
Emergence of Identity Management: A Federal Perspective

Emergence of Identity Management: A Federal Perspective. Dr. Peter Alterman Chair, Federal PKI Policy Authority. Background. The Drive for e-Government Automation of the government workplace and opening of Internet to commercial entities


Presentation Transcript


  1. Emergence of Identity Management: A Federal Perspective
     Dr. Peter Alterman
     Chair, Federal PKI Policy Authority

  2. Background
     • The Drive for e-Government
        • Automation of the government workplace and opening of Internet to commercial entities
        • National Performance Review, Government Paperwork Elimination Act of 1998, eSign Act, Electronic Commerce Act, the Quicksilver Initiatives and e-Gov
        • Mirrors the emergence of e-Commerce
     • The Drive for Digital Security
        • Viruses, Trojan horses, spoofing, spamming, DoS attacks, phishing, hostile international exploits, takedown of DOD websites (oh, my!), HSPD-12
     Wilmington, NC November 2005

  3. Identity Requirements for e-Gov
     • Need: To know who you’re doing business (or government) with over the Internet
     • Assumptions:
        • No national ID card, number or account
        • Privacy maintenance to the extent possible with positive identity authentication
        • Levels of identity assurance commensurate with risk
     • Implications:
        • Federated identity providers
        • Policy reasserts itself over technology as the controlling factor in IT communications

  4. The Bureaucracy Responds
     • Quicksilver initiative spawns list of 24 e-Gov applications and 2 infrastructure support programs (enterprise architecture and e-authentication)
     • No additional funds
     • Targets citizen-to-government applications
     • E-Gov apps farmed out to Agencies
     • Infrastructure support programs held by Office of Management and Budget with its faithful servant Igor... the General Services Administration

  5. Current Status of E-Authentication Program Management Office
     • Substantial accomplishments in policy and procedures
     • A “full operational architecture” supporting four levels of identity assurance
        • Levels 1 and 2 assertion-based, Levels 3 and 4 crypto-based
     • Search for government applications leads to requirement for each Agency to offer up one online application for e-authentication enablement in 2005 and one more in 2006
     • Aggressive recruitment of credential services providers in private sector
     • Acknowledgement that the government is setting up an identity federation – and outreach to interoperate with other identity federations

  6. And Then There’s The Enemy Out There
     • Precursor Initiatives included
        • FIPS 199, NIST SP 800-63, NIST SP 800-53, Common Policy Framework, FICC work, OMB M-04-04 and 05-05, etc.
     • Homeland Security Presidential Directive #12:
        • Spawns FIPS-201, SPs 800-73, -76, -78
        • Mandates (for Federal employees and contractors) creation of a positive ID proofing and interoperable PKI-on-a-shingle
        • To control physical and logical access to resources (buildings, networks, applications)

  7. Raising the Stakes: Everything’s Gone Global
     • International Collaborative Identity Management Forum (US-NATO Joint Strike Fighter)
     • Transatlantic Secure Collaboration Project (“reinventing the wheel, one spoke at a time”)
     • Global PKI Bridge Mesh Forming – Grids and Defense establishments’ PKIs do secure electronic collaborative work (like fighting wars)
     • Who Owns Chrysler? Who Owns Volvo? Who Owns Mazda? Who owns that green jacket over there?

  8. Summary Before Going On
     • Governments at all levels want to do electronic transactions with their customers (citizens) securely over the internet.
     • This requires governments to know with whom they are doing business at levels of assurance justified by structured risk assessments and mitigated by proven procedures and technologies.
     • Without issuing identity credentials, governments rely on the thousands of credential services providers currently out there.

  9. Some Animals Are More Equal Than Others
     • Identity for security purposes is a straightforward requirement for knowing the sack o’ cells logging on to that secure data network. Authorization follows. Or doesn’t: still a local decision (the good news).
     • Identity for e-commerce and the civil side of e-government requires much more. Enter attributes: roles, memberships in categories, even portable authorizations.

  10. We’re All Animals
     • Feds and contractors – a gimme.
     • Any corporate entity, including institutions of higher education, doing business with the government will have to adopt FIPS-201 identity proofing sooner or later.
     • Any entity that issues electronic identity credentials (hello – network logons) may experience pressure from their customers to use those credentials for other purposes, like accessing a government online application.

  11. Questions? Disputes?
     • altermap@mail.nih.gov
     • www.cio.gov/fpkipa
     • http://csrc.nist.gov/
     • www.cio.gov/eauthentication
