Identity, Credential, and Access Management - Home | … · Identity, Credential, and Access...
-
Upload
truongngoc -
Category
Documents
-
view
224 -
download
1
Transcript of Identity, Credential, and Access Management - Home | … · Identity, Credential, and Access...
Identity, Credential, and Access Management
Federal CIO Council Information Security and Identity Management Committee
Open Solutions for Open Government
Judith Spencer Co-Chair, ICAM Subcommittee Office of Governmentwide Policy GSA [email protected]
www.idmanagement.gov
Identity, Credential, and Access Management
What is ICAM?
ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.
Key ICAM Service Areas Include: Digital Identity Credentialing Privilege Management Authentication Authorization & Access Cryptography Auditing and Reporting
Identity, Credential, and Access Management
ICAM Scope
Identity, Credential, and Access Management
4
Enabling Policy and Guidance
The Mandate: HSPD-12
August 27, 2004
The Standard: FIPS-201
February 25, 2005
The Implementing Guidance:
OMB M-05-24 August 5, 2005
Federal PKI Common Policy
Framework
Special Publications Technical Specs.
The E-Gov Act 0f 2002
The Implementing Guidance:
OMB M-04-04 December 16, 2003
The Technical Spec: SP 800-63 June 2004
The Government Paperwork Elimination
Act 0f 1998
Federal Bridge Model Policy
The Implementing Guidance:
OMB M-05-05 December 20, 2004
The Implementing Guidance:
OMB M-00-10 April 25, 2000
Identity, Credential, and Access Management
ICAM Drivers Increasing Cybersecurity threats
There is no National, International, Industry “standard” approach to individual identity on the network. (CyberSecurity Policy Review)
Security weaknesses found across agencies included the areas of user identification and authentication, encryption of sensitive data, logging and auditing, and physical access (GAO-09-701T)
Need for improved physical security Lag in providing government services electronically Vulnerability of Personally Identifiable Information (PII) Lack of interoperability
“The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions.” (President’s FY2010 Budget)
High costs for duplicative processes and data management
5
Identity, Credential, and Access Management
The development process involves coordination and collaboration with Federal Agencies, industry partners, and cross-government working groups.
The Roadmap team identified the key outputs of the Federal Segment Architecture Methodology (FSAM) needed for an ICAM segment architecture and coordinated these groups to develop workable approaches to enable cross-government solutions.
6
Interagency Security Committee (ISC) Information Sharing Environment (ISE) White House National Science and
Technology Council (NSTC) Committee for National Security Systems
(CNSS) Office of Management and Budget National Institute of Standards and
Technology (NIST) Office of National Coordinator (ONC) for
Health IT Multiple agencies represented within the
CIO council subcommittees and working groups
FICAM Development Process
Identity, Credential, and Access Management
FICAM Roadmap & Implementation Guidance Overview The Federal ICAM Roadmap outlines a strategic vision for identity, credential, and
access management efforts within the Executive Branch of the Federal Government and how the Executive Branch of the Federal Government will interact with external organizations and individuals.
ICAM Segment Architecture. Standards-based architecture that outlines a cohesive target state to ensure alignment, clarity, and interoperability across agency initiatives.
ICAM Use Cases. Illustrate the as-is and target states of high level ICAM functions and frame a gap analysis between the as-is and target states.
Transition Roadmap and Milestones. Defines a series of logical steps or phases that enable the implementation of the target architecture.
ICAM Implementation Planning. Augments standard life cycle methodologies as they relate to specific planning considerations common across ICAM programs.
Implementation Guidance. Provides guidance to agencies on how to implement the transition roadmap initiatives identified in the segment architecture, including best practices and lessons learned.
7
PART A: ICAM Segment Architecture (Phase 1 of the effort)
PART B: Implementation Guidance (Phase 2 of the effort)
Identity, Credential, and Access Management
Measuring Success
Identity, Credential, and Access Management
Increasing the Trusted Credential Community
Back to Basics – M-04-04 and NIST 800-63 are still the foundational policy/technical guidance for identity management in the Federal government.
Establish unified architecture for Identity Management
Outreach to communities of interest Explore natural affinities
Increase the community of trust through innovative inter-federation at all levels of assurance
Promote strong credential usage through Federal PKI partnerships with industry providers
Identity, Credential, and Access Management
M-04-04:E-Authentication Guidance for Federal Agencies
OMB Guidance establishes 4 authentication assurance levels
Level 4 Level 3 Level 2 Level 1 Little or no confidence
in asserted identity Some confidence in
asserted identity High confidence in asserted identity
Very high confidence in the asserted
identity
Assurance Levels
Self-assertion minimum records
On-line, instant qualification – out-of-
band follow-up
On-line with out-of-band verification for
qualification Cryptographic solution
In person proofing Record a biometric
Cryptographic Solution Hardware Token
Assertion-based Crypto-based
Identity, Credential, and Access Management
FIPS 199 Risk/Impact Profiles Assurance Level Impact Profiles
Potential Impact Categories for Authentication Errors 1 2 3 4
Inconvenience, distress or damage to standing or reputation
Low Mod Mod High
Financial loss or agency liability Low Mod Mod High
Harm to agency programs or public interests N/A Low Mod High Unauthorized release of sensitive information
N/A Low Mod High
Personal Safety N/A N/A Low Mod
High Civil or criminal violations N/A Low Mod High
Maximum Potential Impacts
Identity, Credential, and Access Management
ICAM Identity Assurance Governance
• PIV Credentials
• PIV-Interoperable Credentials
• Open Solutions - OpenID - iCard - SAML - WSFed - Etc.
Federal PKI
Trust Frameworks
Identity, Credential, and Access Management
PIV Interoperability
The scope of HSPD-12 is restricted to “establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees).”
FIPS 201 standard is “applicable to identification issued by Federal departments and agencies to Federal employees and contractors (including contractor employees) for gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”
Organizations external to the U.S. Federal government have expressed a desire to establish identity credentials that are interoperable with the Federal Personal Identity Verification (PIV) card.
Identity, Credential, and Access Management
PIV Interoperability for Non Federal Issuers Guidance
Provides guidance to non-Federal issuers on attaining technical interoperability and enabling trust
Presupposes that the technical requirements of SP 800-73 are met
Answers the three questions: How do we perform identity proofing? How do we enable digital credentials? How do we satisfy the unique identifier requirements?
Does not put any requirements on Federal agencies concerning the acceptance/trust of NFI PIV interoperable credentials
Identity, Credential, and Access Management
Continuing Activity - PIV-I “Certification” ICAM PIV-Interoperability Tiger Team (PIVITT) is
developing a change proposal to the Federal Bridge CA Certificate Policy Additional definition around Identity Proofing Additional definition concerning Hardware Token UUID usage information New certificate profile
New Policy object identifiers proposed for: PIV-I Authentication – equivalent to PIV-Authentication PIV-I Card Authentication – equivalent to PIV Card Authentication PIV-I Content Signing
A set of “Frequently Asked Questions” concerning PIV-I will be released in the near future
Identity, Credential, and Access Management
Trust Frameworks
Leverage Industry credentials for Government use Make Government more transparent to the Public Make it easier for American Public to access government
information Avoid issuance of application-specific credentials Leverage Web 2.0 technologies Demonstrate feasibility with application(s) assessed at
Assurance Level 1 Support applications at higher assurance levels as
appropriate
Identity, Credential, and Access Management
ICAM Identity Assurance Governance
• PIV Credentials
• PIV-Interoperable Credentials
• Open Solutions - OpenID - iCard - SAML - WSFed - Etc.
Federal PKI
Trust Frameworks
Identity, Credential, and Access Management
Approach
Adopt technologies in use by industry (Scheme Adoption) . . .
Adopt industry Trust Models (Trust Framework Adoption) . . .
. . . While ensuring the principles of M-04-04 and SP 800-63 are observed and . . .
. . . In a manner that promotes individual privacy protections
Identity, Credential, and Access Management
Scheme Adoption
Scheme – specific type of authentication token and associated protocols (e.g. user ID & password; PKI; SAML assertion)
Adoption requires reviewing technical processes of an identified “scheme” and developing a “Profile” for use with government.
The Federal Profile defines MUSTs, SHOULDs, SHOULD nots, etc. for identity providers and relying parties
Does not change the existing technical standard
Identity, Credential, and Access Management
Trust Frameworks: Open Solutions for Open Government
Graphic Courtesy of Open Identity Exchange
The ICAMSC: Establishes Federal
Profiles for Open identity solutions
Established Trust Framework Provider Requirements
Worked the CIO Privacy Committee to establish Privacy Principles
Reviews and Approves Trust Frameworks: Kantara Open Identity
Exchange InCommon
Trust Framework Provider
Identity, Credential, and Access Management
Trust Framework Adoption
Trust Framework Provider – organization engaged in the assessment of identity providers to determine assurance level(s) inherent the identity credentials offered and conformance to Federal Scheme Profile
Establishes the ground-rules for industry ‘self-certification’
Federal community will recognize ‘assessor’ organizations through “Trust Framework Adoption”
Considers requirements of NIST SP 800-63 Identity Providers approved via this process will be
placed on a ‘certified identity provider’ list
Identity, Credential, and Access Management
Trust Framework Privacy Principles
1. Opt In Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
Identity, Credential, and Access Management
2. Minimalism – Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E-Government Act of 2002.
Trust Framework Privacy Principles
Identity, Credential, and Access Management
Trust Framework Privacy Principles
3. Activity Tracking – Commercial Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002.
Identity, Credential, and Access Management
4. Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
Trust Framework Privacy Principles
Identity, Credential, and Access Management
Trust Framework Privacy Principles
5. Non Compulsory – As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service.
6. Termination – In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
Identity, Credential, and Access Management
27
Identity and Access Management Are Foundational to Information Sharing and Collaboration
First release of Trust Framework Provider Approval Process and Identity Scheme Adoption Process available for public review www.idmanagement.gov
Federal Profiles completed for: OpenID IMI 1.0
Industry Partners are Fielding Identity Credentials as well as Creating Federations for Sharing & Collaboration Open ID Foundation infoCard Foundation InCommon Federation
Progress Depends on Public-Private Partnering
Summary