Transcript Monthly Program Review Template
The E-Authentication Initiative
E-Authentication: Creating an Environment of Trust
David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy
Session Objectives
• Identity Federation Basics
• Why the Federal Government is federating
• Key infrastructure needed for ID Federation
• Interoperability and ID Federation
• E-Authentication Trust Framework
• The Electronic Authentication Partnership and how it facilitates identity federation
The Identity Problem
Individuals have multiple disconnected identities across the internet and other networks, leading to repeated, stand-alone authentications. Costly, insecure, inconvenient.
Illustration from the slide (one user, three unrelated credentials):
• www.401k.com – User ID: 123-45-6789, Password: my401k
• My.employer.org – User ID: [email protected], Password: myjob
• www.mytravel.com – User ID: frequentflyer, Password: etravel
Background
Federated identity definition: rules, agreements, standards, and technologies that make identity and entitlements portable across autonomous domains. Federated identity is critical for a rich web services environment.
Federated identity technologies and standards:
• PKI – ISO X.509v3
• Security Assertion Markup Language – OASIS SAML 1.0, 1.1, 2.0
• Lacking standards: Biometrics; User ID/PIN/Password; Knowledge-based authentication; One-time passwords; Token-based authentication
Federated identity specifications (SAML):
• Liberty Alliance
• Shibboleth
Standards Convergence
• SAML 1.X – Framework for exchanging security information about a principal: authentication, attributes, authorization information
• Liberty ID-FF 1.X – Extends SAML 1.0, 1.1 for federation, SSO, web services
[Diagram: OASIS SAML 1.0, 1.1 → Shibboleth Specification and Liberty Specifications → OASIS Standard SAML 2.0]
Four Authentication Assurance Levels to meet multiple risk levels (increased need for identity assurance from Low to Very High):
• Low – PIN/User ID – e.g., Access to Protected Website
• Medium – Strong Password – e.g., Applying for a Loan Online
• High – Knowledge-Based – e.g., Obtaining Govt. Benefits
• Very High – Multi Factor Token, PKI/Digital Signature – e.g., Employee Screening for a High Risk Job
President’s Management Agenda
1st Priority: Make Government citizen-centered.
5 Key Government-wide Initiatives:
• Strategic Management of Human Capital
• Competitive Sourcing
• Improved Financial Performance
• Expanded Electronic Government
• Budget and Performance Integration
PMC E-Gov Agenda (initiative – lead agency)
Government to Citizen
1. USA Service – GSA
2. EZ Tax Filing – Treasury
3. Online Access for Loans – DoED
4. Recreation One Stop – DOI
5. Eligibility Assistance Online – Labor
Government to Business
1. Federal Asset Sales – GSA
2. Online Rulemaking Management – EPA
3. Simplified and Unified Tax and Wage Reporting – Treasury
4. Consolidated Health Informatics (business case) – HHS
5. Business Gateway – SBA
6. Int’l Trade Process Streamlining – DOC
Cross-cutting Infrastructure
eAuthentication – GSA
Government to Govt.
1. e-Vital (business case) – SSA
2. Grants.gov – HHS
3. Disaster Assistance and Crisis Response – FEMA
4. Geospatial Information One Stop – DOI
5. Wireless Networks – FEMA
Internal Effectiveness and Efficiency
1. e-Training – OPM
2. Recruitment One Stop – OPM
3. Enterprise HR Integration – OPM
4. e-Travel – GSA
5. e-Clearance – OPM
6. e-Payroll – OPM
7. Integrated Acquisition – GSA
8. e-Records Management – NARA
Key Policy Points
For Governmentwide deployment:
• No National ID.
• No National unique identifier.
• No central registry of personal information, attributes, or authorization privileges.
• Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
• No single proprietary solution.
• Deploy multiple COTS products -- user’s choice.
• Products must interoperate together.
• Controls must protect privacy of personal information.
Central Issue with Federated Identity – Who do you Trust?
[Diagram: a Trust Network linking 280 Million Americans, Millions of Businesses and State/local/global Govts with the following sectors]
• Governments: Federal; States/Local; International
• Higher Education: Universities; Higher Education PKI Bridge
• Healthcare: American Medical Association; Patient Safety Institute
• Financial Services Industry: Home Banking; Credit/Debit Cards
• Travel Industry: Airlines; Hotels; Car Rental; Trusted Traveler Programs
• E-Commerce Industry: ISPs; Internet Accounts; Credit Bureaus; eBay
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
Identity Federation – Key Interoperability Needs
Identity Federations extend beyond current peer-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.
• Federation Communications (Technical Interoperability)
• Federation Trust (Policy Interoperability)
• Federation Business Relationships (Business Interoperability)
Federation Infrastructure
• Interoperable Technology (Communications)
  - Determine intra-Federation communication architecture -- protocols
  - Administer common interface specifications, use cases, profiles
  - Ensure interoperability (as needed) according to the specifications
  - Provide a common portal service (i.e., discovery and interaction services)
• Trust
  - Establish common trust model
  - Administer common identity management/authentication policies for Federation members
• Business Relationships
  - Establish and administer common business rules
  - Manage relations among relying parties and CSPs
  - Manage compliance/dispute resolution
The Need for Federated Identity Trust and Business Models
• Technical issues for sharing identities are being solved, but slowly
  - Federal Interoperability Lab
  - OASIS and Liberty conformance test programs
• Trust is the critical issue for deployment of federated identity. Federated ID networks have a strong need for trust assurance standards:
  - How robust are the identity verification procedures?
  - How strong is this shared identity?
  - How secure is the infrastructure?
• Common business rules are needed for federated identity to scale: N² bi-lateral trust relationships is not a scalable business process. Common business rules are needed to define:
  - Trust assurance and credential strength
  - Roles and responsibilities of IDPs and relying parties
  - Liabilities associated with use of 3rd party credentials
  - Business relationship costs
  - Privacy requirements for handling Personally Identifiable Information (PII)
E-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, adopted by EAP)
2. Establish standard methodology for e-Authentication risk assessment (ERA), 2/04
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (EAP SAC and Federal CAF)
5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use, 2/04
6. Establish common business rules for use of trusted 3rd-party credentials
7. Test products and implementations for interoperability
The Need for Identity Federation Business Case
“Federated identity is economically inevitable…” – Burton Group
However, there must be a clear business case that others can understand:
• Business opportunity must be meaningful yet realistic
• Business partners need to understand the business case
• The solution must be replicable
• Start simple, use standard templates, avoid complexity for complexity’s sake
• Leverage open standards
There should be a clear business case for identity federation for:
• Financial services industry
• Health care industry
• Higher education
Identity Federation Models
[Diagram of three models: Bi-lateral (peer-to-peer); Hub & Spoke (unilateral); Circle of Trust (many-to-many)]
The Need for the Electronic Authentication Partnership
Participants: Federal Government, State/Local Governments, Industry
Interoperability for:
Policy
• Authentication
• Assurance levels
• Credential Profiles
• Accreditation
• Business Rules
• Privacy Principles
Technology
• Adopted schemes
• Common specs
• User Interfaces
• APIs
• Interoperable COTS products
• Authz support
[Diagram: IDPs and RPs linked through Commercial Trust Assurance Services; Policy, Technical, & Business Interoperability; Common Business and Operating Rules]
http://www.eapartnership.org/
What is the EAP
• Multi-industry partnership creating a framework for interoperable, trustworthy authentication
• Incorporated non-profit association with 60 members
• Product and technology agnostic
Goals
• Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
• Eliminate or at least reduce the need for organizations to establish bilateral agreements
• Facilitate the creation of federations through replicable rules
• Enable federation-to-federation trust
In practice this means a federated approach.
What the EAP is doing now for ID Federation
[Diagram, left: Current State of Industry: Bi-Lateral Pairs – each SP/RP connects to each IDP through bi-lateral agreements, a pair-wise trust model, and pair-wise interface specs and products]
[Diagram, right: EAP Objective: Multi-Party, Interoperable Federation – many SP/RPs and IDPs sharing common business rules/agreements, a common trust model, a common interface specification, and interoperable products]
What the EAP envisions for ID Federation
[Diagram: EAP Vision: Multiple, Interoperable Federations – Federation 1, Federation 2 and Federation 3, each with its own IDPs and SP/RPs, linked by EAP common business rules/agreements, common trust models, common basic interface specifications, and interoperable products]
For More Information
Phone: David Temoshok, 202-208-7655
Websites:
• http://cio.gov/eauthentication
• http://www.eapartnership.org/
• http://cio.gov/fpkipa
• http://cio.gov/ficc