Identity Management in a Federated Environment US-NATO TEM 6 1-3 December 2009 Alan Murdock Dr. Robert Malewicz Dr. Sven Kuehne CAT-2 Interoperability.

1 Identity Management in a Federated Environment
US-NATO TEM 6, 1-3 December 2009
Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail: sven.kuehne@nc3a.nato.int

2 NATO IdM Initiatives
 SC/4-SC/5 NATO IdM Workshop (2008/09)
    output: NATO IdM Strawman Paper
    directory services oriented view
    focused on the alliance aspect of NATO IdM
    identifies IdM use cases in NATO
 SC/4 Service Management Infrastructure AHWG (2008/09)
    output: SMI Technical Services Definitions working paper
    Security Management architecture view
    requirements/standards/technology agnostic approach
    identifies interfaces with other security management services
NATO UNCLASSIFIED

3 Terminology
 Identity Management is ambiguous!
 Identity Management includes:
    Identity Assurance
    Identity Employment or Utilization
    Identity Services
 What is an "Identity"?
    … a PKI certificate?
    … a set of attributes?
    … the same for every entity in the enterprise?

4 Different view on IdM
 NATO has a two-dimensional challenge:
    IdM in the NATO Alliance: the 28 NATO nations and partners constitute a federation
    IdM in the NATO Organization: NATO HQs and NATO agencies constitute an enterprise (?)

5 Challenges
 The concept of NATO IdM is in a very early stage of formalization
 Requirements for NATO IdM need to be defined
 The two dimensions of NATO IdM have the potential to cause conflicts for IdM
 Emerging technologies (Identity 2.0) are reflected neither in the NATO IdM Strawman Paper nor in the SMI working paper
 Policy document for NATO IdM
 Interoperability at all levels

6 Way forward
 What can we accomplish today?
    Listen
    Inform
    Plan for the future
 NC3A Identity Management Test Campaign

7 IdM Concept Validation
 Purpose:
    Identify NATO IdM requirements based on IdM use cases
    Verify architectures and solutions for identified IdM use cases
 Scope:
    Validation focused on federated scenarios within the NATO Alliance
 Test Facility:
    Classification: NATO Unclassified
    NNEC CES Testbed as an investigation platform on the NATO side
    National Testbeds
 Procedure:
    VPN Joining Instruction
    IdM Joining Instructions (based on ACP145 and ARH forms)
    agreed test scope (use cases) and schedule

8 NNEC CES Testbed Layout (diagram slide)

9 IdM Use Cases
 IdM use cases defined in the NIdM Strawman Paper:
    Access to C2 Data/Services in NATO SECRET Domain
    Single Sign On in Cross-Domain Federation Scenario
    Use of certificates bound to the identity
    NATO Pass System
    Use of national military ID-Card
 Technology/Solution specific IdM use cases for testing:
    Cross-domain group management
    Security token based authentication for Web Services
    Portal access (based on SharePoint Server)
    Collaboration tools (based on JChat application)
    Access to legacy applications
    Others …

10 IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping
(relevance matrix; the cell markings are not reproduced in the transcript)
 Strawman Paper use cases (rows):
    Access to C2 Data and Services
    SSO in Federation
    Use of certificates
    NATO Pass System
    Use of national military ID-Card
 Technology/Solution use cases (columns):
    Group Management
    Security Token based authentication
    Portal Access
    Collaboration Tools
    Access to Legacy Systems
    ???

11 IdM Use Case Validation Environment (diagram slide)

12 Service Components
 Information Exchange Gateway scenario B (IEG B)
 NATO Enterprise Directory Service (NEDS)
 Allied Replication Hub (ARH)
 Border Directory Services
 NATO Public Key Infrastructure (NPKI) Certificate Authority
 Security Token Service (STS)
 Policy Enforcement Point (PEP)
 Policy Decision Point (PDP)
 Web servers/portals and clients
 Web Proxy
 Web Concentrator
 Collaboration tool servers and clients
 Identity Data Sources

13 Use Cases
 Cross-domain group management
 Security token based authentication for Web Services
 Portal access (based on SharePoint Server)
 Collaboration tools (based on JChat application)
 Access to legacy applications

14 Group Management Use Case
 Foundation for other use cases
 Foundation for a formal access control mechanism implementation. Access control models being considered:
    role based access control (RBAC), currently used in many C2 systems
    attribute based access control (ABAC), anticipated to be more exploited in future service-oriented systems
 Potential areas of usage (examples):
    cross-domain group management delegation
    cross-domain group mapping
 Status:
    directory components installed
    meta-tools installed, configured, jobs implemented
    initial testing completed

15 IdM in Group Management (diagram slide)

16 NNEC Hints
 "Network of networks" is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
 Community of Interest (CoI) is a driver for access control in NNEC
 Sharing of identity information between these different networks is crucial for providing access control
 Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients

17 Security Token Based Access Use Case
 Simple services can be combined into more complex ones ("orchestration")
 Typically users interact with web services using different kinds of GUIs (web and form based ones)
 Service provider/consumer interoperability:
    standard protocols like SOAP, HTTP
    Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
 Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated
 Status:
    all components installed
    not all configured yet
    not all tested yet
    not integrated with directory yet
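As an added illustration (not from the deck), the following Python models the STS, PEP and PDP flow from slides 12, 14 and 17: a national STS issues a token whose group claims are mapped to NATO roles (cross-domain group mapping), the PEP verifies signature and expiry, and the PDP applies an RBAC check on the service plus an ABAC check on clearance versus resource classification. The HMAC-signed JSON token, the shared key, the group mapping and the role table are all constructed stand-ins for the WS-Trust/WS-Security tokens and NPKI trust the deck refers to.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the STS/PEP trust relationship (NPKI certificates in practice).
STS_KEY = b"constructed-demo-key"

# Hypothetical cross-domain group mapping: national group names -> NATO roles.
GROUP_MAPPING = {"nation-a": {"J3-ops": "c2-operator", "J6-cis": "portal-admin"}}

# Hypothetical RBAC table: which NATO roles may call which service.
SERVICE_ROLES = {"c2-service": {"c2-operator"}, "portal": {"c2-operator", "portal-admin"}}
LEVELS = ["unclassified", "restricted", "secret"]  # ordered low to high


def sts_issue_token(domain, subject, groups, clearance, ttl=300):
    """STS: map national groups to NATO roles and issue a signed, time-limited token."""
    mapping = GROUP_MAPPING.get(domain, {})
    roles = sorted({mapping[g] for g in groups if g in mapping})  # unknown groups dropped
    claims = {"sub": subject, "iss": domain, "roles": roles,
              "clearance": clearance, "exp": int(time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def pep_validate(token, now=None):
    """PEP: verify the token signature and expiry; return the claims or None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or foreign token
    claims = json.loads(body)
    if claims["exp"] <= (now if now is not None else time.time()):
        return None  # expired
    return claims


def pdp_decide(claims, service, resource_classification):
    """PDP: RBAC (role allowed for service) AND ABAC (clearance covers classification)."""
    role_ok = bool(set(claims["roles"]) & SERVICE_ROLES.get(service, set()))
    attr_ok = LEVELS.index(claims["clearance"]) >= LEVELS.index(resource_classification)
    return role_ok and attr_ok
```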

18 Secure Token Based Access (diagram slide)

19 … Integrated with Directory Services (diagram slide)

20 Access to Portal
 Web portal access handling is one of the most common and basic information sharing requirements
 Access granularity is a desired feature that needs to be implemented in future NATO portals
 Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's Identity Architecture, and so will be able to act as a relying party for XML security tokens.
 Initially, access from a national domain to NATO portals is the most expected operational scenario
 Status:
    all components installed
    meta-tools installed, configured, jobs implemented
    initial testing completed
    implemented different authentication mechanisms for internal/external users
    hashed passwords for external users populated through ARH

21 IdM in Access to Portal (diagram slide)

22 Collaboration Tools Use Case
 XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:
    instant messaging
    presence
    multi-party chat
    voice and video calls
    collaboration
    lightweight middleware
    content syndication
    generalized routing of XML data
 XMPP is a mandatory collaboration standard for military usage in many NATO nations
 JChat application, a standard NATO collaboration tool, to be used on the NATO side
 Status: not implemented yet
    all components installed
    meta-tools installed, configured, jobs implemented
    hashed passwords for external users populated through ARH

23 IdM in Collaboration Tools (diagram slide)

24 Access to Legacy Applications
 There are still applications in NATO CIS which are not PKI and/or Web services enabled
 Authentication/Authorization mechanisms:
    implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application specific solutions, or
    not implemented at all
 For completeness of the IdM use case validation picture, legacy systems should be included
 Status: not implemented yet

25 IdM in Legacy Systems (diagram slide)

26 Summary
 The concept of IdM in a federated NATO environment (NATO plus NATO nations) is in an early stage of formalization
 The list of use cases for IdM is open
 The NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners

27 Why Identity Management matters …

28 CONTACTING NC3A
NC3A Brussels
Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
Telephone +32 (0)2 7074111, Fax +32 (0)2 7078770
Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels, Belgium
NC3A The Hague
Visiting address: Oude Waalsdorperweg 61, 2597 AK The Hague
Telephone +31 (0)70 3743000, Fax +31 (0)70 3743239
Postal address: NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands
