This presentation was prepared by Georgia Tech Research Institute using Federal funds under award 70NANB13H189 from National Institute of Standards and Technology, U.S. Department of Commerce. The statements, findings, conclusions, and recommendations are those of the author(s) and do not necessarily reflect the view of the National Institute of Standards and Technology or U.S. Department of Commerce.

A Perspective from the LE Community
- Desire to share data across jurisdictions
- The Law Enforcement COI has over 1 million people in the US alone, across 18,000 US LE agencies
- LE agencies are autonomous (NOT centrally funded)
- Trust between agencies is a fundamental requirement, but sharing must still obey applicable access controls
- Includes trusted transactions with private sector participants
- Participants (diagram): Federal Agencies, State Agencies, Local Agencies, Public Sector, Task Forces, Fusion Centers
- LE agencies are highly heterogeneous with legacy investments
- Legitimate business need to interact with many other COIs
- Desire to reuse their existing credentials if possible

Global Information Sharing
- FACA program started in 2005
- Funded by DOJ, DHS, PM-ISE, and others
- The need: standards, profiles, reference implementations, conformance testing, technical assistance
- A complete standards-based solution to federated ID and authorization
- Continued evolution and maturation based on operational experience and new technologies

National Identity Exchange Federation (NIEF)
Objectives:
- Share user identity and attribute information for authentication, identification, authorization, and auditing
- Share agency and resource metadata information
- Provide an onramp and roadmap to other relevant ICAM initiatives
- Provide an operational trust framework for doing the above
- Educate and provide technical assistance
Established in 2008 as an outgrowth of the Global Federated Identity and Privilege Management (GFIPM) Initiative, with a focus on justice and public safety agencies at the federal, state, and local level. Today, NIEF is beginning to expand support to other communities of interest.

NIEF as a Trust Framework
Components of the framework:
- Technical Interoperability
- Technical Trust & Crypto
- COI Attribute Vocabulary
- Legal Agreement
- Certificate Policy
- Audit Policy
- End-User Privacy Policy
- Membership Lifecycle Policy
- Bona Fides Policy

NIEF Onboarding and Trust Fabric
Common Artifacts (all members):
- Application Form
- Authority to Operate Doc(s)
- Local Security Policy
- FIPS 200 Checklist
IDPO Artifacts (identity provider organizations):
- Signed IDPO Agreement
- Local User Agreement
- Local User Vetting Policy
- IDPO Attribute Map
- IDP Implementation Doc
Diagram flow: Form, then Publish (artifacts are submitted with the application, and the resulting entry is published to the trust fabric).

Scaling Challenges 7

Achieving Cross-Framework Trust
Diagram: three separate ID trust frameworks, each with its own IDPs, APs (attribute providers) and RPs:
- ID Trust Framework A (the ISE)
- ID Trust Framework B (Federation B)
- ID Trust Framework C (Community of Interest C)
Suppose a user in one framework needs access to an RP in another.

Challenges with "Inter-federation"
Why is federation-to-federation (IDP in one, RP in the other) trust hard?
1. No two TFs are the same, so mapping trust and interop requirements between them is hard. Think protocols, attributes, policies, etc.
2. TFs are moving targets, which further complicates the mapping process.
3. Transitive trust is diluted trust, so inter-federation trust cannot be as strong as intra-federation trust.
4. Contractual obligations usually cannot be transferred or assigned to 3rd parties, which makes inter-federation legal agreements difficult or impossible to execute.
(Many other issues exist.)

Our Approach: Componentization
Diagram: ID Trust Frameworks A, B and C drawn as sets of shared components (NIST LOA 3, OAuth, FIPS 200, FICAM SAML SSO, FIPPs, OpenID), with the same component appearing in more than one framework.
If the frameworks were modular, then we get:
- Greater transparency of trust framework requirements
- Greater ease of comparability between frameworks
- Greater potential for reusability of framework components
- And, most importantly: greater potential for participation in multiple trust frameworks by ID Ecosystem members with incremental effort and cost

A Trustmark Framework
Diagram: the same frameworks A, B and C, built from components NIST LOA 3, FICAM SAML SSO, FIPPs, OAuth, OpenID, FIPS 200.
These modular components are called Trustmarks. Think of trustmarks as mini reusable certifications.

Scope of Trustmarks
Example trustmark subjects:
- FICAM SAML SSO Profile
- NIST / FICAM LOA 3 Identity
- Fair Information Practice Principles (FIPPs)
- FIPS 200 Security Practices
- GFIPM Metadata Registry (User Attributes)
Each is governed by Trustmark Policies & Trustmark Agreements.

Bundling of Components for Business Context
Diagram: a pool of components bundled differently by COI A, Federation B and Trust Framework C.
Component types (examples): Privacy, Security, Interoperability, Legal, Business Continuity, Personnel, Other.

A Trustmark-Based Ecosystem (1)
Diagram: IDPs, APs and RPs in ID Trust Frameworks A, B and C.
Existing Trust Frameworks could be expressed as a set of components called a TIP (Trust Interoperability Profile): Trust Interoperability Profile A, B and C.

A Trustmark-Based Ecosystem (2)
Then each member of the community can acquire the necessary Trustmarks based on the TIP (TIP A, TIP B, TIP C).
Trustmarks can be acquired through a Trustmark Provider. There can be many Trustmark Providers in the ID Ecosystem.

A Trustmark-Based Ecosystem (3)
Trustmarks can be stored in searchable Trustmark Registries or shared directly with partners.
Diagram: several Trustmark Registries, each listing entries such as "IDP X: ...", "RP Y: ...", etc.

Roles and Responsibilities of the Actors (generic certification model)
- A Stakeholder Community defines Requirements.
- The Requirements are used by an Assessor and are required by Interested Parties.
- The Assessor issues a Listing, Certification, Audit Letter, etc. to the Complying Party.
- The Complying Party is trusted by the Interested Parties.
- The Assessor is relied on by the Interested Parties.

The Trustmark Framework (same model in trustmark terms)
- A Stakeholder Community is represented by a Trustmark Defining Organization, which defines a Trustmark Definition.
- The Trustmark Definition is used by a Trustmark Provider and is required by Trustmark Relying Parties (Org. 1, Org. 2, End User) via a Trust Interop Profile that bundles Trustmark A, Trustmark B, Trustmark C.
- The Trustmark Provider issues trustmarks to the Trustmark Recipient.
- The Trustmark Recipient is trusted by the Trustmark Relying Parties.
Normative specs are required for each of these artifacts.

Trustmark Definitions
Metadata:
- Publisher: U.S. General Services Administration
- Name: NIST/FICAM LOA 2 IDPO TD
- URL: ...
- Description and Intended Purpose: ...
- Target Stakeholder Audience: ...
- Date of Publication: 15 Apr 2014
- Version: 1.0
- Visual Icon: ...
Conformance Criteria: Conformance to the Identity Provider Organization (IDPO) conformance target of this TD requires the following.
1. The IDPO MUST ...
2. The IDPO MUST ...
3. The IDPO MAY ...
4. ...
Assessment Process: Before issuing a trustmark subject to this TD, a Trustmark Provider MUST complete the following assessment steps.
1. The TP MUST ...
2. The TP MUST ...
3. The TP MUST ...
Certification as a Trustmark Provider: Before an entity may issue trustmarks subject to this TD, it MUST complete the following certification process.
1. The entity MUST ...
2. The entity MUST ...
3. The entity MUST ...
Trustmark Extension Schema: Trustmarks issued subject to this TD MUST conform to the Trustmark Base Schema, and MUST also conform to the following Trustmark Extension Schema (XSD / XML).

Sample Trustmark Definition (screenshot)

Example Conformance Criteria: Registration and Issuance (screenshot)

Example Assessment Steps: Registration and Issuance (screenshot)

Trust Interoperability Profile (TIP): Bundling Trustmarks for Business Context
Metadata:
- Publisher: U.S. Dept. of Justice
- URL: ...
- Name: U.S. Law Enforcement Community Info Sharing TIP
- Description and Intended Purpose: ...
- Date of Publication: 15 Jun 2014
- Version: 1.0
- Digital Signature of Issuer: ...
Trust and Interoperability Criteria (expressed in XML):

Identity Provider Organization (IDPO) Trustmark Requirements:
  Trustmark                      | Requirement | Approved Trustmark Providers
  FICAM SAML SSO IDP             | MUST HAVE   | NIEF or IJIS
  NIEF/FICAM LOA 2 IDPO          | MUST HAVE   | NIEF or Kantara
  NIEF Attribute Profile IDPO    | MUST HAVE   | (ANY)
  XYZ Privacy Policy IDPO        | SHOULD HAVE | (ANY)

Service Provider Organization (SPO) Trustmark Requirements:
  Trustmark                      | Requirement | Approved Trustmark Providers
  FICAM SAML SSO SP              | MUST HAVE   | NIEF or IJIS
  NIEF Attribute Profile SPO     | MUST HAVE   | (ANY)
  XYZ Privacy Policy SPO         | MUST HAVE   | (ANY)

Trustmark Assessment Tool Process Flow
Actors: Trustmark Provider (operating the Trustmark Assessment Tool and its database), Trustmark Recipient Candidate, and the Trustmark Definitions (e.g. the Registration and Issuance Requirements TD).
1. Load TDs into the Assessment Tool
2. Receive a request for a trustmark from the Trustmark Recipient Candidate
3. Perform the assessment of the Trustmark Recipient Candidate
4. Store assessment artifacts / evidence in the database
5. Issue the trustmark to the Trustmark Recipient

Sample Screen Shot from Trustmark Assessment Tool (screenshot)

Trustmark Binding
Diagram: Trustmark Definitions 1..N each define an Attribute Definition; an entity's Endpoint Metadata carries the corresponding Trustmark Attributes (TM1 Attr, TM2 Attr, ..., TMN Attr) alongside its other attributes; each attribute value points to a Trustmark (1..N) issued by a [3rd Party] Trustmark Provider; the Trustmark Relying Party (TRP) consumes the metadata.
- Trustmark Attributes are defined by Trustmark Definitions
- Trustmark Attributes are expressed in Endpoint Metadata (we do this today in SAML; the metadata structure could also be that of [OIDC Disc], [OIDC DCR], or [OAuth DCR])
- Trustmark Attribute values are the URLs of the locations of the issued Trustmarks

"Levels" of Trustmark Reliance
(Same diagram as Trustmark Binding.) A Trustmark Relying Party can choose how far to go:
0. The TRP does not have to rely on Trustmarks at all (backwards compatibility).
1. The TRP can check for the presence of the appropriate Trustmark Attributes according to the TDs it cares about.
2. The TRP can follow the Trustmark links and verify Trustmark legitimacy and Binding legitimacy.

NIEF Trustmark Issuance and Binding
- NIEF Trustmark Assessment Processes (using the Trustmark Assessment Tool) issue Trustmarks 1..N to a NIEF Member Agency (the Trustmark Recipient).
- The member's NIEF Trust Fabric Entry, maintained with the Trust Fabric Entry Editor, binds Trustmarks 1..N to the member and is signed by NIEF.
- The Trust Fabric Registry Manager Tool publishes the entry into the NIEF Trust Fabric Registry.

NIEF Trustmark Usage by TRPs
A Trustmark Relying Party, in accordance with its local Trust Interoperability Profile (TIP):
1. Queries the NIEF Trust Fabric Registry for trust fabric entries with the required trustmarks
2. Receives the matching trust fabric entries
3. Installs the entries in its local product
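The following is an added example, not code from the GTRI/NIEF pilot, of what a Trustmark Relying Party does when it evaluates the IDPO half of the TIP above against an IDP's endpoint metadata at reliance level 1 (attribute presence) and level 2 (follow each link, verify the trustmark and its binding). The data shapes, the URLs, the registry dictionary and the HMAC-based signature are assumptions standing in for signed trustmark documents and a real trust fabric registry; real trustmarks are signed XML and the verifier would check the provider's certificate instead.

```python
"""Evaluate a Trust Interoperability Profile (TIP) against endpoint metadata.
Example code only: data shapes, URLs, registry and the HMAC "signature" are
assumptions, not the NIEF trustmark specification."""
import hashlib
import hmac
import json

# ASSUMPTION: HMAC secrets stand in for each Trustmark Provider's signing key.
PROVIDER_KEYS = {"NIEF": b"nief-demo", "IJIS": b"ijis-demo", "Kantara": b"kantara-demo"}


def sign(body: dict, key: bytes) -> str:
    """Canonicalize the trustmark body and compute the provider's signature."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def issue(provider: str, recipient: str, td: str, expires: str) -> dict:
    """Constructed trustmark: provider, recipient binding, TD, expiry, signature."""
    body = {"provider": provider, "recipient": recipient, "td": td, "expires": expires}
    return {"body": body, "signature": sign(body, PROVIDER_KEYS[provider])}


IDP = "https://idp.example/saml"  # constructed entity ID

# Constructed registry: trustmark URL -> issued trustmark document.
REGISTRY = {
    "https://tp.example/tm/1": issue("IJIS", IDP, "FICAM SAML SSO IDP", "2099-01-01"),
    "https://tp.example/tm/2": issue("NIEF", IDP, "NIEF/FICAM LOA 2 IDPO", "2099-01-01"),
    "https://tp.example/tm/3": issue("NIEF", IDP, "NIEF Attribute Profile IDPO", "2015-01-01"),  # expired
    "https://tp.example/tm/4": issue("NIEF", "https://other.example/saml", "XYZ Privacy Policy IDPO", "2099-01-01"),  # bound to another entity
}

# Constructed endpoint metadata: one trustmark attribute per TD, valued with trustmark URLs.
IDP_METADATA = {
    "entity_id": IDP,
    "trustmark_attributes": {
        "FICAM SAML SSO IDP": ["https://tp.example/tm/1"],
        "NIEF/FICAM LOA 2 IDPO": ["https://tp.example/tm/2"],
        "NIEF Attribute Profile IDPO": ["https://tp.example/tm/3"],
        "XYZ Privacy Policy IDPO": ["https://tp.example/tm/4"],
    },
}

# IDPO requirements from the slide's TIP: (TD, level, approved providers or None for ANY).
TIP_IDPO = [
    ("FICAM SAML SSO IDP", "MUST", {"NIEF", "IJIS"}),
    ("NIEF/FICAM LOA 2 IDPO", "MUST", {"NIEF", "Kantara"}),
    ("NIEF Attribute Profile IDPO", "MUST", None),
    ("XYZ Privacy Policy IDPO", "SHOULD", None),
]


def check_presence(metadata: dict, tip: list) -> bool:
    """Level 1: only check that the required trustmark attributes are present."""
    attrs = metadata["trustmark_attributes"]
    return all(attrs.get(td) for td, lvl, _ in tip if lvl == "MUST")


def verify_trustmark(url, td, entity_id, today, fetch=REGISTRY.get):
    """Level 2: resolve the link, then check signature, TD, binding and expiry."""
    tm = fetch(url)
    if tm is None:
        return None, "unresolvable"
    body = tm["body"]
    key = PROVIDER_KEYS.get(body["provider"])
    if key is None or not hmac.compare_digest(tm["signature"], sign(body, key)):
        return None, "bad signature or unknown provider"
    if body["td"] != td:
        return None, "trustmark is for a different TD"
    if body["recipient"] != entity_id:   # binding legitimacy
        return None, "not bound to this entity"
    if body["expires"] < today:          # ISO dates compare lexically
        return None, "expired"
    return body["provider"], "ok"


def evaluate_tip(metadata: dict, tip: list, today: str) -> dict:
    """Level 2 evaluation: which TIP requirements are met by verified trustmarks."""
    providers_by_td, problems = {}, []
    for td, urls in metadata["trustmark_attributes"].items():
        for url in urls:
            provider, status = verify_trustmark(url, td, metadata["entity_id"], today)
            if provider:
                providers_by_td.setdefault(td, set()).add(provider)
            else:
                problems.append((url, status))
    missing = {"MUST": [], "SHOULD": []}
    for td, lvl, approved in tip:
        have = providers_by_td.get(td, set())
        if not (have if approved is None else have & approved):
            missing[lvl].append(td)
    return {"trusted": not missing["MUST"], "missing": missing, "problems": problems}


if __name__ == "__main__":
    print("level 1 (presence only):", check_presence(IDP_METADATA, TIP_IDPO))
    print("level 2 (verified):", json.dumps(evaluate_tip(IDP_METADATA, TIP_IDPO, "2024-06-01"), indent=2))
```

On this constructed input the level 1 check passes because every MUST attribute is present, while the level 2 check rejects the same IDP: one trustmark has expired and another is bound to a different entity, so the "NIEF Attribute Profile IDPO" MUST requirement is unmet. That gap is exactly why a TRP that merely trusts self-asserted attribute names gets no more assurance than the metadata publisher chooses to give it.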

Trustmark Legal Framework
Actors: Trustmark Provider, Trustmark Recipient, Trustmark Relying Party.
- Trustmark Policy: published by the Trustmark Provider; explicitly referenced by each Trustmark.
- Trustmark Recipient Agreement: explicit relationship between Trustmark Provider and Trustmark Recipient.
- Trustmark Relying Party Agreement: explicit relationship between Trustmark Provider and Trustmark Relying Party.
- Trustmark Recipient and Trustmark Relying Party: implicit relationship, via the Trustmark.

Progress to Date
- Development & refinement of the Trustmark concept
  - Technical Framework: .../framework/1.0/
  - NIEF Trustmark (Component) Definitions (62): .../definitions/
  - NIEF Trust Interoperability Profiles (10): .../interoperability-profiles/
- Development of software tools: Trustmark Assessor Tool, Trust Fabric Registry, & others
- Socialization of the Trustmark concept: Trustmark Pilot Website
- Conducting operational pilots

Some Trustmark Pilot Participants

To Learn More…