Federal IT Summit, October 28, 2009
Breakout Session #5: Identity and Access Management
Moderator: Paul Christy, SBA
Panelists: Paul Grant, DoD; Owen Unangst, USDA; Vance Hitch, USDoJ
Paul D. Grant, Special Assistant, Federated IDM and External Partnering, Office of the CIO, DoD (Paul.Grant@OSD.Mil)
Federal IT Summit, October 28, 2009
Identity, Credential, and Access Management in and with the Federal Government
http://www.IdManagement.Gov
What is ICAM?
• ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.
• Key ICAM service areas include:
• Digital Identity
• Credentialing
• Privilege Management
• Authentication
• Authorization & Access
• Cryptography
• Auditing and Reporting
President's Budget for FY 2010, extract from Section 9, "Leveraging the Power of Technology to Transform the Federal Government"
• To support this effort, the Federal Identity, Credential, and Access Management (ICAM) segment architecture provides Federal agencies with a consistent approach for managing the vetting and credentialing of individuals requiring access to Federal information systems and facilities.
• The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.
ICAM Scope
Covers persons and non-persons, for both logical access and physical access.
• Alignment of Federal ICAM with:
• CNSS Identity and Access Management (National Security Systems)
• Interagency Security Committee (Physical Access Control)
• Awareness to external mission partners for interoperable solutions
FICAM Development Process
• The development process involves coordination and collaboration with Federal agencies, industry partners, and cross-government groups.
• The Roadmap team has produced the key outputs of the FSAM needed for an ICAM segment architecture, and has coordinated with these groups to develop workable approaches that enable cross-government solutions:
• Committee on National Security Systems (CNSS)
• Interagency Security Committee (ISC)
• Information Sharing Environment (ISE)
• White House National Science and Technology Council (NSTC)
• Office of Management and Budget (OMB)
• National Institute of Standards and Technology (NIST)
• Office of the National Coordinator (ONC) for Health IT
• Multiple agencies represented within the CIO Council subcommittees and working groups
Summary & Conclusions
• Strong identity and access management are foundational to secure information sharing, collaboration and cybersecurity.
• Shared guidance is improving, with much room for more improvement:
• Clear, concise, consistent, credible
• For ourselves and our mission partners
• Federal Identity, Credential, and Access Management (ICAM) is providing this consistent approach (with your help).
• Mission partners are fielding strong identity credentials as well as creating federations for sharing and collaboration.
• Progress depends on public-private partnering:
• Domestically and
• Internationally
Enabling Policy and Guidance (statute, implementing guidance, standards, special publications and technical specs), in chronological order:
• The Government Paperwork Elimination Act of 1998
• The Implementing Guidance: OMB M-00-10, April 25, 2000
• The E-Gov Act of 2002
• Federal Bridge Model Policy
• The Implementing Guidance: OMB M-04-04, December 16, 2003
• Federal PKI Common Policy Framework
• The Technical Spec: SP 800-63, June 2004
• The Mandate: HSPD-12, August 27, 2004
• The Implementing Guidance: OMB M-05-05, December 20, 2004
• The Standard: FIPS-201, February 25, 2005
• The Implementing Guidance: OMB M-05-24, August 5, 2005
Identity Assurance Levels (IAL): OMB M-04-04, E-Authentication Guidance for Federal Agencies, establishes four authentication assurance levels.
• Level 1: Little or no confidence in asserted identity. Self-assertion; minimum standards.
• Level 2: Some confidence in asserted identity. On-line instant qualification, out-of-band follow-up.
• Level 3: High confidence in asserted identity. On-line out-of-band verification for qualification; cryptographic solution.
• Level 4: Very high confidence in asserted identity. In-person proofing; record a biometric; cryptographic solution; hardware token.
FICAM Roadmap & Implementation Guidance Overview
PART A: ICAM Segment Architecture (Phase 1 of the effort)
• Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.
• ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agency initiatives.
• ICAM Use Cases. Illustrate the as-is and target states of high-level ICAM functions and frame a gap analysis between the as-is and target states.
• Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.
PART B: Implementation Guidance (Phase 2 of the effort)
• ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.
• Implementation Guidance. Provides guidance to agencies on how to implement the transition roadmap initiatives identified in the segment architecture, including best practices and lessons learned.
Services Framework Categorization Scheme
• Service Type: provides a layer of categorization that defines the context of a specific set of service components.
• Service Component: a self-contained business process or service with predetermined and well-defined functionality that may be exposed through a well-defined and documented business or technology interface.
(Diagram: one Service Type groups several Service Components.)
Services Framework (service components grouped by service type; asterisks as on the original slide)
• Digital Identity: Identity Proofing; Vetting; Adjudication; Digital Identity Lifecycle Management; Linking/Association*; Authoritative Attribute Exchange; Backend Attribute Retrieval
• Credentialing: Sponsorship; Enrollment/Registration*; Issuance; Credential Lifecycle Management; Self-Service*
• Privilege Management: Account Management*; Bind/Unbind; Provisioning; Privilege Administration; Resource Attribute/Metadata Management
• Authentication: Credential Validation; Biometric Validation; Session Management; Federation
• Authorization and Access: Policy Administration; Policy Decision; Policy Enforcement
• Cryptography: Encryption/Decryption; Digital Signature*; Key Management
• Auditing and Reporting: Audit Trail*; Reports Management
ICAM Subcommittee Accomplishments Summary for FY 2009
• Issued "Personal Identity Verification Interoperability (PIV-I) for non-Federal Issuers" in May 2009, providing guidance on achieving identity credentials that are consistent with the PIV credential and trustable by the Federal community.
• Initiated work on the ICAM Segment Architecture as Part One of the ICAM Roadmap and Implementation Guidance mandated in the President's FY-10 Budget. Produced and coordinated multiple drafts. Final release is imminent.
• Published Federal profiles for the implementation of open identity solutions for interaction with the American public. Current profiles include OpenID and InfoCard for transactions at identity assurance level one.
• Worked with Federal PKI Shared Service Providers to extend strong identity credentialing to the external community in support of PIV interoperability.
• Published the Trust Framework Providers Adoption Process.
• Conducted ICAMSC leadership outreach to other identity initiatives in the Federal community, in order to foster a "Clear, Concise, Consistent and Credible" message for ourselves and our external partners, and further socialized this message with state governments and industry through participation in multiple conferences and meetings.
• Developed the ICAM Work Plan for 2010.
Owen Unangst, Director of Innovation, US Department of Agriculture
USDA's ICAM Model: Implementing Policies, Procedures & Technologies
(Architecture diagram; components as labelled on the slide:) Identity Management System; Rules Engine; Workflow Engine; EEMS Auditing and Reporting; EEMS Administration; Monitoring; eAuthentication; EmpowHR; EmpowHR Person Model; NEIS; PayPers; Enterprise Directory; Enterprise SSO; Provisioning System; Stand-Alone Servers; Mainframe; AS/400; Enterprise & Business Apps; ePACS (HSPD-12); Active Directories; VPN/NAC.
Legend: Available Now (Phase 1); In Progress (Phase 1a); FY 10 Deliverables (Phase 2).
Example Utilization: Single Sign-On
Desktops; laptops; VPNs; eAuthentication; whole-disk encryption; encrypted thumb drives.
Example Utilization: Physical Access Controls
For "ultimately" 220 MCFs: national infrastructure in place; almost 100 facilities already connected.
Authentication is controlled nationally; authorization is controlled locally.
Example Utilization: Role Based Access Control
Manual process:
- Over 200 persons to manage roles
- 73 to handle audit issues
New process (rule enforced by the rules engine):
If "Loan Officer" = True Then Do not add role = "Loan Approver"
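The slide's rule is a separation-of-duties (SoD) constraint evaluated at provisioning time. The following is an added example, not USDA's code, of how a small rules engine enforces such a constraint and also produces the audit finding that the manual process needed staff for. The Loan Officer / Loan Approver pair is the one on the slide; the second conflict pair, the user records and the audit-record format are constructed for illustration.

```python
"""Separation-of-duties (SoD) enforcement in a role-provisioning rules engine.

Added illustration; not USDA's code. The Loan Officer / Loan Approver rule is
the one on the slide; the second conflict pair, the user records and the audit
record format are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed SoD policy: each pair lists two roles one person may not hold together.
SOD_CONFLICTS = {
    frozenset({"Loan Officer", "Loan Approver"}),        # rule quoted on the slide
    frozenset({"Payment Preparer", "Payment Releaser"}),  # constructed second pair
}


@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)


AUDIT_LOG = []  # append-only list of decision records (constructed format)


def conflicts_for(role, held):
    """Return the already-held roles that policy forbids alongside `role`."""
    return sorted(r for r in held if frozenset({role, r}) in SOD_CONFLICTS)


def request_role(user, role, requested_by):
    """Automated form of 'If Loan Officer = True then do not add Loan Approver'.

    Every decision is recorded, so the audit trail exists without manual work.
    Returns True when the role was granted, False when SoD policy blocked it.
    """
    blocking = conflicts_for(role, user.roles)
    AUDIT_LOG.append({
        "uid": user.uid, "role": role, "by": requested_by,
        "decision": "DENY" if blocking else "GRANT", "conflicts": blocking,
    })
    if blocking:
        return False
    user.roles.add(role)
    return True


def audit_existing(users):
    """Detective control: find users who already hold a forbidden pair.

    This is the review the slide says took 73 people when done by hand.
    """
    findings = []
    for u in users:
        for pair in SOD_CONFLICTS:
            if pair <= u.roles:
                findings.append((u.uid, tuple(sorted(pair))))
    return sorted(findings)


if __name__ == "__main__":
    alice = User("alice", {"Loan Officer"})
    print(request_role(alice, "Loan Approver", "manager1"))   # False: blocked by SoD
    print(request_role(alice, "Report Viewer", "manager1"))   # True
    bob = User("bob", {"Loan Officer", "Loan Approver"})     # constructed legacy account
    print(audit_existing([alice, bob]))                       # bob is flagged
    for rec in AUDIT_LOG:
        print(rec)
```

The preventive check (`request_role`) and the detective check (`audit_existing`) share one policy table, so a conflict added to `SOD_CONFLICTS` is both blocked for new requests and surfaced for accounts provisioned before the rule existed.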
Example Utilization: Digital Signatures @ USDA
Scope:
• Adobe Acrobat files and forms, versions 8 & 9
• Microsoft Office (Word, Excel, PowerPoint), versions 2003 & 2007
• Microsoft Outlook, versions 2003 & 2007
• Business transactions
Vance Hitch, Chief Information Officer, US Department of Justice
Today's Law Enforcement Environment
Today's world: law enforcement agencies rely on their numerous systems to provide critical information to officers. Some systems are internal to an agency, but many more are parts of a national network:
• Internal records management systems
• Regional information sharing networks (LINK, ARGIS, etc.)
• National systems: CJIS, NCIC, N-DEx, IAFIS (NGI), NICS
The end goal is to provide the "Right Information to the Right Person, at the Right Times." The end result is to provide officers and analysts with critical information that keeps them and the American public safe and secure.
How are we accomplishing this mission?
• We have developed a trusted relationship with limited access points for information sharing.
• We communicate over trusted networks such as CJIS WAN, LEO, RISS and HSIN.
• Established through policies and procedures developed by participants and governing boards such as the FBI's APB.
• Supported through the use of MOUs signed by all participants that dictate how and what we will share.
Problem
Today's world requires users to have passwords for every system they access, and each system must validate and manage access on its own. There is a need to have individuals' identities validated, managed and vouched for by trusted organizations in a secure way, so that other entities do not have to redo it.
Examples of Ongoing Federated Identity Management Initiatives
• Global Federated Identity & Privilege Management (GFIPM)
• CJIS Federated Identity Management Services (FIMS)
• DOJ's Trusted Broker pilot: the DOJ currently provides a "trusted broker" pilot to help organizations connect Identity Providers to Service Providers more simply and inexpensively.
These initiatives are complementary, not competitive, and are interoperable today.
DOJ's Trusted Broker Pilot
• Currently deployed to 4,400 users at: DOJ, Chicago PD, RISS, LEO
• Service Providers:
• JABs
• HISIN-Intel
• LEO-Intelink
• RISS-Intelink
• Criminal Information Sharing Alliance Network (Southwest Border)
• RISSNET Portal
• myFX (secure internet file sharing offered by DOJ)
• New Service Providers in process: N-DEx, Tripwire, Bomb & Arson Tracking System (BATS, ATF), NGIC
Federated Identity Management Using a Trusted Broker Solution: Benefits
• More information available to more users
• Single sign-on (enhanced user experience)
• Comprehensive audit capability
• Improved alliances across government entities
• Streamlined vetting (cost avoidance/reduction)
• Improved interoperability
• Improved security:
• Vetting is done closer to the user
• More secure authentication mechanisms
• Dynamic de-provisioning
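The Problem, Trusted Broker and Benefits slides above describe one pattern: an Identity Provider vouches for a user, a broker validates that assertion once, and Service Providers accept the broker's decision instead of each running its own password store. The following added example, which is not code from the DOJ pilot or any of the named initiatives, sketches that exchange so the benefits are concrete: the broker keeps a single audit trail, applies each SP's trust decision, and re-checks the account at the IdP on every exchange, which is what makes de-provisioning immediate. It assumes a shared HMAC key per registered IdP (a real deployment would use PKI-signed SAML assertions), a status query the broker can make to the IdP, and broker-issued short-lived tokens; all keys, identifiers, directory entries and clock values are constructed.

```python
"""Trusted-broker exchange between an Identity Provider (IdP) and Service Providers (SPs).

Added illustration of the federated pattern on the slides; not code from the DOJ
pilot. Assumptions: the broker holds one shared HMAC key per registered IdP (a
real deployment would use PKI-signed SAML assertions), can ask an IdP whether an
account is still active, and issues its own short-lived SP-scoped tokens. Keys,
identifiers, directory entries and clock values are constructed.
"""
import hashlib
import hmac
import json

# Broker configuration (constructed).
IDP_KEYS = {"idp.metro-pd": b"constructed-shared-secret-do-not-reuse"}
SP_TRUSTS = {                      # which IdPs each SP has agreed (by MOU) to accept
    "records-portal": {"idp.metro-pd"},
    "intel-share": set(),          # no IdP onboarded for this SP yet
}
TOKEN_TTL = 300                    # seconds; broker tokens are short-lived

# IdP side (constructed). De-provisioning = setting "active" to False here, once.
IDP_DIRECTORY = {
    "idp.metro-pd": {"officer42": {"active": True, "attrs": {"role": "sworn-officer"}}},
}

AUDIT = []  # broker audit trail: one record per exchange attempt (constructed format)


def idp_sign(idp_id, uid, now):
    """IdP asserts 'uid authenticated here at time now'. Returns (body, signature)."""
    entry = IDP_DIRECTORY[idp_id][uid]
    payload = {"iss": idp_id, "sub": uid, "iat": now, "exp": now + 120, "attrs": entry["attrs"]}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[idp_id], body, hashlib.sha256).hexdigest()
    return body, sig


def idp_is_active(idp_id, uid):
    """Status query the broker makes at exchange time (enables dynamic de-provisioning)."""
    return IDP_DIRECTORY.get(idp_id, {}).get(uid, {}).get("active", False)


def broker_exchange(body, sig, sp_id, now):
    """Validate an IdP assertion for `sp_id`; return an SP-scoped token or None.

    Order matters: read only the issuer, verify the signature before trusting any
    other field, then check freshness, the SP's trust list and current account status.
    """
    def deny(reason, sub=None, idp=None):
        AUDIT.append({"t": now, "sp": sp_id, "idp": idp, "sub": sub, "result": reason})
        return None

    try:
        claims = json.loads(body)
    except ValueError:
        return deny("unparseable")
    idp = claims.get("iss")
    key = IDP_KEYS.get(idp)
    if key is None:
        return deny("unknown-idp", idp=idp)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return deny("bad-signature", idp=idp)      # no other claim is trusted past this point
    sub = claims.get("sub")
    if now >= claims.get("exp", 0):
        return deny("expired", sub, idp)
    if idp not in SP_TRUSTS.get(sp_id, set()):
        return deny("sp-does-not-trust-idp", sub, idp)
    if not idp_is_active(idp, sub):
        return deny("deprovisioned", sub, idp)     # vetting stays with the home organization

    token = {"sub": f"{idp}!{sub}", "aud": sp_id, "iat": now, "exp": now + TOKEN_TTL,
             "attrs": claims.get("attrs", {})}
    AUDIT.append({"t": now, "sp": sp_id, "idp": idp, "sub": sub, "result": "issued"})
    return token


if __name__ == "__main__":
    body, sig = idp_sign("idp.metro-pd", "officer42", now=1_000_000)
    print(broker_exchange(body, sig, "records-portal", now=1_000_010))   # token issued
    print(broker_exchange(body, sig, "intel-share", now=1_000_010))      # None: SP trusts no IdP
    IDP_DIRECTORY["idp.metro-pd"]["officer42"]["active"] = False           # de-provision at the IdP
    print(broker_exchange(body, sig, "records-portal", now=1_000_020))   # None: still-valid assertion refused
    for rec in AUDIT:
        print(rec)
```

Because the SP only ever sees broker tokens scoped to itself (`aud`), an SP does not need to know each IdP's key material or password policy, and the `AUDIT` list is the single place where every cross-organization access attempt, successful or not, is recorded.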
Questions? http://www.cio.gov/committees/InformationSecurity.cfm