
The Need for Trusted Credentials: Information Assurance in Cyberspace. Mary Mitchell, Deputy Associate Administrator, Office of Electronic Government & Technology.


1 The Need for Trusted Credentials: Information Assurance in Cyberspace
Mary Mitchell, Deputy Associate Administrator, Office of Electronic Government & Technology
www.cio.gov/eauthentication
www.cio.gov/fpkisc

2 A Few Assertions
- The Internet is perceived as being inherently anonymous
- In order to conduct trusted transactions, we need to know with whom we are dealing
- Transactions must be within reasonable risk limits
- Trusted electronic credentials provide the means to link an asserted identity in the electronic world to physical entities

3 Facets of Building Trust
Facet: Description
- Identification: Who are you?
- Authentication: How do I know you are who you claim to be?
- Authorization: Are you allowed to perform this transaction?
- Integrity: Is the data you sent the same as what I received?
- Confidentiality: Are we sure no one else read the data you sent?
- Auditing: Is there a record of transactions to assist in looking for security problems?
- Non-repudiation: Can you prove the sender sent it, and that the receiver received the identical transaction?
Thanks to Karl Best, Director of Technical Operations, OASIS

4 The Challenge of Trust Online
Unrealistic expectations
- Immediacy, but with safety, personal autonomy and control
- Personalization without surveillance
- Security and privacy without inconvenience or loss of immediacy
Privacy concerns are real
- Issuing credentials raises privacy concerns; strong identity proofing increases these concerns
- "Reasonable use" is extended beyond the initial use over time
- Basic conflict with convenience: the key to security is less data and more control

5 Preconditions for Credential "Trustworthiness"
- Unique to the person using it
- Under the sole control of the person using it
- Capable of verification
- Credential pedigree
  – Institutional standing of the provider
  – Governance
  – Establishment of identity
  – Credential control

6 Challenges of Identity Management
- Most identity management systems were built one application at a time
  – No scalable, holistic means of managing identity, credentials and policy across boundaries
  – Fragmented identity infrastructure, inconsistent policy frameworks, process discontinuities
  – Potential security loopholes; expensive to manage
- Few Agency enterprise approaches exist
- Infrastructure requirements extend reach and range:
  – Increase scalability, lower costs
  – Balance of centralized and distributed management
  – Infrastructure must be more general-purpose and re-usable

7 E-Authentication
In addition to policy, three focus areas:
- Agency Application Risk Analysis
  – Modified proven process for E-Authentication needs (eRA)
  – Focused on identity assurance at the transaction level
- Authentication Gateway
  – Provide validation services for multiple forms of ID credentials
  – Prototype gateway used to gain technical understanding of products
  – Agency business processes to broker the identity assurance model
  – Establish common interfaces for doing electronic transactions
- Establish a process to evaluate electronic credential providers

8 Determining Authentication Needs
- Standardize the process to assess the security risk
- Three primary risks:
  – Improper disclosure
  – Program fraud
  – Image/reputation of the Agency
- Determine transaction risk
  – Recommend "appropriate" authentication for a given transaction
  – Examine transaction flow and vulnerabilities
  – Estimate cost and identify alternatives

9 Conducting eRA
- An interdisciplinary team, comprised of:
  – business or mission-related staff
  – information technology staff
- eRA self-directed tool available to
  – guide the team through the process
  – produce a consistent risk report with reduced effort
- Provides the basis for selecting an Assurance Level
Basis: SEI

10 eAuthentication Gateway (diagram): credential providers from academia, health care, and state or federal government on one side; Federal Agency relying parties on the other; citizen, business and agent users routed through the Gateway, with identity verification required for some transactions and not required for others; the credential validation process sits in the Gateway; direct access capability to agency applications is preserved. Panel: "Future of the Gateway".

11 The GATEWAY Concept (diagram): credential providers (ECP 1, ECP 2, ECP 3, DCP 1, DCP 2) on the left, agency applications (Ap1 through Ap5) on the right, the GATEWAY between them performing technology mapping; credential assurance levels 0 None, 1 Medium, 2 Substantial, 3 Strong; the FEDBRIDGE shown alongside the Gateway.

12 Federal Authentication Infrastructures
Existing infrastructures for trusted transactions:
– E-Authentication Gateway provides a mechanism to evaluate ANY type of electronic credential
– Federal Bridge links together Public Key Infrastructure (PKI) based trust domains
– ACES provides an outsourced common infrastructure and PKI credentials for the trust domain with the public
– NFC provides a managed infrastructure and PKI credentials for the trust domain for Agency operations
– Common Access Card provides a common, secure platform for maintaining credentials
Each has benefits for the overall trust relationship.

13 The Problem with PKI
- Concerns about complexity and cost
- Suitable when strong authentication is needed
- Multiple Public Key Infrastructures operated by Agencies
- Operational PKIs have incorporated differing
  – technical solutions
  – policy decisions
- The Federal Government also needs a mechanism for reliance on internal and external trust domains
- Interoperability is the CHALLENGE!
  – Both policy and technical interoperability

14 Federal Bridge Certification Authority
The Federal Bridge:
- Acts as a trust "anchor"
- Enables cross-certification between organizations so agencies "trust" each other's public key credentials
- Enables digital credentials issued by one agency to be used and trusted at other agencies that have been cross-certified
Benefits of the Federal Bridge:
- Use of certificate policies and standards-based technologies and processes provides flexibility
- Allows all organizations to make one security agreement with the Bridge CA, rather than requiring multiple bilateral security agreements
- Allows trust interoperability between organizations and minimizes the impact on each organization's infrastructure and end-user applications

15 Federal Bridge Certification Authority (diagram): two agency PKIs, each with its own Certificate Policy, Certification Authority, Certificate Repository, Certificate Holder and Relying Party (Agency), joined to the FBCA by Cross Certificates. Kathy (Pink domain) sends S/MIME email to Mike (Green domain). Path construction: Kathy → Pink → FBCA → Green → Mike.
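The cross-certification described on slides 14 and 15 can be reproduced with nothing but openssl. The script below is an added example, not material from the presentation or from the FBCA program: it creates three self-signed roots (assumed names "Pink CA", "Green CA" and "Federal Bridge CA"), has the bridge and each agency CA cross-certify one another's existing keys in both directions, issues end-entity certificates to the assumed users Kathy and Mike, and then asks `openssl verify` to construct the path Mike → Green CA → FBCA → Pink CA for a relying party whose only trust anchor is the Pink root. The point worth seeing in code is the one the slide's quotation marks around "anchor" hint at: the relying party's trust anchor stays its own agency root, and the bridge is reached only through the cross-certificates supplied as untrusted intermediates. Without those cross-certificates the same validation fails, which is the pre-bridge state the deck calls the "interoperability challenge".

```shell
#!/bin/sh
# Added example: bridge-CA path construction with openssl.
# Names (Pink CA, Green CA, Federal Bridge CA, Kathy, Mike) are assumptions
# taken from the slide's diagram; keys and certificates are generated per run.
set -eu
DAYS=365

# Minimal openssl config, so the result does not depend on the host openssl.cnf:
# ca_ext marks roots and cross-certificates as CAs, ee_ext is for S/MIME users.
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF
}

# make_root DIR NAME SUBJECT_DN : a self-signed root, i.e. one agency's own trust anchor
make_root() {
  openssl req -x509 -config "$1/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2-root.pem" -subj "$3" -days "$DAYS" >/dev/null 2>&1
}

# issue DIR SUBJECT ISSUER SUBJECT_DN EXT_SECTION OUT_FILE
# Certifies SUBJECT's existing key under ISSUER's key. With ca_ext and a SUBJECT
# that already has a root, the result is a cross-certificate: same public key as
# SUBJECT's self-signed root, but issued by a different CA.
issue() {
  [ -f "$1/$2.key" ] || openssl genrsa -out "$1/$2.key" 2048 >/dev/null 2>&1
  openssl req -new -config "$1/pki.cnf" -key "$1/$2.key" -subj "$4" \
    -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3-root.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days "$DAYS" -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$6" >/dev/null 2>&1
}

# setup_pki : builds the whole constructed PKI in a temp dir and prints its path
setup_pki() {
  pki=$(mktemp -d)
  write_config "$pki"
  make_root "$pki" pink  "/CN=Pink CA"
  make_root "$pki" green "/CN=Green CA"
  make_root "$pki" fbca  "/CN=Federal Bridge CA"
  # Cross-certificates in both directions, as a bridge does with each member CA
  issue "$pki" fbca  pink  "/CN=Federal Bridge CA" ca_ext fbca-by-pink.pem
  issue "$pki" green fbca  "/CN=Green CA"          ca_ext green-by-fbca.pem
  issue "$pki" fbca  green "/CN=Federal Bridge CA" ca_ext fbca-by-green.pem
  issue "$pki" pink  fbca  "/CN=Pink CA"           ca_ext pink-by-fbca.pem
  # End entities, each issued inside its home domain
  issue "$pki" kathy pink  "/CN=Kathy" ee_ext kathy.pem
  issue "$pki" mike  green "/CN=Mike"  ee_ext mike.pem
  # Intermediate bundles a relying party would fetch from the repositories
  cat "$pki/green-by-fbca.pem" "$pki/fbca-by-pink.pem"  > "$pki/path-to-green.pem"
  cat "$pki/pink-by-fbca.pem"  "$pki/fbca-by-green.pem" > "$pki/path-to-pink.pem"
  echo "$pki"
}

# verify_path DIR ANCHOR_ROOT UNTRUSTED_BUNDLE_OR_EMPTY LEAF
# Succeeds only if openssl can build a chain from LEAF to the given trust anchor.
verify_path() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/$4" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1/$2" "$1/$4" 2>/dev/null | grep -q ': OK$'
  fi
}

main() {
  d=$(setup_pki)
  printf 'Pink anchor, Mike, no cross-certs:   '
  if verify_path "$d" pink-root.pem "" mike.pem; then echo OK; else echo 'FAIL (expected)'; fi
  printf 'Pink anchor, Mike, via the bridge:   '
  if verify_path "$d" pink-root.pem path-to-green.pem mike.pem; then echo OK; else echo FAIL; fi
  printf 'Green anchor, Kathy, via the bridge: '
  if verify_path "$d" green-root.pem path-to-pink.pem kathy.pem; then echo OK; else echo FAIL; fi
}
main
```

Run it with any OpenSSL 1.1.1 or later. The first check fails with "unable to get local issuer certificate" because Mike's issuer, Green CA, is unknown to a relying party anchored on Pink; the second succeeds once the two cross-certificates are offered as untrusted intermediates. Each agency thus keeps a single trust anchor and a single agreement (with the bridge), which is exactly the benefit slide 14 claims, while path validation still enforces the CA constraints and key usage carried in the cross-certificates.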

16 Thank You For Your Time & Attention

