Requester An agreement between stakeholders consisting of: Business Requirements Selection of standards and profiles of those standards Identity Proofing Acceptable credential types Levels of Assurance Levels of Protection- Security Controls Privacy Policies Auditing expectations Legal obligation and liability clauses Dispute resolution process Governance structure

5 Direct Trust 3 rd Party Trust Reputational Trust Residual Risk Trust Models and Concepts

6 It Is Challenging to Establish Trust Across a Large Diverse COI or ISE Resource Requester Resource Requester Resource Requester Resource Requester Resource Owner Resource Owner Resource Owner Resource Owner Resource Requester Resource Requester Resource Requester Resource Owner Resource Owner Resource Owner Resource Owner Resource Owner Resource Owner Resource Owner Resource Owner Resource Requester 6

7 Agreement (and Trust) Is Hard To Scale Agreement # of Participants, COIs, Use Cases The Need The Reality

8 Not all use cases are known up front Not all requirements are known up front Not all stakeholders are known up front Must leverage much of what is in place Adoption will happen over an extended period of time in varying degrees and rates By the time we think we get it figured out something will change…. ISE Facts of Life 8

9 Information Sharing Environment Challenge

10 The Perspective from the LE Community Required to share data across jurisdictions Law Enforcement COI has over 1 million people in the US alone 18,000 US LE agencies LE agencies are autonomous (NOT centrally funded) LE agencies are autonomous (NOT centrally funded) Trust between agencies is a fundamental requirement But must obey applicable access controls when sharing 3 rd party trust is required due to COI size and complexity Federal Agencies State Agencies Local Agencies Tribal Agencies Task Forces Fusion Centers LE agencies are highly heterogeneous Legitimate business need to interact with many other COIs Most users must have high-assurance credentials

11 ISE Vision: What if?

12 Realization: “Identity the Great Enabler”

13 Today’s Identity Mgmt. Macro Environment GFIPM is no longer the “only game in town” Must consider GFIPM touch-points to other IdM programs FICAM, SICAM, NSTIC, BAE, FirstNet, etc. Non-operational programs cannot lead the way Must incorporate operational experience into GFIPM specs

14 Identity Federation Implication Application (Service Provider) Application (Service Provider) Identity Provider Identity Provider User Application (Service Provider) Application (Service Provider) Application (Service Provider) Application (Service Provider) Application (Service Provider) Application (Service Provider) Application (Service Provider) Application (Service Provider) Standard Protocols So what about Trust, Liability, Security, Privacy, Interoperability? Decouple Identities from Applications! Attribute Provider Attribute Provider 14

15 15 ABA Trust Framework Perspective Contract: “I Agree” to... Existing Law Warranties Dispute Resolution Measure of Damages Enforcement Mechanisms Termination Rights Liability for Losses Existing Law Privacy Standards Credential Issuance Authentication Requirements Reliance Rules Audit & Assessment Oversight Credential Management Security Standards Identity Proofing Technical Specifications Enrolment Technical and Operational Specifications Legal Rules Enforcement Element 15

16 Trust Frameworks Business Requirements Selection of standards and profiles of those standards Identity Proofing Acceptable credential types Levels of Assurance Levels of Protection- Security Controls Privacy Policies Auditing expectations Legal obligation and liability clauses Dispute resolution process Governance structure CSDII 16

17 Current State of the Identity Ecosystem ISE A IDP AP RP IDP RP Federation B Federation B IDP AP RP IDP RP Community of Interest C Community of Interest C IDP AP RP IDP RP ID Trust Framework A ID Trust Framework B ID Trust Framework C There exist many Trust Frameworks. Each Trust Framework requires agreement across many dimensions. Many Trust Frameworks are monolithic and opaque. 17

18 Achieving Cross-Framework Trust ISE A IDP AP RP IDP RP Federation B Federation B IDP AP RP IDP RP Community of Interest C Community of Interest C IDP AP RP IDP RP Suppose this user needs access to this RP. ID Trust Framework A ID Trust Framework B ID Trust Framework C 18

19 National Identity Exchange Federation (NIEF) Objectives Share user identity and attribute information for authentication, identification, authorization, auditing Share agency and resource metadata information Provide onramp and roadmap other relevant ICAM initiatives Provide an operational trust framework for doing the above Educate and provide technical assistance Established in 2008 as an outgrowth of the Global Federated Identity and Privilege Management (GFIPM) Initiative with a focus on justice and public safety agencies at the federal, state, and local level. 19

20 NIEF Challenges 20

21 NSTIC Trustmark Pilot Team 21

22 Our Approach: Componentization and Machine Readability (“Trustmarks”) …then we get: If the frameworks were modular… Greater transparency of trust framework requirements Greater ease of comparability between frameworks Greater potential for reusability of framework components Greater potential for participation in multiple trust frameworks by ID Ecosystem members with incremental effort and cost And, most importantly: ID Trust Framework B ID Trust Framework A NIST 800-63 LOA 3 NIST 800-63 LOA 3 OAuth ID Trust Framework C FIPS 200 FICAM SAML SSO FIPPs OpenID

23 A Trustmark Framework ID Trust Framework B ID Trust Framework A NIST 800-63 LOA 3 NIST 800-63 LOA 3 ID Trust Framework C FICAM SAML SSO FIPPs OAuth OpenID FIPS 200 These modular components are called Trustmarks. Think of trustmarks as mini reusable certifications. These modular components are called Trustmarks. Think of trustmarks as mini reusable certifications. 23

24 FICAM SAML SSO Profile NIST 800-63 / FICAM LOA 3 Identity Fair Information Practice Principles (FIPPs) FIPS 200 Security Practices GFIPM Metadata Registry (User Attributes) Scope of Trustmarks Trustmark Policies & Trustmark Agreements 24

25 Bundling of Components for Business Context Components COI A Federation B Trust Framework C Privacy Security Interoperability Legal Business Continuity Personnel Other Component Types (Examples) 25

26 A Trustmark-Based Ecosystem IDP AP RP IDP AP RP IDP RP IDP RP IDP RP AP IDP ID Trust Framework B ID Trust Framework A ID Trust Framework C Existing Trust Frameworks could be expressed as a set of components called a TIP. Trust Interoperability Profile B Trust Interoperability Profile A Trust Interoperability Profile C 26

27 A Trustmark-Based Ecosystem IDP AP RP IDP AP RP IDP RP IDP RP IDP RP AP IDP Then each member of the community can acquire the necessary Trustmarks based on the TIP. TIP B TIP A TIP C Trustmarks can be acquired through a Trustmark Provider. Trustmark Provider There can be many Trustmark Providers in the ID Ecosystem. Trustmark Provider 27

28 A Trustmark-Based Ecosystem IDP AP RP IDP AP RP IDP RP IDP RP IDP RP AP IDP Trustmarks can be stored in a searchable Trustmark Registries or shared directly with partners. TIP B TIP A TIP C Trustmark Registry IDP X: RP Y: Etc. Trustmark Registry IDP X: RP Y: Etc. Trustmark Registry IDP X: RP Y: Etc. 28

29 Trustmark Defining Organization Stakeholder Community Trustmark Definition Is Represented By Defines Trustmark Recipient Trustmark Relying Parties Org. 1 Org. 2 End User Trust Interop Profile Trustmark A Trustmark B Trustmark C Is Used By Is Required By Is Trusted By Trustmark Provider Is Required By Issues The Trustmark Framework Normative Specs Required

30 Trustmark Definitions Metadata: Publisher: U.S. General Services Administration Name: NIST/FICAM LOA 2 IDPO TD URL: Description and Intended Purpose: … Target Stakeholder Audience: … Date of Publication: 15 Apr 2014 Version: 1.0 Visual Icon: Metadata: Publisher: U.S. General Services Administration Name: NIST/FICAM LOA 2 IDPO TD URL: Description and Intended Purpose: … Target Stakeholder Audience: … Date of Publication: 15 Apr 2014 Version: 1.0 Visual Icon: Conformance Criteria: Conformance to the Identity Provider Organization (IDPO) conformance target of this TD requires the following. 1.The IDPO MUST … 2.The IDPO MUST … 3.The IDPO MAY … 4.… Conformance Criteria: Conformance to the Identity Provider Organization (IDPO) conformance target of this TD requires the following. 1.The IDPO MUST … 2.The IDPO MUST … 3.The IDPO MAY … 4.… Assessment Process: Before issuing a trustmark subject to this TD, a Trustmark Provider MUST complete the following assessment steps. 1.The TP MUST … 2.The TP MUST … 3.The TP MUST … Assessment Process: Before issuing a trustmark subject to this TD, a Trustmark Provider MUST complete the following assessment steps. 1.The TP MUST … 2.The TP MUST … 3.The TP MUST … Certification as a Trustmark Provider: Before an entity may issue trustmarks subject to this TD, it MUST complete the following certification process. 1.The entity MUST … 2.The entity MUST … 3.The entity MUST … Certification as a Trustmark Provider: Before an entity may issue trustmarks subject to this TD, it MUST complete the following certification process. 1.The entity MUST … 2.The entity MUST … 3.The entity MUST … Trustmark Extension Schema: Trustmarks issued subject to this TD MUST conform to the Trustmark Base Schema, and MUST also conform to the following Trustmark Extension Schema. Trustmark Extension Schema: Trustmarks issued subject to this TD MUST conform to the Trustmark Base Schema, and MUST also conform to the following Trustmark Extension Schema. XSD XML ?

31 CJISPIV-I GFIPM FICAM NIEF Others Creating Modular Common Components Transformation Process Step 1: Gather trust and interop requirements from many frameworks Step 2: Break down and reassemble requirements into modular, reusable components Step 3: Express modularized requirements in a standard format to encourage broad reuse Trustmark Definition Trustmark Definition Trustmark Definition

32 Sample Trustmark Definition https://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/

33 Example Conformance Criteria: Registration and Issuance 33

34 Example Assessment Steps: Registration and Issuance 34

35 Trust Interoperability Profile (TIP): Bundling Trustmarks for Business Context Metadata: Publisher: U.S. Dept. of Justice URL: Name: U.S. Law Enforcement Community Info Sharing TIP Description and Intended Purpose: … Date of Publication: 15 Jun 2014 Version: 1.0 Digital Signature of Issuer: Metadata: Publisher: U.S. Dept. of Justice URL: Name: U.S. Law Enforcement Community Info Sharing TIP Description and Intended Purpose: … Date of Publication: 15 Jun 2014 Version: 1.0 Digital Signature of Issuer: Trust and Interoperability Criteria: Identity Provider Organization (IDPO) Trustmark Requirements: Service Provider Organization (SPO) Trustmark Requirements: Trust and Interoperability Criteria: Identity Provider Organization (IDPO) Trustmark Requirements: Service Provider Organization (SPO) Trustmark Requirements: XML TrustmarkRequirementApproved Trustmark Providers FICAM SAML SSO IDP MUST HAVENIEF or IJIS NIEF/FICAM LOA 2 IDPO MUST HAVENIEF or Kantara NIEF Attribute Profile IDPO MUST HAVE(ANY) XYZ Privacy Policy IDPO SHOULD HAVE(ANY) TrustmarkRequirementApproved Trustmark Providers FICAM SAML SSO SP MUST HAVENIEF or IJIS NIEF Attribute Profile SPO MUST HAVE(ANY) XYZ Privacy Policy SPO MUST HAVE(ANY)

36 Development & Refinement of Trustmark Concept Technical Framework 1.0 https://trustmark.gtri.gatech.edu/specifications/trustmark- framework/1.0/https://trustmark.gtri.gatech.edu/specifications/trustmark- framework/1.0/ NIEF Trustmark (Component) Definitions (62) https://trustmark.gtri.gatech.edu/operational-pilot/trustmark- definitions/https://trustmark.gtri.gatech.edu/operational-pilot/trustmark- definitions/ NIEF Trust Interoperability Profiles (10) https://trustmark.gtri.gatech.edu/operational-pilot/trust- interoperability-profiles/https://trustmark.gtri.gatech.edu/operational-pilot/trust- interoperability-profiles/ Development of Software Tools Trustmark Assessor Tool, Trust Fabric Registry, & Others Socialization of Trustmark Concept NPO, NIEF, IDESG, & Others Trustmark Pilot Website: https://trustmark.gtri.gatech.eduhttps://trustmark.gtri.gatech.edu Progress to Date

37 The NIEF Trustmark Legal Framework Trustmark Provider Trustmark Recipient Trustmark Relying Party Trustmark Policy Trustmark Trustmark Recipient Agreement Trustmark Relying Party Agreement Explicit Relationship Explicit Relationship Implicit Relationship Explicit Reference

38 Phase1 Trustmark Pilot Participants “As DPS moves toward enabling more services through federated standards, the ability to expose these services via the NIEF trustmark framework will allow DPS to better serve the Texas law enforcement and first responder community.”

39 ALABAMA SECURE SHARING UTILITY for RECIDIVISM ELIMINATION (ASSURE) Goals Improve communication among entities responsible for providing and coordinating mental health and substance use services Improve continuity of care to individuals who move between incarceration and the free world Increase awareness of availability of community-based mental health services Produce a more accurate and complete profile of offenders Increase effectiveness and efficiency of the intake and classification process Reduce reliance on emergency department services Refer people leaving correctional facilities to community-based behavioral health and substance use treatment services Provide clinical information to assist with their treatment Ensure timely access to essential medications for people entering or leaving jail or prison Link correctional health providers to ADMH and community-based behavioral health services Reduce recidivism by ensuring that offenders – whether in a community or incarceration setting – receive services matched to their individual needs such as Educational, Vocational, Rehabilitation and Treatment Justice-to-Health Collaboration Alabama Board of Pardons and Paroles (ABPP) Alabama Department of Corrections (ADOC) Alabama Department of Mental Health (ADMH) Community Mental Health Centers (CMHC) ADMH Substance Abuse Contract Providers Contact Richard Fiore at 334.242.3117 or Richard.Fiore@MyAlabama.gov Purpose Create a secure, web-based portal to share appropriate information regarding clients, probationers and inmates Highlights Based on Global Standards: GRA, NIEM, GFIPM as well as Trustmark framework Funded by BJA 2013-DB-BX-K059 and 2014-DB-BX-K003

40

41 Trustmark Assessment Tool Process Flow Trustmark Assessment Tool Database Trustmark Assessment Tool FICAM LOA 2 Authn Process TD FICAM LOA 2 Authn Process TD Trustmark Provider Trustmark Recipient Candidate Trustmark Definitions 1. Load TDs into Assessment Tool 2. Receive request for trustmark from Trustmark Recipient Candidate 3. Perform assessment of Trustmark Recipient Candidate 4. Store assessment artifacts / evidence in database 5. Issue trustmark to Trustmark Recipient

42 Sample Screen Shot from Trustmark Assessment Tool

43 NIEF Trustmark Issuance and Binding NIEF Trust Fabric Registry NIEF Trust Fabric Registry NIEF Trustmark Assessment Processes Trustmark 1 Trustmark 2 Trustmark N NIEF Trust Fabric Entry Trustmark 1 Trustmark 2 Trustmark N Signed by NIEF NIEF Member Agency (Trustmark Recipient) NIEF Member Agency (Trustmark Recipient) Trustmark Assessment Tool Trust Fabric Entry Editor Trust Fabric Registry Manager Tool

44 NIEF Trustmark Usage by TRPs NIEF Trust Fabric Registry NIEF Trust Fabric Registry Trustmark Relying Party 1. Query for trust fabric entries with required trustmarks, in accordance with local TIP Trust Interoperability Profile (TIP) 2. Receive matching trust fabric entries 3. Install entries in local product https://nief.gfipm.net/trust-fabric/

45 See previous lessons learned and open questions at: https://trustmark.gtri.gatech.edu/trustmark-pilot-results/insights/ Previous Lessons Learned

46 We learned new lessons in the areas of: Trustmark Practicalities and Tradeoffs Trustmark Assessment, Issuance, and Mgmt. Trustmark Legal Agreements Trustmark Binding Some New Lessons Learned

47 Tradeoffs in Decomposition of Requirements Best Practices for Communities in Defining and Documenting Requirements Staged Adoption of Trustmarks Reputational Trust and Residual Risk Reuse of Assessment Results Value of Software Tools Within the Trustmark Framework Value of a Trustmark Framework Technical Spec Handling “Partial” Conformance Realities of Rigorous Trustmark Assessment Legal Framework is Acceptable to NIEF Members Trustmark Binding New Lesson Highlights

48 What does an IDESG Trustmark mean? What is the basis for Trust? How do I use it? How does it relate/map to my COI/TFP/Federation/requirements? Can it be extended and/or constrained? How does it get life-cycle managed? What is the motivation for adoption? Some Questions

49 https://trustmark.gtri.gatech.edu Learn More Here

Download ppt "John Wandelt Mar 2015. National Information Sharing and Safeguarding How can the ISE support? Reduce information sharing frictionReduce information sharing."

Similar presentations

Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
1 1 GFIPM Enabling Federated Identity and Single Sign-on John Ruegg LA County Information Systems Advisory Body June 11, 2014.

1 1 GFIPM Enabling Federated Identity and Single Sign-on John Ruegg LA County Information Systems Advisory Body June 11, 2014.
ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.

ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.
TFTM 01-06 Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, 2014 1-14-2014IDESG TFTM Committee1.

TFTM Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, IDESG TFTM Committee1.
This work was performed under the following financial assistance award 70NANB13H189 from the U.S. Department of Commerce, National Institute of Standards.

This work was performed under the following financial assistance award 70NANB13H189 from the U.S. Department of Commerce, National Institute of Standards.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair

IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair
Componentization of FICAM TFS into Trustmarks Sample FICAM Trustmark Definition Overview of Trustmark Issuance and Binding Agenda.

Componentization of FICAM TFS into Trustmarks Sample FICAM Trustmark Definition Overview of Trustmark Issuance and Binding Agenda.
Federations in Texas Barry Ribbeck University of Texas Health Science Center at Houston.

Federations in Texas Barry Ribbeck University of Texas Health Science Center at Houston.
Framework Planning Draft 1 Jack Suess Ian Glazer Peter Alterman Andrew Hughes Michael Garcia.

Framework Planning Draft 1 Jack Suess Ian Glazer Peter Alterman Andrew Hughes Michael Garcia.
Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.

Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.
Building Trusted Transactions Identity Authentication & Attribute Exchange In Public and Private Federations OASIS Conference September 2010 Joni Brennan,

Building Trusted Transactions Identity Authentication & Attribute Exchange In Public and Private Federations OASIS Conference September 2010 Joni Brennan,
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
This presentation was prepared by Georgia Tech Research Institute using Federal funds under award 70NANB13H189 from National Institute of Standards and.

This presentation was prepared by Georgia Tech Research Institute using Federal funds under award 70NANB13H189 from National Institute of Standards and.
1 Data Strategy Overview Keith Wilson Session 15.

1 Data Strategy Overview Keith Wilson Session 15.
Introduction to OIX: A Market Solution to Online Identity Trust Don Thibeau.

Introduction to OIX: A Market Solution to Online Identity Trust Don Thibeau.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Global Federated Identity & Privilege Management GFIPM John Ruegg, Director LA County ISAB United States Department of Justice.

Global Federated Identity & Privilege Management GFIPM John Ruegg, Director LA County ISAB United States Department of Justice.

Similar presentations

Ads by Google