Managing PIV Life-cycle & Converging Physical & Logical Access Control


Managing PIV Life-cycle & Converging Physical & Logical Access Control
Ramesh Nagappan, Sun Microsystems, ramesh.nagappan@sun.com
Smart Cards in Government Conference, Oct 23, 2008, Ronald Reagan International Center, Washington DC

Setting Expectations: What you can take away
- Explore the Personal Identity Verification (PIV) life-cycle and its pre- and post-issuance deployment challenges.
- Architectural characteristics of managing the PIV life-cycle and converging Physical and Logical Access Control Systems.
- Role and relevance of adopting an Identity Management Solution (IDMS) for delivering and managing an end-to-end PIV life-cycle.

The PIV Life-cycle: PIV management activities, from registration to retirement
- Registration
- Enrolment & Adjudication
- PIV Credential Issuance
- PIV Physical & Logical Access Control
- PIV Credential Maintenance
- PIV Credential Termination

The PIV Ecosystem: core technology components of a PIV life-cycle
- Identity Management Solution
- Demographic data / documents
- Enrolment of biometric samples
- Proofing & Adjudication
- Credential issuance (smartcard / PKI / biometrics)
- Public-Key Infrastructure
- Physical / Logical Access Control Systems
- Security Event Monitoring

PIV Life-cycle: Known Challenges (real-world pain points)
- Defining an authoritative source for managing and maintaining the PIV information life-cycle.
- Silos of point solutions and repositories: biometric/enrolment middleware, CMS, PACS, LACS, SIEM, IAM and more. No single administration console for management.
- Too many PIV life-cycle events and operations, from identity registration through to retirement.
- Establishing administrative controls, authorization workflows and authority approvals/denials for life-cycle operations.
- Managing and maintaining authorization workflow, approval/denial actions and notification.
- Enforcing segregation of duties (separation of powers).
- Enforcement of access control policies, Role-Based Access Control (RBAC) and procedures (e.g. emergency access/exit).

PIV Life-cycle: Known Challenges, continued (real-world pain points)
- Provisioning and de-provisioning complexities with disparate PIV/FIPS-201 solutions and downstream applications.
- Initiating instantaneous provisioning and de-provisioning of PIV enrolment data and its changes to support life-cycle events, from registration through to termination.
- Detecting and thwarting dormant/back-door user account creation or modification that circumvents controls.
- Managing changes and re-verification/re-enrolment issues related to profiles, roles, privileges and policies: how are attribute changes propagated to heterogeneous PIV-based applications?
- Supporting re-verification and re-enrolment requirements related to life-cycle events and attribute changes.
- Certifying and attesting changes to roles and access privileges.
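The two slides above describe an IDMS as the authoritative source whose life-cycle state changes must propagate instantly to every downstream PACS/LACS, and the need to detect accounts that were created behind its back. The following Python sketch is an added illustration of that pattern, not code from Sun or from any product named on the slides: the state names, the `TargetSystem` interface and the sample identity and account ids are constructed assumptions. It models the lifecycle as a state machine with an explicit allowed-transition table, fans every change out to all targets, and reconciles target account stores against the IDMS to surface orphan (back-door) accounts.

```python
"""Added example: PIV life-cycle state machine with provisioning fan-out.

Constructed illustration of the life-cycle on the slides; it is not Sun's
product code or any real IDMS API. Target-system names, the TargetSystem
interface and the sample records are assumptions.
"""
from dataclasses import dataclass, field

# Life-cycle states, in the order the slides give them.
REGISTERED = "registered"
ADJUDICATED = "adjudicated"
ISSUED = "issued"
ACTIVE = "active"
TERMINATED = "terminated"

# Allowed transitions; anything else is refused as a policy violation.
# ACTIVE -> ACTIVE stands for maintenance (re-verification / attribute change).
TRANSITIONS = {
    REGISTERED: {ADJUDICATED, TERMINATED},
    ADJUDICATED: {ISSUED, TERMINATED},
    ISSUED: {ACTIVE, TERMINATED},
    ACTIVE: {ACTIVE, TERMINATED},
    TERMINATED: set(),
}

# States in which the card holder may hold accounts on downstream systems.
PROVISIONED_STATES = {ISSUED, ACTIVE}


@dataclass
class TargetSystem:
    """A PACS or LACS with its own account store (assumed minimal interface)."""
    name: str
    accounts: set = field(default_factory=set)

    def provision(self, piv_id):
        self.accounts.add(piv_id)

    def deprovision(self, piv_id):
        self.accounts.discard(piv_id)


@dataclass
class PivIdentity:
    piv_id: str
    state: str = REGISTERED


class Idms:
    """Authoritative source: every state change fans out to all targets."""

    def __init__(self, targets):
        self.targets = targets
        self.identities = {}
        self.events = []  # audit trail of (piv_id, old_state, new_state)

    def register(self, piv_id):
        self.identities[piv_id] = PivIdentity(piv_id)
        self.events.append((piv_id, None, REGISTERED))

    def transition(self, piv_id, new_state):
        ident = self.identities[piv_id]
        if new_state not in TRANSITIONS[ident.state]:
            raise ValueError(f"{piv_id}: {ident.state} -> {new_state} not allowed")
        old = ident.state
        ident.state = new_state
        self.events.append((piv_id, old, new_state))
        # Instantaneous propagation: targets never lag the authoritative state.
        for target in self.targets:
            if new_state in PROVISIONED_STATES:
                target.provision(piv_id)
            else:
                target.deprovision(piv_id)

    def reconcile(self):
        """Return {target_name: accounts the IDMS never authorised}."""
        authorised = {p for p, i in self.identities.items()
                      if i.state in PROVISIONED_STATES}
        report = {}
        for target in self.targets:
            orphans = target.accounts - authorised
            if orphans:
                report[target.name] = orphans
        return report


def demo():
    pacs, lacs = TargetSystem("PACS"), TargetSystem("LACS")
    idms = Idms([pacs, lacs])
    idms.register("piv-0001")
    idms.transition("piv-0001", ADJUDICATED)
    idms.transition("piv-0001", ISSUED)      # accounts appear on PACS and LACS
    idms.transition("piv-0001", ACTIVE)
    # Constructed scenario: a local admin adds an account directly on the PACS.
    pacs.accounts.add("contractor-backdoor")
    orphans = idms.reconcile()               # reconciliation flags it
    idms.transition("piv-0001", TERMINATED)  # de-provisions everywhere at once
    return {
        "pacs_after_termination": set(pacs.accounts),
        "lacs_after_termination": set(lacs.accounts),
        "orphans": orphans,
        "events": len(idms.events),
    }


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is the part worth copying: provisioning alone cannot catch an account created on a target by a local administrator, so a periodic comparison of each target's account store against the IDMS's set of provisioned identities is what turns "back-door account" from a risk into a detectable event.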

Converging Physical/Logical Access: Known Challenges
- Enabling PIV credentials to authenticate to disparate Physical Access Control Systems (PACS) and Logical Access Control Systems (LACS).
- Using PIV credentials such as the CHUID, PIN, PKI certificates and biometrics for authentication.
- Using PIV-credential-based digitally signed approvals or denials for authorization workflow, and maintaining tamper-proof logs/records of authorization information.
- Enabling PIV-credential-based Single Sign-On (SSO) to IT applications and desktops, and extending SSO to participate in federation (e-authentication scenarios).
- Integration and extensibility limitations and maintenance issues are common because of the proprietary nature of PACS interfaces.

Converging Physical/Logical Access: Known Challenges, continued
- Initiating and managing the authentication process using PIV credentials.
- PKI certificate validation via OCSP or the CRL distribution points of the PKI Shared Service Provider (SSP).
- Enabling PACS authentication using CHUID/PKI/PIN credentials (based on contact, contactless or hybrid readers).
- On-card and off-card biometric authentication using biometric authentication middleware.
- Managing requests and reporting the status of scenarios such as forgotten PIN, temporary card requests and lost PIV cards.
- Managing and reporting the status of lost/forgotten card requests and approvals, certificate revocation, key escrow and recovery operations.

Logical PIV Architecture Solution: putting it all together
- Enrollment and Adjudication Services: Registration/Enrollment (demographic data, PIV request with document credentials and biometric samples, sponsor approval) and Proofing/Adjudication.
- Life-cycle Management Services: Provisioning and De-provisioning, Auditing, Logging and Compliance, Authorization Workflow with Signed Approvals, Credential Change Management, User/Role Management.
- Smartcard Issuance/Management Services.
- PKI / Biometric Authentication.
- Physical and Logical Access Control Services: Physical Access Control Systems, IT Applications, e-authentication, Single Sign-On / Federation.
- Public Key Infrastructure.

Choosing an IDMS: IDMS requirements for managing the PIV life-cycle
- Automated provisioning & de-provisioning and synchronization services.
  - Automated operations for creation, maintenance and termination of profile(s) and their access privileges.
  - Integration and interoperability with FIPS-201 compliant biometric middleware, document verification, CMS, PACS, IAM and other supporting IT applications.
  - Instantaneous provisioning/de-provisioning and synchronization of user profile attributes, PIV credentials (PIN/PKI/biometrics), roles, status/attribute changes, access privileges, rules and policies to/from target resources.
- Automated authorization and approval/denial workflows and notifications.
  - Workflow-driven provisioning/de-provisioning/change requests, approvals/denials, notifications and escalations.
  - PIV-credential-based digitally signed approvals and denials.

Choosing an IDMS, continued: core IDMS requirements for managing the PIV life-cycle
- Role engineering and management: establish internal controls for enforcing segregation of duties and least privilege (e.g. FISMA compliance).
- Auditing, access certification and compliance reporting: who has access? Who accessed it? What went wrong? Who authorized it? When did it happen?
  - Periodic access review (attestation and recertification).
  - Detect and report potential violations.
  - Integration with Security Information and Event Monitoring (SIEM).
- Single administration console and dashboard for all PIV user profile information and the status of requests/operations for all target resources.
- Self-service user administration and delegated administration.
- Message- and transport-level security (FIPS 140 mode).
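The two "Choosing an IDMS" slides ask for workflow-driven approvals that are digitally signed with PIV credentials, segregation of duties, and an audit record that answers who authorized what and when. The Python below is an added example of those three requirements working together; it is not Sun's code or any product's API. HMAC-SHA256 with a per-approver key stands in for the PIV certificate signature so the example runs offline with only the standard library (an assumption, stated in the code), and the role names, approver keys and sample request are constructed.

```python
"""Added example: signed approval workflow with segregation of duties (SoD)
and an audit record.

Constructed illustration of the IDMS requirements on the slides, not Sun's
product code. HMAC-SHA256 with per-approver keys is a stand-in for the
PIV-certificate signatures the slides describe; roles, keys and the sample
request are made up.
"""
import hashlib
import hmac
import json
import time

# Roles every issuance request must collect, and pairs one person may not combine.
REQUIRED_ROLES = ("sponsor", "adjudicator", "issuer")
CONFLICTING_ROLES = [("sponsor", "adjudicator"), ("adjudicator", "issuer"),
                     ("sponsor", "issuer")]

# Per-approver signing keys (constructed). In a PIV deployment the approver's
# PIV signature certificate and card-resident private key would be used instead.
APPROVER_KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}


def canonical(request):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def _message(request, approver, role, decision, ts):
    return canonical(request) + f"|{approver}|{role}|{decision}|{ts}".encode()


def sign_decision(approver, role, decision, request, ts=None):
    """Produce an attributable, tamper-evident approval or denial."""
    ts = int(time.time()) if ts is None else ts
    tag = hmac.new(APPROVER_KEYS[approver],
                   _message(request, approver, role, decision, ts),
                   hashlib.sha256).hexdigest()
    return {"approver": approver, "role": role, "decision": decision,
            "ts": ts, "sig": tag}


def verify_decision(d, request):
    key = APPROVER_KEYS.get(d["approver"])
    if key is None:
        return False
    expected = hmac.new(key, _message(request, d["approver"], d["role"],
                                      d["decision"], d["ts"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, d["sig"])


def evaluate(request, decisions):
    """Return (outcome, audit_record).

    outcome is 'approved', 'denied', or 'rejected'. 'rejected' means the
    workflow itself is invalid (bad signature, SoD breach, missing role), so
    the request must not proceed whatever the individual decisions say.
    """
    audit = {"request": request, "decisions": decisions, "findings": []}
    for d in decisions:
        if not verify_decision(d, request):
            audit["findings"].append(f"invalid signature from {d['approver']}")
    by_role = {}
    for d in decisions:
        by_role.setdefault(d["role"], set()).add(d["approver"])
    for a, b in CONFLICTING_ROLES:
        for who in by_role.get(a, set()) & by_role.get(b, set()):
            audit["findings"].append(f"SoD violation: {who} acted as {a} and {b}")
    for role in REQUIRED_ROLES:
        if role not in by_role:
            audit["findings"].append(f"missing {role} decision")
    if audit["findings"]:
        audit["outcome"] = "rejected"
    elif all(d["decision"] == "approve" for d in decisions):
        audit["outcome"] = "approved"
    else:
        audit["outcome"] = "denied"
    return audit["outcome"], audit


if __name__ == "__main__":
    req = {"piv_id": "piv-0001", "op": "issue_card"}   # constructed request
    ds = [sign_decision("alice", "sponsor", "approve", req),
          sign_decision("bob", "adjudicator", "approve", req),
          sign_decision("carol", "issuer", "approve", req)]
    print(evaluate(req, ds)[0])
```

The audit record keeps the signed decisions themselves rather than a summary, which is what lets a later reviewer re-verify who authorized a request and when without trusting the workflow engine's own log. The SoD check is deliberately evaluated before the approve/deny tally: a request where one person acted as both sponsor and adjudicator is rejected even if every decision says "approve".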

Industry Standards: contributing standards for managing PIV and convergence of P/LACS
- OASIS SPML 2.0 (Service Provisioning Markup Language): XML protocol for provisioning and de-provisioning.
- OASIS SAML 2.0 (Security Assertion Markup Language): XML protocol for representing authentication and authorization assertions.
- OASIS XACML 2.0 (eXtensible Access Control Markup Language): XML protocol for representing access control policies.
- Liberty Alliance standards (ID-*): open standards for representing federation across networks.
- OASIS WS-Security and WS-* standards for securing XML Web Services.
- Finally, FIPS-201 and its related special publications.

PIV Solution from Sun and ISV Partners: pre-integrated, pre-verified and pre-tested for PIV deployment
- Enrollment & Adjudication: Aware BioSP, CrossMatch, Secugen
- Smartcard Issuance and Management: Activ CMS, Bell-ID ANDiS
- Security Information & Event Monitoring (SIEM): ArcSight, LogLogic
- Identity Management: Sun Identity Management Suite, Aware BioSP
- Public-key Infrastructure SSP: Entrust, Cybertrust, Verisign, Exostar
- Physical & Logical Access Control: Verisign PKI, Quantum Secure SAFE, Aware BioSP, BioBex, Activ ESSO

Thank You
Ramesh Nagappan, Sun Microsystems, ramesh.nagappan@sun.com
Smart Cards in Government Conference, Oct 23, 2008, Ronald Reagan International Center, Washington DC