130 likes | 173 Views
PIV 1. Ketan Mehta Ketan.mehta@nist.gov May 5, 2005. PIV 1. What does it mean to agencies Role-based vs System-based Models Moving forward. What does PIV I mean to agencies?. PIV I requires. PIV I does not specify.
E N D
PIV 1 Ketan Mehta Ketan.mehta@nist.gov May 5, 2005
PIV 1 • What does it mean to agencies • Role-based vs System-based Models • Moving forward
What does PIV I mean to agencies? PIV I requires PIV I does not specify • Credentials may be issued by authorized entity only to individuals whose true identity has been verified • Only an individual with a background investigation on record may be issued a credential; • Fraudulent identity source documents are not accepted as genuine and unaltered; • A person suspected or known to the government as being a terrorist is not issued a credential; • No substitution occurs in the identity proofing process; • No credential is issued unless requested by proper authority; • A credential remains serviceable only up to its expiration date; • A single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential; • An issued credential is not modified, duplicated, or forged. Separation of roles • A particular card technology • Requirements for fingerprint biometrics • Composition of the Identity Credentials • Roles within an agency • Identity proofing process or implementation models • Integration of Physical and Logical access security
Role-based Model Applicant—The individual to whom a PIV credential needs to be issued. PIV Sponsor—The individual who substantiates the need for a PIV credential to be issued to the Applicant, and provides sponsorship to the Applicant. The PIV Sponsor requests the issuance of a PIV credential to the Applicant. PIV Registrar—The entity responsible for identity proofing of the Applicant and ensuring the successful completion of the background checks. The PIV Registrar provides the final approval for the issuance of a PIV credential to the Applicant. PIV Issuer—The entity that performs credential personalization operations and issues the identity credential to the Applicant after all identity proofing, background checks, and related approvals have been completed. The PIV Issuer is also responsible for maintaining records and controls for PIV credential stock to ensure that stock is only used to issue valid credentials.
Identity Management System (IDMS) / Issuer Enrollment /Registrar Identity Verification • 1:n biometric search • Confirm employment • ID Validation through standard government wide services • Government DB’s • Threat risk Card Production & Personalization /Issuer System-based Model Approval Authority / Registrar 1 2 3 Employer/ Sponsorship / Sponsor 5 Employee Application Employee Enrolls 6 7 4 8 Issuer -Card Activation / Issuer Numbers Indicate Functional Areas of Responsibility Green functions manageChain of Trust for Identity Verification
Understand your current environment Employees Employees Partners Partners Administrator Customers Customers User information fragmented, duplicated and obsolete; Redundant processes; Little to no visibility or auditability Administrator Administrator Administrator Timesheets Email Engineering HR Expense Customers Applications and Data Information Systems Resources
Agencies should look to bring coherence to user identities, roles, privileges, and policies User Management Sets up and maintainsuser accounts and privileges (Digital Identities) Credentialing Assigns and manages attributes used to validate a user’s identity (Credentials) Storage Stores user credentials,privileges, and other attributes Authentication Validates identities basedon their credentials (Who you are) Authorization Grants user access to resources based on a secondary set of attributes (What you can access) Users Resources
Agencies that adopt a strategy based approach to their PIV investments will achieve the best return on their investment Strategy Based Approach Produces Maximum ROI Architect the Solution Manage Construction Define The Need What is your current environment? What form will your solution take? How will you implement? • What is your current baseline? • Who are responsible for identity management in your agency? • What are the current processes? • What FIPS 201 objectives are not met in the current environment? • What are the gap areas? • What are your architecture choices? • Insource / Outsource • Federation vs. Not Fed • Trust Path • What is your migration strategy? • What stages will your implementation follow? • How will you leverage prototypes and pilots? How will you manage? • How will you mange the change program? • How will you communicate changes to the organization? • How will you mitigate program risks?