ICAM Target Architecture
Uploaded by joel-rader-cissp
Transcript of ICAM Target Architecture
Starting Off Phase I - Identity vs. Digital Identity
► Identity
Who you are as an individual
Does not change or expire
► Digital Identity
Digital representation of your identity
Represented by identifiers, credentials, and attributes
Can expire, depending on context
Important Considerations of a Digital Identity
► Context
Must be useful, relevant, trustworthy
Must uniquely identify a subject within a given context
In our case, within a specific Agency
► Consistency
Must be referenceable uniformly across applications
Where unique identifiers are not supported, mappings must be established
► High Assurance
Trust that a Digital Identity represents an Identity
Requires Identity Proofing, Vetting, and Adjudication
Building a Digital Identity – Step 1
► Create an Identifier
UUID – Universally Unique Identifier
Unique for all in-scope personnel
► Open Question – 1:1 Mapping?
Should an Identity within the Agency map to one, and only one Digital Identity?
When to assign UUID?
Collisions/Duplications?
Merging/reconciliation process?
Benefits of 1:1 Mapping
Increased security & assurance
Simplified maintenance
Building a Digital Identity – Step 2
► Establish Authoritative Attribute Sources
On-Boarding Systems
Background Investigations
Others?
► Important Considerations:
There should be only one authoritative source per attribute
Are policies in place defining which source is “authoritative”?
Building a Digital Identity – Step 3
► Build Credentials
PKI Certificate(s)
PIV Card
FAC – Facility Access Card
FLAC – Facility & Logical Access Card
► Open Question – Include UUID?
Would map back to Digital Identity
Requires modifications to current processes
If done, would help streamline the credentialing process
► These credentials would become Authoritative Attributes in a Digital Identity
Building a Digital Identity – Step 4
► Application/System Specific Attributes
Only referenced within a specific context
User ID
Role
Legacy/proprietary application support
► Next: What does an ICAM Target Architecture look like?
Authoritative Identity Service (AIS)
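The four steps above, as an added worked example that is not part of the slides and not any agency's actual Authoritative Identity Service: a small AIS in Python that mints one UUID per person and returns the existing record when on-boarding data matches instead of minting a duplicate (Step 1), keeps a policy table with exactly one authoritative source per attribute and rejects an assertion from any other system (Step 2), stores credential attributes such as the CHUID only when the PIV source asserts them (Step 3), and maps a legacy application's own User ID back to the UUID (Step 4). The source names, attribute names, match keys and sample records are all constructed assumptions.

```python
"""Added example, not from the slides: assembling a Digital Identity Record.
Steps 1-4 in code: one UUID per person, one authoritative source per attribute,
no duplicate record for matching on-boarding data, and a mapping for legacy
applications that keep their own User ID. All names and values are constructed."""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field

# Step 2 policy table: exactly one authoritative source per attribute (assumed names).
AUTHORITATIVE_SOURCE = {
    "name": "HR", "hire_date": "HR", "position": "HR",
    "clearance": "BackgroundInvestigation",
    "chuid": "PIV", "fasc_n": "PIV", "certificate": "PKI",
    "display_name": "ActiveDirectory", "email": "ActiveDirectory",
}
# Attributes compared to decide whether on-boarding data describes someone who already
# has a Digital Identity (assumed; real matching uses proofed and vetted data).
MATCH_KEYS = ("name", "hire_date")


class AttributeSourceError(ValueError):
    """A system that is not authoritative for an attribute tried to assert it."""


@dataclass
class DigitalIdentity:
    uuid: str
    attributes: dict = field(default_factory=dict)  # attribute name -> value
    app_ids: dict = field(default_factory=dict)     # application -> local User ID


class AuthoritativeIdentityService:
    def __init__(self) -> None:
        self.records: dict = {}  # UUID -> DigitalIdentity

    def _match(self, hr_attrs: dict) -> DigitalIdentity | None:
        key = tuple(hr_attrs.get(k) for k in MATCH_KEYS)
        for rec in self.records.values():
            if tuple(rec.attributes.get(k) for k in MATCH_KEYS) == key:
                return rec
        return None

    def onboard(self, hr_attrs: dict) -> DigitalIdentity:
        """Step 1: mint one UUID per person. Matching data returns the existing
        record (1:1 mapping) rather than a duplicate to reconcile later."""
        existing = self._match(hr_attrs)
        if existing is not None:
            return existing
        rec = DigitalIdentity(uuid=str(uuid.uuid4()))
        self.records[rec.uuid] = rec
        for name, value in hr_attrs.items():
            self.assert_attribute(rec.uuid, "HR", name, value)
        return rec

    def assert_attribute(self, ident: str, source: str, name: str, value: str) -> None:
        """Steps 2-3: store an attribute only if it comes from its authoritative source."""
        expected = AUTHORITATIVE_SOURCE.get(name)
        if expected is None:
            raise AttributeSourceError(f"no authoritative source defined for {name!r}")
        if source != expected:
            raise AttributeSourceError(
                f"{source} may not assert {name!r}; authoritative source is {expected}")
        self.records[ident].attributes[name] = value

    def bind_app_id(self, ident: str, app: str, local_id: str) -> None:
        """Step 4: record a legacy application's own User ID against the UUID."""
        self.records[ident].app_ids[app] = local_id

    def resolve_app_id(self, app: str, local_id: str) -> str | None:
        """Reverse lookup: which Digital Identity owns this application account?"""
        for rec in self.records.values():
            if rec.app_ids.get(app) == local_id:
                return rec.uuid
        return None


def demo() -> dict:
    """Constructed walk-through; returns the checkable outcomes."""
    ais = AuthoritativeIdentityService()
    hr_feed = {"name": "Alice Example", "hire_date": "2023-01-09", "position": "Analyst"}
    alice = ais.onboard(hr_feed)
    again = ais.onboard(dict(hr_feed))  # same person arrives from a second feed
    ais.assert_attribute(alice.uuid, "BackgroundInvestigation", "clearance", "Secret")
    ais.assert_attribute(alice.uuid, "PIV", "chuid", "CHUID-EXAMPLE-0001")  # constructed value
    rejected = False
    try:  # Application #2 is not authoritative for clearance, so this is refused
        ais.assert_attribute(alice.uuid, "Application2", "clearance", "Top Secret")
    except AttributeSourceError:
        rejected = True
    ais.bind_app_id(alice.uuid, "Application2", "aexample")  # legacy User ID
    return {
        "same_uuid": alice.uuid == again.uuid,
        "record_count": len(ais.records),
        "clearance": alice.attributes["clearance"],
        "rejected_non_authoritative": rejected,
        "resolved": ais.resolve_app_id("Application2", "aexample") == alice.uuid,
        "unmapped": ais.resolve_app_id("Application1", "aexample"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. Putting the "which source is authoritative" policy into a table that the service enforces turns the slide's open question into something auditable: an application that tries to write clearance is refused rather than silently creating a second, conflicting value. The duplicate check here matches on two HR fields only; a real merging/reconciliation process would use identity-proofing data and human adjudication before deciding that two on-boarding records are one person.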
ICAM Target Architecture – Putting Digital Identities to Work
ICAM Target Architecture – Digital Identity Records
[Diagram: the Digital Identity Record assembled by the Identity Management System (IDMS) from Authoritative Attribute Sources, consumed by Systems and Services, and reported on by Auditing and Reporting. Flow labels in the diagram: Data Pull, Data Push, Data Connection & Exchange, Attribute Discovery. Recoverable content follows.]

Authoritative Attribute Sources: Human Resources (HR) Information; Federal Background Investigation Systems; Unique Identifier Generation System; Public Key Infrastructure (PKI) Issuance System; Active Directory; Global Address List (GAL); Application #1; Application #2

Digital Identity Record attribute groups:
  Adjudication Results: Clearance, Criminal Background
  Human Resources Attributes: Sponsor, Name, Address, Hire Date, Position, Medical, Compensation, Dependents, Clearance
  Unique Identifier: UUID
  Personal Identity Verification (PIV) Credential Attributes: Cardholder Unique Identifier (CHUID), FASC-N, Issue Date, Expiration Date
  PKI Attributes: Certificate, Issue Date, Expiration Date
  Active Directory Attributes: Display Name, Title, Email, Company, Department, Office, City
  Application #1 Attributes (not itemized in the diagram)
  Application #2 Attributes: User ID, Role
  Phase 2 & 3 Attributes: Future Application #1 (Attribute 1, Attribute 2, Attribute 3); Future Application #2 (Attribute 1, Attribute 2)

Systems and Services: Active Directory, Global Address List (GAL), Application #1, Application #2

Auditing and Reporting: Hiring Report, Credential Report, Standardization Report, Accounts and Privileges
Target Architecture Overview – PIV Credential Management
Target Architecture Overview – Logical Access Management