170 likes | 185 Views
Interoperable Trust Networks. Chris Rogers California Dept of Justice February 16, 2005. Tactical Approaches. VPN / Trusted Certificates/Credentials Customized Gateways Vetted and agreed upon policies and procedures Information exchange model (IEM) XML credentials
E N D
Interoperable Trust Networks Chris Rogers California Dept of Justice February 16, 2005
Tactical Approaches • VPN / Trusted Certificates/Credentials • Customized Gateways • Vetted and agreed upon policies and procedures • Information exchange model (IEM) • XML credentials • System-to-System use case • IVE appliance integrated with infrastructure • Identities propagated throughout network • Tools that delegate the assignment of privileges • Certificate Policy/Practice Statement • User-to-Application use case
Acute Awareness • Primary Impediments to Information Sharing • Incompatible technologies • Identity, authentication, & authorization policies • Factors Affecting Interoperability • Numerous autonomous agencies • Multiple trust domains • Heterogeneous environments • Varied governance structures • Significant investment in legacy environments • Inconsistent or non-existent security policies & procedures • Disparate and incompatible security mechanisms
Fundamentals of Success • Trusted Identities • Identity Management • Addresses the inter-domain security problem with trust and standards • Agreements, standards, technologies make identity and entitlements portable across autonomous domains • An authenticated user can be easily recognized and take part in the services offered by other “federation” service providers • Privilege Management
Addressing the Problem • Nat’l Criminal Intelligence Sharing Plan (NCISP) • Global Justice Information Sharing Initiative • Advisory Committee Membership/Leadership • Advisory Committee Executive Steering Committee • Working Groups • Infrastructure Standards • Security • Global Security Architecture Committee • Intelligence • Privacy and Information Quality
Committee Composition • Criminal Information Sharing Alliance Network (CISAnet) • Regional Information Sharing Systems Network (RISSNET) • Justice Network (JNET) • DHS Homeland Security Information Network (HSIN)/ Joint Regional Information Exchange System (JRIES) • Automated Regional Justice Information System (ARJIS) • California and Wisconsin Departmentsof Justice
Global Security Architecture Committee (GSAC) • Business Problem • Recognized networks and information systems exist that involve substantial investments in technology, governance structures, and trust relationships • Failure to enable interoperability between the available information systems continues impede law enforcement and government officials’ ability to take effective actions when they are not aware of other information that may be known about a person or event
Global Security Architecture Committee (GSAC) • Scope • In response to the implementation of the National Criminal Intelligence Sharing Plan (NCISP) to develop an “overall” NCISP Interoperability Framework • To define of a set of “jointly agreed-upon and standards-based security mechanisms, communications protocols, and message formats”
Initiatives • Federated Identity and Privilege Management Security Interoperability Demonstration (GSAC) • Trusted Credential Project (RISS) • DHS Service Oriented Architecture • Security and Identity Management (IdM) Component (DHS)
“Demonstration” • Scope • Develop and prove an identity and privilege management service that can be used to apply authentication and access controls by disparate systems and networks desiring to make their resources “sharable” • Deliverable • Demonstrate a universal mechanism, implementation-independent and non-vendor specific, designed to share trusted assertions (agreed set of attributes) that can be used to apply authentication and access controls
Demonstration Scope What’s IN What’s OUT • Policies • Process definition • Established baseline • of vetting requirements • User-to-application • use case • Web-based • applications only • Use open source, non- • commercial software • to keep licensing • costs to a minimum
Participation Premise • Participants retain control over their resources (dissemination & access control decisions made locally) • Participants register and administer their subscriber base • Participants can implement local technologies • Participants agree to a minimal set of policies, procedures, and standards allowing for subscriber authentication and privilege information to be passed between participants • Participation does not preclude independent, out-of-band, bilateral agreements between participants
Use Case • User-to-Application • Premise • User “A” of System “A” needs access to the application(s) of System “B” • Problem • So… how do applications made accessible by System B identify, authenticate, authorize, entitle, and ultimately trust,users of System A?
Use Case Characteristics • A valid subscriber of System “A” can access applications of System “B”; a federation participant • A valid subscriber of System “B” can access applications of System “A”; a federation participant • A subscriber is “registered” locally and is not required to re-register to another federation participant’s system or application
Characteristics, cont’d • A subscriber authenticates locally and is not required to re-authenticate to another federation application • even if that subscriber has traversed multiple applications within the federation • Subscriber information is passed to the federation system or application • access control decisions can be made withoutlocal provisioning
Goal/Objective • A multi-directional electronic exchange of criminal intelligence information, achieved through secure systems interoperability between networks/ information systems currently not capable of doing so.
More Information… Christina Rogers CA Department of Justice (916) 227-3124 Christina.Rogers@doj.ca.gov