Identity Management in a Federated Environment US-NATO TEM 6 1-3 December 2009 Alan Murdock Dr. Robert Malewicz Dr. Sven Kuehne CAT-2 Interoperability.


Identity Management in a Federated Environment. US-NATO TEM, December 2009. Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne. CAT-2 Interoperability | NATO C3 Agency - The Hague. Tel.: +31 (0)

NATO IdM Initiatives
 SC/4-SC/5 NATO IdM Workshop (2008/09)
  - output: NATO IdM Strawman Paper
  - directory services oriented view
  - focused on the alliance aspect of NATO IdM
  - identifies IdM use cases in NATO
 SC/4 Service Management Infrastructure AHWG (2008/09)
  - output: SMI Technical Services Definitions working paper
  - Security Management architecture view
  - requirements/standards/technology agnostic approach
  - identifies interfaces with other security management services
NATO UNCLASSIFIED

Terminology
 Identity Management is ambiguous!
 Identity Management includes:
  - Identity Assurance
  - Identity Employment or Utilization
  - Identity Services
 What is an "Identity"?
  - … a PKI certificate?
  - … a set of attributes?
  - … the same for every entity in the enterprise?

Different view on IdM
 NATO has a two-dimensional challenge:
 IdM in the NATO Alliance
  - 28 NATO nations
  - and partners
  - constitute a federation
 IdM in the NATO Organization
  - NATO HQs
  - and NATO agencies
  - constitute an enterprise (?)

Challenges
 The concept of NATO IdM is in a very early stage of formalization
 Requirements for NATO IdM need to be defined
 The two dimensions of NATO IdM (alliance federation and NATO enterprise) have the potential to cause conflicts for IdM
 Emerging technologies (Identity 2.0) are not reflected in either the NATO IdM Strawman Paper or the SMI working paper
 A policy document for NATO IdM is needed
 Interoperability at all levels

Way forward
 What can we accomplish today?
  - Listen
  - Inform
  - Plan for the future
 NC3A Identity Management Test Campaign

IdM Concept Validation
 Purpose:
  - Identify NATO IdM requirements based on IdM use cases
  - Verify architectures and solutions for identified IdM use cases
 Scope:
  - Validation focused on federated scenarios within the NATO Alliance
 Test Facility:
  - Classification: NATO Unclassified
  - NNEC CES Testbed as the investigation platform on the NATO side
  - National testbeds
 Procedure:
  - VPN Joining Instruction
  - IdM Joining Instructions (based on ACP145 and ARH forms)
  - agreed test scope (use cases) and schedule

NNEC CES Testbed Layout

IdM Use Cases
 IdM use cases defined in the NIdM Strawman Paper:
  - Access to C2 Data/Services in the NATO SECRET Domain
  - Single Sign On in a Cross-Domain Federation Scenario
  - Use of certificates bound to the identity
  - NATO Pass System
  - Use of national military ID-Card
 Technology/Solution specific IdM use cases for testing:
  - Cross-domain group management
  - Security token based authentication for Web Services
  - Portal access (based on SharePoint Server)
  - Collaboration tools (based on JChat application)
  - Access to legacy applications
  - Others …

IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping
 Strawman Paper use cases (table columns): Access to C2 Data and Services | SSO in Federation | Use of certificates | NATO Pass System | Use of national military ID-Card
 Technology/Solution use cases (table rows): Group Management | Security Token based authentication | Portal Access | Collaboration Tools | Access to Legacy Systems | ???

IdM Use Case Validation Environment

Service Components
 Information Exchange Gateway scenario B (IEG B)
 NATO Enterprise Directory Service (NEDS)
 Allied Replication Hub (ARH)
 Border Directory Services
 NATO Public Key Infrastructure (NPKI) Certificate Authority
 Security Token Service (STS)
 Policy Enforcement Point (PEP)
 Policy Decision Point (PDP)
 Web servers/portals and clients
 Web Proxy
 Web Concentrator
 Collaboration tool servers and clients
 Identity Data Sources

Use Cases
 Cross-domain group management
 Security token based authentication for Web Services
 Portal access (based on SharePoint Server)
 Collaboration tools (based on JChat application)
 Access to legacy applications

Group Management Use Case
 Foundation for other use cases
 Foundation for a formal access control mechanism implementation. Access control models being considered:
  - role based access control (RBAC), currently used in many C2 systems
  - attribute based access control (ABAC), anticipated to be exploited more in future service-oriented systems
 Potential areas of usage (examples):
  - cross-domain group management delegation
  - cross-domain group mapping
 Status:
  - directory components installed
  - meta-tools installed, configured, jobs implemented
  - initial testing completed
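The slide names three things a federated group-management design has to do: map groups asserted by a national domain onto NATO-side groups, let RBAC decide which actions a role may perform, and let ABAC decide which data the subject may touch. The following is an added example, not NC3A testbed code, that shows the three pieces wired into one deny-by-default PDP decision. The domain names, group DNs, attribute names, clearance ordering and policy rules are assumptions chosen for the illustration; in the testbed the mapping table would be produced by the meta-directory jobs mentioned under Status.

```python
"""Cross-domain group mapping feeding an RBAC check and an ABAC check.

Added illustration for the Group Management use case; it is not NC3A testbed
code. Domain names, group DNs, attribute names and the policy rules below are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Constructed mapping table: a national domain's groups onto NATO-side groups.
# In the testbed such a table would be maintained by the meta-directory jobs.
GROUP_MAP: Dict[str, Dict[str, str]] = {
    "nation-a": {
        "CN=J3-Ops,OU=Groups,DC=mil,DC=nation-a": "nato-ops-planners",
        "CN=J6-CIS,OU=Groups,DC=mil,DC=nation-a": "nato-cis-admins",
    },
    "nation-b": {
        "ops-planning": "nato-ops-planners",
    },
}

# RBAC: NATO group -> set of (action, resource type) it is allowed to perform.
RBAC_POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "nato-ops-planners": frozenset({("read", "c2-data"), ("write", "c2-data")}),
    "nato-cis-admins": frozenset({("read", "c2-data"), ("admin", "portal")}),
}

# Ordered from lowest to highest; used by the ABAC clearance rule (assumed).
CLEARANCE_ORDER = ("NATO UNCLASSIFIED", "NATO RESTRICTED", "NATO CONFIDENTIAL", "NATO SECRET")


@dataclass
class Subject:
    uid: str
    domain: str                       # home domain that asserted the groups
    groups: FrozenSet[str]            # group names exactly as issued by that domain
    attributes: Dict[str, str] = field(default_factory=dict)  # ABAC inputs


@dataclass
class Resource:
    rtype: str
    attributes: Dict[str, object] = field(default_factory=dict)


def map_groups(subject: Subject) -> FrozenSet[str]:
    """Translate home-domain groups into NATO groups.

    Only groups listed in the mapping table for the subject's own domain are
    accepted; anything else is dropped, so a group name from another domain is
    never used as if it were a local NATO group.
    """
    table = GROUP_MAP.get(subject.domain, {})
    return frozenset(table[g] for g in subject.groups if g in table)


def rbac_permits(nato_groups: FrozenSet[str], action: str, resource: Resource) -> bool:
    return any((action, resource.rtype) in RBAC_POLICY.get(g, frozenset()) for g in nato_groups)


def clearance_dominates(clearance: str, classification: str) -> bool:
    """True if the clearance is at or above the classification; unknown levels fail closed."""
    if clearance not in CLEARANCE_ORDER or classification not in CLEARANCE_ORDER:
        return False
    return CLEARANCE_ORDER.index(clearance) >= CLEARANCE_ORDER.index(classification)


def abac_permits(subject: Subject, resource: Resource) -> bool:
    """Assumed attribute rules: clearance must dominate the classification and the
    subject's nationality must appear in the resource's releasability list."""
    if not clearance_dominates(subject.attributes.get("clearance", ""),
                               str(resource.attributes.get("classification", ""))):
        return False
    releasable_to = resource.attributes.get("releasable_to", ())
    return subject.attributes.get("nationality") in releasable_to


def decide(subject: Subject, action: str, resource: Resource) -> Tuple[bool, str]:
    """PDP logic: deny by default; RBAC decides the action, ABAC decides the data."""
    nato_groups = map_groups(subject)
    if not nato_groups:
        return False, "no mapped NATO group"
    if not rbac_permits(nato_groups, action, resource):
        return False, "role does not permit action"
    if not abac_permits(subject, resource):
        return False, "attribute policy denies"
    return True, "permit"


if __name__ == "__main__":
    planner = Subject("j.smith", "nation-a",
                      frozenset({"CN=J3-Ops,OU=Groups,DC=mil,DC=nation-a"}),
                      {"clearance": "NATO SECRET", "nationality": "NATION-A"})
    plan = Resource("c2-data", {"classification": "NATO SECRET",
                                "releasable_to": {"NATION-A", "NATION-B"}})
    print(decide(planner, "read", plan))   # (True, 'permit')
    print(decide(planner, "admin", plan))  # (False, 'role does not permit action')
```

The point worth noticing is in `map_groups`: the lookup is keyed by the subject's home domain first, so a nation-b user presenting a nation-a group DN gets no NATO group at all rather than the planners role. That is the check a cross-domain group mapping needs before any RBAC or ABAC rule is consulted.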

IdM in Group Management

NNEC Hints
 "Network of networks" is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
 Community of Interest (CoI) is a driver for access control in NNEC
 Sharing of identity information between these different networks is crucial for providing access control
 Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients

Security Token Based Access Use Case
 Simple services can be combined into more complex ones ("orchestration")
 Typically users interact with web services using different kinds of GUIs (web and form based ones)
 Service provider/consumer interoperability:
  - standard protocols like SOAP, HTTP
  - Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
 Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated
 Status:
  - all components installed
  - not all configured yet
  - not all tested yet
  - not integrated with directory yet
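In the WS-Trust pattern the slide refers to, a user authenticates to the STS of the home domain, receives a token scoped to one NATO service, and the PEP in front of that service decides whether to accept it. The following is an added example, not NC3A testbed code, showing both sides of that exchange and the order of checks a relying party should apply: trusted issuer, signature, audience, validity window. The issuer URNs, service URL, keys and claim names are assumptions. The testbed STS would sign a SAML/WS-Security token with an NPKI certificate; here an HMAC over canonicalised claims stands in for the XML Signature so the example runs with the standard library only.

```python
"""Security token exchange between a national STS and a NATO-side PEP.

Added illustration for the security token based access use case; not NC3A
testbed code. Issuer URNs, service URL, keys and claim names are assumed. An
HMAC over canonicalised claims stands in for the XML Signature the real STS
would produce with its NPKI certificate.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed trust list of the NATO-side PEP: issuer -> verification key.
# Which STSs to trust is the federation decision; an unknown STS is rejected
# before anything else in the token is looked at.
TRUSTED_ISSUERS: Dict[str, bytes] = {
    "urn:sts:nation-a": b"assumed-shared-key-nation-a",
}

ALLOWED_CLOCK_SKEW = 60  # seconds of tolerance between domains' clocks


def _canonical(claims: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sts_issue(issuer: str, key: bytes, subject: str, attributes: Dict[str, str],
              applies_to: str, now: int, lifetime: int = 300) -> Dict[str, Any]:
    """STS side of RequestSecurityToken: the requester has already authenticated
    to its home domain; the STS issues a token scoped (AppliesTo) to one relying
    party with a short validity window."""
    claims = {
        "Issuer": issuer,
        "Subject": subject,
        "Attributes": attributes,
        "AppliesTo": applies_to,
        "NotBefore": now,
        "NotOnOrAfter": now + lifetime,
    }
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).digest()
    # Shape of the RequestSecurityTokenResponse reduced to the two parts that matter.
    return {"RequestedSecurityToken": claims, "Signature": base64.b64encode(sig).decode()}


class TokenError(Exception):
    pass


def pep_validate(token: Dict[str, Any], expected_audience: str, now: int) -> Tuple[str, Dict[str, str]]:
    """Relying-party checks, in order: trusted issuer, signature, audience,
    validity window. Returns (subject, attributes) for the PDP, or raises."""
    claims = token["RequestedSecurityToken"]
    key = TRUSTED_ISSUERS.get(claims.get("Issuer", ""))
    if key is None:
        raise TokenError("untrusted issuer")
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(token["Signature"])):
        raise TokenError("signature invalid")
    if claims.get("AppliesTo") != expected_audience:
        raise TokenError("audience mismatch")
    if not (claims["NotBefore"] - ALLOWED_CLOCK_SKEW <= now < claims["NotOnOrAfter"] + ALLOWED_CLOCK_SKEW):
        raise TokenError("token not valid at this time")
    return claims["Subject"], claims["Attributes"]


def validate_outcome(token: Dict[str, Any], expected_audience: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the reason the PEP rejected the token."""
    try:
        pep_validate(token, expected_audience, now)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    c2_service = "https://c2.nato.example/ws"   # assumed relying party
    tok = sts_issue("urn:sts:nation-a", TRUSTED_ISSUERS["urn:sts:nation-a"], "j.smith@nation-a",
                    {"clearance": "NATO SECRET", "group": "J3-Ops"}, c2_service, now=1_000_000)
    print(validate_outcome(tok, c2_service, now=1_000_010))                  # ok
    print(validate_outcome(tok, "https://portal.nato.example/", 1_000_010))  # audience mismatch
```

Two design points carry over to the real WS-Trust deployment: the audience check is what stops a token issued for the portal from being replayed against the C2 web service, and the short lifetime plus explicit `now` keeps the validity decision independent of where the token was issued. Signature verification is deliberately done before the audience and time checks so that nothing in an unsigned token influences the outcome.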

Secure Token Based Access

… Integrated with Directory Services

Access to Portal
 Web portal access handling is one of the most common and basic information sharing requirements
 Access granularity is a desired feature that needs to be implemented in future NATO portals
 Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's identity architecture, and so will be able to act as a relying party for XML security tokens
 Initially, access from a national domain to NATO portals is the most expected operational scenario
 Status:
  - all components installed
  - meta-tools installed, configured, jobs implemented
  - initial testing completed
  - implemented different authentication mechanisms for internal/external users
  - hashed passwords for external users populated through ARH

IdM in Access to Portal

Collaboration Tools Use Case
 XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:
  - instant messaging
  - presence
  - multi-party chat
  - voice and video calls
  - collaboration
  - lightweight middleware
  - content syndication
  - generalized routing of XML data
 XMPP is a mandatory collaboration standard for military usage in many NATO nations
 JChat application, a standard NATO collaboration tool, to be used on the NATO side
 Status: use case not implemented yet
  - all components installed
  - meta-tools installed, configured, jobs implemented
  - hashed passwords for external users populated through ARH

IdM in Collaboration Tools

Access to Legacy Applications
 There are still applications in NATO CIS which are not PKI and/or Web services enabled
 Authentication/Authorization mechanisms:
  - are implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application-specific solutions, or
  - are not implemented at all
 For completeness of the IdM use case validation picture, legacy systems should be included
 Status: not implemented yet

IdM in Legacy Systems

Summary
 The concept of IdM in a federated NATO environment (NATO plus NATO nations) is in an early stage of formalization
 The list of use cases for IdM is open
 The NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners

Why Identity Management matters …

CONTACTING NC3A
NC3A Brussels
 Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
 Telephone +32 (0)
 Fax +32 (0)
 Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels, Belgium
NC3A The Hague
 Visiting address: Oude Waalsdorperweg, AK The Hague
 Telephone +31 (0)
 Fax +31 (0)
 Postal address: NATO C3 Agency, P.O. Box, CD The Hague, The Netherlands