Federal Identity Credentialing: State of Play

Transcription

1 Federal Identity Credentialing: State of Play Smart Card Alliance Annual Forum October 19, 2004 Judith Spencer U.S. General Services Administration

2 PMC E-Government Agenda Government to Citizen 1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop 5. Eligibility Assistance Online Managing Partner GSA Treasury DoEd DOI Labor Government to Business 1. Federal Asset Sales 2. Online Rulemaking Management 3. Simplified and Unified Tax and Wage Reporting 4. Consolidated Health Informatics (business case) 5. Business Compliance 1 Stop 6. Int l Trade Process Streamlining Managing Partner GSA EPA Treasury HHS SBA DOC Cross-cutting Infrastructure: eauthentication GSA, Enterprise Architecture OMB Government to Govt. 1. e-vital (business case) 2. e-grants 3. Disaster Assistance and Crisis Response 4. Geospatial Information One Stop 5. Wireless Networks Managing Partner SSA HHS FEMA DOI FEMA Internal Effectiveness and Efficiency 1. e-training 2. Recruitment One Stop 3. Enterprise HR Integration 4. e-travel 5. e-clearance 6. e-payroll 7. Integrated Acquisition 8. e-records Management Managing Partner OPM OPM OPM GSA OPM OPM GSA NARA

3 U.S. Guidance for E-Authentication E-Authentication Guidance for Federal Agencies, issued by the Office of Management & Budget, Dec. 16, About identity authentication, not authorization or access control Incorporates Standards for Security Categorization of Federal Information and Information Systems (FIPS-199) NIST SP800-63: Recommendation for Electronic Authentication Companion to OMB e-authentication guidance Covers conventional token based remote authentication Does not cover Knowledge-Based Authentication

4 Assurance Levels M-04-04:E-Authentication Guidance for Federal Agencies OMB Guidance establishes 4 authentication assurance levels Level 1 Level 2 Level 3 Level 4 Little or no confidence in asserted identity Some confidence in asserted identity High confidence in asserted identity Very high confidence in the asserted identity Self-assertion minimum records On-line, instant qualification out-ofband follow-up On-line with out-ofband verification for qualification In person proofing Record a biometric

5 Maximum Potential Impacts Assurance Level Impact Profiles Potential Impact Categories for Authentication Errors Inconvenience, distress or damage to standing or reputation Low Mod Mod High Financial loss or agency liability Low Mod Mod High Harm to agency programs or public interests N/A Low Mod High Unauthorized release of sensitive information N/A Low Mod High Personal Safety N/A N/A Low Mod High Civil or criminal violations N/A Low Mod High

6 Token Type by Level Assurance Level Allowed Token Types Hard crypto token Soft crypto token Zero knowledge password One-time Password Device Strong password PIN

7 FICC Focus Government to Citizen 1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop 5. Eligibility Assistance Online Managing Partner GSA Treasury DoEd DOI Labor Government to Business 1. Federal Asset Sales 2. Online Rulemaking Management 3. Simplified and Unified Tax and Wage Reporting 4. Consolidated Health Informatics (business case) 5. Business Compliance 1 Stop 6. Int l Trade Process Streamlining Managing Partner GSA EPA Treasury HHS SBA DOC Cross-cutting Infrastructure: eauthentication GSA, Enterprise Architecture OMB Government to Govt. 1. e-vital (business case) 2. e-grants 3. Disaster Assistance and Crisis Response 4. Geospatial Information One Stop 5. Wireless Networks Managing Partner SSA HHS FEMA DOI FEMA Internal Effectiveness and Efficiency 1. e-training 2. Recruitment One Stop 3. Enterprise HR Integration 4. e-travel 5. e-clearance 6. e-payroll 7. Integrated Acquisition 8. e-records Management Managing Partner OPM OPM OPM GSA OPM OPM GSA NARA

8 FICC Community of Interest FICC applies to any individual requiring access to federal facilities and systems to whom a Federal organization makes the decision to issue an identity credential (badge). Federal Employees On-site Contract Personnel Visiting Scientists Student Interns Allied Personnel

9 FICC Framework Federal personnel require physical access credentials for common access to Federal facilities and resources. Such credentials must embody reasonable protections against misrepresentation by incorporating tamper resistant characteristics, and should serve as secure platforms for electronic credentials. The credential will support both physical and logical access; The credential will be usable for identity authentication and electronic signature; The credential will be usable and interoperable across the Federal government and will implement smart card technology that incorporates both contact-less and contact technology in accordance with the GSC-IS. The credential will be portable; The credential will be issued by a federal government agency The credential will be unique to the person identified by it.

10 FICC: Major Subcomponents Smart Card Interoperability Federal Smart Card Policy available at Minimum requirements for topology, data sets, implementation Aggregated Buy underway PKI Interoperability Common Federal PKI Policy available at Shared Services Provider Certified Bidders List available at There are 3 certified PKI Shared Service Providers to date Identity Assurance Interoperability Guidance on minimum standards for identity assurance in credential issuance FICC Reference Handbook for Implementation

11 And then... HSPD-12: Policy for a Common Identification Standard - Signed by the President August 27, 2004 Requires secure and reliable forms of personal identification: Based on sound criteria to verify an individual employee s identity Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation Rapid electronic verification of personal identity Identity tokens issued only by providers whose reliability has been established by an official accreditation process 11

12 FIPS-201 Time Line November 8, 2004 Public Draft Released for comment December 23, 2004 Comments due to NIST January 20, 2005 Final FIPS-201 forwarded to Secretary of Commerce for signature February 15, 2005 FIPS-201 released

13 The Electronic Authentication Partnership: Federated Identity Trust and Interoperability

14 Background Industry snapshot federated identity Federated identity definition Agreements, standards, technologies that make identity and entitlements portable across loosely coupled, autonomous domains Standards and specifications Security Assertion Markup Language (SAML), Liberty Alliance, Shibboleth, Web services security Adoption Over 200 organizations implementing SAML plus other specifications, in multiple industries Vendors Multiple identity management and other vendors have implemented SAML and federated identity in COTS products Interoperability, trust, deployment still challenging

15 Business Value of Federated Identity Improve the end user s experience Reduce the number of logins Increased effectiveness with wider scope of authorized access Simplify administration, generate cost savings Reduce directory management and administration costs Reduce help desk calls Transfer or mitigate regulatory or security risks Competitive advantage Promote collaboration New applications, new revenue sources New partner acquisition, existing partner retention

16 The Need for Interoperability Interoperability issues Early federations used common code on both ends Then there were standards Then there were more standards (four variants of SAML and counting), specifications, frameworks, and federationspecific profiles Convergence? Liberty Phase 2, 3 SAML 2.0 Liberty ID-FF WS-Federation, WS-* WS-Trust, WS-SC Shibboleth SAML WS-Security Interoperability Who s left holding the bag?

17 Central Issue:Who do you Trust? Governments Federal States/Local International Higher Education Universities Higher Education PKI Bridge Healthcare American Medical Association Patient Safety Institute Trust Network Financial Services Industry Home Banking Credit/Debit Cards Travel Industry Airlines Hotels Car Rental Trusted Traveler Programs E-Commerce Industry ISPs Internet Accounts Credit Bureaus ebay Absent a National ID and unique National Identifier, relying parties will Look to the federation of identity across verticals Trust becomes critical.

18 Trust The Critical link Audit & accreditation Technical assurance Shared policies Assertions Building Blocks undertrusting Correct trust Key management Legal Contracts Business Relationship Correct distrust overtrusting Trust Relationship

19 Federation Infrastructure Interoperability Administering common interface specifications, use cases, profiles Conducting interoperability testing according to the specifications Maintaining a list of approved products Providing a portal service (aka discovery and interaction services) Managing configuration data Planning and developing support for new industry standards Trust Managing relations among relying parties and CSPs Administering identity management/authentication policies Establishing and administering common business rules Performing credential assessments, and authorizing trust list Managing compliance/dispute resolution

20 EAP Trust Framework EAP EAP Governance Accreditation & Certification Credential Assessment Criteria Business Rules & Processes Assurance Levels

21 The E-Authentication Partnership Multi-industry partnership creating a framework for interoperable authentication Plans to establish itself as a member-supported organization, and complete framework by the end of 2004 Goals Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems Eliminate or at least reduce the need for organizations to establish bilateral agreements Organizations would operate under common EAP rule set, resulting in multilateral trust Develop a process for certifying service providers In practice this means a federated approach

22 Participating Organizations AMAG Technology AAMVA Alliance Data Systems A&N Associates Bearing Point BeTrusted, Inc. BioKey International ChoicePoint, Inc. Comtech LLC EDS Entergrity Solutions Entrust Experian Fraud Solutions Global Identity Solutions Hollen Group Microsoft Corporation Mortgage Bankers Assoc. NASACT National City Corp. Parkweb Associates Ping ID PESC RJC Associates RSA Security Sagem Morpho, Inc. Smart Card Alliance SSP Litronic Sun Microsystems 3Factor The Shipley Group Trust genix. Inc. University Bank University of Illinois U.s. General Services Admin. Verisign, Inc. Visionshare, Inc. Watchfire, Inc. Wave Systems Corp. Wells Fargo Bank

23 For Additional Information U.S. Federal Identity Credentialing U.S. Government E-Authentication Initiative Electronic Authentication Partnership

24 Questions?