Adoption of PKI: Where are we, where should we be, what’s holding us back, and where do we want to go? And: what about authentication vs. authorization?
Rich Guida

What are the framing issues?
- What applications need authentication, e-signatures, or confidentiality?
- What determines the degree of need?
- What is the nature of the population of users an application serves?
- What is the span of control of the PKI intended to serve that application?
- Do you justify a PKI based on Return on Investment or something else?
- Does the PKI handle user authorization or just authentication?

Where are we?
- PKI is being broadly used for SSL server-side authentication
  - Whether it provides all of the security one might like or not
- PKI is seeing growing acceptance within enterprises as a tool for user authentication, e-signatures, and confidentiality
  - Many examples, government and private sector
- PKI is starting to be used between enterprises and in IPsec
- But PKI is NOT being used globally by consumers
  - With some notable exceptions (e.g., ScotiaBank)
- And PKI is also not being used broadly for user authorization
  - Attribute certificates still a “work in progress”

Where should we be?
- Using PKI broadly for authentication, and ultimately authorization
- Integrating PKI into the network and enterprise directory services, so it can benefit from them
- Providing a common look and feel at the application layer for certificate use
- Making the use of certificates seamless and “reasonably” invisible to the average user

What’s really holding us back?
- Lack of applications that use certificates
- The race to be “second”
- Lack of common semantics (e.g., in certificate policies)
- Organizational politics (e.g., intra-organizational and inter-organizational parochialism, NIH (“not invented here”) syndrome, namespace control, lawyers)
- Dealing with legacy application entanglements
- Lack of an ability to show ROI (a chimera)
- And least of all – the technology

Where do we want to go?
- Depends a lot on your perspective
- Some want to see identity-based PKI burgeon for intra-enterprise use first, then inter-enterprise
- Others want to see identity-based PKI burgeon for dealing with consumers or the public
- Others would like PKI to focus on authorization rather than authentication
- Still others think we should use some other technology entirely
  - But what? Passwords? Biometrics? Each has its own set of problems…

Authentication vs. Authorization
- If an application needs to do one, it probably also needs to do the other
  - Or needs to trust another application (or the network operating system) which has done the other
- Can do both simultaneously, or separately
  - “Should I separate variables before solving this PDE?”
  - (Normally – yes, especially if the PDE is Navier-Stokes!)

Why do Separately?
- Intuitively consistent with processes we are all familiar with
- Required by some (perhaps most) regulations (e.g., FDA 21 CFR Part 11, e-records, and e-signatures)
- Allows PKI to do one while some other process does the other (thus, supports legacy applications that use ACLs)
- Sometimes identity is important separate from authorization (or identity is sufficient by itself – such as patient access to his/her records under HIPAA)

Examples
- Passport
  - To get one, have to prove who you are (don’t even have to indicate “why”) – but if you want to use it, may need a visa (authorization to visit foreign country)
- Driver’s license
  - To get one, had to prove who you are, not just that you can drive a car, and license provides evidence of identity as well as authorization to do something – drive a vehicle
- Getting a credit card
  - To get the card, had to provide evidence of who you are and ability to pay your debts (former needed to establish latter)
  - Arguably you should be asked to provide stronger evidence than credit card companies require (to combat identity theft)
- Using a credit card
  - Some merchants accept card alone for purchase (so it is like an authorization token), but increasingly you have to produce separate identity ID because of problem with fraudulent purchases

Example: Johnson & Johnson PKI
- Directory-centric
  - Enterprise directory serves as authoritative source
  - Certificate contents come solely from directory
- Two identity certificates (signature, encryption), plus role/group certificates
- Hardware token preference (USB iKey2032) but also support software tokens
- In first phase of deployment (about 500 certificates issued), testing underway
- Second phase (full production) later this year
  - Goal is certs for almost all J&J employees plus, where necessary, customers and business partners
  - Expect total number ultimately to be >>100,000
  - Willing to accept non-J&J certs through cross-certification or trust list model

J&J PKI – Key Uses
- Remote authentication with hardware token only (VPN using Nortel Contivity client)
- Authentication to enterprise software (e.g., SAP, Siebel, Oracle)
- Digital signatures to comply with FDA 21 CFR Part 11 (authorization established separately)
- Encryption to comply with the Health Insurance Portability and Accountability Act (HIPAA)
- Secure (signed/encrypted) for clinical trials, financial data, mergers/acquisitions, law department activities
- Automated Lab Instrumentation Management Systems (signatures and encryption)
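The split between authentication and authorization argued for on the “Authentication vs. Authorization” and “Why do Separately?” slides, and the shape of the J&J deployment (directory as the sole source of certificate contents, a signature certificate and a separate encryption certificate per user), as an added Go example. This is not code from the presentation or from J&J’s PKI; the “Example Corp” CA, the directory entry for “jdoe”, the ACL, the one-year validity and the fixed challenge nonce are all constructed for the example. A real relying party would use a random per-login nonce and time.Now().

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixed clock so the run is reproducible; a real relying party uses time.Now().
var issuedAt = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

// Constructed stand-ins: the enterprise directory (sole source of certificate contents) and the ACL (authorization data kept outside the PKI, keyed by identity).
var directory = map[string]pkix.Name{"jdoe": {CommonName: "Jane Doe", OrganizationalUnit: []string{"R&D"}}}
var acl = map[string]map[string]bool{"Jane Doe": {"sign-batch-record": true}}
var serial int64

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key and signs tmpl for it; parent == nil means self-signed.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	serial++
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(serial), issuedAt
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue builds a leaf certificate for directory entry uid; the subject comes from the directory, so a user never chooses their own name.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, uid string, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	name, ok := directory[uid]
	if !ok {
		panic("no directory entry for " + uid)
	}
	return mint(&x509.Certificate{Subject: name, NotAfter: issuedAt.AddDate(1, 0, 0), KeyUsage: ku, ExtKeyUsage: eku}, ca, caKey)
}

// signChallenge is the client side of the proof of possession (token or software key).
func signChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

// authenticate verifies the chain to the enterprise CA, insists on a signature certificate and checks the proof of possession. It yields an identity, never a permission.
func authenticate(roots *x509.CertPool, leaf *x509.Certificate, challenge, sig []byte, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", fmt.Errorf("not a signature certificate")
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", fmt.Errorf("proof of possession: %w", err)
	}
	return leaf.Subject.CommonName, nil
}

// authorize is the separate step the slides argue for: rights come from the ACL, not from the certificate.
func authorize(identity, action string) bool {
	return acl[identity][action]
}

// demo: log in with the signature cert (login and e-signature usages), try the encryption cert (key agreement only, must be refused), then consult the ACL. Returns identity, authorized, encryptionCertRefused.
func demo() (string, bool, bool) {
	ca, caKey := mint(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Example Corp Enterprise CA"}, NotAfter: issuedAt.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	sigCert, sigKey := issue(ca, caKey, "jdoe", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection)
	encCert, encKey := issue(ca, caKey, "jdoe", x509.KeyUsageKeyAgreement, x509.ExtKeyUsageEmailProtection)
	challenge, now := []byte("constructed-nonce-0001"), issuedAt.Add(time.Hour) // random per login in practice
	id, err := authenticate(roots, sigCert, challenge, signChallenge(sigKey, challenge), now)
	check(err)
	_, encErr := authenticate(roots, encCert, challenge, signChallenge(encKey, challenge), now)
	return id, authorize(id, "sign-batch-record"), encErr != nil
}

func main() { fmt.Println(demo()) }
```

The point of the two-step shape: authenticate answers only “which directory entry does this key belong to?” (chain to the enterprise CA, correct certificate type, possession of the private key), and authorize consults data the PKI does not carry. The encryption certificate chains to the same CA for the same person, yet it is refused for login because it lacks the ClientAuth extended key usage and the digitalSignature bit, which is exactly the separation the J&J slides describe (signing for 21 CFR Part 11 with authorization established elsewhere, encryption for HIPAA).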