Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA


LANL's Multi-Factor Authentication (MFA) Initiatives
NLIT Summit 2018
Glen Lee, Network and Infrastructure Engineering Division, Infrastructure Services Group (NIE-IS), glenleee@lanl.gov
May 22, 2018, 11:15 AM, Location: 104A
LA-UR-18-23969. Approved for public release; distribution is unlimited.

Our MFA Journey

Where we were:
- Static Active Directory passwords ("P@$$w0rd!") for Active Directory, MIT Kerberos and business apps
- CRYPTOCard hardware one-time password device for privileged users and remote access

Where we are (no static Active Directory passwords):
- CRYPTOCard hardware one-time password device for remote access, MIT Kerberos, business apps and Active Directory
- PIV card for Active Directory, privileged users and single sign-on (SAML federation)
- Static Active Directory passwords only through OneID and the Temporary Password Self-Service Portal

Where we are heading:
- NIST SP 800-63-3 IAL3/AAL3 credentials and other IALx/AALx credentials for remote access, MIT Kerberos, Active Directory, single sign-on (SAML federation) and business apps
- OneID plus the Temporary Password Self-Service Portal

6/13/2018 3

Technical Approach to Achieving the DOE and FISMA MFA Requirement

DOE MFA requirement:
- Disable use of the static AD password on the user's AD account
- Map both the PIV and the CRYPTOCard to the user's AD account using the multi-value AD attribute altSecurityIdentities: 1. X509: PIV cert; 2. Kerberos: CRYPTOCard (CC) identity
- Need an AD password for some reason? Temporary Password Self-Service Portal adds the user to an AD security group; MFA is re-enforced in Active Directory daily

Transition to the FISMA MFA requirement:
- Disable use of the static AD password on the user's AD account
- Map only the PIV to the user's AD account (altSecurityIdentities: 1. X509: PIV cert)
- Need to use an AD password or the CRYPTOCard for some reason? Temporary Password Self-Service Portal adds the user to an AD security group and adds the CC to altSecurityIdentities (2. Kerberos: CC identity); PIV is re-enforced in Active Directory daily

Static re-usable AD passwords are no longer an attack vector at LANL.
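The mapping and enforcement described on this slide, written out as an added PowerShell example (not LANL's code): it writes the X509 and Kerberos mappings into altSecurityIdentities and then requires smart-card logon unless the user is in the temporary-password exception group, which is the check a daily enforcement job would make. Account names, DNs, the realm and the group name are placeholders.

```powershell
# Added example, not LANL's code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Set-MfaAccountMapping {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Issuer and subject DNs of the PIV authentication certificate (placeholders)
        [Parameter(Mandatory)][string]$PivIssuerDn,
        [Parameter(Mandatory)][string]$PivSubjectDn,
        # Kerberos principal of the CRYPTOCard identity; omit it to map only the PIV
        [string]$CryptoCardPrincipal,
        # Security group populated by the temporary-password self-service portal (placeholder name)
        [string]$TempPasswordGroup = 'MFA-TempPassword-Exception'
    )

    # altSecurityIdentities entries: X509 issuer/subject mapping, plus an optional
    # Kerberos principal mapping for the CRYPTOCard identity
    $mappings = @("X509:<I>$PivIssuerDn<S>$PivSubjectDn")
    if ($CryptoCardPrincipal) { $mappings += "Kerberos:$CryptoCardPrincipal" }
    Set-ADUser -Identity $SamAccountName -Replace @{ altSecurityIdentities = $mappings }

    # Daily enforcement: users outside the exception group must log on with a
    # smart card; setting the flag makes the static AD password unusable.
    $excepted = Get-ADGroupMember -Identity $TempPasswordGroup -Recursive |
        Where-Object { $_.SamAccountName -eq $SamAccountName }
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired (-not [bool]$excepted)
}

# Constructed placeholder values for illustration only
Set-MfaAccountMapping -SamAccountName 'jdoe' `
    -PivIssuerDn 'DC=gov,DC=example,CN=Example PIV CA' `
    -PivSubjectDn 'CN=John Doe,OU=People,DC=example,DC=gov' `
    -CryptoCardPrincipal 'jdoe@EXAMPLE.REALM'
```

Running the function for every account from a scheduled task reproduces the "enforced daily" step; leaving out -CryptoCardPrincipal gives the PIV-only mapping of the FISMA column.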

What About Those Who Don't Have a PIV?

- Uncleared US citizens => PIV. Supplemental Directive 206.2, "Implementation of Personal Identity Verification For Uncleared Contractors", was signed April 14, 2018.
- Others (foreign nationals, interns, summer hires, etc.) => PIV-like alternative: an Identity Assurance Level 3 / Authenticator Assurance Level 3 (IAL3/AAL3) token. Alternatives under consideration include a LANL-issued credential (more to come on this later) and the GSA USAccess temporary credential (service expected in the September/October timeframe). Work in progress.
- Mobile devices => derived credentials per NIST SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. Alternatives under consideration include the GSA USAccess service (requirements and planning phase) and LANL-issued credentials (if the enterprise service is not made available).

All users will have a PIV or PIV-like credential to use for authentication.

macOS MFA Implementation

- Significant number of Mac systems at LANL, managed by Casper; most are not bound to a directory service (e.g., Active Directory)
- MFA approach for Mac: disable the use of static Active Directory passwords for access to network resources and leverage Kerberos tickets in lieu of Active Directory passwords; not dependent on the Mac being bound to a directory service
- Logon to the Mac is not impacted, since device authentication is not the subject of the DOE MFA requirement
- System requirements: macOS Sierra 10.12.4 (or later); macOS 10.11 (and earlier) are not supported
- NoMAD: menu application to help manage Kerberos tickets; standard on all LANL Mac systems
- LANL MFA credential: PIV card for those who have one, otherwise CRYPTOCard; smartcard reader for PIV users

Static Active Directory (AD) passwords are not needed on a Mac.

PIV on the Mac

- PIV (smartcards) are natively supported on macOS Sierra 10.12 (and later), using Apple's CryptoTokenKit framework instead of the TokenD framework
- PIV logon to local accounts is supported; optional capability for LANL users
- The PKI Certification Authority (CA) chains are centrally managed; the macOS keychain is configured via JAMF server configuration profiles
- NoMAD improves the user experience with PIV: alert/notification when the PIV is left in the reader; friendly names displayed to distinguish each certificate
- PIV works with Apple applications (Safari, Apple Mail) without extra configuration
- Applications that pose a problem: Firefox (requires third-party middleware to provide PKCS support for PIV); Adobe (only supports TokenD); Outlook for Mac (will support CryptoTokenKit soon); Remote Desktop Client for Mac (does not support smartcards)

PIV does work natively on the Mac, but there are some challenges to overcome.

Our Approach to Alternative Credentials

Compliant with NIST SP 800-63-3:
- Identity Assurance Level 3 (IAL3) requirements are met by the existing PIV processes: sponsorship (name, affiliation, etc.), identity proofing (who are you?) and enrollment (photo, bio, etc.), which feed the identity data source. The verified identity record carries, for example, Name: John Doe, Affiliation: LANL, SiteID: 123456.
- Authenticator Assurance Level 3 (AAL3) requirements are met by a Credential Management System (CMS) integrated with the identity data source and the internal PKI, which issues NIST-approved hardware cryptographic tokens obtained through the supply chain.

Result: an IAL3/AAL3 credential that is functionally the same as PIV.

Remote Access Approach

1. Two-factor authentication to initiate the remote session at the remote access point ("Hey, it's me").
2. Remote access secondary challenge ("Is this really you?").
3. Second authentication ("Yes it is."); access granted to the LANL network.
4. Establish the secure remote access session ("Okay, you can have access.").

Two-step authentication on top of two-factor authentication: the second step ensures a LANL user really initiated the original request for access.

Transitioning from LANL's Legacy Entrust PKI

LANL dependencies on the legacy Entrust PKI, LANL's approach, and transition readiness:

- Internal (local) applications: LANL's Only Locally Trusted (OLT) PKI; full production mode and systems
- OLT PKI Certificate Tool: full production mode
- Wireless access: LANL's Only Locally Trusted (OLT) PKI; testing with LANL's wireless implementation
- Email encryption on the desktop: PIV encryption certificate; native Outlook on Windows and Mac; Energy Global Directory Service (EGDS); PIV email address corrections in GSA USAccess; re-encryption tool (DOD's MailCrypt). Readiness: ~95% of Entrust users have PIV; piloting and assessing features; production ready; participating in the DOE-wide effort to leverage OneID's connection to GSA; assessing its use at LANL
- Email encryption on mobile devices: PIV encryption certificate sans PIV; GSA USAccess PIV encryption key recovery service; Mobile Device Management (MDM) solution integrated with the GSA / Entrust service. Readiness: ~75% of Entrust users have mobile; collaborating with DOE and GSA USAccess for both third-party and self-service models; long-term goal in collaboration with DOE and GSA USAccess

LANL's MFA implementation facilitates the long-term goal of retiring the Entrust infrastructure and desktop components.

LANL's OneID Integration

Components (status: work in progress, production, or future):
- Authentication Hub (HUB): federation (SAML) between Ping's IdP component and the LANL Identity Provider (IdP) for single sign-on (SSO), governed by a SAML contract
- Attribute Exchange Service (AES): Ping's SCIM attribute provisioning component, fed from LANL's source(s) of truth of people data, with a lookup interface used by LDAP, network/apps and PACS

Attribute flows:
- Provision LANL person attributes to OneID; OneID returns a DUID for storage and future provisioning
- Request attributes using the DUID or SiteID; OneID returns the attributes for the requested DUID or SiteID

LANL anticipates leveraging OneID to streamline the management of both internal and external users' access to facilities, networks, and applications.

Our MFA Destination

- Authenticate with PIV and PIV-like credentials: strong authentication (including two-step authentication)
- Federation (SAML) single sign-on (SSO): LANL network SSO, LANL applications SSO, DOE and other government agency applications
- Reading and sending secure email is important too: search and retrieve users' public encryption certificates via the Energy Global Directory Service (EGDS); retrieve and configure your PIV private encryption key

Are we there yet?

Questions?