Continuous Knowing: Know who is in your Network 11921 Freedom Drive, Suite 710, Reston, VA 20190...


  • Slide 1
  • Continuous Knowing: Know who is in your Network. 11921 Freedom Drive, Suite 710, Reston, VA 20190. Phone: (703) 793-7870 | Web: www.certipath.com. Microsoft and Office are Trademarks of Microsoft Corporation in the United States and/or other countries.
  • Slide 2
  • CertiPath: Who We Are. Identity-focused products and services: PKI-based offerings that make identities safer and efficient to use. An identity policy hub, the CertiPath Bridge: certified once, trusted by many; secure and efficient information exchange; utilized by LACS and PACS. Crafters of Standards and Specifications: authored or co-authored many US credential standards and drafted ICAM's PIV in EPACS specification; once a standard/specification is published, we work with vendors and customers to implement it. Privately Held: private U.S. investors and employee owned.
  • Slide 3
  • According to Verizon's 2013 Data Breach Investigation Report, 76 percent of network intrusions exploited weak or stolen credentials. "We need to make this the year we eliminate passwords," - Mark Orndorff (http://www.federalnewsradio.com/885/3788055/Next-step-for-DoD-cybersecurity-Ditch-passwords-once-and-for-all). "The new OS will feature enhancements in areas like identity protection, data security, and malware resistance" (http://www.infoworld.com/article/2838016/operating-systems/windows-10-to-get-twofactor-authentication-builtin.html). PKI is Center Stage Right Now
  • Slide 4
  • Smartcard Issuance Progress by Agency
  • Slide 5
  • We've Only Just Begun: Credentials issued to our community of interest; Ability to detect outage in the trust network; Ability to detect suspicious credential usage at one application; Ability to detect suspicious credential usage across multiple applications; Relying party reporting rules to issuer of suspicious activity; Ability to update trust lists at relying parties based on suspicion of an issuer
  • Slide 6
  • Who Has That Sort of Capability? Credit Cards. Network Operations: extreme fault tolerance and world class network uptime SLAs. Credit Card Security: multiple providers of fraud detection systems based on card usage (e.g. RSA, Falcon, etc.); suspicious usage at one merchant; suspicious usage across multiple merchants; strong reporting requirements for merchants that backstop auto-detection
  • Slide 7
  • Increased reliance on PKI: Criticality of PKI's information. Major Consumers: Email Users, Websites, Enterprise Gateways, Physical Access Systems, Airplanes. Trust fabric sourced information is increasingly the digital trust currency of the internet. PKI Monitoring
  • Slide 8
  • Monitor the status of the credential and identity infrastructure your applications rely on, even when it's hosted externally. Take action to continuously monitor against access control requirements. Usage Profile: Building & Application Owners
  • Slide 9
  • Monitor the service within the SLA you are providing your customers. Usage Profile: Certificate Issuers
  • Slide 10
  • Continuous monitoring of the health and well-being of the members of your community, including peer bridges. Usage Profile: Trust Framework Providers
  • Slide 11
  • Traditional auditing relies on management assertions, statistical process sampling, and tedious log review. Continuous monitoring tracks the compliance of everything all the time. Usage Profile: Internal & External Auditors
  • Slide 12
  • High Assurance Transactions JPAS Joint Personnel Adjudication System (JPAS)
  • Slide 13
  • User logs in High Assurance Transactions JPAS PKI-Authentication
  • Slide 14
  • High Assurance Transactions: JPAS. When they can't connect, they contact the helpdesk or call center. PKI-Authentication *failed*. User logs in
  • Slide 15
  • High Assurance Transactions: A lot can go wrong. When they can't connect, they contact the helpdesk or call center. PKI-Authentication *failed*. High Assurance Transactions: JPAS
  • Slide 16
  • High Assurance Transactions: A lot can go wrong. An OCSP Responder is offline; Server SSL Cert has expired; Server SSL Cert has been revoked; Server SSL Cert was tampered with; Issuing CA has expired; Server SSL Cert's CRL is offline; Issuing CA's CRL is offline; Issuing CA was tampered with; OCSP Responder Cert was tampered with; OCSP Responder Cert has expired; Issuing CA's Cert has been revoked; Cross-certificate has a new Name Constraint; Cross-certificate has a new Policy Constraint; Cross-certificate has expired; Cross-certificate was tampered with; Unable to build path; AiA location offline; Issuing CA has been re-keyed; Issuing CA's CRL was tampered with; Server SSL Cert's CRL was tampered with; Cross-certificate's CRL was tampered with; Issuing CA's CRL has expired; Server SSL Cert's CRL has expired; SCA Re-key has occurred; SSL Cert has been re-keyed
  • Slide 17
  • High Assurance Transactions take many forms. High Assurance Transactions: A lot can go wrong. An OCSP Responder is offline; Server SSL Cert has expired; Server SSL Cert has been revoked; Server SSL Cert was tampered with; Issuing CA has expired; Server SSL Cert's CRL is offline; Issuing CA's CRL is offline; Issuing CA was tampered with; OCSP Responder Cert was tampered with; OCSP Responder Cert has expired; Issuing CA's Cert has been revoked; Cross-certificate has a new Name Constraint; Cross-certificate has a new Policy Constraint; Cross-certificate has expired; Cross-certificate was tampered with; Unable to build path; AiA location offline; Issuing CA's CRL was tampered with; Cross-certificate's CRL was tampered with; Issuing CA's CRL has expired; Issuing CA Re-key has occurred; SSL Cert has been re-keyed. As it relates to High Assurance Credentials, all applications are the same. Root CA has been re-keyed; Server SSL Cert's CRL was tampered with; Server SSL Cert's CRL has expired
  • Slide 18
  • High Assurance Transactions take many forms As it relates to High Assurance Credentials, all applications are the same User Digitally Signs or encrypts an Email PKI-Digital Signature
  • Slide 19
  • High Assurance Transactions take many forms User Digitally Signs or attempts to encrypt an Email PKI-Digital Signature PKI-Authentication
  • Slide 20
  • High Assurance Transactions take many forms. PKI-Authentication. An OCSP Responder is offline; Server SSL Cert has expired; Server SSL Cert has been revoked; Server SSL Cert was tampered with; Issuing CA has expired; Server SSL Cert's CRL is offline; Issuing CA's CRL is offline; Issuing CA was tampered with; OCSP Responder Cert was tampered with; OCSP Responder Cert has expired; Issuing CA's Cert has been revoked; Cross-certificate has a new Name Constraint; Cross-certificate has a new Policy Constraint; Cross-certificate has expired; Cross-certificate was tampered with; Unable to build path; AiA location offline; Issuing CA has been re-keyed; Issuing CA's CRL was tampered with; Server SSL Cert's CRL was tampered with; Cross-certificate's CRL was tampered with; Issuing CA's CRL has expired; Server SSL Cert's CRL has expired; SCA Re-key has occurred; SSL Cert has been re-keyed
  • Slide 21
  • The Next Level: Continuous Credential Vetting. Today: Access is granted to recognized users while security controls focus on traffic for content & behavior. Risk: Identity is a missing component, networks have a blind spot regarding credential status and use. Opportunity: Include identity as a component of the security model to detect insider and external threats. [Diagram labels: any legit credential (password, access card); infiltration attempts; denial of service; spoofed credentials; endpoint security; protocol; source address; destination address; destination port; source port; header analysis; payload analysis; pattern detection; web-based malware; email attachments; SSO systems; active directory; allowed user; safe credential]
  • Slide 22
  • Identity Provisioning vs. Vetting. Today: Once issued, credentials are never seen by the issuer. Enterprise Risk: Yet, credentials are trusted because the issuer says they are still good. Issuer Risk: Last to know if a credential has gone bad. Opportunity: TFPs/IdPs/RPs work together to create one or more global clearinghouse(s) for use and reputation based on observed behavior of credentials. [Diagram labels: Provisioning vs. Vetting; issue date; expiration date; revocation; misuse; continued use; missing feedback loop]
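
The "A lot can go wrong" conditions on slides 16, 17 and 20 are what a continuous monitor has to evaluate on every poll of the trust path. The Python below is an added example, not code from the presentation or from CertiPath: it checks constructed observations of each component against a pinned baseline and reports only findings that are new since the previous poll. The record fields (`expires`, `sha256`, `spki`, `reachable`, `revoked`), hashes and dates are assumptions made for illustration; how the observations are fetched is out of scope.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed baseline pinned when the path last validated (placeholder hashes).
BASELINE = {
    "Server SSL Cert": {"sha256": "aa11", "spki": "k1"},
    "Issuing CA Cert": {"sha256": "bb22", "spki": "k2"},
    "Cross-certificate": {"sha256": "cc33", "spki": "k3"},
}

def check(name, obs, now, warn=timedelta(days=7)):  # findings for one component
    if not obs["reachable"]:
        return [f"{name} is offline"]        # nothing else can be evaluated
    findings = []
    if obs["expires"] <= now:                # notAfter for certs, nextUpdate for CRLs
        findings.append(f"{name} has expired")
    elif obs["expires"] - now <= warn:
        findings.append(f"{name} expires within {warn.days} days")
    if obs["revoked"]:
        findings.append(f"{name} has been revoked")
    pinned = BASELINE.get(name)              # CRLs and OCSP responders are not pinned
    if pinned and obs["spki"] != pinned["spki"]:
        findings.append(f"{name} has been re-keyed")
    elif pinned and obs["sha256"] != pinned["sha256"]:
        findings.append(f"{name} changed since baseline")  # same key, different bytes
    return findings

def assess(observations, now):               # findings per component, healthy ones omitted
    report = {n: check(n, o, now) for n, o in observations.items()}
    return {n: f for n, f in report.items() if f}

def new_alerts(previous, current):           # findings absent at the previous poll
    return sorted(f for n, fs in current.items() for f in fs if f not in previous.get(n, []))

NOW = datetime(2015, 3, 1, tzinfo=UTC)       # constructed poll time
def obs(expires, sha256=None, spki=None, reachable=True, revoked=False):
    return dict(expires=expires, sha256=sha256, spki=spki,
                reachable=reachable, revoked=revoked)
POLL_1 = {  # constructed: everything healthy except a CRL close to nextUpdate
    "Server SSL Cert": obs(datetime(2016, 1, 1, tzinfo=UTC), "aa11", "k1"),
    "Issuing CA Cert": obs(datetime(2020, 1, 1, tzinfo=UTC), "bb22", "k2"),
    "Cross-certificate": obs(datetime(2017, 1, 1, tzinfo=UTC), "cc33", "k3"),
    "Issuing CA's CRL": obs(datetime(2015, 3, 3, tzinfo=UTC)),
    "OCSP Responder": obs(datetime(2015, 6, 1, tzinfo=UTC)),
}
POLL_2 = {**POLL_1,  # constructed, one hour later: responder down, cross-cert bytes differ
    "OCSP Responder": obs(datetime(2015, 6, 1, tzinfo=UTC), reachable=False),
    "Cross-certificate": obs(datetime(2017, 1, 1, tzinfo=UTC), "dd44", "k3"),
}
```

A changed fingerprint with an unchanged key only says the object differs from the baseline; telling a legitimate reissue (for example a new name or policy constraint) from tampering still requires verifying the signature up the path.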