Attribute Exchange and Information Sharing in Action. Federal ICAM Day, June 18, 2013
Panel Participants • Martin Smith, PM-ISE • Ted Sobel, DHS Office of Policy/SCO • David Coxe, ID/DataWeb • Dieter Schuller, Radiant Logic • John Wandelt, GTRI • Anil John, GSA (Moderator)
User Attributes for ABAC Authorization Martin Smith, PM-ISE IdAM Coordinator June 18, 2013
Some (Rebuttable) Assertions about Person Attributes (for Authz)
• The more attributes we have, the more data can be responsibly shared
• But provisioning high-quality (authoritative, accurate, timely) attributes is expen$ive
• Responsible sharing across the environment (multiple organizations) requires common syntax/semantics for the relevant attributes
• But not everyone will use or provision all "registered" attributes
• Today, a user's home organization provisions most attributes; but ultimately each attribute is likely to come from a different source
• This means attribute aggregators, or real-time aggregation via Backend Attribute Exchange (BAE), are essential
• Authorization attributes are not particularly relevant to a major class of use cases: access to one's own personal information (e.g., Social Security account, bank account)
• But they are essential for controlling a user's access to "OPD" (other people's data), privileged functions, and "need to know" data
• Governance of attribute provisioning and use has to be as lightweight as possible (but not more so)
• Basic strategy is to rely on transparency (disclosure of attribute quality, with audit) so that relying parties can make informed choices about the risk they accept when using an attribute
• Initially, attribute quality and suitability (match to "ideal" data) will be poor, but there are incentives for relying parties and attribute providers to meet in the middle
Minimum Standards for the Assertion, Evidence, and Verification of Personal Identity: The Identity Proofing and Verification (IDPV) Standard Development Project. Ted Sobel, DHS Office of Policy / Screening Coordination Office (SCO), June 2013
Background: Need • Common practices to support an identity chain of trust • Requirements that align with established risk categories • Evaluating how an organization proofed an identity
Process: Overview • Step 1 – IAL • Step 2 – Assertion • Step 3 – Verification • Step 4 – Determination
Selection of Attributes • Effectiveness • Sensitivity • Permanence • Accessibility • Necessity
Online Identity Attribute Exchange 2013 Initiatives David Coxe, CEO ID/DataWeb, Inc.
AXN Business Model
The AXN Business Model and Technical Infrastructure:
• Aligns the business objectives of the Identity Ecosystem participants
• Overcomes historical implementation barriers so that everyone benefits
• Expands RP participation to efficiently service and monetize existing markets
• Creates new business channels currently underserved by the Identity Ecosystem
• Enables a neutral, Internet-scale credential and attribute monetization platform
• Efficient, open, competitive transaction and contractual hub
• Unencumbered by legacy business models, regulations, and technologies
• Free to users, lowers RP costs, and opens new market potential for IdPs and APs
• Promotes user trust, online security, and privacy-protective services
• Designed to implement and positively transform the online identity ecosystem
Criterion Systems, Inc. retains ownership of its proprietary information in this presentation.
AXN Services Framework (diagram)
Roles: Trust Framework Provider (TFP), Attribute Providers (AP), Proxy Identity Providers (IdP), Attribute Exchange Network (AXN), Relying Parties (RP), Assessors & Auditors, Dispute Resolvers
• IdP Services: Credential (OpenID 2.0, SAML 2.0, IMI 1.0); Protocol (OAuth 2.0, SAML 2.0, Other); LOA (1-4); Cert/TF (FICAM, OIX, Kantara, Other)
• RP Services: Enroll (Business Purpose, Attribute Selection, Claims Refresh Rate, IdP & AP Selections, User Preferences, Contract); LOA (1-4); Admin (Logs, Reporting, Billing, Contract Management); Cert/TF (FICAM, OIX, Kantara, Other)
• AP Services: Attributes (NEAT, SS, DOB, Gender, Corp Verification); Quality (Refresh Rate, Coverage, Sources, Data Types); Physical (Device ID, BIO, Card, Other); Pricing (Per Transaction, Per User Per Year, Annual License); Cert/TF (FICAM, OIX, Kantara, Other)
• AXN Services: Billing, Pricing and Analytics, Acct Management, Service Provisioning, Contracting, Policy Management, Marketing, Transaction Management, Registration, Operations and Security, Logs, Reporting, Administration, Audit, User Interface
• User Services: Attributes (Not Stored In AXN, Self Asserted, Data Minimization); PDS (PII, Preferences, ABAC, Encrypted, External Store); MAX (User Only, Personal Control and Security, Acct Linking, Federated Access Via RP user)
My Attribute Exchange (MAX): AXN Identity Federation Services
• Credential Federation: verified attributes are used to create new user accounts or bind to existing ones
• Personal Data Services (PDS): user attribute data is not stored in the AXN
• PDS data is presented via MAX to create and manage RP accounts
• User-centric, privacy-protective, secure, and federated
• No cost to the user
• User Management Console (UMC): authenticated users have federated access at each RP
• The UMC is created when a user first opts in to share verified attribute claims via the AXN with an RP
• Users can securely manage the PDS attributes shared with an RP service accessed by an IdP credential
• Enables the user to link and unlink multiple IdP credentials
AXN Business Services
• Credential transaction management services: the IdP authenticates user credentials as a service to RPs registered on the AXN, according to the RP's credential requirements for a given LOA (e.g., 1-4), credential type (e.g., SAML, OpenID, IMI), and trust framework certifications
• Personal (PII) attribute verification and claims management services: RPs designate which PII attributes they require from users; user-asserted, verified attributes and claims are shared with RPs with the user's permission; device ID and biometric attributes are verified as required for RP authorization transactions
• Preference attribute management services: RPs can designate preferences to display to users when they interact with the RP service
• Attribute Based Access Control (ABAC) management services: RPs select authoritative role-based attributes for users to assert when accessing their service
• User Managed Access (UMA) attribute services: UMA services define how users (as resource owners) control access to protected resources by requesting parties
AXN Technology Roadmap: Trust Elevation Services (diagram)
AXN Privacy by Design
• AXN legal agreements: standardized agreements with regulatory flow-down terms from IdPs and APs
• Limit PII collection to what is necessary to accomplish the specified purpose(s)
• Accountability and audit to protect PII through appropriate safeguards
• AXN as a proxy: no single service provider can gain a complete picture of a user's activity
• The AXN data management design mitigates potential threats: it does not create a central data store of verified user attributes
• Security- and privacy-enhancing technology is built into the AXN infrastructure
• Users opt in to each control process for the collection, verification, and distribution of attributes
• User Management Console for attribute and credential management
• Only the minimum necessary information is shared in a transaction (FIPPs)
Attribute Exchange and Information Sharing in Action Dieter Schuller
Authoritative Attribute Exchange Services (AAES) architecture (diagram): consumers (browser, applications, web services application, mobile, other apps) are served by the AAES infrastructure (Authoritative Attribute Manager, Authoritative Attribute Distributor), which draws on authoritative sources (Active Directory, LDAP, databases, other).
Lessons Learned
• Smart sync cache: scalability and performance of a directory; profile lookup at directory speeds
• Translation of protocol, schema, structure, and data
• Consumer-specific views: groups matching application needs; group management
• Complete profile (join)
• Correlation (same users, different IDs): no SSO unless you have this; global user list (union)
• Disambiguation (same IDs, different users): potential for authorization based on the wrong profile
(Diagram illustrates the two cases with the logins RJones, RobertaJ and RJones across sources.)
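The correlation and disambiguation lessons above, as an added example that is not part of the Radiant Logic slides or of any vendor product. Two constructed directories both contain a login "rjones", but for different people; joining on the login alone hands Robert the payroll-admin group that belongs to Roberta, while correlating on an assumed authoritative HR identifier (employee_id, the strong key) builds the global user list correctly and reports the login collision that needs disambiguation. Directory names, records and the employee_id key are all assumptions made for the example.

```python
"""Correlating user profiles across directories without authorizing on the wrong one.

Added example, not from the presentation or from any vendor product. The two
directories and every record in them are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str          # which directory the entry came from
    uid: str             # login ID as that directory knows it (weak key: reused across sources)
    employee_id: str     # HR-assigned identifier, assumed authoritative (strong key)
    name: str
    groups: frozenset    # group memberships granted by that directory


# Constructed sample: both directories contain a login "rjones", but for two
# different people. Roberta's "rjones" in the application LDAP carries a
# privileged group.
ACTIVE_DIRECTORY = (
    Record("ad", "rjones", "E1001", "Robert Jones", frozenset({"ops"})),
    Record("ad", "robertaj", "E2002", "Roberta Jones", frozenset({"finance"})),
)
APP_LDAP = (
    Record("ldap", "rjones", "E2002", "Roberta Jones", frozenset({"payroll-admin"})),
    Record("ldap", "rjones2", "E1001", "Robert Jones", frozenset({"it"})),
)


def naive_join(*directories):
    """Join on login ID alone: same ID, different users get merged (the failure mode)."""
    merged = defaultdict(set)
    for directory in directories:
        for rec in directory:
            merged[rec.uid] |= rec.groups
    return {uid: frozenset(groups) for uid, groups in merged.items()}


def correlate(*directories):
    """Build the global user list (union) keyed by the strong key.

    Returns (profiles, collisions):
      profiles   - employee_id -> {"name", "identities": {source: uid}, "groups"}
      collisions - login IDs that belong to more than one person across sources,
                   i.e. the cases that need disambiguation
    """
    profiles = {}
    owners_of_uid = defaultdict(set)
    for directory in directories:
        for rec in directory:
            prof = profiles.setdefault(
                rec.employee_id, {"name": rec.name, "identities": {}, "groups": set()})
            if prof["name"] != rec.name:
                # A strong key pointing at two names means the source data is bad;
                # stop rather than silently merge.
                raise ValueError(f"employee_id {rec.employee_id} maps to different names")
            if rec.source in prof["identities"]:
                raise ValueError(f"{rec.employee_id} has two entries in {rec.source}")
            prof["identities"][rec.source] = rec.uid
            prof["groups"] |= rec.groups
            owners_of_uid[rec.uid].add(rec.employee_id)
    collisions = {uid: sorted(ids) for uid, ids in owners_of_uid.items() if len(ids) > 1}
    return profiles, collisions


def resolve_login(profiles, source, uid):
    """Map a login at a given source to exactly one global profile.

    The (source, uid) pair is unique; uid alone is not, so a lookup that ignores
    the source is what produces authorization on the wrong profile.
    """
    matches = [eid for eid, prof in profiles.items() if prof["identities"].get(source) == uid]
    if len(matches) != 1:
        raise LookupError(f"{source}:{uid} matched {len(matches)} profiles")
    return matches[0]


if __name__ == "__main__":
    print("naive join gives rjones:", sorted(naive_join(ACTIVE_DIRECTORY, APP_LDAP)["rjones"]))
    profiles, collisions = correlate(ACTIVE_DIRECTORY, APP_LDAP)
    print("collisions needing disambiguation:", collisions)
    for source, uid in (("ad", "rjones"), ("ldap", "rjones")):
        eid = resolve_login(profiles, source, uid)
        print(f"{source}:{uid} -> {eid} {profiles[eid]['name']} groups={sorted(profiles[eid]['groups'])}")
```

The point of the collision report is operational: every login that maps to more than one person is a place where an application that keys on login alone will authorize the wrong profile, so those are the entries to fix (or to force through the source-qualified lookup) before federating.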
Identity and Context Virtualization (diagram): a virtualization layer (aggregation, correlation, integration) sits between applications A through F and the underlying sources (LDAP, SQL, web services/SOA, SCIM, REST) across populations A, B and C, exposing groups, roles, contexts and services.
Enabling Scalable Secure Information Exchange Through Trusted Attributes John Wandelt Georgia Tech Research Institute
GFIPM Standards and Products (document map)
• Outreach & Marketing Resources: Term Matrix, OJP Portal, Doc Map, Web Site, Overview Doc, Exec Overview, Training Modules, Web Svc CONOPS, Alignment CONOPS, Mobile CONOPS
• Technical Assistance Resources: Impl Guide, Ref Federation, U2S Impl Kit, S2S Impl Kit, Impl Web Portal, Join-or-Build?, TIB Onboarding Guide
• Communication Profiles: Web Browser User-to-System Profile, Web Services System-to-System Profile, Mobile Device App Profile, REST Web Services System-to-System Profile, BAE Profile
• Core Tech. Standards & Guidelines: Crypto Trust Model, Fed. CPS Template, Fed. Member CP Template, Metadata 1.0, Metadata 2.0
• Fed. Org. Guidelines: Gov. Guideline, Operational Policies & Procedures Guideline, Membership Agreements Set, Federation Audit Policy, Federation Attribute Release Policy
Legend (status per item not recoverable from the text): Under Development (Timeline TBD); Normative Spec; Published or Released Since Pvs. DT Mtg.; Deprecated and/or Out-of-Date; Complete & Approved (if applicable); Likely to be Updated in 2013
GFIPM Metadata 2.0 NIEF Profile
• MANDATORY (required for audit purposes): Federation Id, Given Name, Sur Name, Email Address Text, Telephone Number, Employer Name, Identity Provider Id
• HIGHLY RECOMMENDED (required by ≥2 SPs): SLEO Indicator, Public Safety Officer Indicator, Employer ORI, Employer Organization General Category Code, Electronic Authentication Assurance Level Code, Id Proofing Assurance Level Code, 28 CFR Certification Indicator
• RECOMMENDED (required by 1 SP): NCIC Certification Indicator, Counter-Terrorism Data Privilege Indicator*, Criminal Investigative Data Privilege Indicator*, Criminal Intelligence Data Privilege Indicator*, Criminal Justice Data Privilege Indicator*, Government Data Privilege Indicator*, Local Id, N-DEx Privilege Indicator
All other attributes are PERMITTED. * Indicates presence of search privilege on behalf of self in the user's home agency.
Use Case Example. Law enforcement officers from the Texas Department of Public Safety need fast, reliable access to gang- and criminal-related information while in the field. The Regional Information Sharing System (RISS) has a database of intelligence information that would allow an officer to conduct a quick background check on potential criminal suspects and assess their criminal history and personal information. For a law enforcement officer to gain access to the system at RISS, he/she must have successfully completed the 28 CFR Part 23 training with the Bureau of Justice Assistance.
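The RISS use case above, and the NIEF profile's mandatory-for-audit attributes, as an added example that is not part of the GTRI slides or of any GFIPM/NIEF software. A relying party's policy for the intelligence database requires the mandatory audit attributes to be present, floors on the asserted authentication and identity-proofing assurance levels, and the SLEO and 28 CFR certification indicators to be true; every failed check is recorded so a denial can be explained and audited. This is also the mechanism behind Martin Smith's transparency point earlier in the deck: the assertion discloses its assurance levels and the relying party decides what it will accept. Assumptions: attribute keys are the slide's display names with spaces removed (real GFIPM assertions carry URI-named SAML attributes), assurance levels are modelled as integers 1-4, the policy floors are illustrative, and all sample assertions are constructed.

```python
"""ABAC decision over a GFIPM-style attribute assertion.

Added example, not from the presentation or from GFIPM/NIEF software. Attribute
keys are the NIEF profile's display names with spaces removed (an assumption:
real GFIPM assertions carry URI-named SAML attributes). Assurance levels are
modelled as integers 1-4 (also an assumption). All sample assertions are constructed.
"""
from dataclasses import dataclass, field
from typing import List

# The NIEF profile marks these MANDATORY because the audit trail needs them.
MANDATORY_FOR_AUDIT = (
    "FederationId", "GivenName", "SurName", "EmailAddressText",
    "TelephoneNumber", "EmployerName", "IdentityProviderId",
)


@dataclass(frozen=True)
class Policy:
    resource: str
    min_auth_level: int        # floor for ElectronicAuthenticationAssuranceLevelCode
    min_proofing_level: int    # floor for IdProofingAssuranceLevelCode
    required_true: tuple       # indicator attributes that must be asserted true


@dataclass
class Decision:
    permit: bool
    reasons: List[str] = field(default_factory=list)


def _is_true(value):
    # SAML attribute values arrive as strings; accept Python bools too.
    return value is True or str(value).strip().lower() == "true"


def _level(value):
    # A missing or unparseable assurance code counts as the lowest level, never as a pass.
    try:
        return int(str(value))
    except (TypeError, ValueError):
        return 0


def evaluate(policy, attrs):
    """Return a Decision; every failed check is recorded so the denial is explainable."""
    reasons = []
    missing = [a for a in MANDATORY_FOR_AUDIT if not attrs.get(a)]
    if missing:
        reasons.append("missing mandatory audit attributes: " + ", ".join(missing))
    auth = _level(attrs.get("ElectronicAuthenticationAssuranceLevelCode"))
    if auth < policy.min_auth_level:
        reasons.append(f"authentication assurance {auth} below required {policy.min_auth_level}")
    proof = _level(attrs.get("IdProofingAssuranceLevelCode"))
    if proof < policy.min_proofing_level:
        reasons.append(f"identity proofing assurance {proof} below required {policy.min_proofing_level}")
    for indicator in policy.required_true:
        if not _is_true(attrs.get(indicator)):
            reasons.append(f"{indicator} not asserted true")
    return Decision(permit=not reasons, reasons=reasons)


def audit_record(policy, attrs, decision):
    """What gets logged: the mandatory identity attributes plus the outcome and reasons."""
    return {
        "resource": policy.resource,
        "subject": {k: attrs.get(k) for k in MANDATORY_FOR_AUDIT},
        "permit": decision.permit,
        "reasons": list(decision.reasons),
    }


# Constructed policy for the RISS use case: the officer must be a sworn law
# enforcement officer with 28 CFR Part 23 certification; the assurance floors
# are illustrative values chosen for this example.
RISS_INTEL_POLICY = Policy(
    resource="riss:intelligence-database",
    min_auth_level=2,
    min_proofing_level=2,
    required_true=("SLEOIndicator", "28CFRCertificationIndicator"),
)

# Constructed assertion; identifiers and contact details are invented.
OFFICER_OK = {
    "FederationId": "example-federation:txdps:jsmith",
    "GivenName": "Jane",
    "SurName": "Smith",
    "EmailAddressText": "jane.smith@dps.example",
    "TelephoneNumber": "+1-512-555-0100",
    "EmployerName": "Texas Department of Public Safety",
    "IdentityProviderId": "example-federation:txdps",
    "SLEOIndicator": "true",
    "ElectronicAuthenticationAssuranceLevelCode": "2",
    "IdProofingAssuranceLevelCode": "2",
    "28CFRCertificationIndicator": "true",
}
OFFICER_NOT_CERTIFIED = {**OFFICER_OK, "28CFRCertificationIndicator": "false"}
OFFICER_WEAK_CREDENTIAL = {**OFFICER_OK, "ElectronicAuthenticationAssuranceLevelCode": "1"}


if __name__ == "__main__":
    for label, assertion in (("certified", OFFICER_OK),
                             ("not certified", OFFICER_NOT_CERTIFIED),
                             ("assurance too low", OFFICER_WEAK_CREDENTIAL)):
        d = evaluate(RISS_INTEL_POLICY, assertion)
        print(label, "->", "PERMIT" if d.permit else "DENY", d.reasons)
```

Two design choices worth noting: an absent assurance code evaluates to level 0 rather than being skipped, so an identity provider that omits the attribute cannot pass a floor by silence; and the decision is computed in full rather than short-circuited, so the audit record lists every reason the request fell short.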
For More Information • GFIPM: http://www.gfipm.net • NIEF: https://nief.gfipm.net/ • Global Information Sharing Initiative: http://it.ojp.gov/default.aspx?area=globalJustice