Interagency Advisory Board Meeting Agenda, August 25, 2009

Similar documents
Leveraging HSPD-12 to Meet E-authentication E

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

U.S. E-Authentication Interoperability Lab Engineer

Interagency Advisory Board Meeting Agenda, December 7, 2009

PKI and FICAM Overview and Outlook

Federal Identity, Credentialing, and Access Management. OpenID 2.0 Profile. Version Release Candidate

Interagency Advisory Board Meeting Agenda, July 28, 2010

Interagency Advisory Board Meeting Agenda, March 5, 2009

Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012

NIST E-Authentication Guidance SP

Extending Services with Federated Identity Management

Interagency Advisory Board Meeting Agenda, February 2, 2009

National Strategy for Trusted Identities in Cyberspace

Federal Identity, Credential, and Access Management Trust Framework Solutions

Interagency Advisory Board Meeting Agenda, February 2, 2009

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Interagency Advisory Board Meeting Agenda, February 2, 2009

Canadian Access Federation: Trust Assertion Document (TAD)

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Oracle Utilities Opower Solution Extension Partner SSO

Trust Services for Electronic Transactions

Canadian Access Federation: Trust Assertion Document (TAD)

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

Strategies for the Implementation of PIV I Secure Identity Credentials

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Dissecting NIST Digital Identity Guidelines

Canadian Access Federation: Trust Assertion Document (TAD)

Access Management Handbook

Leveraging the LincPass in USDA

Canadian Access Federation: Trust Assertion Document (TAD)

National Identity Exchange Federation. Terminology Reference. Version 1.0

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Cryptologic and Cyber Systems Division

Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Establishing Trust Across International Communities

Identity Management. Identity Management Bart Preneel. Finse, Norway, April Outline. What is Identity Management (IDM)?

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

SAML-Based SSO Solution

ISSUES FOR RESPONSIBLE USER-CENTRIC IDENTITY

A Market Solution to Online Identity Trust. Trust Frameworks 101: An Introduction

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Federal Identity Credentialing: State of Play

Authentication in the Cloud. Stefan Seelmann

Interagency Advisory Board Meeting Agenda, December 7, 2009

Canadian Access Federation: Trust Assertion Document (TAD)

SAML-Based SSO Solution

Canadian Access Federation: Trust Assertion Document (TAD)

Secure Government Computing Initiatives & SecureZIP

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

An Overview of Draft SP Derived PIV Credentials and Draft NISTIR 7981 Mobile, PIV, and Authentication

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Safelayer's Adaptive Authentication: Increased security through context information

Canadian Access Federation: Trust Assertion Document (TAD)

Interagency Advisory Board Meeting Agenda, April 27, 2011

Identity Federation: security for multiple services in a trusted environment.

Canadian Access Federation: Trust Assertion Document (TAD)

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Privacy Enabled Identity Management for C2 Systems

OpenID Security Analysis and Evaluation

Canadian Access Federation: Trust Assertion Document (TAD)

Cyberspace : Privacy and Security Issues

National Identity Exchange Federation. Certificate Policy. Version 1.1

Federated Authentication for E-Infrastructures

Higher Education PKI Initiatives

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Interagency Advisory Board Meeting Agenda, Wednesday, June 29, 2011

Content. Privacy Policy

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Electronic Signature Policy

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

05/31/2010. Smart OpenID

Canadian Access Federation: Trust Assertion Document (TAD)

Warm Up to Identity Protocol Soup

Introduction of the Identity Assurance Framework. Defining the framework and its goals

THE INTEROPERATION BETWEEN CASIDP AND INCOMMON ETC. JIWU JING

Authentication. Katarina

How does industry drive forward. SAFE-BioPharma Association

US Federal PKI Bridge. Ram Banerjee VP Vertical Markets

The NIST Cybersecurity Framework

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Canadian Access Federation: Trust Assertion Document (TAD)

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

OPENID CONNECT 101 WHITE PAPER

Transcription:

Interagency Advisory Board Meeting Agenda, August 25, 2009 1. Opening Remarks 2. Policy, process, regulations, technology, and infrastructure to employ HSPD-12 in USDA (Owen Unangst, USDA) 3. Policy and infrastructure for PIV use for Logical Access (Tim Baldridge, NASA) 4. NIST Update (Bill Macgregor, NIST) a) Recent Publications b) Safeguards built into PIV, and SP 800-116 recommendations 5. Leveraging Open Identity Standards for Gov t Interaction with American citizens (Chris Louden) 6. Closing Remarks

Open Solutions for Open Government Portable Identity Technical Approach Non-PKI, LOA 3 and Below IAB August 25, 2009 Chris Louden 39

Agenda Goals Policy Foundation Approach Technology Trust Privacy Principles Portable Identity Schemes SAML OpenID Information Cards Non-PKI, LOA 3 and Below 40

Goals Make Government more transparent to citizenry Make it easier for citizenry to access government information Avoid issuance of application-specific credentials Leverage Industry credentials for Government use Leverage Web 2.0 technologies 41

Policy Foundation: OMB M04-04 E-Authentication Guidance for Federal Agencies Defines 4 Assurance Levels Agencies should determine assurance levels using the following steps, (described in Section 2.3): 1. Conduct a risk assessment of the e-government system. 2. Map identified risks to the applicable assurance level. 3. Select technology based on e-authentication technical guidance. 4. Validate that the implemented system has achieved the required assurance level. 5. Periodically reassess the system to determine technology refresh requirements. 42

Policy Foundation: OMB M04-04 Risks Potential Impact Categories for Authentication Errors Inconvenience, distress or damage to standing or reputation Assurance Level Impact Profiles 1 2 3 4 Low Mod Mod High Financial loss or agency liability Low Mod Mod High Harm to agency programs or public interests N/A Low Mod High Unauthorized release of sensitive information N/A Low Mod High Personal Safety N/A N/A Low Mod High Civil or criminal violations N/A Low Mod High 43

Policy Foundation: NIST Special Pub 800-63 SP 800-63 Technical Guidance Assurance Level Allowed Token Types 1 2 3 4 Hard crypto token One-time Password Device Soft crypto token Password & PINs 44

Agenda Goals Policy Foundation Approach Technology Trust Privacy Principles Portable Identity Schemes SAML OpenID Information Cards Non-PKI, LOA 3 and Below 45

Approach Adopt technologies in use by industry Scheme Adoption Adopt industry Trust Models Trust Framework Adoption Approach documents posted on http://www.idmanagement.gov 46

Approach: Scheme Adoption Adoption Process 47

Approach: Scheme Adoption Scheme Adoption Scheme specific type of authentication token and associated protocols (e.g. user ID & password; PKI; SAML assertion) Scheme Adoption produces a Federal Profile Profile defines MUSTs, SHOULDs, SHOULD NOTs, etc. for IdPs & RPs Goal is not to change the existing technical standard Profiles in progress for OpenID, Information Card (IMI), and SAML. WS-Federation next Federal ICAM Identity Scheme Adoption Process posted on http://www.idmanagement.gov 48

Approach: Trust Framework Adoption Trust Framework Adoption Adoption of Industry Trust Frameworks Adopts at Assurance Levels (ALs) Considers requirements of NIST SP 800-63 Privacy Principles enforced through the Trust Framework Participation expected from InCommon, OpenID Foundation,, Information Card Foundation, Liberty/Kantara Federal ICAM Trust Framework Provider Adoption Process posted on http://www.idmanagement.gov 49

Trust Framework Privacy Principles 1. Opt In Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction. 2. Minimalism Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile. RP Application attribute requests must be consistent with the data contemplated in their Privacy Impact Assessment (PIA) as required by the E- Government Act of 2002. 50

Trust Framework Privacy Principles 3. Activity Tracking Commercial Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with RP PIA as required by the E-Government Act of 2002. 4. Adequate Notice Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process. 51

Trust Framework Privacy Principles 5. Non Compulsory As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service. 6. Termination In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII. 52

Agenda Goals Policy Foundation Approach Technology Trust Privacy Principles Portable Identity Schemes SAML OpenID Information Cards Non-PKI, LOA 3 and Below 53

Portable Identity Schemes: SAML SAML OASIS SAML 2.0 Based on E-Gov Profile developed through Liberty Broad COTS support Has been used by government before Federal Profile Requires E-Gov Profile Requires encryption of PII 54

Portable Identity Schemes: SAML End User (Browser) RP (Web Site) IdP (Web Site) 1. User visits web site 2. Login page lists IdPs 3. User chooses an IdP 4. Browser redirected to IdP for login at LOA Authentication Request 5. IdP Challenges user to login to meet LOA 6. User logs in 7. IdP responds to RP with assertion Assertion 8. Validate Assertion 9. End user authenticated (access granted) 55

Portable Identity Schemes: OpenID OpenID Open Source roots OpenID Foundation serves as steward and provides necessary infrastructure Used/supported by JanRain, SixApart, Google, Yahoo, Facebook, AOL, MySpace, Novell, Sun, etc. 1 billion+ OpenID-enabled accounts 40,000+ web sites support OpenID Federal Profile Profile based on OpenID 2.0 Requires SSL/TLS on all endpoints Requires Directed Identity Approach Requires pair-wise unique pseudonymous identifiers Requires short-lived association handles 56

Portable Identity Schemes: OpenID 57

Portable Identity Schemes: Information Card (IMI) Information Card Analogous to the cards you carry in wallet Open Source & industry standards Supported by Azigo, CA, Equifax, Google, Intel, Microsoft, Novell, Oracle, Paypal, etc. Built into MS Vista; option for XP Earlier stage of adoption than OpenID ALs 1 thru 3; possibly AL 4 Federal Profile Profile of Identity Metasystem Interoperability Document 1.0 (IMI) Requires encryption of PII Requires use of optional Private Personal Identifier (PPID) Managed cards only 58

Portable Identity Schemes: Information Cards (IMI) 59

Agenda Goals Policy Foundation Approach Technology Trust Privacy Principles Portable Identity Schemes SAML OpenID Information Cards Approach documents posted on http://www.idmanagement.gov Non-PKI, LOA 3 and Below 60

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback