How does industry drive forward. SAFE-BioPharma Association

Transcription

1 How does industry drive forward SAFE-BioPharma Association

2 Topics! Topic C: Assurance levels, frameworks, interparty liability! Topic D: Device-specific methods: mobile; smartcards; browser DNT, etc. PKI, non-pki 2 SAFE-BioPharma Association

3 Assurance levels, frameworks, interparty liability! OMB Level 1: Little or no confidence in the asserted identity s validity Level 2: Some confidence in the asserted identity s validity Level 3: High confidence in the asserted identity s validity Level 4: Very high confidence in the asserted identity s validity! NIST SP provides additional guidance per level Registration and identity proofing Tokens Token and credential management mechanisms Protocols used to support the authentication mechanism between the Claimant and the Verifier Assertion mechanisms 3 SAFE-BioPharma Association

4 Assurance levels, frameworks, interparty liability! PKI FBCA Six increasing, qualitative levels of assurance: Rudimentary, Basic, Medium, PIV-I Card Authentication, Medium Hardware, and High. Also Medium Hardware Commercial Best Practices (CBP) Assurance Requirements! Non-PKI FICAM Levels SAFE-BioPharma Association

5 4BF Interlinked PKI Network of Trusted Cyber- Communities I Northrop Grumman ARINC Lockeed Martin Boeing SITA CertiPath Common Policy Root CA EADS DoE Raytheon GPO CertiPath Bridge CA DoJ REBCA Federal Bridge CA Exostar VeriSign SAFE Bridge CA Fed Common Policy Root CA VeriSign SSP Citi J&J&J Abbott SAFE:Vz Biz/Chosen/ TranSped GPO SSP US Treasury SSP SA Entrust Merck AZ Other pharmass GSA MSO ORC DoL Exostar VDoT US PTO DoJ E-Commerce DoD Interoperability Root HUD NRC DoT DHS SSA NASA EOP Verizon Bus SSP HHS EPA DEA USPS ACES Dept. of State State of Illinois DoD VA 5 SAFE-BioPharma Association

6 Non-PKI TFPs! FICAM certified LOA 1 OIX LOA 1-2 InCommon LOA 1-3 Kantara! In process LOA 2-3 SAFE-BioPharma Assn Under TFET review 6 SAFE-BioPharma Association

7 Interparty Liability! SAFE-BioPharma Closed membership association Dispute resolution process governs adjudication Agree not to sue but rather arbitrate Liability covered under Operating Policies and Member/Issuer Agreements! Other TFPs Specific caps related to credential management only Does not cover use of credentials Part of why we are here 7 SAFE-BioPharma Association

8 Authentication and credentials! PKI is covered by the FBCA CP and CPS Multiple certificate types Hardware, software and roaming! Non-PKI Roaming currently classed as software by the FBCA Moving to cloud-based solutions SAFE-BioPharma/Verizon offering cloud-based HSM protected certificates NIST SP Issue currently approved version dates to 2006 and is technically out of date and does not recognize non-pki multi-factor tokens Much of industry working with the Dec 2008 (now Jun 2011 draft) Includes much broader definitions of acceptable tokens at various LOAs 8 SAFE-BioPharma Association

9 Token types! Who is doing what and how?! PKI! Smartcards, USB hardware tokens, software tokens on machines/ mobile devices, cloud HSMs! Non-PKI LOA 1&2 memorized secrets, pre-registered knowledge tokens LOA 2 - look up secret, out of band, SF one-time password device, SF crypto device LOA 3 multiple tokens (NIST SP (June 2011 draft), Table 7) 9 SAFE-BioPharma Association