CIS14: Physical and Logical Access Control Convergence

Cloud Identity Summit 2014, Getting Physical: Holistic Identity Management, 22 July 2014. Karyn Higa-Smith, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency, Science and Technology Directorate. Physical and Logical Access Control Convergence.

Description

Karyn Higa-Smith, DHS Science and Technology Directorate. Presentation including a brief demonstration of what is currently going live in a building in Washington, DC: logical access for hundreds of users with smart cards, using XACML, an OASIS standard, for communication between the physical access control system (PACS) and the logical access control system (LACS).

Transcript of CIS14: Physical and Logical Access Control Convergence

Page 1: CIS14: Physical and Logical Access Control Convergence

Cloud Identity Summit 2014 Getting Physical: Holistic Identity Management

22 July 2014

Karyn Higa-Smith, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency, Science and Technology Directorate

Physical and Logical Access Control Convergence

Page 2: CIS14: Physical and Logical Access Control Convergence

CSD Mission & Strategy

CSD Mission
§ Develop and deliver new technologies, tools and techniques to defend and secure current and future systems and networks
§ Conduct and support technology transition efforts
§ Provide R&D leadership and coordination within the government, academia, private sector and international cybersecurity community

CSD Strategy (diagram; labelled Requirements)
§ Trustworthy Cyber Infrastructure
§ Cybersecurity Research Infrastructure
§ Network & System Security and Investigations
§ Cyber Physical Systems
§ Transition and Outreach: Government, Venture Capital, IT Security Companies, Open Source, International

Page 3: CIS14: Physical and Logical Access Control Convergence

Background

Page 4: CIS14: Physical and Logical Access Control Convergence

S&T Identity Management Testbed

(Diagram of testbed components: Attribute Repository, WS-Security, Policy Decision Point, Attribute Aggregator.)

Page 5: CIS14: Physical and Logical Access Control Convergence


Identity & Access Management Research & Development

Page 6: CIS14: Physical and Logical Access Control Convergence

Technology Transition Working Group

§ PIV-I/FRAC Technology Transition Working Group (TTWG)
§ Public Safety/Emergency Response
§ Security
§ Federated Identity for First Responders
§ National standard, interoperable, and trusted ID credential
§ One voice from the TTWG to policy makers
§ Sharing lessons learned
§ Provide innovative, cost-efficient solutions

Page 7: CIS14: Physical and Logical Access Control Convergence

Enrollment Elements

(Diagram of the elements captured at enrollment: PIN; Authorization Information: Certifications, Clearance, Job Function, Citizenship…)

Page 8: CIS14: Physical and Logical Access Control Convergence

Authentication

• Something you have (the smart card)
• Something you know (the PIN, shown as ****)
• Something you are (biometric)

Page 9: CIS14: Physical and Logical Access Control Convergence


Federated Attribute Exchange

Page 10: CIS14: Physical and Logical Access Control Convergence

End-to-End Standard-Based Attribute Exchange

(Diagram of the attribute exchange flow; labels as on the slide:)
• Authoritative Sources: F/ERO Repository (Attributes); ERO Entitlements Authoritative Source
• SPML Service and SPML Gateway: SPML Profile (Create, Read, Update, Delete); SPML Read-Only Profile; SPML Read-Only Request/Response
• SAML Service: SAML Request/Response; BAE SAML Profile
• Lightweight Protocol: JSON over REST
• Clients: Handheld, Local Workstation, Smartphone, Tablet

OASIS: Organization for the Advancement of Structured Information Standards. F/ERO: Federal/Emergency Response Official. SPML: Service Provisioning Markup Language. SAML: Security Assertion Markup Language.

Page 11: CIS14: Physical and Logical Access Control Convergence

Logical and Physical Access Control Systems Convergence

*show video*

Page 12: CIS14: Physical and Logical Access Control Convergence

Execution Model

Capability Need: Centralized access control management; utilize PIV/PIV-I credentials
Technology: Develop a standard interface between physical and logical access control systems
Impact: Security; remote and central access management; granular access control; smaller footprint; usability; reduced cost
Transition: proof-of-concept pilot, transition to industry
Customer: Fusion Center, FEMA, CSO/CIO

Page 13: CIS14: Physical and Logical Access Control Convergence

Cyber-Physical Access Control System Convergence

§ Requirement for access control management using PIV and PIV-I
§ Interoperability testing at the S&T IdM Testbed
§ Test Physical Access Control System against the "Logical" Policy Decision Point
§ PACS vendors to integrate software code based on the standard interfaces
§ XACML (Extensible Access Control Markup Language): open standard access control policy language

(Diagram: Requestor, Policy Enforcement Point and Policy Decision Point, with the exchange numbered as steps 1 through 5.)
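The Requestor / PEP / PDP exchange in that diagram, as an added example (not code from the DHS S&T pilot, the deck, or any PACS vendor): the door controller acts as the XACML Policy Enforcement Point, builds an XACML 3.0 Request from the attributes read off the PIV/PIV-I card, and the central Policy Decision Point evaluates it and returns a Response. The XACML namespace, category and standard attribute identifiers are the real OASIS ones; the door policy, the `urn:example:attr:*` attribute identifiers, the door IDs and the badge data are constructed for this example.

```python
"""Minimal XACML 3.0 PEP/PDP round trip for a converged PACS/LACS setup.

Added example, not from the DHS S&T deck or any vendor product. Policy data,
urn:example attribute IDs, door IDs and badge records are constructed.
"""
import xml.etree.ElementTree as ET

# Real OASIS XACML 3.0 identifiers.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_INT = "http://www.w3.org/2001/XMLSchema#integer"
XS_BOOL = "http://www.w3.org/2001/XMLSchema#boolean"

# Constructed: subject attributes the PEP reads from the card and its validation.
SUBJECT_ATTRS = [
    ("urn:oasis:names:tc:xacml:1.0:subject:subject-id", "fasc_n", XS_STRING),
    ("urn:example:attr:clearance", "clearance", XS_INT),
    ("urn:example:attr:job-function", "job_function", XS_STRING),
    ("urn:example:attr:cert-valid", "cert_valid", XS_BOOL),
]
# Constructed door policy: minimum clearance and (optionally) allowed job functions.
DOOR_POLICY = {
    "door:lobby": {"min_clearance": 0, "job_functions": None},
    "door:server-room": {"min_clearance": 3, "job_functions": {"IT", "Facilities"}},
}
# Constructed sample badges.
VISITOR = {"fasc_n": "example-fascn-0001", "clearance": 0, "job_function": "Visitor", "cert_valid": True}
IT_ADMIN = {"fasc_n": "example-fascn-0002", "clearance": 3, "job_function": "IT", "cert_valid": True}

def _tag(name):
    return f"{{{XACML_NS}}}{name}"

def build_request(subject, resource_id, action="enter"):
    """PEP side: serialise card attributes plus door and action into an XACML 3.0 <Request>."""
    def attr(parent, aid, value, dtype):
        a = ET.SubElement(parent, _tag("Attribute"), AttributeId=aid, IncludeInResult="false")
        v = ET.SubElement(a, _tag("AttributeValue"), DataType=dtype)
        v.text = str(value).lower() if dtype == XS_BOOL else str(value)
    req = ET.Element(_tag("Request"), ReturnPolicyIdList="false", CombinedDecision="false")
    subj = ET.SubElement(req, _tag("Attributes"), Category=SUBJECT_CAT)
    for aid, key, dtype in SUBJECT_ATTRS:
        if key in subject:  # an attribute the reader could not obtain is simply omitted
            attr(subj, aid, subject[key], dtype)
    res = ET.SubElement(req, _tag("Attributes"), Category=RESOURCE_CAT)
    attr(res, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource_id, XS_STRING)
    act = ET.SubElement(req, _tag("Attributes"), Category=ACTION_CAT)
    attr(act, "urn:oasis:names:tc:xacml:1.0:action:action-id", action, XS_STRING)
    return ET.tostring(req, encoding="unicode")

def _attributes(root, category):
    """Collect {AttributeId: (value, DataType)} for one attribute category."""
    out = {}
    for attrs in root.findall(_tag("Attributes")):
        if attrs.get("Category") != category:
            continue
        for a in attrs.findall(_tag("Attribute")):
            v = a.find(_tag("AttributeValue"))
            out[a.get("AttributeId")] = (v.text, v.get("DataType"))
    return out

def decide(request_xml):
    """PDP side: deny-unless-permit evaluation of DOOR_POLICY.
    Returns (decision, reason) with decision in Permit/Deny/Indeterminate/NotApplicable."""
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return "Indeterminate", "malformed request"
    subj = _attributes(root, SUBJECT_CAT)
    res = _attributes(root, RESOURCE_CAT)
    door = res.get("urn:oasis:names:tc:xacml:1.0:resource:resource-id", (None,))[0]
    rule = DOOR_POLICY.get(door)
    if rule is None:
        return "NotApplicable", f"no policy for {door}"
    # Fail closed: a missing or unparsable attribute never yields Permit.
    try:
        cert_valid = subj["urn:example:attr:cert-valid"][0] == "true"
        clearance = int(subj["urn:example:attr:clearance"][0])
        job = subj["urn:example:attr:job-function"][0]
    except (KeyError, ValueError):
        return "Indeterminate", "required subject attribute missing"
    if not cert_valid:
        return "Deny", "credential certificate not valid (expired or revoked)"
    if clearance < rule["min_clearance"]:
        return "Deny", "clearance below door requirement"
    if rule["job_functions"] is not None and job not in rule["job_functions"]:
        return "Deny", "job function not authorized for this door"
    return "Permit", "all policy conditions met"

def build_response(decision):
    """PDP side: wrap the decision in an XACML 3.0 <Response>."""
    resp = ET.Element(_tag("Response"))
    result = ET.SubElement(resp, _tag("Result"))
    ET.SubElement(result, _tag("Decision")).text = decision
    return ET.tostring(resp, encoding="unicode")

def pep_check(subject, door):
    """Full round trip as the door controller runs it: (unlock?, decision, reason).
    Only an explicit Permit unlocks; Deny, NotApplicable and Indeterminate all keep the door shut."""
    decision, reason = decide(build_request(subject, door))
    got = ET.fromstring(build_response(decision)).find(f"{_tag('Result')}/{_tag('Decision')}").text
    return got == "Permit", got, reason

if __name__ == "__main__":
    for badge, door in [(VISITOR, "door:lobby"), (VISITOR, "door:server-room"), (IT_ADMIN, "door:server-room")]:
        print(badge["job_function"], door, pep_check(badge, door))
```

The point to notice is the PEP's handling of the three non-Permit outcomes: a PACS integrating against a "logical" PDP must treat NotApplicable (no policy for that door) and Indeterminate (PDP unreachable, malformed or incomplete request) exactly like Deny, otherwise a reader that fails to read an attribute, or a door nobody wrote a policy for, becomes the weakest point in the building.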

Page 14: CIS14: Physical and Logical Access Control Convergence


Page 15: CIS14: Physical and Logical Access Control Convergence


Pilot at DC Government

Page 16: CIS14: Physical and Logical Access Control Convergence


Visit Authorization Process

Page 17: CIS14: Physical and Logical Access Control Convergence


Visitor Enrollment Kiosk

Page 18: CIS14: Physical and Logical Access Control Convergence

Lessons Learned

Take Away

Benefits
• Security, Interoperability, Efficiency, Enhances Access Control

Innovation-to-Operations
• Team dynamics, dedication, education
• Convergence required constant communication and coordination with many different groups that normally operate independently

Usability
• Kiosk interface
• Speed

Page 19: CIS14: Physical and Logical Access Control Convergence


Future

Page 20: CIS14: Physical and Logical Access Control Convergence

Resources

Websites
http://www.ahcusa.org/PIV-I%20TTWG.htm
http://www.dhs.gov/csd-idm
http://www.dhs.gov/cyber-research
Follow us on Twitter at @dhsscitech

Page 21: CIS14: Physical and Logical Access Control Convergence

Questions

Karyn Higa-Smith, DHS Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division, Identity, Access, Privacy Research Program. [email protected]

§ Additional Resources
Location-based Access Control: https://www.youtube.com/watch?v=j3LXxqW160k
Data Privacy Research: http://go.usa.gov/8JZ9

Page 22: CIS14: Physical and Logical Access Control Convergence