Managing PIV Life-cycle & Converging Physical & Logical Access Control Ramesh Nagappan Sun Microsystems ramesh.nagappan@sun.com Smart cards in Government Conference Oct 23, 2008 Ronald Reagan International Center, Washington DC
Setting Expectations What you can take away! Explore the Personal Verification (PIV) Life-cycle and its pre- and post-issuance deployment challenges. Architectural characteristics of managing PIV Life-cycle and converging Physical and Logical Access Control Systems. Role and relevance of adopting to an Management Solution (IDMS) for delivering and managing an end-to-end PIV lifecycle. 2
The PIV Life-cycle PIV Management Activities (From registration to till its retirement) Registration PIV Credential Termination Enrolment & Adjudication PIV Credential Maintenance PIV Credential Issuance PIV Physical & Logical Access Control 3
The PIV Ecosystem Core technology components of a PIV Lifecycle Security Event Monitoring Demographic Data/ Documents Enroll Biometric samples Physical/ Logical Access Control Systems Management Solution Proofing & Adjudication Credentials Issuance ( Smartcard/PKI/ Biometrics) Public-Key Infrastructure 4
PIV Lifecycle: Known Challenges Real-world Pain Points Defining an authoritative source for managing and maintaining PIV information life-cycle. Silos of point solutions and repositories - Biometric/Enroll middleware, CMS, PACS, LACS, SIEM, IAM and more! No single administration console for management. Too many PIV life-cycle events and operations - right from identity registration and till its retirement! Establishing administrative controls, authorization workflows and authority approvals/denials for lifecycle operations. Managing and maintaining authorization workflow, approval/ denial actions and notification. Enforcing segregation of duties (separation of powers). Enforcement of access control policies, Role based Access control (RBAC) and procedures (ex. Emergency access/exit). 5
PIV Lifecycle: Known Challenges continued Real-world Pain points Provisioning and De-Provisioning complexities with disparate PIV/FIPS-201 solutions and downstream applications. Initiating instantaneous Provisioning and De-provisioning of PIV enrollment data and its changes to support lifecycle events - registration to till its termination. Detecting and thwarting dormant/back-door user account creation/modification and circumventing controls. Managing changes and re-verification/re-enrollment issues related to profiles, roles, privileges and policies. attribute changes and propagation to heterogeneous PIV based applications? Supporting re-verification and re-enrollment requirements related to lifecycle events and attribute changes. Certify and attest role and access privileges changes. 6
Converging Physical/Logical Access: Known Challenges Enabling PIV credentials to authenticate disparate Physical Access Control Systems (PACS) and Logical Access Control Systems (LACS). Using PIV credentials such as CHUID, PIN, PKI certificates and Biometrics for authentication. Use PIV credentials based digitally-signed approvals or denials for authorization workflow and maintaining tamper-proof logs/ records of authorization information. Enabling PIV credentials based Single Sign-on (SSO) to IT applications and Desktops and furthering SSO to participate in Federation (eauthentication Scenarios). Integration, extensibility limitations and maintenance issues are common due to proprietary nature of interfaces related to PACS. 7
Converging Physical/Logical Access: Known Challenges. continued Initiating and managing the authentication process using PIV Credentials. PKI certificate validation via OCSP or CRL DPs of the PKI SSP. Enabling PACS authentication using CHUID/PKI/PIN credentials (Based on Contact/Contact-less/Hybrid readers). On/Off-the-card Biometric authentication using Biometric authentication middleware. Managing requests and reporting the status of scenarios such as Forgotten PIN, Temporary card requests and Lost PIV card scenarios? Managing and reporting the status of Lost/Forgotten cardrequests/approvals, certificate revocation, key escrow and recovery operations. 8
Logical PIV Architecture Solution Putting it all together Enrollment and Adjudication Services Registration/ Enrollment Demographic data PIV Document Request w/ Biometric Credentials samples Sponsor approval Proofing/ Adjudication Provisioning De-provisioning Life-cycle Management Services Auditing Logging Compliance Authorization Workflow Signed Approvals Credential Change Management User/Role Management Smartcard Issuance/ Management Services PKI / Biometric Authentication Physical and Logical Access Control Services Physical Access Control Systems IT Applications eauthentication Single Sign-on / Federation Public Key Infrastructure 9
Choosing an IDMS IDMS Requirements for managing PIV lifecycle Automated Provisioning & De-Provisioning and Synchronization Services Automated operations for Creation, Maintenance and Termination of profile (s) and its access privileges. Integration and interoperability with FIPS-201 compliant Biometric middleware, Document verification, CMS, PACS, IAM and other supporting IT applications. Instantaneous provisioning/de-provisioning and synchronization of User profile attributes, PIV credentials (PIN/PKI/Biometrics), roles, status/attribute changes, access privileges, rules and policies to/from target resources. Automated Authorization and Approval/Denial workflows and notifications. Workflow-driven provisioning/de-provisioning/change requests, approvals/denials, notifications and escalations. PIV credentials based digitally-signed approvals and denials. 10
Choosing an IDMS. continued Core IDMS Requirements for managing PIV lifecycle Role Engineering and Management Establish internal controls for enforcing Segregation of Duties and Least privilege. (Ex. FISMA compliance) Auditing, Access Certification and Compliance reporting Who has access? Who accessed it? What went wrong? Who authorized it? When it happened? Periodic access review (Attestation and Recertification) Detect and report potential violations Integration with Security Information and Event monitoring (SIEM). Single administration console and dashboard for all PIV user profile information and status of requests/operations for all target resources. Self-service user administration and delegated administration. Message and Transport-level Security (FIPS-140 mode) 11
Industry Standards Contributing standards for Managing PIV and Convergence of P/LACS OASIS SPML 2.0 - Service Provisioning Markup Language. XML Protocol for Provisioning and De-Provisioning. OASIS SAML 2.0 - Security Assertions Markup Language. XML Protocol for representing Authentication and Authorization assertions. OASIS XACML 2.0 - extensible Access Control Markup Language. XML Protocol for representing Access Control Policies. Liberty Alliance Standards (ID-*) Open Standards for representing Federation across networks. OASIS WS-Security and WS-* Standards for Securing XML Web Services. Finally.FIPS-201 and its related special publications. 12
PIV Solution from Sun and ISV Partners Pre-Integrated, Pre-Verified and Pre-Tested for PIV Deployment Enrollment & Adjudication Aware BioSP CrossMatch Secugen Smartcard Issuance and Management Activ CMS Bell-ID ANDiS Security Information & Event Monitoring (SIEM) ArcSight LogLogic Sun Management Suite Aware BioSP Public-key Infrastructure SSP Entrust Cybertrust Verisign Exostar Physical & Logical Access control Verisign PKI Quantum Secure SAFE Aware BioSP BioBex Activ ESSO 13
Thank You Ramesh Nagappan Sun Microsystems ramesh.nagappan@sun.com Smart cards in Government Conference Oct 23, 2008 Ronald Reagan International Center, Washington DC 14