Thursday, May 15. Track D Security & Access Control


Transcription:

Thursday, May 15, Track D: Security & Access Control
Session: PKI Logical Access Technology & Applications
Time: 10:15 AM - 12:00 PM
Room: W204 D
Moderator: Steve Howard, VP, Business Development, Identity Management, Thales e-security, Inc.
Speakers:
- Donald Malloy, Director, Business Development, Incard Technology
- Iana Bohmer, Director, Identity Management Solutions, Northrop Grumman (TSCP)
- Jim Gross, SVP, Wells Fargo

Secure Access through Federation
Iana Bohmer, Director, Identity Management, Northrop Grumman
May 15, 2008

Topics:
- TSCP Membership
- TSCP Origin
- TSCP Mission & Vision
- Common Framework for Secure & Federated Collaboration
- Challenge of Domain Awareness
- CertiPath Trust Hub for Federation
- Business Challenges that TSCP Aims to Solve
- TSCP Specification: Secure E-Mail
- Upcoming Specifications
- Summary: Membership Benefits

TSCP Membership
Government-industry partnership focused on facilitating solutions to the most critical issues in Aerospace and Defense (A&D) today.

TSCP Origin
Created in 2002 by the U.K. MoD, the U.S. DoD and global A&D companies. The original goal was to define secure data sharing and collaboration for the entire supply chain, even when it begins with a government customer. The collaboration environment was characterized by:
- Large defense contracts involving thousands of companies
- Information sharing across company and country boundaries
- Different policies/laws in each company and country
- Increasing risks of data breaches or of violating import/export regulations
- Unproven and inconsistent identity vetting and management
- Non-existent information and personal profiling

TSCP Vision & Mission
Vision: An international government and A&D industry partnership that seeks:
- Risk Mitigation. Mitigation of the inherent IT risks in large multi-national collaborative programs: complexity, cost, compliance.
- Frameworks. Establish frameworks for secure collaboration and information sharing while protecting IP.
- Interoperability. Cooperative effort to establish interoperability specifications:
  - Determine impediments to sensitive data sharing
  - Define requirements for a solution
  - Implement a prototype to test the specification
  - Encourage vendors to create compliant solutions
Mission: TSCP's mission is to establish an environment in which employees, contractors and suppliers can securely access the data required to execute on contracts and programs.

Common Framework for Secure & Federated Collaboration
- Meet government agencies' emerging requirements for identity assurance across domains
- Demonstrate compliance with export control regulations
- Protect corporate IP in collaborative and other information sharing programs
- Protect personal privacy data of employees
- Have collaborative toolsets that will interoperate with customers and suppliers
- Re-use collaborative capabilities among multiple programs
- Provide assurance that collaborative partners can be trusted

Challenge of Domain Awareness
- Large, Complex Space. Difficult to monitor a large global space.
- No Central Authority. No single or centralized authority.
- Pervasive Threat. Small cells create pervasive threats to large nation states.

CertiPath Trust Hub for Federation
- Trust. Mechanism by which member companies and governments can use trusted digital IDs.
- Identity Assurance. Central, trusted authority that issues CertiPath-enabled digital identities, which assures that identities are verified and validated.
- Interoperability. System that provides interoperability of participants' credentials across industry & government.

[Bridge Model diagram. CertiPath at the hub, linked to member companies (Boeing, Northrop, BAE, Lockheed Martin, EADS) and to the US Federal Bridge CA (DoD, NASA, DoT, DHS). Also shown: CA providers for companies that do not want to operate their own CAs (ARINC, Exostar, SITA); other governments (TBD; UK MoD in process); other industry bridges (automotive, transportation/cargo, banking, etc.).]

Business Challenges that TSCP Aims to Solve
- Mutual Confidence (Trust). Mitigating risk and ensuring quality between parties in the circle of trust can be performed through:
  - Definition of business standards
  - Definition of minimum requirements
  - Enforcement through certification and audits
- Liability. Allocation of liability in the event of failure of a critical transaction due to malfunction of a shared authentication component:
  - Extent of liability
  - Definition of a dispute resolution process
- Risk.
  - Pooled Knowledge: sharing of customer information (e.g. number of customers, customer names, etc.) between enterprises
  - Revocation Procedures: increased reliance on third parties for authentication
  - Fraud Protection: broadened potential for fraud if an identity is ever compromised
  - Security Incident Procedures: coordinated effort for analysis and correlation of audit logs among the parties involved
- Compliance.
  - Privacy Legislation: ensure privacy terms are not violated when federating an identity between enterprises

TSCP Specification: Secure E-mail
TSCP has established a specification for secure collaborative e-mail:
- Organizations can trust and identify e-mail senders and recipients
- Eliminates inherent identity and data transmission security flaws
- E-mail can only be shared by trusted, vetted parties
- Based on users and desktops
- Available to all of the A&D industry and beyond
- Free step-by-step guide on TSCP.org
- Developed with COTS products and open-source software
- Leverages the CertiPath trust federation
- Controlled Unclassified Information and sensitive program data can be shared among thousands of partners
- For Microsoft Outlook and Lotus Notes

Upcoming Specifications
TSCP is working on specifications that will be available in the near future:
- PKI Authentication: IP protection and export control inside of a PLM environment. In production in 2008.
- Information Asset Protection: IP protection and export controls in real-time collaboration, such as online whiteboarding. Proof of concept in 2008.
- Document Sharing with Identity Federation (DSIF): Sharing of documents across member domains using federation for authentication of identities. Pilot in 2008.
Same process as with Secure E-mail:
- Free step-by-step guide on TSCP.org
- Developed with COTS products and open-source software
- Leverages the CertiPath trust federation

Summary: Membership Benefits
TSCP Microsoft meeting, Feb 2007. On any given day, over 100 engineers are working on TSCP projects.
To Governments & Prime Contractors/OEMs:
- Influence to drive a common approach and specifications
- Efficiency of working together on common problems
- Mitigation of risk exposure in reference to the insecurity of data sharing
- Reusable specifications that reduce integration complexity, coordination time and collaboration costs
To Solution Providers/Vendors:
- Exposure to a motivated customer base and goodwill
- Defined roadmap and business case
- Working prototypes that ease development costs
- Reusable specifications

QUESTIONS and DISCUSSION
Contact Information: www.tscp.org

Identity Convergence: Logical, Physical, Mobile, Virtual
Jim Gross, Senior Vice President, WellsSecure Identity Assurance

The General Identity Ecology
[Diagram: identity reliance and identity assertion among Family/Friends, Commercial, Employers, Comm. Networks, Industry, Financial, Government, Institutions, and People, Entities, Machines (More?).]

Getting More Complex All The Time
[Identity ecology diagram: Family/Friends, Commercial, Employers, Comm. Networks, Industry, Financial, Government, Institutions; People, Entities, Machines; More?]

And It's About More Than Logging In
[Identity ecology diagram extended with use cases: Buying Stuff, Getting In The Door, My 2.0 Agents, Always With Me.]

[Diagram of use cases: My 2.0 Agents, Buying Stuff, Getting In The Door, Always With Me.]

It Takes Two To Tango
- Interoperable business policy, rules and contractual framework
- Interoperable hardware, code and network specs.
[Diagram: Young Adult / Gangly Adolescent; a common drive train across the identity ecology.]

Key Technology Drivers Toward Mature Convergence
- For physical: HSPD-12/FIPS 201/PIV twins
  - Finally brought certification to smart card reader interoperability
  - NIST 800-16 (draft out for review) further refines physical access specs. to support identity assurance level
- For mobile: secure contactless access to the SIM chip
- For Web 2.0: rich metadata
  - To enable a service
  - And, to allow dynamic linkage decisioning
Standard identity services are at the top of the list!

Key Business Driver Towards Mature Convergence
Liberty Alliance IAF (Identity Assurance Framework)
- Objective is to create a framework of baseline policies, business rules and commercial terms against which identity assurance services can be assessed and certified
- Standard, broadly accepted Levels of Assurance allow relying parties (or their agents) to readily determine, on the fly, their confidence in an identity credential
- Desired results are:
  - Operational streamlining of identity service provider certification/accreditation processes for the entire industry
  - Less complex/more rapid deployment of digital identity services

How IAF Certification Will Unfold
- Initially focused on the use of credentials for authentication, targeting CSPs (Credential Service Providers)
- Liberty Alliance (LAP) provides accreditation of the assessors who will perform certification assessment
- Federation Operators will require LAP-accredited assessments
- Provides guidelines for how all involved parties (relying parties, CSPs and Federation Operators) may work together
- LAP will maintain the Identity Assurance Framework and provide a current list of accredited assessors

Converged Use Case: Payments
Initiation/release of a $1MM wire
- Basic relying party (e.g. financial institution) requirement: requestor authentication onto the network in order to submit the request. Existing tools satisfy this requirement.
- Further relying party requirement: requestor authorization to submit the request. Existing tools satisfy this requirement.
- But, do I have high assurance that the identity credential submitted can non-repudiably represent the customer? The IAF framework and supporting network deliver this capability.

Converged Use Case: Physical
Physical access to a storage facility for negotiable documents
- Facility maintains a directory of identities authorized to enter
- Person x is authorized to enter, but does not have a facility access card to allow authorized entry
- Person x holds a payment card that also holds a high assurance identity credential
- Person x can be authorized to enter without further effort via assurance level match

Identity Framework Data Services Will Be Increasingly Essential
[Diagram: Standardized FIPS 201 Credential & Attribute Validation Process. Identity Infrastructure (PII retained; assurance level assigned): Federal HSPD-12 Credential, State/Local FRAC and Private Sector FRAC, each trusted, carrying a PIV Auth Cert, with web-based public CRLs. Attribute Infrastructure (no PII retained; assurance level consumed): FEMA Attribute Repository holding electronic attributes maintained by an Agency or AHJ Attribute Administrator. Validation Infrastructure (validated information retained): FIPS 201 cert valid; Consolidated Information = PIV Auth Cert + Electronic Attribute. Key: AHJ - Authority Having Jurisdiction; CRLs - Certificate Revocation Lists; FRAC - First Responder Authentication Credential; PIV Auth Cert - FIPS 201 Personal ID Verification Authorization Certificate. For Official Use Only (FOUO). Graphic and content courtesy of Tom Lockwood, DHS.]

Contact Information
Jim Gross, Senior Vice President, Wells Fargo
One Front Street, MAC A0195-204, 20th Floor, San Francisco, CA
V: (415) 222-5007
F: (415) 788-3039
jgross@wellsfargo.com
