Cryptologic and Cyber Systems Division


Slide 1: Someone Scraped My Identity! Is There a Doctrine in the House?
AF Identity, Credential, and Access Management (ICAM)
August 2018
Mr. Richard Moon, GG-14; Ms. Andrea Kunz, MITRE; AFLCMC/HNCDI
Cryptologic and Cyber Systems Division
OVERALL BRIEFING IS
DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited. Other requests for this document shall be referred to AFLCMC/HNC, 230 Hall Blvd. Bldg 2028, San Antonio, TX 78243.
Providing the Warfighter's Edge

Slide 2: Overview
- BLUF
- Federal ICAM Services Framework
- ICAM Components
- ICAM Capability Example: PKI
- ICAM Capability Areas & Gaps
- Summary

Slide 3: BLUF
Problem: Weak identity verification and inadequate data protection put our people, networks, and data at risk of exploitation.
Current state: The AF has solutions in place, but they need to be strengthened and to support increasingly diverse operating environments.
Future state: An Identity, Credential and Access Management (ICAM) strategy to evolve the AF.

Slide 4: Authentication Technologies
- RSA Token
- Yubikey
- SafeNet Token
- One-Time Password

Slide 5: ICAM
What is ICAM? "The set of security disciplines that allows an organization to enable the right individual to access the right resource at the right time for the right reason." [1]
Is there a doctrine in the house? Yes:
- Federal ICAM Roadmap and Implementation Guidance, Dec 2011
- DoD ICAM Strategy (final draft)
- NIST SP 800-63, Digital Identity Guidelines, Dec 2017
- Air Force Manual 17-1304, AF ICAM (draft)
[1] Federal ICAM Architecture

Slide 6: Federal ICAM Services Framework
(Diagram. Source: Federal ICAM Architecture, current as of 26 Jun 18.)

Slide 7: ICAM Landscape: Identity
Identity life cycle:
1. Establish identity using trusted evidence
2. Create identity account
3. Provision account with required attributes
4. Update identity account over its lifecycle
5. De-provision and delete identity
Source: Federal ICAM Architecture, current as of 26 Jun 18.
Governance: NIST SP 800-63, Digital Identity Guidelines; NIST SP 800-63A, Enrollment and Identity Proofing; Air Force Directory Services External Data Dictionary.

Slide 8: Identity Attributes
(Diagram: authoritative attribute data sources from Air Force Directory Services, USAF and DoD, labelled Auth Src 1 through Auth Src 9, are harvested into a single Digital Identity Record. Each attribute in the record is labelled with the one source that is authoritative for it: Rank, Name, IA Date, Citizenship, E4C, Email, EDIPI, Duty Phone.)
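As an added example (not from the briefing and not Air Force code), the following Go program shows one way the "harvest authoritative data" step on this slide can be enforced in code: each attribute of the digital identity record is accepted only from the source designated as authoritative for it, values from any other source are dropped and counted, and the record keeps the provenance of every value it holds. The source names, attribute names, EDIPI and values are constructed for the example and are not the AF Directory Services schema.

```go
package main

import (
	"errors"
	"fmt"
)

// SourceRecord is what one feeding system reports for one person. Field names
// are assumptions for this example, not the Air Force Directory Services schema.
type SourceRecord struct {
	Source string            // name of the feeding system
	EDIPI  string            // key used to correlate records across sources
	Attrs  map[string]string // attribute name -> value as reported by the source
}

// DigitalIdentity is the merged record: one value per attribute plus the source
// that asserted it, so an authorization decision can be traced to its provenance.
type DigitalIdentity struct {
	EDIPI      string
	Attrs      map[string]string
	Provenance map[string]string
}

// authoritativeFor names the only source allowed to assert each attribute. The
// mapping is constructed for the example and is not AF policy.
var authoritativeFor = map[string]string{
	"name":        "personnel",
	"rank":        "personnel",
	"citizenship": "personnel",
	"email":       "directory",
	"dutyPhone":   "directory",
	"iaDate":      "training",
}

// Harvest merges the records for one EDIPI. A value is kept only if it comes
// from the source that is authoritative for that attribute; anything else is
// counted as rejected and never reaches the identity record. The record is
// returned only when every governed attribute has been populated.
func Harvest(edipi string, records []SourceRecord) (DigitalIdentity, int, error) {
	id := DigitalIdentity{EDIPI: edipi, Attrs: map[string]string{}, Provenance: map[string]string{}}
	rejected := 0
	for _, r := range records {
		if r.EDIPI != edipi {
			return DigitalIdentity{}, rejected, fmt.Errorf("record from %s is for EDIPI %s, not %s", r.Source, r.EDIPI, edipi)
		}
		for name, value := range r.Attrs {
			if authoritativeFor[name] != r.Source { // unknown attribute or non-authoritative source
				rejected++
				continue
			}
			id.Attrs[name] = value
			id.Provenance[name] = r.Source
		}
	}
	for name := range authoritativeFor {
		if _, ok := id.Attrs[name]; !ok {
			return DigitalIdentity{}, rejected, errors.New("incomplete identity record: missing " + name)
		}
	}
	return id, rejected, nil
}

// SampleRecords is constructed input: three feeds for one EDIPI. The directory
// feed also reports a rank, which must be ignored because personnel owns rank.
func SampleRecords() []SourceRecord {
	return []SourceRecord{
		{Source: "personnel", EDIPI: "1234567890", Attrs: map[string]string{"name": "DOE.JANE.A", "rank": "E-5", "citizenship": "US"}},
		{Source: "directory", EDIPI: "1234567890", Attrs: map[string]string{"email": "jane.doe@example.mil", "dutyPhone": "555-0100", "rank": "E-4"}},
		{Source: "training", EDIPI: "1234567890", Attrs: map[string]string{"iaDate": "2018-06-01"}},
	}
}

func main() {
	id, rejected, err := Harvest("1234567890", SampleRecords())
	if err != nil {
		fmt.Println("harvest failed:", err)
		return
	}
	fmt.Printf("identity %s: %v (%d non-authoritative values rejected)\n", id.EDIPI, id.Attrs, rejected)
	for name, src := range id.Provenance {
		fmt.Printf("  %-12s <- %s\n", name, src)
	}
}
```

The point to take from the sample is the rejected rank: a feed that is authoritative for contact data cannot override a personnel attribute that later drives an access decision, and the provenance map makes that policy auditable after the fact.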

Slide 9: ICAM Landscape: Credential
Credential life cycle:
1. Establish sponsor need for user credential
2. Register user in identity database
3. Issue credential
4. Maintain credential for required duration
5. Revoke credential and add it to the revocation list
Source: Federal ICAM Architecture, current as of 26 Jun 18.
Governance: DoDI 8520.03, Identity Authentication for Information Systems; NIST SP 800-63, Digital Identity Guidelines.

Slide 10: ICAM Landscape: Access
Access management is the set of practices and services for ensuring that only those with proper permissions can interact with a given resource.
- Access control policies at all levels govern requirements for access.
- Authentication verifies that a claimed identity is genuine, based on valid credentials.
- Authorization is the decision to grant or deny access to a resource, based on policy.
Source: Federal ICAM Architecture, current as of 26 Jun 18.

Slide 11: Authentication: Validating Identity
Three authentication factors:
- Something you know (e.g., password, PIN)
- Something you have (e.g., ID badge)
- Something you are (e.g., fingerprint)
Authentication frameworks:
- Current: Active Directory / PKI
- Emerging: Fast Identity Online (FIDO), OAuth, OpenID Connect
Governance: DoDI 8520.02, Public Key Infrastructure & Public Key Enabling; NIST SP 800-63B, Authentication & Lifecycle Management.

Slide 12: Authorization: Access Decision
- Access control policies define who or what may act upon a resource.
- The authorization service validates identity attributes to ensure the claimant is allowed to access the resource.
Authorization frameworks:
- Current: Active Directory / Role-Based; Common Computing Environment (CCE) / Global Content Delivery Service (GCDS)
- Future: Attribute-Based / Enterprise Level Security
Governance: Enterprise Identity Attribute Service (EIAS); Air Force Directory Services External Data Dictionary.

Slide 13: ICAM Capability Example: PKI
PKI is the framework for trust within an environment. Parties: User, Verifying Official (VO), Certification Authority (CA).
- The PKI-issued certificate credential digitally binds the user's identity to their public key.
- The certificate credential stored on the CAC is used to assert identity during authentication.
- The identity assertion is used to verify attributes prior to the authorization decision.
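The authenticate-then-authorize flow of slides 10 through 13, as an added example in Go (not code from the briefing or from any AF or DoD system): a constructed CA issues a user certificate whose CN follows the CAC layout LAST.FIRST.MIDDLE.EDIPI; the relying party checks a stand-in revocation list, validates the chain and validity period, verifies a signed nonce as proof of possession of the private key bound to the certificate, takes the EDIPI from the validated CN, and only then evaluates an attribute-based policy against attributes from its own store. The CA, person, EDIPI, attribute store, resource name and policy are all invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Verifier: the relying party's trusted CA, revoked serials (a stand-in CRL) and attribute store.
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
	Attrs   map[string]map[string]string // EDIPI -> attributes (constructed data)
}
func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue makes a P-256 key and a certificate for it from template t; a nil signer means self-signed (the CA).
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Setup builds an invented CA and one user credential. The CN follows the CAC
// layout LAST.FIRST.MIDDLE.EDIPI; the person, EDIPI and attributes are made up.
func Setup() (*Verifier, *x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "EXAMPLE ISSUING CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := issue(caT, nil, nil)
	userT := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "DOE.JANE.A.1234567890"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	user, userKey := issue(userT, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	attrs := map[string]map[string]string{"1234567890": {"rank": "E-5", "citizenship": "US", "iaDate": "2018-06-01"}}
	return &Verifier{Roots: roots, Revoked: map[string]bool{}, Attrs: attrs}, user, userKey
}

// SignChallenge is the card-holder side: signing the relying party's nonce proves possession of the private key.
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	check(err)
	return sig
}

// Authenticate checks revocation, chain and validity period, then proof of possession; returns the CN's EDIPI.
func (v *Verifier) Authenticate(cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if v.Revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	opts := x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	cn := cert.Subject.CommonName
	return cn[strings.LastIndex(cn, ".")+1:], nil
}

// Authorize is the attribute-based decision, made only from the store's attributes, never from client input.
func (v *Verifier) Authorize(edipi, resource string) bool {
	a, ok := v.Attrs[edipi]
	return ok && resource == "us-only-share" && a["citizenship"] == "US" && a["iaDate"] != ""
}

func main() {
	v, cert, key := Setup()
	nonce := make([]byte, 32) // fresh per attempt so a captured signature cannot be replayed
	_, err := rand.Read(nonce)
	check(err)
	edipi, err := v.Authenticate(cert, nonce, SignChallenge(key, nonce))
	fmt.Println("edipi:", edipi, "err:", err, "authorized:", v.Authorize(edipi, "us-only-share"))
}
```

Two details carry the security weight. The nonce is chosen by the relying party for each attempt, so a recorded signature is useless later; and the attributes fed to Authorize come from the verifier's own store, keyed by the EDIPI read out of the validated certificate, not from anything the client sends alongside it. A production verifier would consult a real CRL or OCSP responder instead of the in-memory set, and would pin the expected issuing CA rather than accept any root in the pool.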

Slide 14: CAC Not Going Away
- Public key technology is the primary DoD-approved credential, used everywhere.
- Large infrastructures exist: Department of Defense; Federal Government; foreign governments (e.g., Asia).
- Policies mandate its use: HSPD-12; DoD Directives; Health Insurance Portability and Accountability Act (HIPAA).
- The CAC is the anchor for logical and physical access within DoD for the foreseeable future.
- The CAC ENABLES us to use other form factors for mobile and tactical environments!

Slide 15: ICAM Capability Areas & Gaps

Identity Management
  Existing capabilities:
  - Trust Governance
  - DoD PE / NPE digital identities
  - Core DoD identity attributes
  - Data Exchange Services (enterprise identity attribute data exchange services)
  Capability gaps:
  - Biometrics
  - Federated Identity
  - Behavior-Based Access Control (BBAC)

Credential Management
  Existing capabilities:
  - CAC Issuance (DEERS/RAPIDS)
  - SHA-256
  - Smart Card Logon
  - SIPR Tokens
  - ALTs
  - Derived Credentials
  Capability gaps:
  - Use of PIV, PIV-I, and other DoD-approved credentials
  - Privileged access
  - Alternate Form Factors
  - Mobility

Access Management: Authentication
  Existing capabilities:
  - AF NPE PKI (AFNET / COCOMs)
  - Two Factor AuthN
  Capability gaps:
  - Direct / Indirect AuthN

Access Management: Authorization
  Existing capabilities:
  - AFDS: AF Authoritative Attribute Store
  Capability gaps:
  - Attribute-Based Access Control (ABAC)
  - Operational AuthZ Policy Decisions
  - AuthZ Policy Management
  - Data Tagging

Column labels across the bottom of the slide: IDENTIFICATION, AUTHENTICATION, AUTHORIZATION.

Slide 16: Summary
- The AF is a partner in the DoD ICAM evolution.
- Working to address mission needs, close capability gaps, and follow a standards-based approach for interoperability.
- Future of authentication: bring your own device?
- Find more and better ways to provide secure access, assured identities, and defense against unauthorized entities, and make ICAM work for you!

Slide 17: For more information, contact the Air Force PKI Help Desk: Commercial (210) 925-2521, DSN 945-2521, afpki.helpdesk@us.af.mil

Slide 18: Sources
- Federal Identity, Credential, and Access Management (FICAM) Architecture
- DoD Cybersecurity Discipline Implementation Plan, Feb 2016
- DoD IdAM Portfolio Description v2.0, Aug 2015
- DoDD 8521.01E, DoD Biometrics, Aug 2017
- DoD Identity and Access Management (IdAM) Strategy v1.0, Nov 2014
- DoDI 8500.01, Cybersecurity, Mar 2014
- DoDI 8520.02, Public Key Infrastructure and Public Key Enabling, May 2011
- DoDI 8520.03, Identity Authentication for Information Systems, May 2011
- NIST SP 800-63, Digital Identity Guidelines, Dec 2017