TRANSCRIPT
2009 IT Summit
Federal CIO Council
Breakout Session #5: Identity and Access Management
Federal IT Summit, October 28, 2009
Moderator: Paul Christy, SBA
Paul Grant, DoD; Owen Unangst, USDA; Vance Hitch, USDoJ
Identity, Credential, and Access Management in and with the Federal Government
Paul D. Grant, Special Assistant, Federated IDM and External Partnering, Office of the CIO
Federal IT Summit, October 28, 2009
http://www.IdManagement.Gov
What is ICAM?
• ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.
• Key ICAM service areas include:
  • Digital Identity
  • Credentialing
  • Privilege Management
  • Authentication
  • Authorization & Access
  • Cryptography
  • Auditing and Reporting
President's Budget for FY 2010, extract from Section 9:
LEVERAGING THE POWER OF TECHNOLOGY TO TRANSFORM THE FEDERAL GOVERNMENT
• To support this effort, the Federal Identity, Credential, and Access Management (ICAM) segment architecture provides Federal agencies with a consistent approach for managing the vetting and credentialing of individuals requiring access to Federal information systems and facilities
• The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.
ICAM Scope
[Scope diagram: Persons and Non-Persons; Logical Access and Physical Access]
Alignment of Federal ICAM and:
• CNSS Identity and Access Management (National Security Systems)
• Interagency Security Committee (Physical Access Control)
• Awareness to External Mission Partners for interoperable solutions
FICAM Development Process
The development process involves coordination and collaboration with Federal agencies, industry partners, and cross-government groups.
The Roadmap team has produced the key outputs of the FSAM needed for an ICAM segment architecture, and has coordinated these groups to develop workable approaches to enable cross-government solutions.
Groups involved:
• Committee on National Security Systems (CNSS)
• Interagency Security Committee (ISC)
• Information Sharing Environment (ISE)
• White House National Science and Technology Council (NSTC)
• Office of Management and Budget (OMB)
• National Institute of Standards and Technology (NIST)
• Office of the National Coordinator for Health IT (ONC)
• Multiple agencies represented within the CIO Council subcommittees and working groups
Summary & Conclusions
• Strong identity and access management are foundational to secure information sharing, collaboration and cybersecurity
• Shared guidance is improving; much room for more improvement
  • Clear, Concise, Consistent, Credible
  • For ourselves and our mission partners
• Federal Identity, Credential, and Access Management (ICAM) is providing this consistent approach (with your help)
• Mission partners are fielding strong identity credentials as well as creating federations for sharing & collaboration
• Progress depends on public-private partnering
  • Domestically and
  • Internationally
Enabling Policy and Guidance
HSPD-12:
• The Mandate: HSPD-12, August 27, 2004
• The Standard: FIPS-201, February 25, 2005
• The Implementing Guidance: OMB M-05-24, August 5, 2005
• Federal PKI Common Policy Framework
• Special Publications (technical specs)
The E-Gov Act of 2002:
• The Implementing Guidance: OMB M-04-04, December 16, 2003
• The Technical Spec: SP 800-63, June 2004
The Government Paperwork Elimination Act of 1998:
• Federal Bridge Model Policy
• The Implementing Guidance: OMB M-05-05, December 20, 2004
• The Implementing Guidance: OMB M-00-10, April 25, 2000
M-04-04: E-Authentication Guidance for Federal Agencies
OMB guidance establishes 4 authentication assurance levels (Identity Assurance Levels, IAL):
• Level 1: Little or no confidence in asserted identity. Self-assertion; minimum standards.
• Level 2: Some confidence in asserted identity. On-line instant qualification, out-of-band follow-up.
• Level 3: High confidence in asserted identity. On-line out-of-band verification for qualification; cryptographic solution.
• Level 4: Very high confidence in asserted identity. In-person proofing; record a biometric; cryptographic solution; hardware token.
FICAM Roadmap & Implementation Guidance Overview
• Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.
• ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agency initiatives.
• ICAM Use Cases. Illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states.
• Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.
• ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.
• Implementation Guidance. Provides guidance to agencies on how to implement the transition roadmap initiatives identified in the segment architecture, including best practices and lessons learned.
PART A: ICAM Segment Architecture (Phase 1 of the effort)
PART B: Implementation Guidance (Phase 2 of the effort)
Services Framework Categorization Scheme
• Service Type: Provides a layer of categorization that defines the context of a specific set of service components.
• Service Component: A self-contained business process or service with predetermined and well-defined functionality that may be exposed through a well-defined and documented business or technology interface.
[Diagram: one Service Type containing several Service Components]
Services Framework
• Digital Identity: Digital Identity Lifecycle Management; Identity Proofing; Linking/Association*; Adjudication; Vetting; Authoritative Attribute Exchange
• Credentialing: Issuance; Enrollment/Registration*; Credential Lifecycle Management; Sponsorship; Self-Service*
• Privilege Management: Provisioning; Account Management*; Bind/Unbind; Privilege Administration; Resource Attribute/Metadata Management
• Authentication: Credential Validation; Biometric Validation; Session Management; Federation
• Authorization and Access: Policy Decision; Policy Enforcement; Policy Administration; Backend Attribute Retrieval
• Cryptography: Encryption/Decryption; Digital Signature*; Key Management
• Auditing and Reporting: Audit Trail*; Reports Management
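The Authorization and Access service components listed above (Policy Administration, Policy Decision, Policy Enforcement, Backend Attribute Retrieval) kept as four separate pieces of code, as an added Python example that is not part of the original slides or of any agency's implementation. The rule format, the contents of the attribute store, the subject names and the resource names are constructed for the example; the point it shows beyond the list is that the enforcement point never accepts attributes from the caller, pulls them from the authoritative backend at decision time, and fails closed when that backend cannot answer.

```python
"""Added example: PAP / PDP / PEP / backend attribute retrieval as separate parts.
Not agency code; all names, rules and attribute data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Backend Attribute Retrieval: an authoritative store the PDP queries at decision
# time. Callers never supply their own attributes. Constructed sample data.
ATTRIBUTE_STORE: Dict[str, Dict] = {
    "jdoe": {"agency": "USDA", "roles": {"loan_officer"}},
    "asmith": {"agency": "USDA", "roles": {"loan_officer", "loan_approver"}},
    "vendor7": {"agency": "VENDOR", "roles": {"loan_approver"}},
}


def retrieve_attributes(subject: str) -> Optional[Dict]:
    """None means the backend has no record (or, in a real deployment, is down)."""
    return ATTRIBUTE_STORE.get(subject)


@dataclass(frozen=True)
class Rule:
    resource: str
    action: str
    required_role: str
    required_agency: Optional[str] = None   # None: any agency


class PolicyAdministrationPoint:
    """Policy Administration: the only place rules are created or changed."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self._rules.append(rule)

    def applicable(self, resource: str, action: str) -> List[Rule]:
        return [r for r in self._rules if r.resource == resource and r.action == action]


class PolicyDecisionPoint:
    """Policy Decision: combines policy with freshly retrieved attributes."""

    def __init__(self, pap: PolicyAdministrationPoint,
                 attribute_source: Callable[[str], Optional[Dict]]) -> None:
        self.pap, self.attribute_source = pap, attribute_source

    def decide(self, subject: str, resource: str, action: str) -> str:
        rules = self.pap.applicable(resource, action)
        if not rules:
            return "DENY"              # no applicable policy: default deny
        attrs = self.attribute_source(subject)
        if attrs is None:
            return "INDETERMINATE"     # unknown subject or backend unavailable
        for rule in rules:
            if (rule.required_role in attrs["roles"]
                    and rule.required_agency in (None, attrs["agency"])):
                return "PERMIT"
        return "DENY"


class PolicyEnforcementPoint:
    """Policy Enforcement: the only component that fronts the protected resource."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def access(self, subject: str, resource: str, action: str) -> bool:
        # Fail closed: only an explicit PERMIT opens the resource. INDETERMINATE
        # (attribute retrieval failed) is refused exactly like DENY.
        return self.pdp.decide(subject, resource, action) == "PERMIT"


def build_demo() -> PolicyEnforcementPoint:
    """Wire the three points together with two constructed rules."""
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule("loan/view", "read", "loan_officer", "USDA"))
    pap.add_rule(Rule("loan/approve", "write", "loan_approver", "USDA"))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, retrieve_attributes))


if __name__ == "__main__":
    pep = build_demo()
    for subj in ("jdoe", "asmith", "vendor7", "ghost"):
        print(subj, "loan/approve write ->", pep.access(subj, "loan/approve", "write"))
```

Swapping `retrieve_attributes` for a real directory or attribute-exchange call is the only change needed to move the decision off the sample data; the PEP and PAP do not change, which is the reason the framework lists them as separate components.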
ICAM Subcommittee Accomplishments Summary for FY 2009
• Issued “Personal Identity Verification Interoperability (PIV-I) for non-Federal Issuers” in May 2009, providing guidance on achieving identity credentials that are consistent with the PIV Credential and trustable by the Federal community.
• Initiated work on the ICAM Segment Architecture as Part One of the ICAM Roadmap and Implementation Guidance mandated in the President’s FY-10 Budget. Produced and coordinated multiple drafts. Final release is imminent.
• Published Federal profiles for the implementation of open identity solutions for interaction with the American Public. Current profiles include OpenID and InfoCard for transactions at identity assurance level one.
• Worked with Federal PKI Shared Service Providers to extend strong identity credentialing to the external community in support of PIV Interoperability. Published Trusted Framework Providers Adoption Process.
• Conducted ICAMSC leadership outreach to other identity initiatives in the Federal community, in order to foster a “Clear, Concise, Consistent and Credible” message for ourselves and our external partners; and further socializing this message with state governments and industry through participation in multiple conferences and meetings.
• Developed ICAM Work Plan for 2010
USDA's ICAM Model: Implementing Policies, Procedures & Technologies
[Architecture diagram; components shown: Enterprise SSO; EEMS (Administration, Auditing and Reporting, Monitoring, Workflow Engine, Rules Engine); NEIS; PayPers; EmpowHR; Stand-Alone Servers; Mainframe; AS/400; Active Directories; ePACS; HSPD-12; VPN/NAC; eAuthentication; Identity Management System; Provisioning System; Enterprise Directory; Enterprise & Business Apps; Person Model]
Legend: Available Now (Phase 1); In Progress (Phase 1a); FY 10 Deliverables (Phase 2)
Example Utilization: Single Sign-On
• Desktops
• Laptops
• VPNs
• eAuthentication
• Whole Disk Encryption
• Encrypted Thumb Drives
Example Utilization: Physical Access Controls
• For “ultimately” 220 MCFs
• National infrastructure in place
• Almost 100 facilities already connected
• Authentication controlled nationally
• Authorization controlled locally
Example Utilization: Role Based Access Control
Manual process:
• Over 200 persons to manage roles
• 73 to handle audit issues
New process: If “Loan Officer” = True, then do not add role = “Loan Approver”
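The “Loan Officer” / “Loan Approver” rule on this slide is a static separation-of-duty (SoD) constraint applied when a role is provisioned. The Python below is an added example, not USDA's code: it enforces the rule in both directions at provisioning time, records each decision in an audit trail, and adds a detective check over assignments that were loaded without the rule (as a legacy bulk load would be), which is where audit findings of the kind the slide counts tend to come from. The second conflicting pair, the user names and the audit record format are constructed assumptions.

```python
"""Added example: static separation of duty in role provisioning.
Not USDA code; the conflict table, users and audit format are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Mutually exclusive role pairs; order inside a pair does not matter. Constructed.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"Loan Officer", "Loan Approver"}),      # the rule from the slide
    frozenset({"Payment Preparer", "Payment Releaser"}),  # assumed second pair
}


def conflicts_with(role: str, held: Set[str]) -> Set[str]:
    """Return the subset of `held` that policy forbids alongside `role`."""
    return {h for h in held if frozenset({role, h}) in SOD_CONFLICTS}


class RoleProvisioner:
    def __init__(self) -> None:
        self.assignments: Dict[str, Set[str]] = {}
        # (user, role, outcome, reason): the audit trail of every provisioning decision
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def add_role(self, user: str, role: str) -> bool:
        """Preventive control: refuse the grant if it would create a conflicting pair."""
        held = self.assignments.setdefault(user, set())
        blocking = conflicts_with(role, held)
        if blocking:
            reason = "SoD conflict with " + ", ".join(sorted(blocking))
            self.audit_log.append((user, role, "DENIED", reason))
            return False
        held.add(role)
        self.audit_log.append((user, role, "GRANTED", ""))
        return True

    def remove_role(self, user: str, role: str) -> bool:
        held = self.assignments.get(user, set())
        if role not in held:
            return False
        held.discard(role)
        self.audit_log.append((user, role, "REVOKED", ""))
        return True

    def import_assignments(self, user: str, roles: Set[str]) -> None:
        """Bulk-load roles without the preventive check, as a legacy migration would."""
        self.assignments.setdefault(user, set()).update(roles)

    def sod_violations(self) -> List[Tuple[str, FrozenSet[str]]]:
        """Detective control: users who already hold a conflicting pair."""
        found = [(user, pair) for user, held in self.assignments.items()
                 for pair in SOD_CONFLICTS if pair <= held]
        return sorted(found, key=lambda t: (t[0], sorted(t[1])))


if __name__ == "__main__":
    p = RoleProvisioner()
    p.add_role("jdoe", "Loan Officer")
    print("grant Loan Approver to jdoe:", p.add_role("jdoe", "Loan Approver"))
    p.import_assignments("legacy1", {"Payment Preparer", "Payment Releaser"})
    print("violations after legacy load:", p.sod_violations())
```

The check is symmetric because the conflict table stores unordered pairs: granting “Loan Approver” first and “Loan Officer” second is refused just the same, which a rule written only as “if Loan Officer then not Loan Approver” would miss.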
Example Utilization: Digital Signatures @ USDA
Scope:
– Adobe Acrobat files and forms, versions 8 & 9
– Microsoft Office (Word, Excel, PowerPoint), versions 2003 & 2007
– Microsoft Outlook, versions 2003 & 2007
– Business transactions
Identity, Credential, and Access Management
Today’s Law Enforcement Environment
• Today's world: law enforcement agencies rely on their numerous systems to provide critical information to officers.
• Some systems are internal to an agency, but many more are parts of a national network:
  – Internal Records Management systems
  – Regional Information Sharing Networks (LINKs, ARGIS, etc.)
  – National systems: CJIS, NCIC, N-DEx, IAFIS (NGI), NICS
• The end goal is to provide the “Right Information to the Right Person, at the Right Times”.
• The end result is to provide officers and analysts with critical information that keeps them and the American public safe and secure.
How are we accomplishing this mission?
• We have developed a trusted relationship with limited access points for information sharing.
• We communicate over trusted networks like:
  – CJIS WAN
  – LEO
  – RISS
  – HISN
• Established through policies and procedures developed by participants and governing boards such as the FBI's APB.
• Supported through the use of MOUs signed by all participants that dictate how and what we will share.
Problem
• Today's world requires users to have passwords for every system they access.
• Each system must validate and manage access to its own system.
• There is a need to have individuals' identities validated, managed and vouched for by trusted organizations in a secure way, so that other entities do not have to redo it.
Examples of Ongoing Federated Identity Management Initiatives
• Global Federated Identity & Privilege Management (GFIPM)
• CJIS Federated Identity Management Services (FIMS)
• DOJ's Trusted Broker pilot: the DOJ currently provides a “trusted broker” pilot to help enable organizations to connect Identity Providers to Service Providers more simply and inexpensively.
These initiatives are complementary, not competitive, and are interoperable today.
DOJ's Trusted Broker Pilot
• Currently deployed to 4,400 users at: DOJ, Chicago PD, RISS, LEO
• Service Providers: JABs; HISIN-Intel; LEO-Intelink; RISS-Intelink; Criminal Information Sharing Alliance Network (Southwest Border); RISSNET Portal; myFX (secure internet file sharing offered by DOJ)
• New Service Providers in process: N-DEx, Tripwire, Bomb & Arson Tracking System (BATS, ATF), NGIC
Trusted Broker Operation
Standard process for access to a federation resource:
[Diagram with four parties: User, Identity Provider, Trusted Broker, Service Provider; labelled steps (A) Authentication, between the User and the Identity Provider; (B) SAML, from the Identity Provider to the Trusted Broker; (C) SAML, from the Trusted Broker to the Service Provider; (D) Application, the Service Provider's resource delivered to the User]
Federated Identity Management Using a Trusted Broker Solution
Benefits:
• More information available to more users
• Single sign-on (enhanced user experience)
• Comprehensive audit capability
• Improved alliances across government entities
• Streamlined vetting (cost avoidance/reduction)
• Improved interoperability
• Improved security
  – Vetting is done closer to the user
  – More secure authentication mechanisms
  – Dynamic de-provisioning
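The four-step exchange from the “Trusted Broker Operation” slide, (A) the user authenticates to the Identity Provider, (B) the IdP's assertion goes to the Trusted Broker, (C) the broker's assertion goes to the Service Provider, (D) the application admits the user, written out as an added Python example that is not code from the DOJ pilot. Two simplifications are assumptions of this example and not the pilot's design: assertions are JSON dictionaries rather than SAML XML, and each trust relationship is a shared HMAC key standing in for XML-DSig over the issuer's certificate. Entity identifiers, keys, the user record and its plaintext password are constructed. What the diagram alone does not show is why the broker re-issues instead of forwarding: the SP holds one trust relationship (with the broker), an IdP assertion replayed straight at the SP fails, and an assertion brokered for one SP cannot be presented to another.

```python
"""Added example: a trusted-broker exchange with audience and validity checks.
Not DOJ pilot code. JSON + HMAC stand in for SAML + XML-DSig; all names and keys
are constructed."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

BROKER_ID = "urn:example:trusted-broker"     # constructed entity identifiers
IDP_ID = "urn:example:chicago-pd-idp"
SP_ID = "urn:example:leo-portal"
LIFETIME = 300                                # seconds an assertion stays valid


def _canonical(assertion: Dict) -> bytes:
    """Serialize every field except the signature in a fixed order."""
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: Dict, key: bytes) -> Dict:
    signed = dict(assertion)
    signed["signature"] = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify(assertion: Dict, key: bytes, issuer: str, audience: str, now: int) -> Optional[str]:
    """Return None when acceptable, otherwise the first reason for rejection."""
    expected = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion.get("signature", ""), expected):
        return "bad signature"
    if assertion.get("issuer") != issuer:
        return "untrusted issuer"
    if assertion.get("audience") != audience:
        return "wrong audience"        # an assertion meant for another party is not reusable
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return "outside validity window"
    return None


class IdentityProvider:
    """Holds the user's credential; the only party that performs step (A)."""

    def __init__(self, entity_id: str, broker_key: bytes, users: Dict[str, Dict]) -> None:
        self.entity_id, self.broker_key, self.users = entity_id, broker_key, users

    def authenticate(self, username: str, password: str, now: int) -> Optional[Dict]:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None                # (A) fails: nothing is issued
        # (B) assertion addressed to the broker, never to an SP directly
        return sign({"issuer": self.entity_id, "subject": username, "audience": BROKER_ID,
                     "attributes": sorted(rec["attributes"]),
                     "not_before": now, "not_on_or_after": now + LIFETIME}, self.broker_key)


class TrustedBroker:
    """Trusts a list of IdPs; is the single issuer that every SP trusts."""

    def __init__(self, idp_keys: Dict[str, bytes], sp_keys: Dict[str, bytes]) -> None:
        self.idp_keys, self.sp_keys = idp_keys, sp_keys

    def broker(self, idp_assertion: Dict, target_sp: str, now: int) -> Optional[Dict]:
        idp = idp_assertion.get("issuer")
        key = self.idp_keys.get(idp)
        if key is None or target_sp not in self.sp_keys:
            return None
        if verify(idp_assertion, key, idp, BROKER_ID, now) is not None:
            return None
        # (C) re-issue under the broker's identity, scoped to exactly one SP
        return sign({"issuer": BROKER_ID, "subject": idp + "!" + idp_assertion["subject"],
                     "audience": target_sp, "attributes": idp_assertion["attributes"],
                     "not_before": now, "not_on_or_after": now + LIFETIME}, self.sp_keys[target_sp])


class ServiceProvider:
    def __init__(self, entity_id: str, broker_key: bytes, required_attribute: str) -> None:
        self.entity_id, self.broker_key, self.required_attribute = entity_id, broker_key, required_attribute

    def admit(self, assertion: Dict, now: int) -> bool:
        # (D) one trusted issuer, the broker; the access decision itself stays local
        if verify(assertion, self.broker_key, BROKER_ID, self.entity_id, now) is not None:
            return False
        return self.required_attribute in assertion["attributes"]


def build_demo():
    """One IdP, the broker and one SP wired with constructed keys and one user."""
    idp_key, sp_key = b"idp-broker-shared-key", b"broker-sp-shared-key"
    idp = IdentityProvider(IDP_ID, idp_key, {"officer42": {
        "password": "correct horse", "attributes": ["sworn_officer", "cjis_cleared"]}})
    broker = TrustedBroker({IDP_ID: idp_key}, {SP_ID: sp_key, "urn:example:riss-portal": b"other-sp-key"})
    return idp, broker, ServiceProvider(SP_ID, sp_key, "cjis_cleared")


def run_flow(username: str, password: str, now: int) -> bool:
    idp, broker, sp = build_demo()
    idp_assertion = idp.authenticate(username, password, now)
    if idp_assertion is None:
        return False
    brokered = broker.broker(idp_assertion, SP_ID, now)
    return brokered is not None and sp.admit(brokered, now)


if __name__ == "__main__":
    print("access granted:", run_flow("officer42", "correct horse", int(time.time())))
```

The “dynamic de-provisioning” benefit on the slide falls out of the same structure: the IdP simply stops issuing assertions for a departed user, and every SP behind the broker loses that user within one assertion lifetime, with no per-SP account to clean up.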