Transcript Identity Management
Mount Airey Group, Inc.
MAG SECURITY PRODUCTS & SERVICES
Actively supporting U.S. Federal Government since 2002.
Designed and managed the Signature Delivery Service for U.S.
Recognized leaders in the area of Identity Management, Public
Key Infrastructure, Biometrics, HSPD-12, Public Key
Enablement, and secure authorization and privilege
Closely work with standards bodies in the development of new
standards related to identity and authorization management.
Experienced with the full life cycle of applications within
various federal agencies including supporting IT-CCB
Provide thought leadership on IT security and HSPD-12 in
support of federal agency missions both domestic and abroad.
Offer security products to quickly enable secure authentication
What’s a role proof?
Secure Identity Management Systems
IDENTITY MANAGEMENT - TERMINOLOGY
Identity Management (IdM)
Identity & Access Management (IAM)
Federated Identity Management (FIdM)
Identity, Credential, & Access Management
Federal ICAM (FICAM)
Personal Identity Information (PII)
Health Insurance Portability & Accountability Act
IDENTITY MANAGEMENT - ORIGINS
Information Technology (IT) security
Public Key Infrastructure (PKI)
Smart chips and cards
Personal Identity Verification (PIV), Common Access Card
(CAC), Transportation Worker Identification Credential
(TWIC), state driver licenses, electronic passports
Cloud, Mobility, Big Data, Social Networking
Federal Information Processing Standard (FIPS) 140-2
Homeland Security Presidential Directive 12 (HSPD-12)
Who are you? Prove it. Authentication is
verifying you are who you say you are.
What you know (e.g., password, passphrase, PIN)
What you have (e.g., badge, origination documents)
What you are (e.g., biometrics, behavior)
PKI (Digital Signatures, encryption, policies)
Hardware tokens and chips
Global, national, local, and private database systems
What are you allowed to do? Let’s check.
Authorization is determining what you are allowed to
Access control lists
Flat files and Database lookups
Directories (e.g., Active Directory, X.500)
Risk Adaptive Access Control (RAdAC)
Role Based Access Control (RBAC)
Attribute Based Access Control (ABAC)
eXtensible Access Control Markup Language (XACML 3.0)
Policy Based Access Control (PBAC)
Published rights that are secured (cryptographically)
independently of the applications that rely on them.
WHAT’S A ROLE PROOF?
Proof Unique ID
Not Before Time
Not After Time
User Digest Lists
Each proof represents an application or organizational role and has a
Proofs are generated for each role repeatedly, with each having only a short life.
Proofs reference other proofs for delegation. This can be done across
Each contains a list of certificates, referenced by their hash to show
Each is digitally signed to give it
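The proof structure described above, as an added example in Go (not the page's or MAG's own code): a signed, short-lived role proof whose members are listed by certificate hash, plus the relying-party check that verifies the issuer signature, the validity window and membership without consulting the application's own user store. The field names, JSON as the signed encoding, Ed25519 as the signature scheme and the certificate bytes in the test are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"time"
)
// RoleProof holds the fields the slide lists; field and JSON names are assumed here.
type RoleProof struct {
	ProofID     string   `json:"proof_id"`     // Proof Unique ID
	Role        string   `json:"role"`         // application or organizational role
	NotBefore   int64    `json:"not_before"`   // Unix seconds
	NotAfter    int64    `json:"not_after"`    // Unix seconds; proofs are short-lived
	UserDigests []string `json:"user_digests"` // SHA-256 hex of each member's certificate
	Delegates   []string `json:"delegates"`    // IDs of other proofs referenced for delegation
}
// SignedProof is a proof plus the issuer's Ed25519 signature over its JSON encoding.
type SignedProof struct {
	Proof RoleProof
	Sig   []byte
}
// CertDigest is the hash by which a proof references a user certificate.
func CertDigest(cert []byte) string {
	sum := sha256.Sum256(cert)
	return hex.EncodeToString(sum[:])
}
// SignProof signs the proof's JSON encoding with the issuer's private key.
func SignProof(priv ed25519.PrivateKey, p RoleProof) SignedProof {
	msg, _ := json.Marshal(p) // a struct of strings and ints cannot fail to encode
	return SignedProof{Proof: p, Sig: ed25519.Sign(priv, msg)}
}
// VerifyMembership: issuer signature first, then validity window, then the digest list.
func VerifyMembership(pub ed25519.PublicKey, sp SignedProof, cert []byte, now time.Time) bool {
	msg, _ := json.Marshal(sp.Proof)
	if !ed25519.Verify(pub, msg, sp.Sig) {
		return false // altered after signing, or not issued by this signer
	}
	if t := now.Unix(); t < sp.Proof.NotBefore || t > sp.Proof.NotAfter {
		return false // outside the proof's short life
	}
	want := CertDigest(cert)
	for _, d := range sp.Proof.UserDigests {
		if d == want {
			return true
		}
	}
	return false
}
```

Because the relying party needs only the issuer's public key, the same check works in an application that never sees the directory the proof was generated from.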
SECURE IDENTITY MANAGEMENT SYSTEMS
Authentication | Authorization | Reason

• Authorizations can be administered with authentication credentials
• No security separation between authentication and authorization (unnecessary to have atomic authorizations)
• This level of security is expected for systems that need accountability and prevention, but data compromise presents

• Separation of duties between those providing authentication credentials and those determining authorizations.
• Non-atomic authorizations may be acceptable (e.g., separate X.500 directory for authorizations)
• Atomic authorizations may be used as a strategic step to provide a migration for future security enhancement.

CAC/PIV or PKI | Atomic
• Authorizations must be atomic in order to have congruent security.
• This level of security is required when the compromise of sensitive data would cause significant damage and/or transactions occurring on the system require non-repudiation.
U.S. State Department access to federal systems
PIV card issuance and verification
Physical Access Control System (PACS)
Logical Access Control System using BLADE
Border security with DHS US-VISIT
Electronic passports (ePassport) and documents
Creation using digital signatures
Validation at ports of entry
International Civil Aviation Organization (ICAO)