Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Similar documents
Introduction of the Identity Assurance Framework. Defining the framework and its goals

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

ISO9001:2015 LEAD IMPLEMENTER & LEAD AUDITOR

The Value of ANSI Accreditation. Top 10 Advantages. of accredited third-party conformity assessment

Building an Assurance Foundation for 21 st Century Information Systems and Networks

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

IMPLEMENTING AN HSPD-12 SOLUTION

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Entity authentication assurance framework

NOW IS THE TIME. to secure our future

Certification Commission for Healthcare Information Technology. CCHIT A Catalyst for EHR Adoption

Accreditation Process. Trusted Digital Identity Framework February 2018, version 1.0

Solutions Technology, Inc. (STI) Corporate Capability Brief

Conference for Food Protection. Standards for Accreditation of Food Protection Manager Certification Programs. Frequently Asked Questions

PRIOR LEARNING ASSESSMENT AND RECOGNITION (PLAR)

FedRAMP Digital Identity Requirements. Version 1.0

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Accreditation Body Evaluation Procedure for AASHTO R18 Accreditation

PKI and FICAM Overview and Outlook

Accelerate Your Enterprise Private Cloud Initiative

RESEARCH QUESTIONS. Question What Data Will We Need? Where Will We Obtain this Data? Identify common characteristics and uses

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

2018 CANADIAN ELECTRICAL CODE UPDATE TRAINING PROVIDER PROGRAM Guidelines

OG0-091 Q&As TOGAF 9 Part 1

Introduction to AWS GoldBase

SOC for cybersecurity

Authorized Training Provider Application Process

Identity Assurance Profiles Bronze and Silver. January 14, 2013 Version 1.2 Rev. 5 Release Candidate

Nuts-n-Bolts of Product Testing and Certification Session #112, March 7, 2018 Steven Posnack MS MHS, Dir. Office of Standards and Technology, ONC, US

FOUNDED GOAL of New ORGANIZATION. CLEAR Annual Educational Conference Getting the Most Out of CLEAR. St. Louis October 3-5, 2013

Introduction to Device Trust Architecture

Governmental acceptance supported by accredited certification. Presentation to the GLOBALG.A.P SUMMIT 2012

PECB Change Log Form

Leveraging the LincPass in USDA

The International Laboratory Accreditation Cooperation (ILAC) & The International Accreditation Forum (IAF)

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

CORE Voluntary Certification: Certification from the Testing Vendor s Perspective. February 18, :00 3:00pm ET

DirectTrust Accredited Trust Anchor Bundle Standard Operating Procedure

Peer Collaboration The Next Best Practice for Third Party Risk Management

CERTIFICATE SCHEME THE MATERIAL HEALTH CERTIFICATE PROGRAM. Version 1.1. April 2015

DirectTrust Accredited Trust Anchor Bundle Standard Operating Procedure

ASEAN MRA: The Philippine Compliance

Certified Forester WHERE WE ARE, WHERE WE RE GOING. Greg Hay, CF Chair, Certification Review Board Society of American Foresters

What Makes PMI Certifications Stand Apart?

First Session of the Asia Pacific Information Superhighway Steering Committee, 1 2 November 2017, Dhaka, Bangladesh.

ISSP Sustainability Professional Certifications UPDATE: November 20, 2017

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY

PARTNERING WITH THE REGULATORS: The Role for 3rd Party Accreditation in Food Safety

Kantara Identity Assurance Framework Catalyzing an Identity Services Marketplace

ITIL 2011 Foundation Course

The Swirl logo is a trade mark of the Cabinet Office ITIL is a registered trade mark of the Cabinet Office

Technical Trust Policy

TIPA Lead Assessor for ITIL

2016 Global Identity Summit Pre-Conference Paper Hardening Authentication Technologies

FileMaker Business Alliance. Program Guide

Session 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

National Information Assurance Partnership (NIAP) 2017 Report. PPs Completed in CY2017

Site Data Protection (SDP) Program Update

Practitioner Certificate in Business Continuity Management (PCBCM) Course Description. 10 th December, 2015 Version 2.0

ConCert FAQ s Last revised December 2017

OIML-CS PD-08 Edition 1

Security Architecture

FIDO AND PAYMENTS AUTHENTICATION. Philip Andreae Vice President Oberthur Technologies

The Business of Security in the Cloud

Trust Services for Electronic Transactions

Federal Communication Commission (FCC) Office of Engineering and Technology (OET) Program Accreditation Procedure

1.1 Levels of qualification

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

Chapter 4 EDGE Approval Protocol for Auditors Version 3.0 June 2017

ITU-T SG 17 Q10/17. Trust Elevation Frameworks

Frequently Asked Questions

A NEW MODEL FOR AUTHENTICATION

Who What Why

Federated Authentication for E-Infrastructures

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift

Managing Trust in e-health with Federated Identity Management

Professional Evaluation and Certification Board Frequently Asked Questions

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

TEL2813/IS2820 Security Management

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

GUIDELINES FOR APPROVAL OF CONTINUING EDUCATION COURSES and SEMINARS. Accredited Course Providers

ISAO SO Product Outline

OIX DDP. Open-IX Document Development Process draft July 2017

Trend Micro Professional Services Partner Program

PROTERRA CERTIFICATION PROTOCOL V2.2

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Information Technology (CCHIT): Report on Activities and Progress

ACCREDITATION COMMISSION FOR CONFORMITY ASSESSMENT BODIES

ACCREDITATION COMMISSION FOR CONFORMITY ASSESSMENT BODIES

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Trust. Trustworthiness Trusted. Trust: Who? What? When? Why? How?

CITP Credential handbook

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Transcription:

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition Sept. 8, 2008 Liberty Alliance 1

Welcome! Introduction of speakers Introduction of attendees Your organization s interest in identity assurance What do you want to learn today? Goals for the session

Introduction of the Identity Assurance Framework Defining the framework and its goals Peter Alterman GSA

IAEG Charter Formed August 2007 to develop a global standard framework and necessary support programs for validating trusted identity assurance service providers in a way that scales, empowers business processes and benefits individual users of identity assurance services Move beyond pure policy development and into development of actionable and measurable programs including certification education, awareness and broad market promotion Provide public and private organizations with a uniform means of relying on digital credentials issued by a variety of providers in order to advance trusted identity federation and thereby facilitate access to online services and information First version of the IAF specification was officially released and published June 22, 2008 Certification program will be available by end 2008

Identity Assurance Framework What is it? Framework supporting mutual acceptance, validation and lifecycle maintenance across identity federations EAP Trust Framework and US e-authentication Federation Credential Assessment Framework as baseline Harmonized, best-of-breed industry identity assurance standard Identity credential policy Business procedure and rule set Baseline commercial terms Guideline to foster inter-federation on a global scale It consists of 4 parts: Assurance Levels Service Assessment Criteria Accreditation and Certification Model Business Rules

The IAF Ecosystem Authentication Technology Vendors Accredited Assessors List IAF s Initial Focus Federated Identity Credential Service Provider Assessor End user (subscriber) Identity Credentials Network Operator Federated Network Relying Parties (Applications)

IAF Assurance Levels Definition: Level of trust associated with a credential measured by the strength and rigor of the identity-proofing process, the inherent strength of the credential and the policy and practice statements employed by the Credential Service Provider (CSP) Four Primary Levels of Assurance Level 1 little or no confidence in asserted identity s validity Level 2 Some confidence Level 3 Signficant level of confidence Level 4 Very high level of confidence Use of Assurance Level is determined by level of authentication necessary to mitigate risk in the transaction, as determined by the Relying Party CSPs are certified by Federation Operators to a specific Level(s)

IAF Assurance Levels Illustrated Assurance Level Example Assessment Criteria Organization Assessment Criteria Identity Proofing Assessment Criteria Credential Mgmt AL 1 Registration to a news website Minimal Organizational criteria Minimal criteria - Self assertion PIN and Password AL 2 Change of address of record by beneficiary Moderate organizational criteria Moderate criteria - Attestation of Govt. ID Single factor; Prove control of token through authentication protocol AL 3 Access to an online brokerage account Stringent organizational criteria Stringent criteria stronger attestation and verification of records Multi-factor auth; Cryptographic protocol; soft, hard, or OTP tokens AL 4 Dispensation of a controlled drug or $1mm bank wire Stringent organizational criteria More stringent criteria stronger attestation and verification Multi-factor auth w/hard tokens only; crypto protocol w/keys bound to auth process Note: Assurance level criteria as posited by the OMB M-04-04 and NIST Special Publication 800-63

IAF Service Assessment Criteria (SAC) The SAC is how the framework materializes in practice 3 SAC areas: Common Organization - The general business and organizational conformity of services and their providers Identity Proofing - The functional conformity of identity proofing services Credential Management - The functional conformity of credential management services and their providers

IAF Certification / Accreditation Model High-level Description Program for assessors to become accredited Provide candidate CSPs with guidelines for certifying against IAF Enables Federation operators to certify members against IAF Liberty Alliance to provide governance over accreditation process Phase one certification process for CPSs defined in Framework Accreditation Program is current focus Opportunity to contribute and collaborate Planned availability by end of 2008, if not sooner!

IAF Business Rules Focused on the use of credentials for authentication, initially targeting CSPs Liberty Alliance provides accreditation of assessors who will perform certification assessment Federation Operators will require Liberty-accredited assessments Provides guidelines for how all involved parties (relying parties, CSPs and Federation Operators) may work together Liberty Alliance will maintain the Identity Assurance Framework and provide a current list of accredited assessors

Questions? Questions?

Identity Assurance Accreditation Frank Villavicencio Citigroup Global Transaction Services

Background As presented, Liberty Alliance has developed and published an Identity Assurance Framework (IAF) An IAF operational governance model for deployment needed to be created Including standards for assessment of credential issuers and consumers Accreditation of assessors An accredication and certification model must co-exist with existing controls programs

Accreditation Goals Standards conformity Certification by any authority has equivalence the four defined assurance levels Broad adoption Not specific to any business model Not geographically aligned Leverages existing control frameworks

Value Proposition For Assessors Business opportunities in new digital identity realm Deepen relationship with existing clients For Credential Issuers Reduces/Eliminates need for unique and one-off assessments by credential consumers Makes identity services more marketable For Credential Consumers Creates a level playing field for an identity marketplace Reduces/eliminates need to assess issuers

Liberty Accreditation Model Pre-requisites for recognition Must hold accreditation from national accreditation body (UKAS, AICPA/CICA, EA, ANAB/Int l Accreditation Forum) Experience w/ ISO 27001 general controls review Experience w/ Web Trust, or similar specific controls review Familiarity w/ assessment provisions outlined in ISO 19011 Completion of Liberty-sponsored IAF expertise online exam Required Documentation Application for Accreditation Qualification Document Annual re-accreditation

Assessor Accreditation Process Submit application for accreditation designation to Liberty Submit Qualification Document for review and approval by Liberty Qualifications/assessments vary by Assurance Level Register designated expert resources for Libertysponsored, online IAF compliance exam Successfully complete exam Sign Liberty Trademark License Agreement Annual re-accreditation Onsite assessment not required

Accreditation Process Flow Accredited Assessor Submits application with pre-requisite information to IAEG Complete Qualificati on Doc. Submit required documents to Liberty Appeal IAEG No Complete Application? Yes Approve Assessor App. Direct Assessor to sample required documents IAEG reviews materials Fail Pass Apply Accredited Assessor designation Federation Operator Acknowledge IAEG-accredited Assessors Credential Service Provider Request certification assessments from only IAEGaccredited Assessors

Ongoing Participant Checklist RP FO CSP Liberty Assessor Application submission Sign Trademark License Agreement Provide pre-requisite information Annual re-accreditation Designate resources for examination Support Application process Maintain list of participating CSPs and Federations Draft sample accreditation material Maintain currency of IAF and Accreditation program Provide updated Assessor list Publish and maintain Operating document Identify IAEG-accredited Assessors Request IAEG certification Provide assessment from IAEG-accredited body to Federation Operator(s) Acknowledge IAEG-accredited Assessors Request only CSP assessments by IAEG-accredited Assessors for IAEG certification Provide ongoing list of IAEG-certified CSPs to Liberty Establish acceptance policies with respect to IAEG-certified CSPs Officially acknowledge Federations to which they subscribe

Implementation Roadmap 1. Industry Analysis Analysis of existing accreditation programs Research standards bodies existing programs 2. Process Design Identify business model Create process flow diagram Identify roles and responsibilities Write process checklist Develop IAEG development checklist 3. Development Write Assessor Application Draft sample documents Develop online exam Draft Operating document Draft TMLA Create sub-committee 4. Validation Publish process for review with feedback gathering Stakeholder approval Liberty Board approval Plan for official launch Identify initial candidate 5. Launch Post application and sample docs on site Press release Analyst road show Engage feedback process Maintain currency of IAF and Accreditation program First assessor accredited Outside Consulting Input from IA EG and SIG Liberty Infrastructure

Questions? Questions?

Planning for the Future Peter Alterman, GSA and Frank Villavicencio, Citigroup Global Transaction Services

Roadmap Launch Accreditation Program to accompany the Certification Program Available by end of 2008 Scope and define Phases 2 and 3 for Relying Parties and Federation Operators Refine Service Assessment Criteria (SAC) introduced in IAF document SAC Development Process for reviewing and approving new criteria to keep up with technological advances SAC Requirements Matrix Mapping project IAF and US Government e-authentication Credential Assessment Framework & NIST Special Publication 800-63 to streamline government adoption Complete by Oct. 2008

Roadmap (cont.) Work with the ITU-T Expansion to RP focus? Others? Group discussion on where your priorities are

For More Information Visit our site: http://projectliberty.org/liberty/strategic_initiatives/identity_assurance Read the IAF specification: http://projectliberty.org/liberty/content/download/4315/28869/file/libertyidentity-assurance-framework-v1.1.pdf Get involved with the public Identity Assurance Special Interest Group: http://wiki.projectliberty.org/index.php/iasig Contact Frank Villavicencio (frank.villavicencio@citi.com) or Peter Alterman (peter.alterman@gsa.gov) Attend kick off keynote session for DIDW featuring Identity Assurance panel

Questions? Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback