Title: David Temoshok, Director, Identity Policy/Management, GSA Office of Governmentwide Policy, November 21, 2002
E-Authentication: Making Trust Possible
Authentication: The Need for Trusted Credentials
Defining Identity Management
- A set of policies and supporting processes and infrastructure for the creation, maintenance, and use of identities and their attributes, credentials, and entitlements
- Involves policy, technology and process
- Must enable enterprises to create a manageable life cycle
- Must scale from internally facing systems to externally facing applications and processes
- Goal state: general-purpose infrastructure and authoritative sources, clean integration across people, process, and technology
The Challenge for Identity Management
- Today's identity management systems are ad hocracies, built one application or system at a time
- Apps, databases, OSes lack a scalable, holistic means of managing identity, credentials, and policy across boundaries
- Fragmented identity infrastructure: overlapping repositories, inconsistent policy frameworks, process discontinuities
- Error prone, creates security loopholes, expensive to manage
- The disappearing perimeter has put identity on the front burner
- Infrastructure requirements: extend reach and range
- Increased scalability, lower costs
- Balance of centralized and distributed management
- Infrastructure must become more general-purpose and re-usable
Gateway Authentication Support for e-Gov Services
- Authentication: the process by which an entity (such as a person or a computer system) determines whether another entity is who it claims to be.
- Authentication is different from authorization.
- Proper authentication ensures that a person is who he or she claims to be, but it says nothing about the access rights of the individual.
- Authorization grants access rights, but says nothing about who you are.
- The Gateway provides for authentication, not authorization.
U.S. Identity Credentials: How do we know who you are?
- Personal Information: Address (home, business); Telephone (home, business, mobile); Genealogy (parents, relatives); References (friends, associates); Employment (past/present)
- Material Relationships: Financial services (bank accounts, credit card accounts, loan accounts, insurance, investment accounts); Tax authorities (federal, state, local); Asset ownership (vehicles, real estate, other); Utilities; Education; Civic groups
- Out of Wallet Information: User ID, passwords; Recent transactions
- Government ID/Credentials: Birth certificate; Social Security Number; Passport; Driver's license/ID; Taxpayer/employer ID; Immigration identification; Military service number
- Public ID: Commercial digital certificate; Loyalty cards; Civic, community (library)
Identity Management Communities: Who do you trust?
- Governments: DMV, AAMVA; Illinois PKI; Washington State PKI; EBT; Government of Canada and U.K.
- Federal Government: Social Security Admin.; GSA/DOD - Common Access Card; GSA - ACES; DoD, NASA, NFC - PKI; Transportation Security Administration - TWIC; INS; State Department; Veterans Affairs; Dept. Education; Trust Network (Gateway)
- Higher Education: CREN PKI; Higher Education PKI Bridge
- Transportation Industry: TWIC; Aviation; Maritime; Railroad; Trucking
- Healthcare: California Medical Association Med e-Pass; WGA Health Passport
- Financial Services Industry: Identrust/DST; VISA/Mastercard
Authentication Technologies and Credentials
- Something you know (but a stranger is unlikely to know)
  - User ID/passwords
  - Knowledge-based authentication
  - Social Security Number, password, place of birth
- Something you possess
  - Smart cards - card-based identification
  - Public key encryption - digital certificates
  - Driver's license, private key
- Something you are
  - Biometric profiles
- Policy-based credentials
  - Public key encryption - digital certificates
Gateway Functional Scope in Authentication Process
- Credentials: identity documents, biometrics, other credentials
- Gateway functional scope (authentication):
  - Request permission to conduct the transaction, activity or access
  - Establish quality of credentials
  - New credential: enrollment, verification
  - Validate credentials
  - Allow or reject transaction
- Authorization:
  - Establish permission to conduct the transaction, activity or access
  - Establish level of authorization
  - Authorize transaction
Transaction Focus for the Gateway
- What credentials/level of authentication assurance are needed for the agency application?
- What credentials are needed during the transaction process?
- Are the credentials valid?
- Can credentials be effectively verified at the transaction stage?
- Can different forms of credentials be trusted for common assurance levels?
How Well Does It Work?
- Metrics
  - False positive: an imposter is authenticated and/or granted access to the system
  - False negative: a valid user is not authenticated or is denied access to the system
- Estimated 20% of state-issued credentials are fraudulent
- Shared secrets are a problem too
- To improve the numbers and raise the assurance:
  - Improved credentials
  - Multi-factor authentication
  - Cost becomes a major factor.
Authentication Cost/Risk/Benefit Analysis (chart)
- Vertical axis: Increased Cost (Low, Moderate, Medium, High, Very High)
- Horizontal axis: Increased Need for Authentication Assurance
- Activities plotted on the chart: Getting an Official ID; Applying for a Loan Online; Access to Protected Website; Surfing the Internet; Employee Screening for a High Risk Job
Authentication Interoperability and Federation
- What is federated identity management?
  - Agreements, standards, and technologies that make identity and entitlements portable across autonomous domains
  - Relying parties don't need prior knowledge of complex system internals or pair-wise mappings between systems
- Federation standards define rules that bind autonomous domains to a common method of exchanging identity information
- Federation standards provide a framework for negotiating agreements and defining interactions
- Heterogeneous systems can map to the federation standards by applying transformations at the boundaries between domains
- Relying parties can honor each other's decisions and trust each other's assertions, but in the context of their own local policies
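A worked model of the federation slide above, together with the earlier points that the Gateway authenticates but does not authorize and that different credential forms must map to common assurance levels. This is an added illustration, not code from the deck or from the GSA Gateway; the issuer names, record fields, assurance ordering and per-transaction minimums are all assumed for the example.

```python
from dataclasses import dataclass

# Common assurance levels, ordered low to high (ordering assumed from the
# deck's cost/risk chart; the chart itself does not define these values).
LEVELS = ["low", "moderate", "medium", "high", "very high"]


@dataclass(frozen=True)
class FederatedAssertion:
    subject: str     # who the issuing domain says this is
    issuer: str      # the autonomous domain that authenticated the subject
    assurance: str   # one of LEVELS, assigned at the domain boundary


# Boundary transformations: each domain's native record is mapped onto the
# common assertion format. Field names and mappings are assumed for the example.
def from_state_pki(record: dict) -> FederatedAssertion:
    # Certificate credential: only a validated, unrevoked cert earns "high".
    ok = record["cert_valid"] and not record["revoked"]
    return FederatedAssertion(record["subject_dn"], "state-pki", "high" if ok else "low")


def from_password_domain(record: dict) -> FederatedAssertion:
    # Shared-secret credential: never above "moderate", and only when the
    # issuer identity-proofed the user at enrollment.
    level = "moderate" if record["identity_proofed"] else "low"
    return FederatedAssertion(record["user_id"], "agency-password", level)


# Relying party's local policy: minimum assurance per transaction (assumed values).
LOCAL_POLICY = {
    "surf_public_site": "low",
    "access_protected_site": "moderate",
    "apply_for_loan": "high",
}


def authenticate(assertion: FederatedAssertion, transaction: str,
                 trusted_issuers: set) -> bool:
    """Honor another domain's assertion, but only under local policy.
    Returns whether the asserted identity is trusted strongly enough for the
    transaction; it says nothing about authorization (access rights)."""
    required = LOCAL_POLICY.get(transaction)
    if required is None or assertion.issuer not in trusted_issuers:
        return False  # fail closed on unknown transactions or untrusted issuers
    if assertion.assurance not in LEVELS:
        return False
    return LEVELS.index(assertion.assurance) >= LEVELS.index(required)
```

The relying party never inspects the other domain's internals (certificate chains, password stores); it only consumes the common assertion and applies its own minimums.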
Welcome to the Real World
- Unrealistic expectations are a huge problem
  - People want immediacy and safety with personal autonomy and control
  - They want personalization without surveillance
  - They want security and privacy without any inconvenience or loss of immediacy
- Privacy concerns are real
  - Credentialing generally raises privacy concerns; better credentialing makes these concerns bigger
  - When are anonymity and pseudonymity appropriate?
  - Mission creep
  - Basic conflict with the policy message: people are told that the key to security is less data and more control
Going About the Job of e-Authentication
- Authentication is very hard to do right.
- There may not be conflicts between security and privacy, but there are definitely conflicts between security and convenience.
- It is easier to create a perception of security than real security, and limits on credentialing complicate the process.
- Risk management requires difficult, uncomfortable cost-benefit analysis.
- Authentication processes must recognize and reflect limitations of credentialing.
- Mission creep has to be managed.
- Focus on the problem we are trying to solve: identity and access management solutions
- One tool or even one suite won't solve all identity and access management problems
- It's not a system, but a pervasive infrastructure
- Plan carefully, but be flexible and ready for change
For More Information
- David Temoshok
- E-mail: david.temoshok_at_gsa.gov
- Phone: 202-208-7655
- Websites: http://cio.gov/eauthentication, http://cio.gov/fpkisc, http://cio.gov/fpkipa, http://egov.gov