RADIANT LOGIC PRESENTS Federal Identity, Credential, and Access Management - PowerPoint PPT Presentation

Provided by: GillesSa
Slides: 75


1
RADIANT LOGIC PRESENTS: Federal Identity,
Credential, and Access Management
  • Protecting the nation's IT infrastructure and
    citizens from cyber security threats through a
    federated identity standard.

2
AGENDA
  • 8:00-9:00 Breakfast
  • 9:00-9:15 Introductions
  • 9:15-11:00 FICAM and AAES
    • Deborah Gallagher - Director of the Identity
      Assurance and Trusted Access Division, GSA
    • Anil John - Digital Security and Service
      Orientation Expert, GSA
  • 11:00-Noon Radiant Logic and FICAM
    • Don Graham - Senior Account Manager
    • Ulrich Schulz - Senior System Engineer
  • Noon-2:00 Lunch
  • Visit the Spy Museum

3
US Federal ICAM Roadmap Overview
  • Deb Gallagher

4
What is ICAM in the Federal Government?
  • Processes, Technologies, and Personnel used to:
    • Create trusted digital identity representations
      of individuals and NPEs
    • Bind those identities to credentials that may
      serve as a proxy for the individual or NPE in
      access transactions
    • Leverage the credentials to provide authorized
      access to an agency's resources

5
FICAM Drivers
  • Increasing Cybersecurity threats
  • Need for improved physical security
  • Lag in providing government services
    electronically
  • Vulnerability of Personally Identifiable
    Information (PII)
  • Lack of interoperability
  • High costs for duplicative processes and data
    management

6
FICAM Roadmap and Implementation Guidance v2
  • Goals
  • Comply with Federal Laws Relevant to ICAM
  • Facilitate E-government by Streamlining Access to
    Services
  • Improve security posture across the Federal
    Enterprise
  • Enable Trust and Interoperability
  • Reduce costs and increase efficiency

7
FICAM Roadmap and Implementation Guidance v2
8
OMB Policy on Federal ICAM
  • OMB M-11-11: "The government-wide architecture and
    completion of agency transition plans must align
    as described in the Federal CIO Council's Federal
    Identity, Credential, and Access Management
    Roadmap and Implementation Guidance"
9
Federal ICAM Conceptual View
10
ICAM Services Layer
  • Key ICAM Service Areas:
    • Digital Identity
    • Credentialing
    • Privilege Management
    • Authentication
    • Authorization & Access
    • Cryptography
    • Auditing & Reporting

The ICAM Roadmap, which includes a segment
architecture, provides a standards-based approach
for implementing government-wide ICAM initiatives.
11
ICAM Identity Management Services
  • Assigning Attributes to a Digital Identity
  • Connecting Digital Identity to a Person
  • Lifecycle Management of Authoritative Attribute
    Sources
  • Applies to both People and NPEs

12
ICAM Credential Management Services
  • Credential binds an identity to a token
    possessed and controlled by a person
  • Lifecycle management of the Credential

13
ICAM Access Management Services
  • Management and Control of the ways entities are
    granted access to resources
  • Covers both Logical and Physical Access
  • May be internal to system or externalized

14
ICAM Federation Services
  • How do you vouch for Identities of your people
    when they need to collaborate with external
    organizations?
  • How do you trust identities of people from
    external organizations who need access to your
    systems?

15
ICAM Auditing and Reporting
  • Auditing and Reporting implements Agency
    Continuous Monitoring Capability
  • Supports FISMA requirement to apply IT Risk
    Management Framework as defined in NIST SP 800-37

16
ICAM Roadmap Initiatives
  • Government-wide Governance
    1. Augment policy and implementation guidance to
       agencies
    2. Establish federated identity framework for the
       Federal Government
    3. Enhance performance and accountability within
       ICAM initiatives
    4. Provide government-wide services for common ICAM
       requirements
  • Agency-level Implementation
    5. Streamline collection and sharing of digital
       identity data
    6. Fully leverage PIV and PIV-I credentials
    7. Modernize PACS infrastructure
    8. Modernize LACS infrastructure
    9. Implement federated identity capability

17
(No Transcript)
18
Initiative 5: Streamline Collection and Sharing
of Digital Identity Data
  • Anil John

19
Streamline Collection and Sharing of Digital
Identity Data
20
Core Concepts
  • Enterprise Digital Identity
    • Core identity attributes and unique person
      identifiers
    • Identifying authoritative sources
  • Digital Identity Process Integration
    • Business processes for establishing and managing
      the digital identity life cycle
  • Authoritative Digital Identity Attribute Exchange
    • Enables secure electronic sharing of digital
      identity attributes
    • Leverage data models to support effective sharing

21
Elements of Attribute Exchange
  • Protocol
    • Technical means for exchanging attributes
  • Payload
    • Attributes exchanged between parties
  • Policy
    • Governance processes and mechanisms put into
      place to manage the exchange and adjudicate issues

22
Authoritative Attribute Exchange Services (AAES)
  (Diagram: Applications - AAES - Authoritative Sources)
23
AAES Authoritative Attribute Manager
  • Correlate attributes from various authoritative
    sources
  • De-conflict discrepancies across attribute
    sources
  • Implement the person data model
  • Provide a consolidated view of the pieces of a
    person gathered from multiple sources

  (Diagram: Authoritative Attribute Manager fed by the
  Authoritative Sources)
24
AAES Authoritative Attribute Distributor
  • Primary point of query for applications
  • Can provide a customized and tailored view of
    data
  • Supports requests for attributes from both
    internal and external to the agency

  (Diagram: Applications querying the Authoritative
  Attribute Distributor)
25
Implementing an AAES Infrastructure
  (Diagram, top to bottom: Agency Systems and
  Applications; Virtual/Meta Directory Engine; Agency
  Identity and Attribute Sources)
26
(No Transcript)
27
Federal ICAM Program Mission
  • Align federal agencies around common practices by
    fostering effective government-wide identity,
    credential and access management 
  • Collaborate with federal government and external
    identity management activities (non-federal,
    commercial and more) to leverage best practices
    and enhance interoperability
  • Enable trust and interoperability in online
    transactions, through the application of common
    policies and approaches, in activities that cross
    organizational boundaries

28
Federal ICAM 2012 Execution Priorities
  • Drive usage of FICAM Approved Credentials
    (Support Areas: Operational Pilots / Shared Services)
  • Demonstrate Value of Policy Driven Access Control
    (Support Area: Attribute Management / Privacy / ISE)
  • Focused Outreach and Collaboration
    (Support Area: ICAM WG Realignment / Community
    Engagement)
29
RADIANT LOGIC
  • Radiant Logic and Federal Identity, Credential,
    and Access Management

30
IdM Architecture End State - Burton Group
Are we there yet?
"The Emerging Architecture of Identity
Management", Burton Group, April 2010
31
Yes we have arrived
  • Our customers are already doing this with our
    product, and have been for years.
  • We just never called it Authoritative Attribute
    Exchange Services (AAES)

32
Your challenge
  • GSA FICAM requirement
    • OMB M-11-11
  • Agency challenges to achievement
    • Lack of time
    • Lack of staff
    • Lack of budget
    • Lack of knowledge
  • Current IdM isn't meeting the needs of federated
    enterprises
    • Based on a "push" from a single authoritative
      source
  • No single authoritative source of Identity
    • Need to gather identity information from multiple
      authoritative identity sources, both enterprise
      and consumer
    • And then establish a "pull" infrastructure

33
The good news
  • Abstraction layer
    • Production of identities will be separated from
      consumption of identities through the
      introduction of a virtual directory interface
    • Applications will externalize authorization to
      policy decision points which can use contextual
      authorization to request attributes in real time
  • Will it work?
    • Yes! You can do this with what you have today,
      with value at each step towards the end goal

34
Identity and Context Virtualization
  • "Virtualization is occurring at all layers
    across the IT 'stack': hardware, operating
    systems, applications, services, processes,
    presentation layer, even identities. At its
    core, virtualization is simply a layer of
    abstraction between a layer of consumers and an
    underlying layer of providers. However, this
    simple notion causes powerful shifts in the way
    that security must be managed and will accelerate
    the move to externalized identity services."
  • Neil MacDonald, Gartner Fellow, "Everything You
    Know About Identity Management Is Wrong"

35
Identity Virtualization at Intel
  • Steve Price
  • Identity Service Manager
  • Intel IT
  • July 2010

36
The Elevator Pitch
  • Cost and complexity of current identity data
    management model is growing.
  • Identity data management is an obstacle to
    business today.
  • Better control of identity data decreases risk.

VDS-based identity systems can resolve these
business problems.
37
Hard cost comparison for 5 apps: Current vs. VDS
38
In a Nutshell
  • A 6-month project with an inclusive project team
  • Key first-customers
    • Information security
    • Network engineering
    • Staff engineers
    • Support
    • Monitoring
  • Results
    • We now deliver in 3 days what used to take 4
      months
    • Tailored, use-case-specific function, while
      reusing existing systems w/o requiring changes to
      infrastructure.
    • The projected 3 applications per year turned into
      10 apps in 2 months, more coming
    • Enables us to do more with less.

39
The Intel punch line
  • VDS Surpasses ROI Estimate
  • Projected ROI for first 2 years of operation:
    $264k
  • Actual ROI for first 2 years of operation:
    $1.4 million
  • In the first year of operation VDS paid for
    itself 3 times over.
  • Using VDS we have lowered our cost by 73%

40
One of six members of the IC using our solution
  • Federal IC customer for six years
  • Fine-grained access control
  • Integrating twelve DBMS, including:
    • Sun Directory
    • Microsoft Active Directory
    • Oracle
    • MySQL
    • Domino
  • 40 business units
  • Need to build a global profile for user accounts
    from multiple heterogeneous data sources.
  • 25 person view joins
  • The user profile will contain attributes such as
    groups and roles in addition to user-specific
    attributes like fname, lname and empID.
  • VDS is also used to solve the issue of groups and
    roles needing to be dynamically created based
    upon other attributes a user may contain.

41
One of six members of the IC using our solution
  • "This is the hottest thing we've got"
  • "It now takes us days to do what used to take us
    weeks"
  • "We've gone viral"
  • Fast and cheap
  • Agile development
  • Management: "They love us"

42
Yes, we have arrived: The RadiantOne Solution
  • A Federated Identity Service Through Model-Driven
    Virtualization
  • Provides all functions of a complete AAES service
    through an abstraction layer
  • Platform consists of advanced Virtual Directory
    Server (VDS), Identity Synchronization Server
    (ISS), and Cloud Federation Service (CFS)

43
AAES with RadiantOne
Ulrich Schulz uschulz_at_radiantlogic.com
44
  • Overview / Challenges

45
Situation
  (Diagram: Authoritative Sources - HR, Personnel
  Security, Payroll, Contracts, IDMS, Other - on one
  side; Agency Applications, External Agency
  Applications and Federation Partners that "need
  access" - LACS, PACS, White Pages, Applications - on
  the other)
46
Schemas
  (Diagram: the HR Database schema beside the Security
  Directory schema)
47
Where are identities stored?
  HR Database:
    Users: James Bond, Ethan Hunt, Clark Kent, Jean-Luc Picard
    Protocol: SQL
    Schema: 5 tables (Person, Assignment, Role, Citizenship, Country)
  Security Directory:
    Users: James Bond, Ethan Hunt, David Webb, Xander Cage
    Protocol: LDAP
    Schema: clearancePerson objectclass
48
Challenges
  • Identities are spread across multiple
    repositories
  • There is overlap of identities between
    repositories
  • Different access protocols
  • Identities are described differently
  • Different security means for authentication

49
  • AAES

50
AAES
  • AAES "...is a technical solution that enables
    agencies to connect various authoritative data
    sources and share identity and other attributes
    within the shared enterprise infrastructure. To
    support the AAES capability, agencies must
    establish an enterprise digital identity model,
    identify authoritative data sources, and
    streamline the processes used to populate those
    authoritative sources."
  • (page 219)

51
AAES
  • Authoritative Attribute Exchange Service (AAES)
    consists of two logical components
  • Authoritative Attribute Manager (AAM)
  • Authoritative Attribute Distributor (AAD)

52
Authoritative Attribute Exchange Service (AAES)
53
  • AAM

54
Authoritative Attribute Manager (AAM)
  • AAM is "...designed to correlate identity
    attributes from the various authoritative data
    sources within an agency and provide a single
    authoritative source of digital identity. The AAM
    functions as a central hub of attributes,
    aggregating data from the various sources through
    either resource connectors or web services."
  • (page 221)

55
A bit of Reality
  • Identity "...data is spread across multiple
    authoritative sources within the agency, thereby
    complicating the challenge of exchanging
    attributes between sources and consumers."
  • (page 220)

56
Difficulty sharing identity attributes
  • The Challenge of Multiple Security Silos
    • Services are not flexible and are too tightly
      coupled with the underlying data silos.
    • Traditional solutions are a never-ending
      patchwork of custom code and complex
      synchronizations.

  (Diagram: Security Domains A, B and C, each with its
  own Groups, Roles, Context and Applications)
57
AAES through Virtualization
  • Acting as an abstraction layer between
    applications and the underlying identity silos,
    virtualization isolates applications from the
    complexity of back-ends.

  (Diagram: a Virtualization layer - Aggregation,
  Correlation, Integration - between the back-ends
  reached over LDAP, SQL and Web Services/SOA (Groups,
  Roles, Contexts, Services) and the consumers:
  External Agency App, Federation Partner, PACS, LACS,
  White Pages, Apps)
58
Building the Unique Global List of Identities
59
Building the Global Profile
  HR Database (SQL) record:
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
    FIPS10_4: UK
  Security Directory (LDAP) entry:
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
  VDS global profile presented to the Agency Application:
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    personSecurityClearanceCode: Top Secret
    USCitizenship: no
    uid: 007
60
Correlate attributes
  HR:
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
  VDS / AAES:
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    personSecurityClearanceCode: Top Secret
    USCitizenship: no
    uid: 007
  Security:
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
61
Mapping (e.g. Person Data Model)
  HR:
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
  VDS / AAES:
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    personSecurityClearanceCode: Top Secret
    USCitizenship: no
    uid: 007
  Security:
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
62
Business Logic for values
  HR:
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    Country_Id: 1
    CountryName: United Kingdom
  VDS / AAES:
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    USCitizenship: no
    personSecurityClearanceCode: Top Secret
    uid: 007
  Security:
    uid: 007
    givenName: James
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
63
De-conflict attributes
  HR:
    PersonGuid: 00000007-0007-0007-0007-000000000007
    GivenName: James
    SurName: Bond
    Role_Id: 1
    Role: Secret Agent
    CountryName: United Kingdom
    Title: Sir
  VDS / AAES:
    personGuid: 00000007-0007-0007-0007-000000000007
    cn: James Bond
    personGivenName: James
    personSurName: Bond
    designatedRole: Secret Agent
    employeeRankText: Commander
    personcitizenshipfips10-4code: UK
    USCitizenship: no
    personSecurityClearanceCode: Top Secret
    uid: 007
  Security:
    uid: 007
    givenName: Jim
    sn: Bond
    title: Commander
    employeeNumber: 00000007-0007-0007-0007-00000000007
    cn: 007
    clearanceCode: Top Secret
    clearanceStatus: active
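The correlate / map / business-logic / de-conflict steps of slides 58 to 63, as an added Python example that is not Radiant Logic's code and not taken from the presentation. The HR rows and LDAP entries are constructed to match the names on the "Where are identities stored?" slide; the precedence rules in PERSON_MODEL, the "expose active clearances only" rule, and the guid values are assumptions.

```python
# Added example (not Radiant Logic's code): an AAM-style join that builds the
# global profile the slides walk through. All records below are constructed.
HR_ROWS = [  # SQL Person/Role/Country tables, pre-joined
    {"PersonGuid": "guid-007", "GivenName": "James", "SurName": "Bond", "Role": "Secret Agent", "FIPS10_4": "UK", "Title": "Sir"},
    {"PersonGuid": "guid-008", "GivenName": "Ethan", "SurName": "Hunt", "Role": "Field Agent", "FIPS10_4": "US", "Title": None},
    {"PersonGuid": "guid-009", "GivenName": "Clark", "SurName": "Kent", "Role": "Reporter", "FIPS10_4": "US", "Title": None},
    {"PersonGuid": "guid-010", "GivenName": "Jean-Luc", "SurName": "Picard", "Role": "Captain", "FIPS10_4": "FR", "Title": None},
]
SEC_ENTRIES = [  # LDAP clearancePerson entries; two have no employeeNumber to correlate on
    {"uid": "007", "givenName": "Jim", "sn": "Bond", "title": "Commander", "employeeNumber": "guid-007", "clearanceCode": "Top Secret", "clearanceStatus": "active"},
    {"uid": "ehunt", "givenName": "Ethan", "sn": "Hunt", "title": "Agent", "employeeNumber": "guid-008", "clearanceCode": "Top Secret", "clearanceStatus": "active"},
    {"uid": "dwebb", "givenName": "David", "sn": "Webb", "title": "Operative", "employeeNumber": None, "clearanceCode": "Secret", "clearanceStatus": "active"},
    {"uid": "xcage", "givenName": "Xander", "sn": "Cage", "title": "Contractor", "employeeNumber": None, "clearanceCode": "Secret", "clearanceStatus": "revoked"},
]

# Person data model (assumed): target attribute -> (source, attribute) candidates
# in order of authority. HR is authoritative for names, so Security's "Jim" loses.
PERSON_MODEL = {
    "personGivenName": [("hr", "GivenName"), ("sec", "givenName")],
    "personSurName": [("hr", "SurName"), ("sec", "sn")],
    "designatedRole": [("hr", "Role")],
    "employeeRankText": [("sec", "title")],
    "personcitizenshipfips10-4code": [("hr", "FIPS10_4")],
    "personSecurityClearanceCode": [("sec", "clearanceCode")],
    "uid": [("sec", "uid")],
}


def correlate(hr_rows, sec_entries):
    """Unique global list: join on PersonGuid == employeeNumber. An LDAP entry
    without an employeeNumber cannot be correlated and stays a separate identity."""
    identities = {row["PersonGuid"]: {"hr": row} for row in hr_rows}
    for entry in sec_entries:
        key = entry["employeeNumber"] or "uncorrelated:" + entry["uid"]
        identities.setdefault(key, {})["sec"] = entry
    return identities


def build_profile(guid, sources):
    """Map, de-conflict by precedence, then apply business logic for derived values.
    Returns (profile, conflicts) so losing values can be reported for clean-up."""
    profile, conflicts = {"personGuid": guid}, []
    for target, candidates in PERSON_MODEL.items():
        values = [sources[src][attr] for src, attr in candidates
                  if src in sources and sources[src].get(attr) is not None]
        if values:
            profile[target] = values[0]  # first available source by authority wins
            conflicts += [(target, values[0], v) for v in values[1:] if v != values[0]]
    if "personGivenName" in profile and "personSurName" in profile:
        profile["cn"] = profile["personGivenName"] + " " + profile["personSurName"]
    if "personcitizenshipfips10-4code" in profile:
        profile["USCitizenship"] = "yes" if profile["personcitizenshipfips10-4code"] == "US" else "no"
    if sources.get("sec", {}).get("clearanceStatus") != "active":
        profile.pop("personSecurityClearanceCode", None)  # assumption: expose active clearances only
    return profile, conflicts


def build_global_profiles(hr_rows, sec_entries):
    """Full AAM pass: one (profile, conflicts) pair per correlated identity."""
    return {g: build_profile(g, s) for g, s in correlate(hr_rows, sec_entries).items()}
```

Running build_global_profiles(HR_ROWS, SEC_ENTRIES) yields six identities (four from HR, two uncorrelated LDAP entries); the Bond profile keeps HR's "James" and records the ("personGivenName", "James", "Jim") conflict for review.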
64
  • AAD

65
Authoritative Attribute Distributor (AAD)
  • AAD ...provide(s) attributes, by request, to
    consumer applications (i.e., applications that
    use identity data for downstream processes), both
    internal and external to the agency.
  • The AAD is also used to synchronize data with
    user accounts or local sources.
  • (page 223)

66
AAES enables sharing of Identity Attributes
67
Pull model 1
  (Diagram: Agency Applications query the AAES, shown as
  a VDS in front of the Authoritative Sources)
68
Pull model 2
  (Diagram: as in pull model 1, with the AAES shown as a
  VDS or an XML Gateway)
69
Push model
  (Diagram: Agency Applications query the AAD (VDS); data
  is pushed from the Authoritative Sources by an ICS
  component)
70
  • Further Options

71
Further Options
  • Caching Strategies
    • Memory vs. Persistent Cache
    • How to keep the cache fresh?
  • Complex Identity Correlation
    • when no common unique identifier exists
  • Context-rich views

72
Data Modeling / Structure
  (Diagram: data model)
73
  • Questions?

74
  • Or Spy-Museum?