Authorization and Attribute Service Tiger Team (AATT) Update & Status
January 13, 2008
Rodolph.morrison@osd.mil
IC/DoD Authorization & Attribute Service Tiger Team (AATT)
December 18, 2007 - Established the IC/DoD AATT
• DoD Co-Chair: Ms. Myra Powell
• IC Co-Chair: Ms. Amy Reiss
• Purpose:
  • Implement Authorization and Attribute Services across the IC & DoD as part of a dynamic information sharing environment that delivers timely information to authorized users
• Objective:
  • Provide operational user/resource owners the ability to control information sharing
  • Result: Users gain appropriate access to mission critical & business information without manual pre-registration processes
  • Identify common interfaces and service specifications that can be used to deploy common authorization and attribute capabilities across the IC & DoD environments
Unified security services enabling agile information sharing and collaboration for SIE and GIG
Why Authorization and Attribute Services
Attribute Based Access Control can enable:
• Dynamic service and data discovery* and access
• Unanticipated (but authorized) access to critical information
• Resource owners can provide services and data to a larger community
• Dynamic, agile security posture (policy) change to meet mission tempo
Access Control
Information is virtually 'trapped' within systems that require account creation, or addition to a list. Manual process to add EACH user to EACH resource.
• Today (diagram): a single user must request access from the Resource 1 owner, and an administrator manually adds EACH user to the Resource 1 access list; for Resource 2 the user again requests access and an account is manually added for EACH user in the domain.
• Future (diagram): users gain access seamlessly - no pre-registration, no delay. Millions of users present attributes that are evaluated against the policy of Resource 1 and the policy of Resource 2, while the services and data remain secure & protected!
IC/DoD AATT Deliverable Status
• Each deliverable is being developed by a subgroup of the AATT.
• Each deliverable team comprises both IC and DoD membership.
• Each deliverable team is co-led by an IC and a DoD representative.
• To date, all deliverable teams have been established and have completed, or are nearly finished with, their deliverables.
AATT Major Contributions
• Technical
  • AATT CONOP
  • AATT Interface Specification
  • AATT Authoritative Source and Attribute Service Guidelines
  • ABAC Pilot Workshop & Pilot alignment
• Policy
  • Recommendations regarding the Authorization and Attribute Policy that needs to be developed.
• Governance
  • AATT identified the need for ongoing Governance to ensure:
    • Compliance with the AATT CONOP
    • Compliance with the AATT Interface Specification
    • Availability of timely, accurate authorization attributes
    • Maintenance of authorization attribute definitions & acceptable values
AATT Deliverables provide a significant contribution toward the implementation of secure, agile information sharing
AATT Proposed On-going Tasks
• Establish Authorization and Attribute Service Working Group
  • The Phase I set of AATT deliverables is just the beginning for building ABAC solutions. More work is needed in support of IdAM and ESM.
• Authorization Attribute Governance Committee
  • Process to add and maintain attributes list
  • Monitor Authoritative Sources
  • Facilitate Community Service Level Agreements
• Additional SAML Profile Work
  • Presently leveraging only Attribute Assertions
  • Today: 80% Attribute Service - 20% Authorization Service
  • Follow-on: 20% Attribute Service - 80% Authorization Service
• Expand the AATT WG membership
  • Identify pilot opportunities that include DoD, IC, Coalition and other Federal efforts.
• Address Advanced Dynamic Policy Capabilities
  • Address Policy (access rule) tools, portability, hierarchy
• Address Attributes for Non Person Entities
  • Users, Systems, Data, Environment, Situation
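As an added example, not code from the AATT deliverables or the briefing, the Python below models the "Today" access-list process versus the "Future" attribute-based policy from the Access Control slide, using the user, data and environment attribute kinds listed under Non Person Entities above. All attribute names, values and the policy are constructed for illustration and are not an AATT-defined attribute set.

```python
# Added example (not from the AATT briefing): "Today" access lists versus
# "Future" attribute-based policy. Attribute names, values and the policy
# are constructed for illustration only.


# Today: every resource keeps its own access list, and an administrator must
# add EACH user to EACH list before that user can reach the resource.
class AccessListResource:
    def __init__(self, name):
        self.name = name
        self.access_list = set()

    def admin_add_user(self, user_id):      # manual, per-user, per-resource step
        self.access_list.add(user_id)

    def permits(self, user_id):
        return user_id in self.access_list


# Future: the resource owner publishes a policy (access rule) written over
# attributes of the user, the data and the environment; any user whose
# asserted attributes satisfy it gains access with no pre-registration.
class PolicyResource:
    def __init__(self, name, policy):
        self.name = name
        self.policy = policy                # attribute name -> acceptable values

    def permits(self, attributes):
        # Every attribute the policy names must be present with an acceptable
        # value; a missing attribute is a deny, never an implicit allow.
        return all(attributes.get(k) in allowed for k, allowed in self.policy.items())


def demo():
    """Return (today, future) decisions for an authorized but never-registered user."""
    # Constructed attribute assertion, as an attribute service might supply it.
    analyst = {"user_id": "analyst-17", "org": "PartnerAgency",
               "role": "analyst", "network": "enclave-A"}

    today = AccessListResource("Resource 1")     # analyst-17 was never added to its list
    future = PolicyResource("Resource 1", {
        "org": {"AgencyA", "PartnerAgency"},     # owner widens the community by policy
        "role": {"analyst"},                     # user attribute
        "network": {"enclave-A"},                # environment attribute
    })
    return today.permits(analyst["user_id"]), future.permits(analyst)
```

Widening the community in the "Future" model is one policy edit by the resource owner, whereas in the "Today" model it is one administrator action per user per resource.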
Resources
• Deliverables are available via the following:
  • High Wiki
    • http://www.intelink.ic.giv/wiki/IC_Authorization_and_Attribute_Servies_Tiger_Team
  • Low Wiki
    • http://www.intelink.gov/wiki/Authorization_and_Attribute_Tiger_Team
  • DKO AATT Group
    • https://www.us.army.mil/suite/page/504666
Point of Contact
• ABAC Lead: Martin Costellic, NII/DoD-CIO
  • Martin.Costellic@osd.mil
Build on the AATT Foundation
Recommended Policy & Governance Deliverable Set
• AATT Policy Recommendations. Develop the authorization and attribute service IC and DoD policies recommended in the AATT Policy Recommendation paper.
• Advanced Policy Recommendations. Develop policies based on lessons learned from pilots and operational deployment.
• Governance. Establish a governance arm to maintain the defined Authorization Attribute Set and report to the DoD and IC Governance bodies.
  • Example Governance topic: Assess and approve changes to the attributes or attribute values, based on the need for a new attribute, or a change to a referenced attribute set.
    • E.g. OMB Organization Names.
Build on the AATT Foundation
Recommended Technical Deliverable Set
• Policy (access rules) Development. Provide guidance and examples for the development of policies (access rules).
• Develop Solutions for a Broad Set of Partners. Adapt existing AATT solutions and/or develop solutions to provide authorization and attribute services for a broader set of partners.
• Develop Detailed Profile Definition with Industry. Further definition of standard profiles for the AATT Interface Specification, to ensure interoperability between DoD and IC implementations, as well as profiles for additional partners.
• Standards Assessment and Recommendation. Assess emerging standards for applicability and possible adoption by the DoD and IC, to include industry adoption of standards.
• Investigate Emerging Standards and Solutions. Assess the utility of a secure token service that combines authentication & authorization for the IC & DoD.
• Pilot Alignment. Continue work to align pilot activities.
Recommended Attributes
*Attributes may be available for use prior to the FY 10-15 timeframe.