User Authentication for Government
User Authentication for Government, 20 March 2012
Symantec Government Technology Summit
Nick Piazzola, Sr. Director, Government Authentication ([email protected])
E-Authentication in the Federal Government
Players: President, OMB, Federal CIO/CIO Council, FICAM
Policies/Mandates:
• HSPD-12
• OMB: M-04-04, M-07-16, M-11-11
• Federal CIO Memo
Technical Standards:
• FIPS 201
• FIPS 199
• NIST SP 800-63-1
Implementation Standards/Guidance:
• Federal PKI Certificate Policy
• Trust Frameworks (Non-PKI)
OMB M-04-04 E-Authentication Guidance
Electronic authentication (E-Authentication) is the process of establishing confidence in identities presented remotely over an open network to an information system.
OMB M-04-04 defines four levels of identity assurance for electronic transactions requiring authentication, where the required level of assurance is defined in terms of the consequences of authentication errors and the misuse of credentials.
• Level 1 – Little or no confidence in the asserted identity
• Level 2 – Some confidence in the asserted identity
• Level 3 – High confidence in the asserted identity
• Level 4 – Very high confidence in the asserted identity
OMB M-04-04 E-Authentication Guidance
• Requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.
1. Conduct a risk assessment of the e-government system.
2. Map identified risks to the applicable assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has achieved the required assurance level.
5. Periodically reassess the system to determine technology refresh requirements.
FIPS 199 Risk/Impact Profiles: Assurance Level Impact Profiles

Potential Impact Categories for Authentication Errors          Assurance Level
                                                               1     2     3     4
Inconvenience, distress or damage to standing or reputation    Low   Mod   Mod   High
Financial loss or agency liability                             Low   Mod   Mod   High
Harm to agency programs or public interests                    N/A   Low   Mod   High
Unauthorized release of sensitive information                  N/A   Low   Mod   High
Personal safety                                                N/A   N/A   Low   Mod/High
Civil or criminal violations                                   N/A   Low   Mod   High

Each cell is the maximum potential impact tolerated at that assurance level; N/A means no impact of that kind is tolerated.
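As an added worked example (not from the presentation), steps 1 and 2 of the M-04-04 process applied to the impact table above: given an assessed impact per category, find the lowest assurance level whose tolerated impacts cover all of them, and report which categories drive the result. The category keys, the "None" encoding of the table's N/A cells and the sample profile are my own constructions.

```python
from typing import Dict, List

# Impact scale used by the OMB M-04-04 table. "None" encodes the table's "N/A",
# i.e. no impact of that kind is tolerated at that assurance level.
IMPACT_RANK = {"None": 0, "Low": 1, "Mod": 2, "High": 3}

# Maximum potential impact tolerated at assurance levels 1-4, by category
# (transcribed from the table above). The "Mod/High" cell for personal safety
# at Level 4 is encoded as "High" because it admits moderate or high impact.
MAX_IMPACT_BY_LEVEL: Dict[str, List[str]] = {
    "reputation":        ["Low",  "Mod",  "Mod", "High"],
    "financial":         ["Low",  "Mod",  "Mod", "High"],
    "agency_programs":   ["None", "Low",  "Mod", "High"],
    "sensitive_release": ["None", "Low",  "Mod", "High"],
    "personal_safety":   ["None", "None", "Low", "High"],
    "civil_criminal":    ["None", "Low",  "Mod", "High"],
}

def minimum_level_for(category: str, impact: str) -> int:
    """Lowest assurance level whose tolerated impact covers `impact` in one category."""
    if category not in MAX_IMPACT_BY_LEVEL or impact not in IMPACT_RANK:
        raise ValueError(f"unknown category or impact: {category!r}, {impact!r}")
    for level, allowed in enumerate(MAX_IMPACT_BY_LEVEL[category], start=1):
        if IMPACT_RANK[impact] <= IMPACT_RANK[allowed]:
            return level
    raise ValueError("impact exceeds Level 4 tolerance")  # unreachable: Level 4 tolerates High

def required_assurance_level(profile: Dict[str, str]) -> int:
    """Step 2 of M-04-04: the system needs the highest level any single category demands.
    Categories omitted from `profile` are treated as having no ("None") impact."""
    return max((minimum_level_for(c, i) for c, i in profile.items()), default=1)

def driving_categories(profile: Dict[str, str]) -> List[str]:
    """Categories whose impact alone forces the overall level. Useful when documenting
    the assessment: lowering the level means changing the system so these impacts drop."""
    overall = required_assurance_level(profile)
    return [c for c, i in profile.items() if minimum_level_for(c, i) == overall]

# Constructed sample profile: a benefits application that discloses PII and can cause
# moderate financial loss, with no personal-safety exposure.
SAMPLE_PROFILE = {
    "reputation": "Mod",
    "financial": "Mod",
    "sensitive_release": "Mod",
    "personal_safety": "None",
}

if __name__ == "__main__":
    print(required_assurance_level(SAMPLE_PROFILE), driving_categories(SAMPLE_PROFILE))
```

For the sample profile the moderate disclosure impact is the only category that pushes the system to Level 3; the reputation and financial impacts alone would be satisfied at Level 2.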
NIST Special Publication SP 800-63-1, Electronic Authentication Guideline
• Provides technical guidelines for Federal agencies implementing electronic authentication.
• Defines electronic authentication (e-authentication) as the process of establishing confidence in identities electronically presented to an information system.
• Applies to remote electronic authentication of users over open networks.
• Defines four levels of increasing assurance (Levels 1, 2, 3 and 4) and the threats to be mitigated at each of these levels.
• Defines technical requirements in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions.
Strong Authentication
A combination of two or more authentication factors:
• Something You Know: Username/Passwords, Mother's Maiden Name, Transaction History
• Something You Have: Hardware OTP Token, Digital Certificate, Smart Card
• Something You Are: Fingerprint, Iris Pattern

E-Authentication Assurance Levels (OMB M-04-04)
[Chart: horizontal axis "Increased Need for Identity Assurance" (Low, Medium, High, Very High); vertical axis "Increased Strength".]
Example transactions shown, from highest to lowest need: Employee Screening for a High Risk Job; Obtaining Govt. Benefits; Applying for a Loan Online; Access to Protected Website.
Credential types plotted, in increasing strength: PIN/User ID; Knowledge-Based; One-Time Password; PKI/Digital Signature; HSPD-12 PIV Card. Multi-Factor Token and Biometrics also appear on the chart.
Public Key Infrastructure
PKI service issues certificates for strong authentication, encryption and digital signing.
Markets: eCommerce, Financial Services, Enterprise, Government
User Authentication Product Family
Symantec Identity Protection: shared cloud-based two-factor authentication solution offering multiple token choices.
Fraud Detection Service: risk-based authentication and software-based fraud detection (a risk score produced by a rules engine and a behavior engine).
Symantec Solutions for Authentication
VeriSign® Identity Protection Network (fraud intelligence and shared authentication)
• VIP Fraud Detection Service
• Strong Authentication (User and Site): Mobile OTP; SMS and Voice; Browser Toolbar; OTP; SSL Cert / Secure Seal; Digital Certificates; OTP Tokens; OTP Card; USB PKI Tokens; Smartcards
What PKI Enables…
Digital Signatures
• Provide data integrity and enable non-repudiation for electronic transactions
• Primary integration points: Email, Adobe, and custom applications
Encryption
• Protects sensitive information whether data is in transit or at rest
• Primary integration points: Email, disk, file/folder, and databases
Strong Authentication
• Prevents unauthorized access through enhanced authentication
• Primary integration points: Web applications, remote access, desktop logon, and wireless
Managed PKI Services for the Public Sector
– Federal Shared Service Provider PKI: enables Federal agencies to comply with HSPD-12. VeriSign SSP PKI services and Card Management System are certified and on the GSA FIPS-201 Approved Products List (APL).
– Non-Federal Shared Service Provider PKI: enterprise PKI for any organization needing interoperability with the Federal government. Provides interoperability with the Federal PKI at multiple assurance levels through cross-certification with the Federal Bridge Certification Authority (FBCA).
– ECA Certificates: enable organizations, contractors and individuals to securely communicate with Federal, state and local government agencies.
Non-Federal SSP PKI Customers
U.S. Government
– U.S. Nuclear Regulatory Commission
– U.S. Senate
– Dept of State (Millennium Challenge Corporation)
State Government
– State of Kansas
– State of Colorado
– State of California (CA Prison Healthcare Systems)
– State of Virginia (Fairfax County Government)
Universities
– University of Houston
Government Contractors
– Booz Allen & Hamilton
– General Dynamics
– Noblis (Mitretek)
– Dyncorp
Symantec Validation and ID Protection
[Diagram: a user with a Symantec VIP token authenticates to an Enterprise, a Consumer Portal / Business Partner Extranet, or a Government Network, each of which relies on the VIP Authentication Service.]

Symantec Authentication Solution Strategy
[Diagram of service components:]
• VIP OTP Credentialing Services
• VIP Validation Service
• Federal / Non-Federal SSP PKI
• Directory / OCSP Validation Services
• Federal Bridge Certification Authority
• Application Enabling Services: authentication gateway, credential verification, single sign-on (SSO)
• Identity Proofing Services (Levels 2/3/4), with items shown including Notary, Online KBA Services, Existing Credential, Trusted Agent, Agency RA, and Commercial Proofing Service
Symantec/Experian Two Factor Authentication Solution
[Diagram: the User is proofed by Experian Precise ID (NIST 800-63-1 Level 3), holds a Symantec OTP Token validated by the Symantec OTP Authentication Service, and accesses the Online Government Application.]
1. NIST Level 3 Remote Identity Proofing using Experian Precise ID.
2. Multiple form-factors for OTP tokens for multiple platforms.
3. Two-Factor Authentication with PIN, OTP and in-the-cloud validation service.
Summary
• The two primary user authentication technologies in use today are PKI and OTP. Symantec delivers/supports both of these for government customers via cloud services.
• While both PKI and OTP are used for e-authentication, only PKI can deliver a full suite of security services including confidentiality, integrity and non-repudiation.
• OTP solutions are more likely to be used for remote access and external constituent access to government services because of their reduced cost and complexity.
• NIST SP 800-63-1 Level 3 assurance is the target for most applications involving personally identifiable information and/or valuable transactions.
• Experian and Symantec have collaborated to provide a suite of integrated identity proofing and authentication services that supports NIST SP 800-63-1.
• In the future, government agencies are expected to transition from being providers of credentials to accepting identity credentials issued by external identity providers.