RADIANT LOGIC PRESENTS Federal Identity, Credential, and Access Management

1
RADIANT LOGIC PRESENTSFederal Identity,
Credential, and Access Management

• Protecting the nations IT infrastructure and
  citizens from cyber security threats through a
  federated identity standard.

2
AGENDA

• 800 900 Breakfast
• 900 915 Introductions
• 915 1100 FICAM and AAES
• Deborah Gallagher - Director of the Identity
  Assurance and Trusted Access Division , GSA
• Anil John - Digital Security and Service
  Orientation Expert, GSA
• 1100 Noon Radiant Logic and FICAM
• Don Graham Senior Account Manager
• Ulrich Schulz Senior System Engineer
• Noon 200 Lunch
• Visit the Spy Museum

3
US Federal ICAM RoadmapOverview

• Deb Gallagher

4
What is ICAM in the Federal Government?

• Processes, Technologies, and Personnel used to
• Create trusted digital identity representations
  of individuals and NPEs
• Bind those identities to credentials that may
  serve as a proxy for the individual or NPE in
  access transactions
• Leverage the credentials to provide authorized
  access to an agencys resources

5
FICAM Drivers

• Increasing Cybersecurity threats
• Need for improved physical security
• Lag in providing government services
  electronically
• Vulnerability of Personally Identifiable
  Information (PII)
• Lack of interoperability
• High costs for duplicative processes and data
  management

6
FICAM Roadmap and Implementation Guidance v2

• Goals
• Comply with Federal Laws Relevant to ICAM
• Facilitate E-government by Streamlining Access to
  Services
• Improve security posture across the Federal
  Enterprise
• Enable Trust and Interoperability
• Reduce costs and increase efficiency

7
FICAM Roadmap and Implementation Guidance v2
8
OMB Policy on Federal ICAM

• OMB M-11-11

The government-wide architecture and completion
of agency transition plans must align as
described in the Federal CIO Councils Federal
Identity, Credential, and Access Management
Roadmap and Implementation Guidance
9
Federal ICAM Conceptual View
10
ICAM Services Layer

• Key ICAM Service
• Areas
• Digital Identity
• Credentialing
• Privilege Management
• Authentication
• Authorization Access
• Cryptography
• Auditing Reporting

The ICAM Roadmap, which includes a segment
architecture, provides a standards based approach
for implementing government-wide ICAM initiatives.
11
ICAM Identity Management Services

• Assigning Attributes to a Digital Identity
• Connecting Digital Identity to a Person
• Lifecycle Management of Authoritative Attribute
  Sources
• Applies to both People and NPEs

12
ICAM Credential Management Services

• Credential binds an identity to a token
  possessed and controlled by a person
• Lifecycle management of the Credential

13
ICAM Access Management Services

• Management and Control of the ways entities are
  granted access to resources
• Covers both Logical and Physical Access
• May be internal to system or externalized

14
ICAM Federation Services

• How do you vouch for Identities of your people
  when they need to collaborate with external
  organizations?
• How do you trust identities of people from
  external organizations who need access to your
  systems?

15
ICAM Auditing and Reporting

• Auditing and Reporting implements Agency
  Continuous Monitoring Capability
• Supports FISMA requirement to apply IT Risk
  Management Framework as defined in NIST SP-800-37

16
ICAM Roadmap Initiatives

• Government-wide Governance

• Agency-level Implementation

1. Augment policy and implementation guidance to
   agencies
2. Establish federated identity framework for the
   Federal Government
3. Enhance performance and accountability within
   ICAM initiatives
4. Provide government-wide services for common ICAM
   requirements

1. Streamline collection and sharing of digital
   identity data
2. Fully leverage PIV and PIV-I credentials
3. Modernize PACS infrastructure
4. Modernize LACS infrastructure
5. Implement federated identity capability

17
(No Transcript)
18
Initiative 5 Streamline Collection and Sharing
of Digital Identity Data

• Anil John

19
Streamline Collection and Sharing of Digital
Identity Data
20
Core Concepts

• Enterprise Digital Identity
• Core identity attributes and unique person
  identifiers
• Identifying authoritative sources
• Digital Identity Process Integration
• Business processes for establishing and managing
  the digital identity life cycle
• Authoritative Digital Identity Attribute Exchange
• Enables secure electronic sharing of digital
  identity attributes
• Leverage data models to support effective sharing

21
Elements of Attribute Exchange

• Protocol
• Technical means for exchanging attributes
• Payload
• Attributes exchanged between parties
• Policy
• Governance processes and mechanisms put into
  place to manage the exchange and adjudicate issues

22
Authoritative Attribute Exchange Services (AAES)
Applications
Authoritative Sources
23
AAES Authoritative Attribute Manager

• Correlate attributes from various authoritative
  sources
• De-conflict discrepancies across attribute
  sources
• Implements the person data model
• Provide a consolidated view of the pieces of a
  person gathered from multiple sources

Authoritative Attribute Manager
Authoritative Sources
24
AAES Authoritative Attribute Distributer

• Primary point of query for applications
• Can provide a customized and tailored view of
  data
• Supports requests for attributes from both
  internal and external to agency

Applications
Authoritative Attribute Distributer
25
Implementing an AAES Infrastructure
Agency Systems Applications
Virtual/Meta Directory Engine
Agency Identity and Attribute Sources
26
(No Transcript)
27
Federal ICAM Program Mission

• Align federal agencies around common practices by
  fostering effective government-wide identity,
  credential and access management 
• Collaborate with federal government and external
  identity management activities (non-federal,
  commercial and more) to leverage best practices
  and enhance interoperability
• Enable trust and interoperability in online
  transactions, through the application of common
  policies and approaches, in activities that cross
  organizational boundaries

28
Federal ICAM 2012 Execution Priorities
Drive usage of FICAM Approved Credentials Support
Areas Operational Pilots / Shared Services
Demonstrate Value of Policy Driven Access
Control Support Area Attribute Management /
Privacy / ISE
Focused Outreach and Collaboration Support Area
ICAM WG Realignment / Community Engagement
29
RADIANT LOGIC

• Radiant Logic
• and
• Federal Identity, Credential, and Access
  Management

30
IdM Architecture End State- Burton Group
Are we there yet?
The Emerging Architecture of Identity
Management Burton Group, April 2010
31
Yes we have arrived

• Our customers are already doing this with our
  product, and have been for years.
• We just never called it Authoritative Attribute
  Exchange Services (AAES)

32
Your challenge

• GSA FICAM requirement
• OMB 11.11
• Agency challenges to achievement
• Lack of time
• Lack of staff
• Lack of budget
• Lack of knowledge
• Current IdM isnt meeting needs of federated
  enterprises
• Based on Push from a single authoritative
  source
• No single authoritative source of Identity
• Need to gather identity information from multiple
  authoritative identity sources both enterprise
  and consumer
• And then establish a Pull infrastructure

33
The good news

• Abstraction layer
• Production of identities will be separated from
  consumption of identities through the
  introduction of a virtual directory interface
• Applications will externalize authorization to
  policy decision points which can use contextual
  authorization to request attributes in real time
• Will it work?
• Yes! You can do this with what you have today,
  with value at each step towards the end goal

34
Identity and Context Virtualization

• Virtualization is occurring at all layers
  across the IT "stack" hardware, operating
  systems, applications, services, processes,
  presentation layer even identities. At its
  core, virtualization is simply a layer of
  abstraction between a layer of consumers and an
  underlying layer of providers. However, this
  simple notion causes powerful shifts in the way
  that security must be managed and will accelerate
  the move to externalized identity services
• Neil MacDonald Gartner Fellow Everything You
  Know About Identity Management Is Wrong

35
Identity Virtualization at Intel

• Steve Price
• Identity Service Manager
• Intel IT
• July 2010

36
The Elevator Pitch

• Cost and complexity of current identity data
  management model is growing.
• Identity data management is an obstacle to
  business today.
• Better control of identity data decreases risk.

VDS-based identity systems can resolve these
business problems.
37
Hard cost comparison for 5 apps Current vs. VDS
38
In a Nutshell

• A 6-month project with an inclusive project team
• Key first-customers
• Information security
• Network engineering
• Staff engineers
• Support
• Monitoring
• Results
• We now deliver in 3 days what used to take 4
  months
• Tailored, use-case-specific function, while
  reusing existing systems w/o requiring changes to
  infrastructure.
• The projected 3 applications per year turned into
  10 apps in 2 months, more coming
• Enables us to do more with less.

39
The Intel punch line

• VDS Surpasses ROI Estimate
• Projected ROI for first 2 years of operation
  264k
• Actual ROI for first 2 years of operation
  1.4million
• In the first year of operation VDS paid for
  itself 3 times over.
• Using VDS we have lowered our cost by 73

40
One of six members of the IC using our solution

• Federal IC customer for six years
• Fine grained access control
• Integrating twelve dbms including
• Sun directory
• Microsoft Active Directory
• Oracle
• MYSQL
• Domino
• 40 business units
• Need to build a global profile for user accounts
  from multiple heterogeneous data sources.
• 25 person view joins
• The user profile will contain attributes such as
  groups, roles in addition to user-specific
  attribute like fname, lname and empID.
• VDS is also used to solve the issue of groups and
  roles needing to be dynamically created based
  upon other attributes a user may contain.  

41
One of six members of the IC using our solution

• This is the hottest thing weve got
• It now takes us days to do what used to take us
  weeks
• Weve gone viral
• Fast and cheap
• Agile development
• Management They love us

42
Yes, we have arrivedThe RadiantOne Solution

• A Federated Identity Service Through Model-Driven
  Virtualization
• Provides all functions of a complete AAES service
  through an abstraction layer
• Platform consists of advanced Virtual Directory
  Server (VDS), Identity Synchronization Server
  (ISS), and Cloud Federation Service (CFS)

43
AAES with RadiantOne
Ulrich Schulz uschulz_at_radiantlogic.com
44

• Overview / Challenges

45
Situation
AuthoritativeSources
AgencyApplications
External Agency Applications
FederationPartners
HR
PersonnelSecurity
needaccess
LACS
PACS
Payroll
Contracts
IDMS
Other
White Pages
Applications
46
Schemas
HR Database
Security Directory
47
Where are identities stored?
HR Database HR Database
Users James Bond Ethan Hunt Clark Kent Jean-Luc Picard
Protocol SQL
Schema 5 tables Person Assignment Role Citizenship Country
Security Directory Security Directory
Users James Bond Ethan Hunt David Webb Xander Cage
Protocol LDAP
Schema clearancePerson objectclass
48
Challenges

• Identities are spread across multiple
  repositories
• There is overlap of identities between
  repositories
• Different access protocols
• Identities are described differently
• Different security means for authentication

49

• AAES

50
AAES

• AAES ...is a technical solution that enables
  agencies to connect various authoritative data
  sources and share identity and other attributes
  within the shared enterprise infrastructure. To
  support the AAES capability, agencies must
  establish an enterprise digital identity model,
  identify authoritative data sources, and
  streamline the processes used to populate those
  authoritative sources.
• (page 219)

51
AAES

• Authoritative Attribute Exchange Service (AAES)
  consists of two logical components
• Authoritative Attribute Manager (AAM)
• Authoritative Attribute Distributor (AAD)

52
Authoritative Attribute Exchange Service (AAES)
53

• AAM

54
Authoritative Attribute Manager (AAM)

• AAM is ...designed to correlate identity
  attributes from the various authoritative data
  sources within an agency and provide a single
  authoritative source of digital identity. The AAM
  functions as a central hub of attributes,
  aggregating data from the various sources through
  either resource connectors or web services.
• (page 221)

55
A bit Reality

• Identity "...data is spread across multiple
  authoritative sources within the agency, thereby
  complicating the challenge of exchanging
  attributes between sources and consumers.
• (page 220)

56
Difficulty sharing identity attributes

• The Challenge of Multiple Security Silos
• Services are not flexible and are too tightly
  coupled with the underlying data silos.
• Traditional solutions are a never-ending
  patchwork of custom code and complex
  synchronizations.

Security Domain A
Groups
Roles
Context
Applications
Security Domain B
Groups
Roles
Context
Applications
Security Domain C
Groups
Roles
Context
Applications
57
AAES through Virtualization

• Acting as an abstraction layer between
  applications and the underlying identity silos,
  virtualization isolates applications from the
  complexity of back-ends.

ExternalAgencyApp
Virtualization
Aggregation
Correlation
Integration
LDAP
FederationPartner
PACS
Groups
Roles
Contexts
Services
SQL
LACS
WhitePages
Web Services/SOA
Apps
58
Building the Unique Global List of Identities
59
Building the Global Profile
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK personSecurityClearanceCode
Top Secret USCitizenship no uid 007
Agency Application
VDS
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom FIPS10_4 UK
Security Directory
HR Database
60
Correlate attributes
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom
VDS / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK personSecurityClearanceCode
Top Secret USCitizenship no uid 007
Security
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
61
Mapping (e.g. Person Data Model)
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom
VDS / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK personSecurityClearanceCode
Top Secret USCitizenship no uid 007
Security
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
62
Business Logic for values
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent Country_Id 1 CountryName United
Kingdom
VDS / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK USCitizenship
no personSecurityClearanceCode Top Secret uid
007
Security
uid 007 givenName James sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
63
De-conflict attributes
HR
PersonGuid 00000007-0007-0007-0007-000000000007
GivenName James SurName Bond Role_Id 1 Role
Secret Agent CountryName United Kingdom Title
Sir
VDS / AAES
personGuid 00000007-0007-0007-0007-000000000007
cn James Bond personGivenName
James personSurName Bond designatedRole Secret
Agent employeeRankText Commander personcitizenshi
pfips10-4code UK USCitizenship
no personSecurityClearanceCode Top Secret uid
007
Security
uid 007 givenName Jim sn Bond title
Commander employeeNumber 00000007-0007-0007-0007
-00000000007 cn 007 clearanceCode Top
Secret clearanceStatus active
64

• AAD

65
Authoritative Attribute Distributor (AAD)

• AAD ...provide(s) attributes, by request, to
  consumer applications (i.e., applications that
  use identity data for downstream processes), both
  internal and external to the agency.
• The AAD is also used to synchronize data with
  user accounts or local sources.
• (page 223)

66
AAES enables sharing of Identity Attributes
67
Pull model 1
AuthoritativeSources
AgencyApplications
AAES
query
VDS
68
Pull model 2
AuthoritativeSources
AgencyApplications
AAES
query
VDS
VDS, or XML Gateway
69
Push model
AuthoritativeSources
AgencyApplications
AAES
query
push
AAD
VDS
ICS
70

• Further Options

71
Further Options

• Caching Strategies
• Memory vs. Persistent Cache
• How to keep the cache fresh?
• Complex Identity Correlation
• when no common unique identifier exists
• Context-rich views

72
Data Modeling / Structure
model
73

• Questions?

74

• Or Spy-Museum?