TRANSCRIPT
U.S. Department of AgricultureOffice of the Chief Information OfficerInnovative & Operational Architecture
USDA – Identity, Credential and Access Management
Why the FICAM Roadmap is Important!
October, 2009
Complying w/ Laws, Regs, Stds & Governance
Facilitating Electronic Government
Improving USDA’s Security Posture
Enabling Trust & Interoperability
Reducing Costs & Increasing Efficiency
FICAM Scope
(Diagram: FICAM scope covers two subject types, Persons and Non-Persons, across two access domains, Logical Access and Physical Access.)
FICAM Roadmap & Implementation Guidance Overview
• Overview of Identity, Credential, and Access Management. Provides an overview of ICAM that includes a discussion of the business and regulatory reasons for agencies to implement ICAM initiatives within their organization.
• ICAM Segment Architecture. Standards‐based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agency initiatives.
• ICAM Use Cases. Illustrate the as‐is and target states of high level ICAM functions and frame a gap analysis between the as‐is and target states.
• Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.
• ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.
• Implementation Guidance. Provides guidance to agencies on how to implement the transition roadmap initiatives identified in the segment architecture, including best practices and lessons learned.
PART A: ICAM Segment Architecture (Phase 1 of the effort)
PART B: Implementation Guidance (Phase 2 of the effort)
Security: Are We Addressing the Real Issues or Just Skimming the Surface
Do many of our fast “band-aid” answers really address the problem?
Taking Ownership of FICAM’s Work
(Diagram: Core ICAM Vision)
Business Services: Secured transactions; Online signing of documents; Single customer identity management; Partnership collaboration; Single Sign-On; Secure telecommuting; Employee organizational relationship management.
Technical infrastructure: EEMS Administration; Auditing and Reporting; Monitoring; Workflow Engine; Rules Engine; Identity Management System; Provisioning System; Enterprise Directory.
Defining “Ownership” – Improve Identity Mgmt Processes
(Diagram: identity lifecycle states – Active, Suspend, Leave, Retired, Terminated, Fired, … – applied to both Employee and Non-Employee identities, ….)
Defining “Ownership” Update & Complete the Credentialing Processes
Defining “Ownership” – Improve the Access Control Processes
(Diagram: access control functions – Role Management; Entitlement Provisioning; Compliance, Auditing and Reporting; Authentication; Authorization; Access Administration; Access Management; Access Enforcement – applied to three resource classes:)
• Systems: Mainframes, Servers, Workstations, Blackberry devices, ...
• Applications: Enterprise applications, Agency applications, ...
• Facilities: Facilities, Buildings, Rooms, Quarantine Areas, ...
Defining “Ownership” Glue the Pieces Together
FICAM Roadmap & Implementation Guidance Vers 1.0
USDA’s “Glue” – Tying It All Together: Implement Updated Policies, Procedures & Technologies
(Diagram: EEMS at the center – EEMS Administration; Auditing and Reporting; Monitoring; Workflow Engine; Rules Engine; Identity Management System; Provisioning System; Enterprise Directory – fed by the HR/personnel systems NEIS, PayPers and EmpowHR (EmpowHR Person Model), and provisioning to Enterprise SSO, Stand-Alone Servers, Mainframe, AS/400, Active Directories, ePACS, HSPD-12, VPN/NAC, eAuthentication, and Enterprise & Business Apps.)
Legend: Available Now (Phase 1); In Progress (Phase 1a); FY 10 Deliverables (Phase 2).
Example Utilization: Single Sign-On
Desktops, Laptops, VPN’s, eAuthentication, etc.
Example Utilization: Physical Access Controls
For “ultimately” 220 MCF’s …
• National infrastructure in place
• Almost 100 facilities already connected
• Authentication controlled nationally
• Authorization controlled locally
Example Utilization: Role Based Access Control
New Process: If “Loan Officer” = True, then do not add role = “Loan Approver”.
Manual Process:
- Over 200 persons to manage roles
- 73 to handle audit issues
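The two slides above describe an HR-driven identity lifecycle (Active, Suspend, Leave, Retired, Terminated, Fired) and a separation-of-duties rule (a Loan Officer must never also be granted Loan Approver). The following is an added illustration of how a provisioning engine enforces both; it is example code, not USDA's EEMS or any FICAM artifact. Which lifecycle states keep an account enabled, the rule table, the identity records and the audit format are all assumptions made for the example.

```python
"""Added example: HR-lifecycle-driven deprovisioning plus a preventive and a
detective separation-of-duties (SoD) check. Not USDA/EEMS code; the states,
rules and sample identities below are assumptions for illustration."""
from dataclasses import dataclass, field

# Lifecycle states from the slide. Treating every non-Active state (including
# Leave and Suspend) as "account disabled, entitlements removed" is an
# assumption; a real policy may keep accounts during Leave.
ENABLED_STATES = {"Active"}
DISABLED_STATES = {"Suspend", "Leave", "Retired", "Terminated", "Fired"}

# Toxic role combinations. The Loan Officer / Loan Approver pair is the rule
# shown on the slide; it is stored as an unordered pair so the check is
# symmetric whichever role is granted first.
SOD_RULES = {frozenset({"Loan Officer", "Loan Approver"})}


class SoDViolation(Exception):
    """Raised when a role grant would create a toxic combination."""


@dataclass
class Identity:
    user_id: str
    hr_state: str                       # authoritative state from HR (assumed feed)
    roles: set = field(default_factory=set)
    enabled: bool = True


@dataclass
class Provisioner:
    audit: list = field(default_factory=list)   # append-only audit trail

    def _log(self, user_id: str, action: str, detail: str) -> None:
        self.audit.append({"user": user_id, "action": action, "detail": detail})

    def sync_from_hr(self, ident: Identity) -> Identity:
        """Derive account status from the HR state. Any non-Active state disables
        the account and strips every role, so a terminated user cannot keep
        entitlements that were granted while Active."""
        if ident.hr_state in ENABLED_STATES:
            ident.enabled = True
        elif ident.hr_state in DISABLED_STATES:
            if ident.enabled or ident.roles:
                self._log(ident.user_id, "deprovision",
                          f"state={ident.hr_state} roles_removed={sorted(ident.roles)}")
            ident.enabled = False
            ident.roles.clear()
        else:
            # Unknown states fail closed rather than silently keeping access.
            raise ValueError(f"unknown HR state {ident.hr_state!r}")
        return ident

    def add_role(self, ident: Identity, role: str) -> Identity:
        """Preventive SoD control: refuse a grant that conflicts with a held role."""
        if not ident.enabled:
            self._log(ident.user_id, "deny-role", f"{role}: account disabled")
            raise PermissionError(f"{ident.user_id} is disabled")
        for held in ident.roles:
            if frozenset({held, role}) in SOD_RULES:
                self._log(ident.user_id, "deny-role", f"{role} conflicts with {held}")
                raise SoDViolation(f"{role} conflicts with {held} for {ident.user_id}")
        ident.roles.add(role)
        self._log(ident.user_id, "add-role", role)
        return ident

    def sod_report(self, identities) -> list:
        """Detective control: find toxic combinations that already exist
        (e.g. roles granted manually before the rule engine was in place)."""
        findings = []
        for ident in identities:
            for pair in SOD_RULES:
                if pair <= ident.roles:
                    findings.append((ident.user_id, tuple(sorted(pair))))
        return findings


if __name__ == "__main__":
    p = Provisioner()
    officer = Identity("jdoe", "Active")            # constructed sample identity
    p.add_role(officer, "Loan Officer")
    try:
        p.add_role(officer, "Loan Approver")         # blocked by the SoD rule
    except SoDViolation as exc:
        print("denied:", exc)
    leaver = Identity("asmith", "Terminated", roles={"Loan Approver"})
    p.sync_from_hr(leaver)                          # disabled, roles stripped
    legacy = Identity("legacy", "Active", roles={"Loan Officer", "Loan Approver"})
    print("report:", p.sod_report([legacy]))
    for entry in p.audit:
        print(entry)
```

The preventive check in `add_role` is the automated replacement for the "over 200 persons to manage roles" manual process; `sod_report` is what the 73 people handling audit issues would run against the existing population. Both write to the same audit list so denials, not just grants, leave a record.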
Example Utilization: Digital Signatures @ USDA
Scope
– Adobe Acrobat files and forms – Versions 8 & 9
– Microsoft Office (Word, Excel, PowerPoint) – Versions 2003 & 2007
– Microsoft Outlook – Versions 2003 & 2007
– Business Transactions
Questions?
FICAM Provides Us:
• Definitions
• Goals
• Governance
• Targets
• Use Cases
• Transition Concepts
• Soon, Implementation Guidance
Why This is Important: consistent with FICAM, Chapter 6:
• Stakeholder Mgmt
• Risk Mgmt
• H/W Purchases
• S/W Purchases
• Rollout Processes & Costs
• O&M
• C&A
• End User Support