The E-Authentication Initiative
E-Authentication: Creating an Environment of Trust
David Temoshok
Director, Identity Policy and Management
GSA Office of Governmentwide Policy

Session Objectives
• Identity Federation Basics
• Why the Federal Government is federating
• Key infrastructure needed for ID Federation
• Interoperability and ID Federation
• E-Authentication Trust Framework
• The Electronic Authentication Partnership and how it facilitates identity federation
The Identity Problem
• Individuals have multiple disconnected identities across the internet and other networks, leading to repeated, stand-alone authentications
• Costly, insecure, inconvenient
(Illustration: one person's three separate accounts)
www.401k.com: User ID 123-45-6789, Password my401k
My.employer.org: User ID jsmith@work.org, Password myjob
www.mytravel.com: User ID frequentflyer, Password etravel
Background
• Federated identity definition
  • Rules, agreements, standards, technologies that make identity and entitlements portable across autonomous domains
  • Is critical for a rich web services environment
• Federated identity technologies and standards
  • PKI – ISO X.509v3
  • Security Assertion Markup Language – OASIS SAML 1.0, 1.1, 2.0
• Lacking standards
  • Biometrics
  • User ID/PIN/Password
  • Knowledge-based authentication
  • One-time passwords
  • Token-based authentication
• Federated identity specifications (SAML)
  • Liberty Alliance
  • Shibboleth
Standards Convergence
• SAML 1.X – Framework for exchanging security information about a principal: authentication, attributes, authorization information
• Liberty ID-FF 1.X – Extends SAML 1.0, 1.1 for federation, SSO, web services
(Diagram: OASIS SAML 1.0, 1.1; Liberty Specifications; Shibboleth Specification; OASIS Standard SAML 2.0)
Four Authentication Assurance Levels to meet multiple risk levels
(Chart: assurance levels plotted against increasing $ cost and increasing need for identity assurance)
Level labels: Low, Medium, High
Credential types, from lowest to highest assurance: PIN/User ID; Knowledge-Based; Very Strong Password; Multi-Factor Token; PKI/Digital Signature
Example transactions placed along the chart: Employee Screening for a High Risk Job; Applying for a Loan; Obtaining Govt. Benefits Online; Access to Protected Website
President's Management Agenda
• 1st Priority: Make Government citizen-centered.
• 5 Key Government-wide Initiatives:
  • Strategic Management of Human Capital
  • Competitive Sourcing
  • Improved Financial Performance
  • Expanded Electronic Government
  • Budget and Performance Integration
PMC E-Gov Agenda (initiative, lead agency)
Government to Citizen:
1. USA Service (GSA)
2. EZ Tax Filing (Treasury)
3. Online Access for Loans (DoED)
4. Recreation One Stop (DOI)
5. Eligibility Assistance Online (Labor)
Government to Business:
1. Federal Asset Sales (GSA)
2. Online Rulemaking Management (EPA)
3. Simplified and Unified Tax and Wage Reporting (Treasury)
4. Consolidated Health Informatics (business case) (HHS)
5. Business Gateway (SBA)
6. Int'l Trade Process Streamlining (DOC)
Government to Govt.:
1. e-Vital (business case) (SSA)
2. Grants.gov (HHS)
3. Disaster Assistance and Crisis Response (FEMA)
4. Geospatial Information One Stop (DOI)
5. Wireless Networks (FEMA)
Internal Effectiveness and Efficiency:
1. e-Training (OPM)
2. Recruitment One Stop (OPM)
3. Enterprise HR Integration (OPM)
4. e-Travel (GSA)
5. e-Clearance (OPM)
6. e-Payroll (OPM)
7. Integrated Acquisition (GSA)
8. e-Records Management (NARA)
Cross-cutting Infrastructure: eAuthentication (GSA)
Key Policy Points
For Governmentwide deployment:
• No National ID.
• No National unique identifier.
• No central registry of personal information, attributes, or authorization privileges.
• Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
• No single proprietary solution
• Deploy multiple COTS products -- user's choice
• Products must interoperate together
• Controls must protect privacy of personal information.
Central Issue with Federated Identity – Who do you Trust?
(Diagram: a trust network linking 280 Million Americans, Millions of Businesses and State/local/global Govts to the sectors and credential providers below)
• Governments: Federal; States/Local; International
• Travel Industry: Airlines; Hotels; Car Rental; Trusted Traveler Programs
• Higher Education: Universities; Higher Education PKI Bridge
• E-Commerce Industry: ISPs; Internet Accounts; Credit Bureaus; eBay
• Financial Services Industry: Home Banking; Credit/Debit Cards
• Healthcare: American Medical Association; Patient Safety Institute
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
Identity Federation – Key Interoperability Needs
Identity Federations extend beyond current peer-to-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.
• Federation Trust (Policy Interoperability)
• Federation Communications (Technical Interoperability)
• Federation Business Relationships (Business Interoperability)
Federation Infrastructure
• Interoperable Technology (Communications)
  • Determine intra-Federation communication architecture -- protocols
  • Administer common interface specifications, use cases, profiles
  • Ensure interoperability (as needed) according to the specifications
  • Provide a common portal service (i.e., discovery and interaction services)
• Trust
  • Establish common trust model
  • Administer common identity management/authentication policies for Federation members
• Business Relationships
  • Establish and administer common business rules
  • Manage relations among relying parties and CSPs
  • Manage compliance/dispute resolution
The Need for Federated Identity Trust and Business Models
• Technical issues for sharing identities are being solved, but slowly
  • Federal Interoperability Lab
  • OASIS and Liberty conformance test programs
• Trust is the critical issue for deployment of federated identity
  • Federated ID networks have a strong need for trust assurance standards
    • How robust are the identity verification procedures?
    • How strong is this shared identity?
    • How secure is the infrastructure?
• Common business rules are needed for federated identity to scale
  • N² bi-lateral trust relationships is not a scalable business process
  • Common business rules are needed to define:
    • Trust assurance and credential strength
    • Roles and responsibilities of IDPs and relying parties
    • Liabilities associated with use of 3rd party credentials
    • Business relationship costs
    • Privacy requirements for handling Personally Identifiable Information (PII)
E-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, adopted by EAP)
2. Establish standard methodology for e-Authentication risk assessment (ERA) (2/04)
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (EAP SAC and Federal CAF)
5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use (2/04)
6. Establish common business rules for use of trusted 3rd-party credentials
7. Test products and implementations for interoperability
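At the relying party, the trust model above reduces to one decision: accept a third-party credential only if the issuing CSP is on the trust list at or above the assurance level the transaction requires. The Python below is an added example written for this page, not code from the presentation, GSA or the EAP. Only the four-level scale comes from the OMB M-04-04 policy the slide cites; the CSP names, RP name, transaction names and their required levels are constructed. It also shows the two checks an RP makes before even consulting the trust list: that the assertion was issued to this RP and that it has not expired.

```python
"""Relying-party acceptance check for a trusted third-party credential.

Added example, not part of the presentation and not GSA or EAP code. It models
the trust model on this slide: four assurance levels (the OMB M-04-04 scale), a
trust list of assessed credential service providers (CSPs), and a relying party
(RP) that accepts an authentication assertion only if the issuing CSP is on the
trust list at or above the level the transaction requires. CSP names, RP name,
transaction names and the transaction-to-level mapping are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# OMB M-04-04 describes four levels of confidence in an asserted identity.
LEVEL_NAMES: Dict[int, str] = {
    1: "little or no confidence",
    2: "some confidence",
    3: "high confidence",
    4: "very high confidence",
}

# Constructed trust list: CSP -> highest assurance level it was assessed for.
TRUST_LIST: Dict[str, int] = {
    "csp.example-bank.test": 3,
    "csp.example-university.test": 2,
    "csp.example-isp.test": 1,
}

# Constructed output of an e-Authentication risk assessment: transaction -> level.
REQUIRED_LEVEL: Dict[str, int] = {
    "view-public-notice": 1,
    "check-benefit-status": 2,
    "apply-for-loan": 3,
    "submit-clearance-form": 4,
}


@dataclass(frozen=True)
class Assertion:
    """Minimal view of what an IDP's authentication assertion (e.g. SAML) carries."""
    issuer: str               # CSP/IDP that authenticated the user
    subject: str              # federated identifier chosen by the CSP, not a national ID
    asserted_level: int       # assurance level the CSP claims for this authentication
    audience: str             # RP the assertion was issued for
    not_on_or_after: datetime  # end of validity window, UTC


def evaluate(assertion: Assertion, transaction: str, rp_id: str,
             now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for using this assertion for this transaction."""
    now = now or datetime.now(timezone.utc)
    required = REQUIRED_LEVEL.get(transaction)
    if required is None:
        return False, f"unknown transaction {transaction!r}"
    if assertion.audience != rp_id:
        return False, "assertion was issued to a different relying party"
    if now >= assertion.not_on_or_after:
        return False, "assertion has expired"
    trusted_level = TRUST_LIST.get(assertion.issuer)
    if trusted_level is None:
        return False, f"issuer {assertion.issuer} is not on the trust list"
    # A CSP cannot vouch above the level it was assessed for, so the effective
    # level is the lower of what it claims and what the trust list grants it.
    effective = min(assertion.asserted_level, trusted_level)
    if effective < required:
        return False, f"level {effective} credential cannot satisfy level {required} transaction"
    return True, f"accepted at level {effective} ({LEVEL_NAMES[effective]})"


# Fixed clock and RP name so the demonstration is reproducible offline.
DEMO_NOW = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
DEMO_RP = "rp.example-agency.test"


def make_assertion(issuer: str, level: int, audience: str = DEMO_RP,
                   lifetime_minutes: int = 5) -> Assertion:
    """Build a constructed assertion valid for lifetime_minutes after DEMO_NOW."""
    return Assertion(issuer, "subject-7f3a", level, audience,
                     DEMO_NOW + timedelta(minutes=lifetime_minutes))


def demo() -> List[Tuple[str, Tuple[bool, str]]]:
    cases = [
        ("bank credential for a loan", make_assertion("csp.example-bank.test", 3), "apply-for-loan"),
        ("bank credential for clearance", make_assertion("csp.example-bank.test", 3), "submit-clearance-form"),
        ("university claims above assessment", make_assertion("csp.example-university.test", 3), "apply-for-loan"),
        ("unlisted CSP", make_assertion("csp.unknown.test", 4), "view-public-notice"),
        ("expired assertion", make_assertion("csp.example-isp.test", 1, lifetime_minutes=0), "view-public-notice"),
    ]
    return [(desc, evaluate(a, tx, DEMO_RP, DEMO_NOW)) for desc, a, tx in cases]


if __name__ == "__main__":
    for desc, (ok, reason) in demo():
        print(f"{'ACCEPT' if ok else 'REJECT'} {desc}: {reason}")
```

The `min()` in `evaluate` is the point of the trust list: the RP's decision rests on the level the CSP was assessed for (step 5 above), not on what the CSP asserts about itself.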
The Need for Identity Federation: Business Case
"Federated identity is economically inevitable…" (Burton Group)
• However, there must be a clear business case that others can understand
• Business opportunity must be meaningful yet realistic
• Business partners need to understand the business case
• The solution must be replicable
  • Start simple, use standard templates, avoid complexity for complexity's sake
  • Leverage open standards
• There should be a clear business case for identity federation for:
  • Financial services industry
  • Health care industry
  • Higher education
Identity Federation Models
• Bi-lateral (peer-to-peer)
• Hub & Spoke (unilateral)
• Circle of Trust (many-to-many)
(Diagram: the three models drawn as networks of "Federated ID" nodes)
The Need for the Electronic Authentication Partnership
(Diagram: IDPs and RPs from the Federal Government, State/Local Governments, Industry and Commercial Trust Assurance Services, linked through Policy, Technical, & Business Interoperability and Common Business and Operating Rules)
Interoperability for:
• Policy
  • Authentication
  • Assurance levels
  • Credential Profiles
  • Accreditation
  • Business Rules
  • Privacy Principles
• Technology
  • Adopted schemes
  • Common specs
  • User Interfaces
  • APIs
  • Interoperable COTS products
  • Authz support
http://www.eapartnership.org/
What is the EAP
• Multi-industry partnership creating a framework for interoperable, trustworthy authentication
• Incorporated non-profit association with 60 members
• Product and technology agnostic
• Goals
  • Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
  • Eliminate or at least reduce the need for organizations to establish bilateral agreements
  • Facilitate the creation of federations through replicable rules
  • Enable federation-to-federation trust
• In practice this means a federated approach
What the EAP is doing now for ID Federation
Current State of Industry: Bi-Lateral Pairs
• Bi-lateral Agreements between each IDP and SP/RP
• Pair-wise Trust Model
• Pair-wise Interface Spec and Products
EAP Objective: Multi-Party, Interoperable Federation
• Common Business Rules/Agreements
• Common Trust Model
• Common Interface Specification
• Interoperable Products
(Diagram: many IDPs and SP/RPs joined through the common elements instead of pair-wise links)
What the EAP envisions for ID Federation
EAP Vision: Multiple, Interoperable Federations
EAP provides:
• Common Business Rules/Agreements
• Common Trust Models
• Common Basic Interface Specifications
• Interoperable Products
(Diagram: Federation 1, Federation 2 and Federation 3, each made up of IDPs and SP/RPs, interoperating through the EAP common elements)
For More Information
David Temoshok
Phone: 202-208-7655
E-mail: david.temoshok@gsa.gov
Websites:
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa
http://cio.gov/ficc