Scaling Interoperable Trust through a Trustmark Marketplace

Similar documents
PKI and FICAM Overview and Outlook

National Strategy for Trusted Identities in Cyberspace

National Identity Exchange Federation. Terminology Reference. Version 1.0

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

Health Information Exchange - A Critical Assessment: How Does it Work in the US and What Has Been Achieved?

Extending Services with Federated Identity Management

National Identity Exchange Federation. Trustmark Signing Certificate Policy. Version 1.0. Published October 3, 2014 Revised March 30, 2016

Intra-ASEAN Secure Transactions Framework. Pitinan Kooarmornpatana Director of IT Infrastructure Office of ETDA Jun 2015

Global Reference Architecture: Overview of National Standards. Michael Jacobson, SEARCH Diane Graski, NCSC Oct. 3, 2013 Arizona ewarrants

FEDERATED IDENTITY AND SHARING CRIMINAL JUSTICE INFORMATION

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Leveraging HSPD-12 to Meet E-authentication E

Cyber Partnership Blueprint: An Outline

ConCert FAQ s Last revised December 2017

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

National Identity Exchange Federation. Certificate Policy. Version 1.1

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

NIEM in Action: Roadmap to Successful Standards- Based Information- Sharing

InCommon Federation: Participant Operational Practices

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

HIT Policy Committee. Recommendations by the Certification and Adoption Workgroup. Paul Egerman Marc Probst, Intermountain Healthcare.

Federal-State Connections: Opportunities for Coordination and Collaboration

ACF Interoperability Human Services 2.0 Overview. August 2011 David Jenkins Administration for Children and Families

Helping Meet the OMB Directive

National Cybersecurity Center of Excellence

Overview October 2014

Trust Services for Electronic Transactions

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Government support for Industry Consortia and why it matters. IIS/O5 hosted by DIACC, Ottawa November 2, 2016

Higher Education PKI Initiatives

OIX OIDF IDESG WC3 OASIS CROWDED & NOISY LANDSCAPE. Kantara SGIP ISO EEMA ITU-T FIDO EEMA IETF. InCommon. Kerberos TSCP WEF EFF NSTIC TDL

A Market Solution to Online Identity Trust. Trust Frameworks 101: An Introduction

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

July 13, Via to RE: International Internet Policy Priorities [Docket No ]

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ISAO SO Product Outline

DATA Act Information Model Schema (DAIMS) Architecture. U.S. Department of the Treasury

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

NIEM. National. Information. Exchange Model. NIEM and Information Exchanges. <Insert Picture Here> Deploy. Requirements. Model Data.

National Strategy for Trusted Identities in Cyberspace: Identifying a Trusted Ecosystem

Introduction to AWS GoldBase

State of the Industry and Councils Reports. Access Control Council

Strategies for the Implementation of PIV I Secure Identity Credentials

Dissecting NIST Digital Identity Guidelines

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure

RA21. Resource Access in the 21 st Century

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ASEAN e-authentication Workshop Balwinder Sahota

The NIST Cybersecurity Framework

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

No More Excuses: Feds Need to Lead with Strong Authentication!

Data Governance Strategy

Identity Management (IdM) is a crosscutting focus area for DHS

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

Universal Trusted Service Provider Identity to Reduce Vulnerabilities

Interagency Advisory Board Meeting Agenda, August 25, 2009

FISMAand the Risk Management Framework

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Incident Response Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

SAML-Based SSO Solution

Direct, DirectTrust, and FHIR: A Value Proposition

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

DON XML Achieving Enterprise Interoperability

HITPC Stage 3 Request for Comments Smart Card Alliance Comments January, 14, 2013

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ITU-T SG 17 Q10/17. Trust Elevation Frameworks

How does industry drive forward. SAFE-BioPharma Association

An ARIN Update. Susan Hamlin Director of Communications and Member Services

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

Better Mutual Authentication Project

Assuring Identity. The Identity Assurance Framework CTST Conference, New Orleans, May-09

Canadian Access Federation: Trust Assertion Document (TAD)

Memorandum of Agreement

Interagency Advisory Board Meeting Agenda, April 27, 2011

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

FiXs - Federated and Secure Identity Management in Operation

Identity Management as a Service

The Modeling and Simulation Catalog for Discovery, Knowledge, and Reuse

Stakeholder and community feedback. Trusted Digital Identity Framework

Data Governance. Mark Plessinger / Julie Evans December /7/2017

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Will Federated Cross Credentialing Solutions Accelerate Adoption of Smart Card Based Identity Solutions?

National Cybersecurity Center of Excellence

Connecticut Department of Department of Administrative Services and the Broadband Technology Opportunity Program (BTOP) 8/20/2012 1

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

FICAM in Brief: A Smart Card Alliance Summary of the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Transcription:

Scaling Interoperable Trust through a Marketplace John Wandelt Georgia Tech Research Institute This work was performed under the following financial assistance award 70NANB13H189 from the U.S. Department of Commerce, National Institute of Standards and Technology

NASCIO Survey on ID Management CIOs say that the most significant barriers to adoption of an enterprise IAM strategy are: The decentralized environment of the state The cost of doing so The complexity of legacy systems The lack of governance

Persons Non-Persons Logical Access Physical Access Scope of FICAM & SICAM

Need to Defy Gravity

Id&AM Frameworks Need to Evolve

Past, Present, and Future Legacy State of Practice State of Technology State of Need Application Enterprise Federation Ecosystem Application Application Specific Access Control Lists Scale Organization and Governance of Interest Enabling VPN, Virtual Technology PKI, SAML, Trust Directories, etc. Authorization Role Based Access Control Community Frameworks, etc. Attribute Based Access Control Cross Sector Marketplace? Framework Policy Based Access Control

NSTIC Pilot Team

In the Beginning Lots of Application-Specific Identity Silos

Along Came Federated Identity Decouple Identities from Applications! Attribute Provider Identity Provider Standard Protocols Application Application (Service Application Provider) (Service Application Provider) (Service Application Provider) (Service Provider) (Service Provider) User So what about Trust, Liability, Security?

And Today Lots of Federated Identity Silos

Current State of the Identity Ecosystem AP Many Each Trust There Frameworks exist requires many are Trust agreement monolithic Frameworks. across and many opaque. dimensions. AP ISE A ID Trust Framework A ID Trust Framework C Community of Interest C AP Federation B ID Trust Framework B

Achieving Cross-Framework Trust Suppose this user needs access to this. AP AP ISE A ID Trust Framework A ID Trust Framework C Community of Interest C AP In today s ID Ecosystem, there are at least five ways to do it Federation B ID Trust Framework B and all of them face challenges.

Challenges with Inter-federation Federation Federation Why? 1. No two TFs are the same, so mapping trust and interop requirements between them is hard. Think protocols, attributes, policies, etc. 2. TFs are moving targets, which further complicates the mapping process. 3. Transitive trust is diluted trust, so inter-federation trust cannot be as strong as intra-federation trust. 4. Contractual obligations usually cannot be transferred or assigned to 3 rd parties, which makes inter-federation legal agreements difficult or impossible to execute. (Many other issues exist.)

The Perspective from the LE Community Law Enforcement COI has over 1 million people in the US alone Over 10,000 US LE agencies Required to share data across jurisdictions But must obey applicable access controls when sharing Trust between agencies is a fundamental requirement LE agencies are autonomous (NOT centrally funded) 3 rd party trust is required due to COI size and complexity Most users must have high-assurance credentials Federal Agencies LE agencies are highly heterogeneous State Agencies Local Agencies Legitimate business need to interact with many other COIs Tribal Agencies Task Forces Fusion Centers

The Perspective from the LE Community

The Perspective from the LE Community State ISE SICAM Critical Infrastructure Health ISE AP AP AP AP AP AP

Many Other Relevant Initiatives FICAM Federal Identity, Credential, and Access Management NIEF Technical specs and policies are aligned with FICAM NIEF has submitted formal application to be approved as a FICAM Trust Framework Provider @ LOA 2 and non-pki LOA 3 SICAM State Identity, Credential, and Access Management SICAM currently only provides high-level guidance Leverages FICAM and FICAM TFP initiatives NIEF working with NASCIO to further mature SICAM through NIEF Quick Start program and NIEF NSTIC pilots BAE Backend Attribute Exchange NIEF one of first operational BAE pilots in partnership with GSA, PM-ISE, TX DPS, RISS, IIR NIEF has adopted BAE profile for Attribute Providers PIV/PIV-I Personal Identity Verification Under the sponsorship of DHS S&T and in partnership with JHAPL, GTRI developed a proof of concept Gateway between the PIV-I community and NIEF. Also Leverages the BAE to collect additional attributes not on the PIV-I card NSTIC National Strategy for Trusted Identities in Cyberspace NIEF selected by NIST to be a NSTIC pilot to demonstrate Scalable Trust and Interoperability through a Marketplace Scope is broader than FICAM but leverages FICAM

Where to from here?

ID Ecosystem Vision Is it OK if the Trust Frameworks in the ID Ecosystem are mostly non-interoperable and non-trusting identity silos?

ID Ecosystem Vision Or is there a viable strategy and framework for trust and interoperability between various COIs, ISEs, and Federations?

What about a Framework? If the frameworks were modular ID Trust Framework A ID Trust Framework B ID Trust Framework C FICAM FIPPs NIST 800-63 OAuth OpenID SAML SSO LOA 3 then we get: FIPS 200 Greater transparency of trust framework requirements Greater ease of comparability between frameworks Greater potential for reusability of framework components And, most importantly: Greater potential for participation in multiple trust frameworks by ID Ecosystem members with incremental effort and cost

What about a Framework? ID Trust Framework A ID Trust Framework B ID Trust Framework C FICAM FIPPs NIST 800-63 OAuth OpenID FIPS 200 SAML SSO LOA 3 These modular components are called s.

Scope of s FICAM SAML SSO Profile NIST 800-63 / FICAM LOA 3 Identity Fair Information Practice Principles (FIPPs) FIPS 200 Security Practices GFIPM Metadata Registry (User Attributes) Policies & Agreements

A -Based ID Ecosystem AP AP AP ID Trust Framework A Trust Interoperability Profile A ID Trust Framework B Trust Interoperability Profile B ID Trust Framework C Trust Interoperability Profile C Rather than requiring each a community monolithic, can formalized define a Trust TIP. Framework

A -Based ID Ecosystem TIP A TIP B TIP C AP AP AP Provider Provider Then each Some There member s can of be the can many community Providers be acquired may can acquire the necessary Providers through specialize s a in the in issuing ID based Ecosystem. Provider. one the TIP. particular. Others may offer many s. Provider Provider Provider Provider Provider Provider Provider Provider Provider Provider

A -Based ID Ecosystem TIP A TIP B TIP C AP AP AP Members of the ID Ecosystem Provider can query a Registry to answer questions such as: Provider What other members This of s collection the ID Ecosystem of can actors be stored have and the entities in a necessary s to meet is searchable the MY trust requirements? Marketplace. Registry. Provider What s must I acquire to meet the trust requirements of <MEMBER>? Provider Provider Provider X: Y: Etc. Registry

What is a trustmark framework? Stakeholder Community Is Used By Provider Issues Is Represented By Trust Interop Profile Defining Organization Recipient A B C Is Trusted By Defines Is Required By Definition Is Required By Org. 1 Relying Parties Org. 2 End User

Parallels between s and PKI Framework Concept Provider Recipient Relying Party Policy Agreement Defining Organization Definition Trust Interoperability Profile Analogous Concept from PKI Certificate Certificate Authority Subscriber Certificate Relying Party / Audience Certificate Policy Subscriber Agreement ITU (Agency that defined X.509) IETF RFC 5280 (X.509 Spec) List of Trusted Certificate Authorities

Defines basic structure of Conforms to Defines structure of Conforms to Defines structure of Conforms to The Framework in More Detail Spec Is used by Definition Spec Trust Interoperability Profile Spec Instance Defines assessment criteria for Definition Instance Is used by Trust Interoperability Profile Instance

Definitions Conformance Criteria: Conformance to the Identity Provider Organization (O) conformance target of this TD requires the following. 1. The O MUST 2. The O MUST 3. The O MAY 4. Assessment Process: XML Metadata: Publisher: U.S. General Services Administration Name: NIST/FICAM LOA 2 O TD URL: <URL> Description and Intended Purpose: Target Stakeholder Audience: Date of Publication: 15 Apr 2014 Version: 1.0 Visual Icon: Before issuing a trustmark subject to this TD, a Provider MUST complete the following assessment steps. 1. The TP MUST 2. The TP MUST 3. The TP MUST Extension Schema: s issued subject to this TD MUST conform to the Base Schema, and MUST also conform to the following Extension Schema. XSD XML Certification as a Provider: Before an entity may issue trustmarks subject to this TD, it MUST complete the following certification process. 1. The entity MUST 2. The entity MUST 3. The entity MUST? XML XML

A Sample TIP Instance Trust and Interoperability Criteria: Identity Provider Organization (O) Requirements: Requirement Approved Providers FICAM SAML SSO MUST HAVE NIEF NIEF/FICAM LOA 2 O NIEF Attribute Profile O MUST HAVE MUST HAVE NIEF or Deloitte (ANY) XML XYZ Privacy Policy O SHOULD HAVE (ANY) Service Provider Organization (SPO) Requirements: Requirement Approved Providers FICAM SAML SSO SP NIEF Attribute Profile SPO XYZ Privacy Policy SPO MUST HAVE MUST HAVE MUST HAVE NIEF (ANY) (ANY) Metadata: Publisher: U.S. Dept. of Justice URL: <URL> Name: U.S. Law Enforcement Community Info Sharing TIP Description and Intended Purpose: Date of Publication: 15 Jun 2014 Version: 1.0 Digital Signature of Issuer: <SIGNATURE>

s What? Where? TDO

Sources of Components

FICAM InCommon NIEF GFIPM CSDII Others Creating Modular Common Components Step 1: Gather trust and interop requirements from many frameworks Step 2: Break down and reassemble requirements into modular, reusable components Transformation Process Step 3: Express modularized requirements in a standard format to encourage broad reuse Definition Definition Definition

GTRI NSTIC Pilot Analysis 94 distinct trustmarks identified (so far) Covers FICAM, NIEF, and Other NSTIC Pilots Also covers FIPPs (privacy) topics

s By Category Identity Assurance Policy Security Policy Privacy Policy Attribute Assurance Policy Technical Interoperability Organizational Integrity / Bona Fides Technical Trust Usability

Scope of the NSTIC Pilot Concept Maturation Concept Presentation Pilot Concept Website Outreach to IDESG Outreach to NIEF Membership Outreach to SICAM Stakeholders Outreach to Other Stakeholders Framework Normative Spec Normative TD Spec Normative TIP Spec Policy Template Agreement Template Sample TDs, TIPs, and s 1 2 3 4 Comm. Protocol TDs & s Identity LOA TDs & s End-User Privacy TDs & s Security Policy TDs & s Other TDs & s Sample TIPs for NIEF Community Sample Tools Assessment Tool for Providers Generating & Publishing Tool for Providers Registry Query Tool NIEF Pilot 5 6 Issue s to Current NIEF Members Modify Tech Framework, Specs, TDs, TIPs, Policies, Agreements, and Tools as Needed Expanded Pilot via NASCIO/SICAM Identify SICAM Use Cases Issue s to More s, APs, and s via a New Provider Demonstrate SICAM Use Cases in a Multiple--Provider Marketplace

NIEF Moving Forward Legacy State of Practice State of Technology State of Need Application Enterprise Federation NIEF Ecosystem Application Application Specific Access Control Lists Scale Organization and Governance of Interest Enabling VPN, Virtual Technology PKI, SAML, OpenID, Directories, etc. Authorization Role Based Access Control Community etc. Attribute Based Access Control Cross Sector Marketplace Framework Policy Based Access Control

The NIEF QuickStart Program Drive broader adoption and implementation GFIPM, FICAM, and NIEF standards among state agencies. Streamline the onboarding process to lower cost and barriers to adoption. Demonstrate the NIEF Framework as a viable approach to cross sector interoperable security, privacy, and trust.

Learn More Here https://trustmark.gtri.gatech.edu

Some NIEF Members

High-Level Project Plan & Timeline Q4 2013 Q1 2014 Q2 2014 Q3 2014 Q4 2014 Q1 2015 Q2 2015 Q3 2015 Develop Concept Refine Concept as Needed Develop Framework Develop Sample TDs, s, and TIPs Refine Framework as Needed Refine TDs, s, and TIPs as Needed Develop and Refine Sample Software Tools Develop SICAM Use Cases & Scenarios Refine Use Cases & Scenarios Pilot in NIEF Outreach/Prep for Expanded Pilot Community Outreach Project Oversight & Reporting Expanded Pilot SICAM Demo

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback