Identity Management
Joe Braceland, Mount Airey Group, Inc.
MAG Security Products & Services
• Actively supporting the U.S. Federal Government since 2002.
• Designed and managed the Signature Delivery Service for U.S. Passports.
• Recognized leaders in Identity Management, Public Key Infrastructure, Biometrics, HSPD-12, Public Key Enablement, and secure authorization and privilege management.
• Work closely with standards bodies on the development of new standards for identity and authorization management.
• Experienced with the full life cycle of applications within various federal agencies, including support for IT-CCB processes.
• Provide thought leadership on IT security and HSPD-12 in support of federal agency missions, both domestic and abroad.
• Offer security products that quickly enable secure authentication and authorization.
Overview
• Identity Management
  • Terminology
  • Origins
• Secure Authentication
• Secure Authorization
  • What's a role proof?
• Secure Identity Management Systems
  • Examples
    • Physical/logical access
    • Border security
    • Electronic documents
Identity Management - Terminology
• Identity Management (IdM)
• Identity & Access Management (IAM)
• Federated Identity Management (FIdM)
• Identity, Credential, & Access Management (ICAM)
• Federal ICAM (FICAM)
• Privacy
  • Personal Identity Information (PII)
  • Health Insurance Portability & Accountability Act (HIPAA)
Identity Management - Origins
• Information Technology (IT) security
• Cyber security
• Technologies
  • Biometrics
  • Public Key Infrastructure (PKI)
  • Smart chips and cards
    • Personal Identity Verification (PIV), Common Access Card (CAC), Transportation Worker Identification Credential (TWIC), state driver licenses, electronic passports
  • Cloud, Mobility, Big Data, Social Networking
• Regulations
  • Federal Information Processing Standard (FIPS) 140-2
  • Homeland Security Presidential Directive 12 (HSPD-12)
Secure Authentication
• Who are you? Prove it. Authentication is verifying that you are who you say you are.
• Multi-factor authentication
  • What you know (e.g., password, passphrase, PIN)
  • What you have (e.g., badge, origination documents)
  • What you are (e.g., biometrics, behavior)
• Cryptography
  • PKI (digital signatures, encryption, policies)
  • Hardware tokens and chips
• Identity Validation
  • Global, national, local, and private database systems
• Identity Verification
Secure Authorization
• What are you allowed to do? Let's check. Authorization is determining what you are allowed to do.
• Access control lists
  • Flat files and database lookups
  • Directories (e.g., Active Directory, X.500)
• Access types
  • Risk Adaptive Access Control (RAdAC)
  • Role Based Access Control (RBAC)
  • Attribute Based Access Control (ABAC)
  • eXtensible Access Control Markup Language (XACML 3.0)
  • Policy Based Access Control (PBAC)
• Atomic Authorization
  • Published rights that are secured (cryptographically) independently of the applications that rely on them.
What's a role proof?
• Each proof represents an application or organizational role and has a unique ID.
• Proofs are generated for each role repeatedly, each with only a short life.
• Proofs reference other proofs for delegation; this can be done across multiple authorities.
• Each contains a list of certificates, referenced by their hash, to show authorization.
• Each is digitally signed to give it cryptographic authenticity.
Fields of a role proof (from the slide diagram): Proof Unique ID, Proof Name, Signature Algorithm, Not Before Time, Not After Time, Next Available Version, User Digest Lists, References, Extensions, Signature Value.
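The "atomic authorization" bullet on the Secure Authorization slide and the role-proof structure on this slide describe the same mechanism: a signed, short-lived statement of who holds a role that an application can verify without trusting the application's own database. The following Python is an added worked example, not code from the presenter or Mount Airey Group. It keeps the field names from the diagram, and it makes these assumptions: HMAC-SHA256 with one key per authority stands in for the digital signature so the block runs with the standard library alone (a real deployment signs with a private key and verifies with the authority's certificate); the signing authority is recorded in Extensions; a proof's References name other proofs whose members also hold this role (one reading of "reference other proofs for delegation"); and the certificate bytes, authority keys and 300-second lifetime are constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, field

# Proofs are regenerated repeatedly and live only briefly, so a stale proof
# stops working on its own. 300 seconds is a constructed assumption.
PROOF_LIFETIME_SECONDS = 300

# Constructed stand-ins for per-authority signing keys. The slide's proofs
# carry a digital signature; HMAC-SHA256 is used here only so the example
# runs offline. The trust model (one key per issuing authority) is the same.
AUTHORITY_KEYS = {
    "authority-org": b"constructed-org-authority-key",
    "authority-app": b"constructed-app-authority-key",
}


def cert_digest(cert_der: bytes) -> str:
    """Certificates are referenced by hash in the proof, never embedded."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class RoleProof:
    # Field names follow the diagram on the slide.
    proof_unique_id: str
    proof_name: str
    not_before: int
    not_after: int
    next_available_version: int
    signature_algorithm: str
    user_digest_lists: list   # hashes of the certificates that hold the role
    references: list          # proof_unique_ids this proof delegates to
    extensions: dict = field(default_factory=dict)  # holds "issuer" here
    signature_value: str = ""

    def to_be_signed(self) -> bytes:
        """Canonical encoding of every field except the signature itself."""
        body = asdict(self)
        body.pop("signature_value")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_proof(issuer, proof_id, name, user_certs, references, now, version=1):
    """Build and sign a short-lived proof for one role under one authority."""
    proof = RoleProof(
        proof_unique_id=proof_id,
        proof_name=name,
        not_before=now,
        not_after=now + PROOF_LIFETIME_SECONDS,
        next_available_version=version + 1,
        signature_algorithm="HMAC-SHA256",  # stand-in for a real signature algorithm
        user_digest_lists=sorted(cert_digest(c) for c in user_certs),
        references=list(references),
        extensions={"issuer": issuer},
    )
    key = AUTHORITY_KEYS[issuer]
    proof.signature_value = hmac.new(key, proof.to_be_signed(), hashlib.sha256).hexdigest()
    return proof


def verify_proof(proof, now):
    """Signature must check under the named authority and the time must fall in the window."""
    key = AUTHORITY_KEYS.get(proof.extensions.get("issuer"))
    if key is None:
        return False
    expected = hmac.new(key, proof.to_be_signed(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof.signature_value):
        return False
    return proof.not_before <= now <= proof.not_after


def is_authorized(user_cert, proof_id, proofs, now, _seen=None):
    """Does the holder of user_cert hold the role, directly or through delegation?"""
    seen = set() if _seen is None else _seen
    if proof_id in seen:          # guard against reference cycles
        return False
    seen.add(proof_id)
    proof = proofs.get(proof_id)
    if proof is None or not verify_proof(proof, now):
        return False              # unknown, forged, tampered or expired proofs grant nothing
    if cert_digest(user_cert) in proof.user_digest_lists:
        return True
    # Follow delegation: every referenced proof is verified on its own terms,
    # possibly under a different authority.
    return any(is_authorized(user_cert, ref, proofs, now, seen) for ref in proof.references)


# Constructed sample data: fake certificate bytes and a fixed clock.
NOW = 1_700_000_000
ALICE = b"constructed DER for alice"
BOB = b"constructed DER for bob"
CAROL = b"constructed DER for carol"


def build_example_proofs(now=NOW):
    """An organizational role under one authority, delegated to by an application role under another."""
    org = issue_proof("authority-org", "org-security-officers", "Security Officer", [BOB], [], now)
    app = issue_proof("authority-app", "app-audit-admin", "Audit Admin", [ALICE], ["org-security-officers"], now)
    return {p.proof_unique_id: p for p in (org, app)}


def demo():
    proofs = build_example_proofs()
    results = {
        "alice_direct": is_authorized(ALICE, "app-audit-admin", proofs, NOW),
        "bob_delegated": is_authorized(BOB, "app-audit-admin", proofs, NOW),
        "carol_denied": is_authorized(CAROL, "app-audit-admin", proofs, NOW),
        "expired": is_authorized(ALICE, "app-audit-admin", proofs, NOW + PROOF_LIFETIME_SECONDS + 1),
    }
    # Editing a published proof without the authority's key breaks the signature.
    proofs["app-audit-admin"].user_digest_lists.append(cert_digest(CAROL))
    results["tampered"] = is_authorized(CAROL, "app-audit-admin", proofs, NOW)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the slide is making shows up in `is_authorized`: the relying application never consults its own user table; it only verifies signatures, checks the validity window and matches certificate hashes, so rights stay correct even if the application's storage is compromised, and a proof that is not reissued simply lapses.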
Examples
• U.S. State Department access to federal systems
  • PIV card issuance and verification
  • Physical Access Control System (PACS)
  • Logical Access Control System using BLADE
• Border security with DHS US-VISIT
  • IDENT program
  • Exit program
• Electronic passports (ePassport) and documents
  • Creation using digital signatures
  • Validation at ports of entry
  • International Civil Aviation Organization (ICAO)