Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
|
|
- Suzan Houston
- 5 years ago
- Views:
Transcription
1 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
2 LANL s Multi-Factor Authentication (MFA) Initiatives NLIT Summit 2018 Glen Lee Network and Infrastructure Engineering Division Infrastructure Services Group (NIE-IS) glenleee@lanl.gov May 22, :15 AM Location: 104A Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA LA-UR Approved for public release; distribution is unlimited
3 Our MFA Journey Where we were. Where we are. NO STATIC ACTIVE DIRECTORY PASSWORDS Where we are heading. CRYPTOCard Hardware One-Time Password Device Privileged Users Remote Access MIT Kerberos Business Apps Static Active Directory Passwords Active Directory CRYPTOCard Hardware One-Time Password Device Remote Access MIT Kerberos Business Apps Active Directory Single-Sign-On (Federation SAML) PIV Card Static Active Directory Passwords Active Directory Privileged Users NIST SP IAL3/AAL3 Credentials Other IALx/AALx Credentials Remote Access MIT Kerberos Active Directory Single-Sign-On (Federation SAML) Active Directory Business Apps OneID + Temporary Password Self-Service Portal + Temporary Password Self-Service Portal 6/13/2018 3
4 Technical Approach to achieving the DOE and FISMA MFA requirement DOE MFA Requirement Transition FISMA MFA Requirement Disable use of Static AD Password on the User s AD Account Disable use of Static AD Password on the User s AD Account Map both the PIV and the CRYPTOCard to the User s AD Account Multi-value AD attribute: 1. X509: PIV Cert 2. Kerberos: CC Identity Map only the PIV to the User s AD Account Multi-value AD attribute: 1. X509: PIV Cert Add CC to altsecurityidentities 2. Kerberos: CC Identity Need an AD password for some reason? Temporary Password Self-service Portal AD Security Group Active Directory MFA enforced Daily Need to use AD password or CRYPTOCard for some reason? Temporary Password Self-service Portal AD Security Group Active Directory PIV enforced Daily Static re-usable AD passwords are no longer an attack vector at LANL. 6/13/2018 4
5 What about those who don t have a PIV? Uncleared US citizens => PIV Supplemental Directive was signed April 14, 2018 Implementation of Personal Identity Verification For Uncleared Contractors Others (FNs, Interns, Summer Hires, etc.) => PIV-like alternative Identity Assurance Level 3 / Authenticator Assurance Level 3 (IAL3/AAL3) Token Alternatives under consideration include LANL issued credential (more to come on this later) GSA USAccess temporary credential (service expected in September/October timeframe) Work in progress. Mobile devices => Derived Credentials NIST SP Guidelines for Derived Personal Identity Verification (PIV) Credentials Alternatives under consideration include GSA USAccess service (requirements and planning phase) LANL issued (if Enterprise service will not be made available) All users will have a PIV or PIV-like credential to use for authentication. 6/13/2018 5
6 macos MFA Implementation Significant number of Mac systems at LANL Managed by Casper and most are not bound to a directory service (e.g., Active Directory) MFA approach for Mac Disable the use of static Active Directory passwords for access to network resources Leverage Kerberos tickets in lieu of Active Directory passwords Not dependent on the Mac being bound to a directory service Logon to the Mac is not impacted since device authentication is not the subject of the DOE MFA requirement System requirements macos Sierra (or later) macos (and earlier) are not supported NoMAD Menu application to help manage Kerberos tickets Standard on all LANL Mac systems LANL MFA Credential PIV Card, for those who have one CRYPTOCard Smartcard reader (for PIV users) Static Active Directory (AD) passwords are not needed on a Mac 6/13/2018 6
7 PIV on the Mac PIV (smartcards) are natively supported macos Sierra (and later) Utilizes Apple s CryptoTokenKit framework instead the TokenD framework PIV logon to local accounts is supported Optional capability for LANL users The PKI Certification Authority (CA) chains are centrally managed macos keychain configured via JAMF server configuration profiles NoMAD improves user experience with PIV Alert / notification when PIV is left in reader Friendly names displayed to distinguish each certificate PIV works Apple applications without extra configurations Safari, Apple Mail Applications that pose a problem Firefox (requires 3rd party middleware to provide pkcs support for PIV) Adobe (only supports TokenD) Outlook for Mac (will support CryptoTokenKit soon) Remote Desktop Client for Mac (does not support smartcards) PIV does work natively on the Mac, but there are some challenges to overcome 6/13/2018 7
8 Our Approach to Alternative Credentials Compliant With NIST SP Identity Assurance Level 3 (IAL3) Requirements Existing PIV Processes Sponsorship (name, affiliation, etc.) Identity Proofing (who are you?) Enrollment (photo, bio, etc.) Feeds Feeds Authenticator Assurance Level 3 (AAL3) Requirements Verifies Name: John Doe Affiliation: LANL SiteID: Issues NIST Approved Hardware Cryptographic Tokens Supply Chain Credential Management System (CMS) Integrated with Identity Data Source Internal PKI IAL3/AAL3 Credential that is functionally the same as PIV 6/13/2018 8
9 Remote Access Approach 1 2-factor Authentication to initiate remote session: Hey, it s me 2 Remote Access Secondary Challenge: Is this really you? 3 Remote Access Point Access Granted LANL Network 2nd authentication: Yes it is. 4 Establish secure remote access session. Okay, you can have access. Two-step Authentication Two-factor Authentication 2-Step authentication to ensure a LANL user really initiated the original request for access. 6/13/2018 9
10 Transitioning from LANL s Legacy Entrust PKI LANL Dependency on Legacy Entrust PKI Internal (local) applications LANL s Only Locally Trusted (OLT) PKI Full production mode and systems OLT PKI Certificate Tool Full production mode Wireless access LANL s Only Locally Trusted (OLT) PKI Testing with LANL s wireless implementation encryption on the desktop encryption on mobile devices LANL s Approach and Transition Readiness PIV Encryption certificate Native Outlook on Windows and Mac Energy Global Directory Service (EGDS) PIV Address Corrections in GSA USAccess Re-encryption Tool (DOD s MailCrypt) PIV Encryption certificate sans PIV GSA USAccess PIV Encryption Key Recovery Service Mobile Device Management (MDM) solution integrated with GSA / Entrust Service ~95% of Entrust users have PIV Piloting and assessing features Production ready Participating in DOE-wide effort to leverage OneID s connection to GSA Assessing its use at LANL ~75% of Entrust users have mobile Collaborating with DOE and GSA USAccess for both 3 rd Party and Selfservice models Long-term goal in collaboration with DOE and GSA USAccess LANL s MFA implementation facilitates the long-term goal of retiring the Entrust infrastructure and desktop components 6/13/
11 LANL s OneID Integration Authentication Hub (HUB) Attribute Exchange Service (AES) Work in Progress Production Future Federation (SAML) Ping s IdP Component LANL Identity Provider (IdP) Single Sign- On (SSO) Ping s SCIM Attribute Provisioning Component LANL Source(s) of Truth of People Data Lookup Interface LDAP Network/Apps PACS SAML Contract Provision LANL person attributes to OneID Return DUID for storage and future provisioning Request attributes using DUID or SiteID Return attributes for the requested DUID or SiteID LANL anticipates leveraging OneID to streamline the management of both internal and external users access to facilities, networks, and applications. 6/13/
12 Our MFA Destination Authenticate with PIV and PIV-like credentials Strong Authentication (including 2-step authentication) Federation (SAML) Single Sign-On (SSO) LANL Network SSO LANL Applications SSO DOE & Other Government Agency Applications and reading and sending secure is important too! Search & Retrieve users public encryption certificate Energy Global Directory Service (EGDS) Retrieve & Configure Your PIV private encryption key Are we there yet? 6/13/
13 Questions? 6/13/
Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA
Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA Improving Remote Access Technology at LANL Veronica Martinez vnm@lanl.gov May 22, 2018 10:30 AM Location: 104B Operated
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationApple Product Security
Apple Product Security Meeting IT Security Needs Fed/Ed XIV Washington,DC - December 14, 2006 Shawn Geddis Enterprise Security Consulting Engineer geddis@apple.com December 2006 Certificates and Keys Everywhere
More informationLeveraging the LincPass in USDA
Leveraging the LincPass in USDA Two Factor Authentication, Digital Signature, Enterprise VPN, eauth Single Sign On February 2010 USDA Takes Advantage of the LincPass USDA is taking advantage of the LincPass
More informationU.S. E-Authentication Interoperability Lab Engineer
Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer Agenda U.S. Federal E-Authentication Background Current State of PKI
More informationLeveraging HSPD-12 to Meet E-authentication E
Leveraging HSPD-12 to Meet E-authentication E Policy and an update on PIV Interoperability for Non-Federal Issuers December 2, 2008 Chris Louden IAB 1 Leveraging HSPD-12 to Meet E-Authentication E Policy
More informationNext Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop
Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop PACS Integration into the Identity Infrastructure Salvatore D Agostino CEO, IDmachines LLC 8 th Annual
More informationInteragency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008
Interagency Advisory Board HSPD-12 Insights: Past, Present and Future Carol Bales Office of Management and Budget December 2, 2008 Importance of Identity, Credential and Access Management within the Federal
More informationArcGIS Server and Portal for ArcGIS An Introduction to Security
ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015 Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context
More informationArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith
ArcGIS Enterprise Security: An Introduction Gregory Ponto & Jeff Smith Agenda ArcGIS Enterprise Security Model Portal for ArcGIS Authentication Authorization Building the Enterprise Encryption Collaboration
More informationInteragency Advisory Board Meeting Agenda, February 2, 2009
Interagency Advisory Board Meeting Agenda, February 2, 2009 1. Opening Remarks (Tim Baldridge, NASA) 2. Mini Tutorial on NIST SP 800-116 AND PIV use in Physical Access Control Systems (Bill MacGregor,
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications
More informationGuide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1
Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationDissecting NIST Digital Identity Guidelines
Dissecting NIST 800-63 Digital Identity Guidelines KEY CONSIDERATIONS FOR SELECTING THE RIGHT MULTIFACTOR AUTHENTICATION Embracing Compliance More and more business is being conducted digitally whether
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationStrong Authentication for Physical Access using Mobile Devices
Strong Authentication for Physical Access using Mobile Devices DoD Identity Protection and Management Conference May 15-17, 2012 Dr. Sarbari Gupta, CISSP, CISA sarbari@electrosoft-inc.com 703-437-9451
More information1. Federation Participant Information DRAFT
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon
More informationVMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1
VMware Workspace ONE Quick Configuration Guide VMware AirWatch 9.1 A P R I L 2 0 1 7 V 2 Revision Table The following table lists revisions to this guide since the April 2017 release Date April 2017 June
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationNetwork Security Essentials
Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationGuide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1
Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware
More informationInteragency Advisory Board Meeting Agenda, Wednesday, February 27, 2013
Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013 1. Opening Remarks 2. Discussion on Revisions Contained in Draft SP 800-63-2 (Bill Burr, NIST) 3. The Objectives and Status of Modern
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationMAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013
MAESON MAHERRY 3 Factor Authentication and what it means to business. Date: 21/10/2013 Concept of identity Access Control User Self-Service Identity and Access Management Authoritive Identity Source User
More informationAXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure
AXIAD IDS CLOUD SOLUTION Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure Logical Access Use Cases ONE BADGE FOR CONVERGED PHYSICAL AND IT ACCESS Corporate ID badge for physical
More informationInCommon Federation: Participant Operational Practices
InCommon Federation: Participant Operational Practices Participation in the InCommon Federation ( Federation ) enables a federation participating organization ( Participant ) to use Shibboleth identity
More informationSAP Single Sign-On 2.0 Overview Presentation
SAP Single Sign-On 2.0 Overview Presentation June 2014 Public Legal disclaimer This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue
More informationCloud Access Manager Overview
Cloud Access Manager 8.1.3 Overview Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: CARLETON UNIVERSITY Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationUsing Workspace ONE PIV-D Manager. VMware Workspace ONE UEM 1811 VMware Workspace ONE PIV-D Manager
Using Workspace ONE PIV-D Manager VMware Workspace ONE UEM 1811 VMware Workspace ONE PIV-D Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationDFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017
DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017 As with most government documents, one often leads to another. And that s the case with DFARS 252.204-7012.
More informationSingle Secure Credential to Access Facilities and IT Resources
Single Secure Credential to Access Facilities and IT Resources HID PIV Solutions Securing access to premises, applications and networks Organizational Challenges Organizations that want to secure access
More informationInteragency Advisory Board Meeting Agenda, Wednesday, May 23, 2012
Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012 1. Opening Remarks (Mr. Tim Baldridge, IAB Chair) 2. Revision of the Digital Signature Standard (Tim Polk, NIST) 3. Update on Content
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationEXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK
EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS 03 EXECUTIVE OVERVIEW 05 INTRODUCTION 07 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS 09 IDENTITY FEDERATION IN
More informationGuide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE
Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
More informationYubico with Centrify for Mac - Deployment Guide
CENTRIFY DEPLOYMENT GUIDE Yubico with Centrify for Mac - Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationSAP Security in a Hybrid World. Kiran Kola
SAP Security in a Hybrid World Kiran Kola Agenda Cybersecurity SAP Cloud Platform Identity Provisioning service SAP Cloud Platform Identity Authentication service SAP Cloud Connector & how to achieve Principal
More informationPKI is Alive and Well: The Symantec Managed PKI Service
PKI is Alive and Well: The Symantec Managed PKI Service Marty Jost Product Marketing, User Authentication Lance Handorf Technical Enablement, PKI Solutions 1 Agenda 1 2 3 PKI Background: Problems and Solutions
More informationIdentity as the core of enterprise mobility
The current reality Identity as the core of enterprise mobility Azure Active Directory as the control plane Windows Server Active Directory Customers Partners Other directories Self-service Single sign-on
More informationCisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1
Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,
More informationIAM for Workday: How to Embrace an 800 Pound Gorilla. Michael Brogan & Jonathan Pass UW-IT, Identity & Access Management
IAM for Workday: How to Embrace an 800 Pound Gorilla Michael Brogan & Jonathan Pass UW-IT, Identity & Access Management 10-7-2015 Background IAM Integrations Parting Thoughts Questions Agenda 2 Background
More informationSecure Government Computing Initiatives & SecureZIP
Secure Government Computing Initiatives & SecureZIP T E C H N I C A L W H I T E P A P E R WP 700.xxxx Table of Contents Introduction FIPS 140 and SecureZIP Ensuring Software is FIPS 140 Compliant FIPS
More informationAdministering Jive Mobile Apps for ios and Android
Administering Jive Mobile Apps for ios and Android TOC 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios...3 Custom App Wrapping for ios...3 Authentication with Mobile
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationManaging PIV Life-cycle & Converging Physical & Logical Access Control
Managing PIV Life-cycle & Converging Physical & Logical Access Control Ramesh Nagappan Sun Microsystems ramesh.nagappan@sun.com Smart cards in Government Conference Oct 23, 2008 Ronald Reagan International
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationVMware PIV-D Manager Deployment Guide
VMware PIV-D Manager Deployment Guide AirWatch v9.2 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product is protected
More informationENTRUST DATACARD DERIVED PIV CREDENTIAL SOLUTION
ENTRUST DATACARD DERIVED PIV CREDENTIAL SOLUTION A Guide to Meet NIST SP 800-157 Requirements +1-888-690-2424 entrust.com Table of contents The Need for Mobile Credentials Page 3 Entrust Datacard: The
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationFederated Access. Identity & Privacy Protection
Federated Access Identity & Privacy Protection Presented at: Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting Presented by: Daniel E. Turissini Board Member, Federation
More informationThe Long, Long Road to True Single Sign On at Fermilab. Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 May 22 nd, 2018
The Long, Long Road to True Single Sign On at Fermilab Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 May 22 nd, 2018 About Fermilab Fermilab is America's particle physics and accelerator laboratory. Our
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationToday s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps
Today s workforce is Mobile Most applications are Web-based apps Cloud and SaaSbased applications are being deployed and used faster than ever Hybrid Cloud is the new normal. % plan to migrate >50% of
More informationPKI and FICAM Overview and Outlook
PKI and FICAM Overview and Outlook Stepping Stones 2001 FPKIPA Established Federal Bridge CA established 2003 E-Authentication Program Established M-04-04 E-Authentication Guidance for Federal Agencies
More informationSalesforce1 Mobile Security White Paper. Revised: April 2014
Salesforce1 Mobile Security White Paper Revised: April 2014 Table of Contents Introduction Salesforce1 Architecture Overview Authorization and Permissions Communication Security Authentication OAuth Pairing
More informationMeasuring Authentication: NIST and Vectors of Trust
SESSION ID: IDY-F01 Measuring Authentication: NIST 800-63 and Vectors of Trust auth Sarah Squire Senior Identity Solution Architect Engage Identity @SarahKSquire Eyewitness News 3 A Play in Five Acts
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationRamnish Singh IT Advisor Microsoft Corporation Session Code:
Ramnish Singh IT Advisor Microsoft Corporation Session Code: Agenda Microsoft s Identity and Access Strategy Geneva Claims Based Access User access challenges Identity Metasystem and claims solution Introducing
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: British Columbia Institute of Technology Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation
More informationSecure Lightweight Activation and Lifecycle Management
Secure Lightweight Activation and Lifecycle Management Nick Stoner Senior Program Manager 05/07/2009 Agenda Problem Statement Secure Lightweight Activation and Lifecycle Management Conceptual Solution
More informationHow Next Generation Trusted Identities Can Help Transform Your Business
SESSION ID: SPO-W09B How Next Generation Trusted Identities Can Help Transform Your Business Chris Taylor Senior Product Manager Entrust Datacard @Ctaylor_Entrust Identity underpins our PERSONAL life 2
More informationCloud Secure Integration with ADFS. Deployment Guide
Cloud Secure Integration with ADFS Deployment Guide Product Release 8.3R3 Document Revisions 1.0 Published Date October 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose CA 95134 http://www.pulsesecure.net
More informationWho s Protecting Your Keys? August 2018
Who s Protecting Your Keys? August 2018 Protecting the most vital data from the core to the cloud to the field Trusted, U.S. based source for cyber security solutions We develop, manufacture, sell and
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Okanagan College Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationInteragency Advisory Board Meeting Agenda, July 28, 2010
Interagency Advisory Board Meeting Agenda, July 28, 2010 1. Opening Remarks 2 Research Collaboration in the Cloud: How NCI and Research Partners Are Improving Business Processes using Digital Identities
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name:_Unversity of Regina Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationInteragency Advisory Board Meeting Agenda, February 2, 2009
Interagency Advisory Board Meeting Agenda, February 2, 2009 1. Opening Remarks (Tim Baldridge, NASA) 2. Mini Tutorial on NIST SP 800-116 AND PIV use in Physical Access Control Systems (Bill MacGregor,
More informationFedRAMP Digital Identity Requirements. Version 1.0
FedRAMP Digital Identity Requirements Version 1.0 January 31, 2018 DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 1/31/2018 1.0 All Initial document FedRAMP PMO i ABOUT THIS DOCUMENT
More informationInteragency Advisory Board Meeting Agenda, Wednesday, April 24, 2013
Interagency Advisory Board Meeting Agenda, Wednesday, April 24, 2013 1. Opening Remarks 2. A Security Industry Association (SIA) Perspective on the Cost and Methods for Migrating PACS Systems to Use PIV
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name Wilfrid Laurier University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationFEDERATED IDENTITY AT ARGONNE NATIONAL LABORATORY
drhgfdjhngngfmhgmghmghjmghfmf NLIT 2018 FEDERATED IDENTITY AT ARGONNE NATIONAL LABORATORY PETE FRIEDMAN Enterprise Architect Business and Information Services (BIS) Argonne National Laboratory ABOUT THE
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationQuickStart Guide for Mobile Device Management. Version 8.7
QuickStart Guide for Mobile Device Management Version 8.7 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide is accurate. JAMF
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationWhat s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services
What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services September 2017 Introduction This document is a summary of what s new in ios 11, macos
More informationCIS Top 20 #5. Controlled Use of Administrative Privileges
CIS Top 20 #5 Controlled Use of Administrative Privileges CIS CSC #5: Controlled use of administrative privileges What is a privileged Account? Why are they Dangerous? What can we do about it? How
More informationMobile Devices as Identity Carriers. Pre Conference Workshop October 14 th 2013
Mobile Devices as Identity Carriers Pre Conference Workshop October 14 th 2013 Mobile Market Worldwide Smartphones Market by OS (in thousands of units) 1,400,000 1,200,000 1,000,000 800,000 600,000 400,000
More informationCredentialing for InCommon
Credentialing for InCommon Summary/Purpose: This policy describes the means by which user accounts and credentials are managed by the University of Mississippi, as related to participation in the InCommon
More informationInteragency Advisory Board Meeting Agenda, February 2, 2009
Interagency Advisory Board Meeting Agenda, February 2, 2009 1. Opening Remarks (Tim Baldridge, NASA) 2. Mini Tutorial on NIST SP 800-116 AND PIV use in Physical Access Control Systems (Bill MacGregor,
More informationWarm Up to Identity Protocol Soup
Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital
More informationAxway Validation Authority Suite
Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to
More informationSecurity and Certificates
Encryption, page 1 Voice and Video Encryption, page 6 Federal Information Processing Standards, page 6 Certificate Validation, page 6 Required Certificates for On-Premises Servers, page 7 Certificate Requirements
More informationSafeNet Authentication Client
SafeNet Authentication Client Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep
More informationManage SAML Single Sign-On
SAML Single Sign-On Overview, page 1 Opt-In Control for Certificate-Based SSO Authentication for Cisco Jabber on ios, page 1 SAML Single Sign-On Prerequisites, page 2, page 3 SAML Single Sign-On Overview
More informationMobile: Purely a Powerful Platform; Or Panacea?
EBT: The Next Generation 2017 Mobile: Purely a Powerful Platform; Or Panacea? Evan O Regan, Director of Product Management Authentication & Fraud Solutions Entrust Datacard POWERFUL PLATFORM OR PANACEA
More informationOVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5
Citrix SSO Contents OVERVIEW... 3 WHAT'S NEW... 3 COMPATIBILITY WITH MDM PRODUCTS... 5 CONFIGURE AN MDM MANAGED VPN PROFILE FOR CITRIX SSO... 5 Device level VPN Profiles... 5 Per-App VPN Profiles... 7
More informationAirWatch Mobile Device Management
RSA Ready Implementation Guide for 3rd Party PKI Applications Last Modified: November 26 th, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product Description
More information<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x
RSA SECURID ACCESS Implementation Guide Pulse Connect Secure 8.x Daniel R. Pintal, RSA Partner Engineering Last Modified: January 24 th, 2018 Solution Summary The Pulse
More informationState of Colorado Cyber Security Policies
TITLE: State of Colorado Cyber Security Policies Access Control Policy Overview This policy document is part of the State of Colorado Cyber Security Policies, created to support the State of Colorado Chief
More informationCertificate Enrollment for the Atlas Platform
Certificate Enrollment for the Atlas Platform Certificate Distribution Challenges Digital certificates can provide a secure second factor for authenticating connections from MAP-wrapped enterprise apps
More information