Identity Management
IDENTITY MANAGEMENT
Joe Braceland
Mount Airey Group, Inc.
MAG SECURITY PRODUCTS & SERVICES
Actively supporting U.S. Federal Government since 2002.
Designed and managed the Signature Delivery Service for U.S.
Passports.
Recognized leaders in the area of Identity Management, Public
Key Infrastructure, Biometrics, HSPD-12, Public Key
Enablement, and secure authorization and privilege
management.
Closely work with standards bodies in the development of new
standards related to identity and authorization management.
Experienced with the full life cycle of applications within
various federal agencies including supporting IT-CCB
processes.
Provide thought leadership on IT security and HSPD-12 in
support of federal agency missions both domestic and abroad.
Offer security products to quickly enable secure authentication
and authorization.
OVERVIEW
Identity Management
Terminology
Origins
Secure Authentication
Secure Authorization
What’s a role proof?
Secure Identity Management Systems
Examples
Physical/Logical access
Border security
Electronic documents
IDENTITY MANAGEMENT - TERMINOLOGY
Identity Management (IdM)
Identity & Access Management (IAM)
Federated Identity Management (FIdM)
Identity, Credential, & Access Management
(ICAM)
Federal ICAM (FICAM)
Privacy
Personal Identity Information (PII)
Health Insurance Portability & Accountability Act
(HIPAA)
IDENTITY MANAGEMENT - ORIGINS
Information Technology (IT) security
Cyber security
Technologies
Biometrics
Public Key Infrastructure (PKI)
Smart chips and cards
Personal Identity Verification (PIV), Common Access Card
(CAC), Transportation Worker Identification Credential
(TWIC), state driver licenses, electronic passports
Cloud, Mobility, Big Data, Social Networking
Regulations
Federal Information Processing Standard (FIPS) 140-2
Homeland Security Presidential Directive 12 (HSPD-12)
SECURE AUTHENTICATION
Who are you? Prove it. Authentication is
verifying you are who you say you are.
Multi-factor authentication
What you know (e.g., password, passphrase, PIN)
What you have (e.g., badge, origination documents)
What you are (e.g., biometrics, behavior)
Cryptography
PKI (Digital Signatures, encryption, policies)
Hardware tokens and chips
Identity Validation
Global, national, local, and private database systems
Identity Verification
SECURE AUTHORIZATION
What are you allowed to do? Let’s check.
Authorization is determining what you are allowed to
do.
Access control lists
Flat files and Database lookups
Directories (e.g., Active Directory, X.500)
Access types
Risk Adaptive Access Control (RAdAC)
Role Based Access Control (RBAC)
Attribute Based Access Control (ABAC)
eXtensible Access Control Markup Language (XACML 3.0)
Policy Based Access Control (PBAC)
Atomic Authorization
Published rights that are secured (cryptographically)
independently of the applications that rely on them.
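The three decision models named on this slide differ in what the policy decision point is allowed to look at. The following is an added example, not code from the slides or from Mount Airey Group: it evaluates the same constructed request under RBAC (role membership only), ABAC (predicates over subject, resource and environment attributes) and RAdAC (ABAC plus an adaptive risk threshold). The attribute names, the role-to-permission map and the policy rules are assumptions made for the example; a real ABAC policy would normally also carry the role as one attribute, and XACML 3.0 is one language in which these predicates are written.

```go
package main

import "fmt"

// Request is what a policy decision point sees. The attribute names and the
// policies below are constructed for this example, not taken from any product.
type Request struct {
	Subject   string
	Roles     []string // what RBAC consumes
	Clearance int      // subject attribute
	Action    string
	Label     int     // resource attribute: sensitivity level
	Hour      int     // environment attribute: local hour, 0-23
	Risk      float64 // session risk score in [0,1] (device health, location, ...)
}

// rolePerms is the RBAC mapping: role -> permitted actions.
var rolePerms = map[string][]string{
	"clerk":   {"read"},
	"auditor": {"read", "export"},
}

// RBAC decides purely from role membership; it never sees the resource label or the session.
func RBAC(r Request) bool {
	for _, role := range r.Roles {
		for _, a := range rolePerms[role] {
			if a == r.Action {
				return true
			}
		}
	}
	return false
}

// ABAC decides from predicates over subject, resource and environment attributes:
// clearance must dominate the label, and exports are allowed only in business hours.
func ABAC(r Request) bool {
	if r.Clearance < r.Label {
		return false
	}
	if r.Action == "export" && (r.Hour < 8 || r.Hour >= 18) {
		return false
	}
	return r.Action == "read" || r.Action == "export"
}

// RAdAC layers an adaptive risk threshold on ABAC: the more sensitive the
// resource, the less session risk is tolerated.
func RAdAC(r Request) bool {
	limit := 0.6
	if r.Label >= 3 {
		limit = 0.2
	}
	return ABAC(r) && r.Risk <= limit
}

func main() {
	// Constructed requests: the same subject under increasingly hostile context.
	for _, r := range []Request{
		{"alice", []string{"auditor"}, 3, "export", 2, 10, 0.1},
		{"alice", []string{"auditor"}, 3, "export", 2, 23, 0.1}, // after hours
		{"alice", []string{"auditor"}, 3, "read", 3, 10, 0.5},   // sensitive resource, risky session
	} {
		fmt.Printf("%s %-6s label=%d hour=%02d risk=%.1f  RBAC=%-5v ABAC=%-5v RAdAC=%v\n",
			r.Subject, r.Action, r.Label, r.Hour, r.Risk, RBAC(r), ABAC(r), RAdAC(r))
	}
}
```

The point of running all three on one request is that RBAC answers "allow" for an auditor exporting at 23:00 from a risky session, because role membership is the only input it has; ABAC can refuse on the hour, and RAdAC can refuse on the risk score alone. Which model a system needs is a function of what its authorizations must be able to express, not of which acronym is newest.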
WHAT’S A ROLE PROOF?
Fields of a role proof:
Version
Proof Name
Proof Unique ID
Not Before Time
Next Available
Not After Time
References
User Digest Lists
Extensions
Signature Algorithm
Signature Value

Properties of a role proof:
Each proof represents an application or organizational role and has a unique ID.
Proofs are generated for each role repeatedly, with each having only a short life.
Proofs reference other proofs for delegation. This can be done across multiple authorities.
Each contains a list of certificates, referenced by their hash, to show authorization.
Each is digitally signed to give it cryptographic authenticity.
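To make the slide's structure concrete, here is an added example, not code from the slides or from Mount Airey Group's product, of a role proof as a signed, short-lived, hash-referenced membership list, and of a relying party that checks it. The JSON to-be-signed encoding, the use of Ed25519, the validity-window and depth rules, and the delegation rule (a user listed in a referenced proof is treated as holding the referencing role) are assumptions made for this example; the Extensions field is omitted, and the certificates are constructed byte strings standing in for DER-encoded X.509 certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// RoleProof carries the fields listed on the slide (Extensions omitted). The JSON encoding, the
// Ed25519 signature and the delegation rule are assumptions made for this example, not a product format.
type RoleProof struct {
	Version     int
	Name        string
	ID          string
	NotBefore   time.Time
	NotAfter    time.Time
	References  []string // IDs of proofs this proof delegates to, possibly from another authority
	UserDigests [][]byte // SHA-256 of each authorized user's certificate: users are named by hash
	SigAlg      string
	Signature   []byte
}
type Issued struct{ Proof RoleProof; Issuer ed25519.PublicKey } // a published proof plus its signing authority's key

// tbs is the to-be-signed encoding: every field except the signature itself.
func (p RoleProof) tbs() []byte { p.Signature = nil; b, _ := json.Marshal(p); return b }

// Sign makes the proof self-authenticating, independent of any application that reads it.
func Sign(p *RoleProof, key ed25519.PrivateKey) { p.SigAlg = "Ed25519"; p.Signature = ed25519.Sign(key, p.tbs()) }
func CertDigest(cert []byte) []byte                { d := sha256.Sum256(cert); return d[:] }

// verify rejects a proof whose signature is bad or whose short life has not started or has ended.
func verify(p RoleProof, issuer ed25519.PublicKey, now time.Time) error {
	if p.SigAlg != "Ed25519" || !ed25519.Verify(issuer, p.tbs(), p.Signature) {
		return fmt.Errorf("proof %s: signature does not verify", p.ID)
	}
	if now.Before(p.NotBefore) || now.After(p.NotAfter) {
		return fmt.Errorf("proof %s: outside validity window", p.ID)
	}
	return nil
}

// Authorize answers "does the certificate with this digest hold role id at time now?" (depth starts
// at 0). It fails closed: an unverifiable proof anywhere on the delegation chain is an error, not a deny.
func Authorize(store map[string]Issued, id string, digest []byte, now time.Time, depth int) (bool, error) {
	iss, ok := store[id]
	if !ok || depth > 8 {
		return false, fmt.Errorf("proof %s: not published or delegation chain too deep", id)
	}
	if err := verify(iss.Proof, iss.Issuer, now); err != nil {
		return false, err
	}
	for _, d := range iss.Proof.UserDigests {
		if string(d) == string(digest) {
			return true, nil
		}
	}
	for _, ref := range iss.Proof.References { // follow delegation into the referenced proofs
		if ok, err := Authorize(store, ref, digest, now, depth+1); ok || err != nil {
			return ok, err
		}
	}
	return false, nil
}

func newProof(name, id string, now time.Time, refs []string, users ...[]byte) RoleProof {
	p := RoleProof{Version: 1, Name: name, ID: id, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), References: refs}
	for _, c := range users {
		p.UserDigests = append(p.UserDigests, CertDigest(c))
	}
	return p
}

// Demo: two authorities, two proofs, constructed certificates. It exercises direct membership,
// cross-authority delegation, expiry, and an application-side edit of the user list.
func Demo() (direct, delegated, expired, tampered bool) {
	pubA, keyA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, keyB, _ := ed25519.GenerateKey(rand.Reader)
	alice, bob := []byte("constructed cert CN=alice"), []byte("constructed cert CN=bob") // stand-ins for DER certs
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	auditor := newProof("Auditor", "authB:auditor:0042", now, nil, bob)
	Sign(&auditor, keyB)
	clerk := newProof("Records Clerk", "authA:clerk:0107", now, []string{auditor.ID}, alice)
	Sign(&clerk, keyA)
	store := map[string]Issued{auditor.ID: {auditor, pubB}, clerk.ID: {clerk, pubA}}
	direct, _ = Authorize(store, clerk.ID, CertDigest(alice), now, 0)  // listed in the clerk proof itself
	delegated, _ = Authorize(store, clerk.ID, CertDigest(bob), now, 0) // reached through authority B's Auditor proof
	_, err := Authorize(store, clerk.ID, CertDigest(alice), now.Add(3*time.Hour), 0)
	expired = err != nil // the proof's short life has ended; there is nothing to revoke
	forged := clerk      // an application adds bob to the list without the authority's key
	forged.UserDigests = [][]byte{CertDigest(alice), CertDigest(bob)}
	store[clerk.ID] = Issued{forged, pubA}
	_, err = Authorize(store, clerk.ID, CertDigest(bob), now, 0)
	tampered = err != nil // the signature no longer covers the list, so the proof is rejected
	return
}

func main() { fmt.Println(Demo()) }
```

Two design points carry the slide's argument. First, the relying application holds only public keys and proofs; it cannot grant anyone a role, which is what makes the authorization "atomic" in the sense of the previous slide. Second, because each proof is short-lived and republished, withdrawing a user means omitting their certificate hash from the next proof rather than operating a revocation channel; the expiry check is what enforces that.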
SECURE IDENTITY MANAGEMENT SYSTEMS
Security Level: Low
  Authentication: IDs and Passwords (Single Factor)
  Authorization: Non-Atomic
  Reason:
  • Authorizations can be administered with authentication credentials.
  • No security separation between authentication and authorization (unnecessary to have atomic authorizations).
  • This level of security is expected for systems that need accountability and prevention, but where data compromise presents minimal damage.

Security Level: Medium
  Authentication: Mixed
  Authorization: Mixed
  Reason:
  • Separation of duties between those providing authentication credentials and those determining authorizations.
  • Non-atomic authorizations may be acceptable (e.g., a separate X.500 directory for authorizations).
  • Atomic authorizations may be used as a strategic step to provide a migration path for future security enhancement.

Security Level: High
  Authentication: CAC/PIV or PKI (Two Factor)
  Authorization: Atomic Authorization
  Reason:
  • Authorizations must be atomic in order to have congruent security.
  • This level of security is required when the compromise of sensitive data would cause significant damage and/or transactions occurring on the system require non-repudiation.
EXAMPLES
U.S. State Department access to federal systems
PIV card issuance and verification
Physical Access Control System (PACS)
Logical Access Control System using BLADE
Border security with DHS US-VISIT
IDENT program
Exit program
Electronic passports (ePassport) and documents
Creation using digital signatures
Validation at ports of entry
International Civil Aviation Organization (ICAO)