Using FICAM as a model for TSCP Best Practices in Physical Identity and Access Management

TSCP Symposium, November 2013

Transcript of the slide deck.

Page 1: Title

Using FICAM as a model for TSCP Best Practices in Physical Identity and Access Management

TSCP Symposium

November 2013

Page 2: Quantum Secure's Focus on FICAM and Related Standards

© 2013 Quantum Secure, Incorporated. All Rights Reserved. Confidential.

Quantum Secure's Focus on FICAM and Related Standards

§ Complete suite of Physical Identity and Access Management tools, which align with FICAM

§ Industry leadership and participation
v SIA Identity Management Committee
v SIA PIV Working Group
v Smart Card Alliance
v Open Security Exchange
v Regular IAB meeting attendance
v Public GSA EPTWG participation

(Photo caption:) San Francisco Airport

Page 3: Pressure Points and Conformance Driving FICAM Alignment

(Diagram of the drivers:)

HSPD-12

NIST SP 800-116

FICAM

OMB M-11-11

FIPS 201-2

Page 4: What is FICAM?

§ Federal Identity, Credential and Access Management Roadmap and Guidance, Version 2

§ 400+ page document

§ Authored by the Federal CIO Council

§ Best practices in:

─ Governance

─ Defining target (segment) architectures

─ Transitioning from the as-is to the target state

─ Proper credential issuance

─ Provisioning identities for logical and physical access

─ Lifecycle privilege management for continuously updated access authorizations

─ Compliance, audit, accountability

Page 5: Goals and Expected Outcomes for FICAM Implementation

(Diagram: one identity shared across the Visitor, Employee and Contractor populations, with the expected outcomes:)

One Identity

Elimination of redundancy: policies & procedures

Improved PIV card interoperability: within and between agencies

Compliance: internal and external controls

Increased security: close security gaps

Enhanced customer service: user-friendly transactions

Increased protection of PII: secure data, secure access

Page 6: FICAM Alignment: Both Logical and Physical are Held to the Same Standard

(Diagram: parallel logical and physical stacks fed from the same authoritative identity sources.)

Authoritative Identity Management: HR, LDAP, IdM; PIV/CAC CMS (USAccess, DEERS, etc.); card issuance, etc.

Logical Identity Access Management (LIAM or LACS) | Physical Identity Access Management (PIAM)

Access Management: policy-driven privilege assignment; automated workflows; compliance, enforcement

Resources: software applications (HR, payroll, productivity tools, email, web sites); database access; door access (PACS Brand A, PACS Brand B, PACS Brand C); metal keys; asset access

Page 7: Primary Themes in FICAM to Achieve Goals: PACS are Held to the Same Standard as LACS

§ Privilege Management for Physical Access

─ Policy Automation - Automatic assignment of access based on a combination of business rules such as role/title, training, project or special work assignment, security clearance level, operative, etc.

─ Process Automation - Automated workflows requiring human approvals

§ End-to-End Integration

─ Bi-directional integration with authoritative database(s) for real-time updates to PACS provisioning

─ Centralized/transparent support for all PACS (brands) within a given operational entity (department, agency, etc.)

§ Result

─ Reduce/eliminate human error

─ Apply uniform access policy across all users and processes

─ Save money
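The policy-automation and end-to-end-integration themes above describe a loop: derive each identity's physical access from attributes held in authoritative sources, then push the difference into the PACS, and re-run the loop whenever a source changes. The following is an added example written for this transcript; it is not Quantum Secure's SAFE code and not a FICAM artifact. The identities, areas, rules and the in-memory `Pacs` class are all constructed stand-ins for the HR/contractor/training/clearance feeds and for a real access-control system. The point it shows beyond the slide text is the failure mode that matters most in practice: a termination or contract expiry in the authoritative source must revoke every door, not just stop new grants.

```python
"""Policy-driven physical access provisioning (added example, hypothetical data).

Target state is computed from authoritative attributes; reconcile() diffs it
against what the PACS currently holds and emits grant/revoke actions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Identity:
    """Attributes as they would arrive from HR, the contractor database,
    the training database and clearance management (constructed sample)."""
    uid: str
    population: str                  # "employee" | "contractor" | "visitor"
    status: str                      # "active" | "terminated"
    role: str
    clearance: str = "none"          # "none" | "secret" | "top_secret"
    trainings: set = field(default_factory=set)
    end_date: Optional[date] = None  # contract or visit expiry, if any


CLEARANCE_RANK = {"none": 0, "secret": 1, "top_secret": 2}


@dataclass
class AreaRule:
    """One business rule that entitles an identity to a PACS area."""
    area: str
    populations: set
    roles: set = field(default_factory=set)   # empty means any role
    min_clearance: str = "none"
    required_trainings: set = field(default_factory=set)


# Hypothetical site policy, constructed for the example.
RULES = [
    AreaRule("LOBBY", populations={"employee", "contractor", "visitor"}),
    AreaRule("OFFICE_FLOOR", populations={"employee", "contractor"}),
    AreaRule("DATA_CENTER", populations={"employee", "contractor"},
             roles={"sysadmin", "facilities"}, required_trainings={"DC-SAFETY"}),
    AreaRule("SCIF", populations={"employee"}, roles={"analyst"},
             min_clearance="top_secret", required_trainings={"SCIF-BRIEF"}),
]


def entitled_areas(ident: Identity, rules, today: date) -> set:
    """Target state: every area whose rule the identity satisfies.
    Inactive or expired identities are entitled to nothing, so a status
    change in the authoritative source revokes all access on the next sync."""
    if ident.status != "active":
        return set()
    if ident.end_date is not None and ident.end_date < today:
        return set()
    areas = set()
    for r in rules:
        if ident.population not in r.populations:
            continue
        if r.roles and ident.role not in r.roles:
            continue
        if CLEARANCE_RANK[ident.clearance] < CLEARANCE_RANK[r.min_clearance]:
            continue
        if not r.required_trainings <= ident.trainings:
            continue
        areas.add(r.area)
    return areas


class Pacs:
    """In-memory stand-in for one PACS brand: cardholder -> granted areas."""
    def __init__(self, name: str):
        self.name = name
        self.grants = {}

    def areas_for(self, uid: str) -> set:
        return set(self.grants.get(uid, set()))

    def grant(self, uid: str, area: str) -> None:
        self.grants.setdefault(uid, set()).add(area)

    def revoke(self, uid: str, area: str) -> None:
        self.grants.get(uid, set()).discard(area)


def reconcile(ident: Identity, pacs: Pacs, rules, today: date) -> list:
    """Push the policy-derived target state into the PACS; return the change
    log as (action, uid, area) tuples, grants first, both sorted by area."""
    target = entitled_areas(ident, rules, today)
    current = pacs.areas_for(ident.uid)
    log = []
    for area in sorted(target - current):
        pacs.grant(ident.uid, area)
        log.append(("GRANT", ident.uid, area))
    for area in sorted(current - target):
        pacs.revoke(ident.uid, area)
        log.append(("REVOKE", ident.uid, area))
    return log


def demo() -> dict:
    """Run the loop over constructed identities and two source updates."""
    today = date(2013, 11, 15)
    pacs = Pacs("Brand A")
    alice = Identity("alice", "employee", "active", "sysadmin", trainings={"DC-SAFETY"})
    bob = Identity("bob", "contractor", "active", "sysadmin", end_date=date(2013, 12, 31))
    carol = Identity("carol", "employee", "active", "analyst",
                     clearance="secret", trainings={"SCIF-BRIEF"})
    out = {
        "alice_initial": reconcile(alice, pacs, RULES, today),
        "bob_initial": reconcile(bob, pacs, RULES, today),   # no DC-SAFETY: no data center
        "carol_initial": reconcile(carol, pacs, RULES, today),  # secret only: no SCIF
    }
    alice.status = "terminated"                               # HR feed update
    out["alice_after_termination"] = reconcile(alice, pacs, RULES, today)
    out["bob_after_expiry"] = reconcile(bob, pacs, RULES, date(2014, 1, 2))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices carry the security argument. Entitlement is recomputed from scratch on every sync rather than patched incrementally, so a rule that tightens (a new training requirement, a raised clearance floor) revokes existing grants as readily as it blocks new ones. And the PACS is treated as a target to be made equal to the computed state, never as a source of truth, which is what makes the same loop work unchanged across several PACS brands behind their own agents.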

Page 8: Privilege Management for Physical Access

Physical identity and access management (PIAM) technologies provide authentication, authorization and provisioning services in order to efficiently streamline the lifecycle of a physical identity within a global organization. PIAM ensures the right physical IDs - i.e. employees, visitors, contractors, vendors - are properly authenticated and have the right access to the right areas, for the right reasons, for a specified duration of time.

Right Physical IDs / Right Access / Right Times / Right Reasons

"Physical identity and access management (PIAM) deployments are increasing due to technology and product development, compliance mandates, a greater desire to manage alternative user populations such as on-premises visitors and contractors, and a sharp emphasis on timely and secure access"1

1 Gartner Research; Physical Identity and Access Management; Feb 2012

Page 9: The Current State of Physical Access Management (the As-is State)

(Diagram: disconnected authoritative sources and access infrastructure, linked only by manual email and phone processes.)

Authoritative sources: Contractor Database; LDAP; Corporate HR System; Clearance Management; Training Database; Inter-Agency or PKI Infrastructure

Access infrastructure: multiple, disparate Physical Access Control Systems; standalone readers, locks, keys, tokens, dosimeters

Connections between them: email, phone

• Multiple disjointed systems - many still non-PIV compliant
• Limited use of the PIV card for physical & logical access
• Multiple (often manual) processes for identity vetting, on-/off-boarding, credentialing and enrollment, background checks, etc.
• Audit & compliance process - manual and costly
• Lack of interoperability
• Common framework for physical & logical security lacking
• Ability to put in "internal controls" is manual
• Customer service is manual, slow, complicated, error prone
• Cost of security operation - high

Page 10: Case Study for Mapping a COTS Product to the FICAM Model

Page 11: Mapping SAFE to the FICAM Target State: Figure 108

(Diagram: SAFE components overlaid on FICAM Roadmap Figure 108, numbered:)

1. SAFE Agents for Authoritative Data Sources
2. SAFE Agents for Physical Access Control Systems
3. SAFE OCSP/SCVP/CRL Agent
4. SAFE Application Modules for FICAM: Personnel Mgmt/Cardholder Database; Privilege/Access Mgmt; Visitor Mgmt; Reporting (pre-defined reports); Rules/Workflow Engine

Page 12: Mapping SAFE to FICAM Privilege Management - Figure 34

(Diagram: SAFE components overlaid on FICAM Roadmap Figure 34, numbered:)

1. SAFE Agent for Authoritative Source
2. SAFE Applications - Process and Policy Automation, Privilege/Access Mgmt
3. SAFE Application - Self-service
4. SAFE Agent for Physical Access Control System
5. SAFE Agent for email
6. SAFE Application - Pre-defined reports

Page 13: Policy Automation - No Human Intervention

Page 14: Process Automation - Human Driven

• One end-user interface for making all types of physical security requests

Page 15: Integration Framework

(Diagram: the Privilege Management Application Suite built on a Policy Server and Integration Framework, grouped as follows.)

Physical Identity & Access Management: Physical Identity and Access Manager; Web Badging; Self Service Portal; Asset Manager; Visitor Identity Manager; Contractor Registration Portal; Tenant Management Portal

Compliance & Risk Management: Compliance Regulator (§ NERC/FERC § SOX § FDA/DEA § Audit Management); Document Management; Infraction Manager; Watch List Manager; Attestation Audit

Security Intelligence: Robust Reporting; Identity Analytics; Alarm Analytics; Identity & Event Correlation; SAFE Event Correlation Engine

Page 16: Bringing it All Together: FICAM Security Management System

Source: CIO Council FICAM Roadmap Modernized PACS Brochure - 2011

Page 17: Payoff for Adopting FICAM Best Practices

Source: CIO Council FICAM Roadmap Modernized PACS Brochure - 2011

Page 18: Thank you!

Visit us in the Exposition for more discussion!