C2 Security Experiment - PowerPoint PPT Presentation

Loading...

PPT – C2 Security Experiment PowerPoint presentation | free to view - id: 1cbd98-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

C2 Security Experiment

Description:

Published Trusted Framework Providers Adoption Process. ... We have developed a trusted relationship with limited access points ... DOJ's Trusted Broker pilot ... – PowerPoint PPT presentation

Number of Views:22
Avg rating:3.0/5.0
Slides: 31
Provided by: bria127
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: C2 Security Experiment


1
Federal IT Summit October 28, 2009
Breakout Session 5 Identity and Access Management
Moderator Paul Christy, SBA Paul GrantDoD Owen
Unangst, USDA Vance Hitch, USDoJ
2
Federal IT Summit October 28, 2009
Identity, Credential, and Access Management in
and with The Federal Government
  • Paul D. Grant
  • Special Assistant,
  • Federated IDM and External Partnering
  • Office of the CIO
  • DoD
  • Paul.Grant_at_OSD.Mil

http//www.IdManagement.Gov
3
What is ICAM?
  • ICAM represents the intersection of digital
    identities, credentials, and access control into
    one comprehensive approach.
  • Key ICAM Service Areas Include
  • Digital Identity
  • Credentialing
  • Privilege Management
  • Authentication
  • Authorization Access
  • Cryptography
  • Auditing and Reporting

4
Presidents Budget for FY 2010 Extract from
Section 9. LEVERAGING THE POWER OF TECHNOLOGY
TO TRANSFORM THE FEDERAL GOVERNMENT
  • To support this effort, the Federal Identity,
    Credential, and Access Management (ICAM) segment
    architecture provides Federal agencies with a
    consistent approach for managing the vetting and
    credentialing of individuals requiring access to
    Federal information systems and facilities
  • The ICAM segment architecture will serve as an
    important tool for providing awareness to
    external mission partners and drive the
    development and implementation of interoperable
    solutions.

5
ICAM Scope
Persons Non-Persons
Logical Access Physical Access
  • Alignment of Federal ICAM and
  • CNSS Identity and Access Management (National
    Security Systems)
  • Interagency Security Committee (Physical Access
    Control)
  • Awareness to External Mission Partners for
    interoperable solutions

6
FICAM Development Process
  • The development process involves coordination and
    collaboration with Federal Agencies, industry
    partners, and cross-government groups.
  • The Roadmap team has produced the key outputs of
    the FSAM needed for an ICAM segment architecture,
    and have coordinated these groups to develop
    workable approaches to enable cross-government
    solutions.
  • Committee for National Security Systems (CNSS)
  • Interagency Security Council (ISC)
  • Information Sharing Environment (ISE)
  • White House National Science and Technology
    Council (NSTC)
  • Office of Management and Budget
  • National Institute of Science and Technology
    (NIST)
  • Office of National Coordinator (ONC) for Health
    IT
  • Multiple agencies represented within the CIO
    council subcommittees and working groups

7
Summary Conclusions
  • Strong Identity and Access Management Are
    Foundational to Secure Information Sharing,
    Collaboration and Cybersecurity
  • Shared Guidance is Improving Much Room for More
    Improvement
  • Clear, Concise, Consistent, Credible
  • For Ourselves and Our Mission Partners
  • Federal Identity, Credential, and Access
    Management (ICAM) is providing this consistent
    approach (with your help)
  • Mission Partners are Fielding Strong Identity
    Credentials as well as Creating Federations for
    Sharing Collaboration
  • Progress Depends on Public-Private Partnering
  • Domestically and
  • Internationally

8
Back Up Slides
9
Enabling Policy and Guidance
The E-Gov Act 0f 2002
The Government Paperwork Elimination Act 0f 1998
Federal Bridge Model Policy
The Implementing Guidance OMB M-00-10 April 25,
2000
The Implementing Guidance OMB M-04-04 December
16, 2003
Federal PKI Common Policy Framework
The Mandate HSPD-12 August 27, 2004
The Technical Spec SP 800-63 June 2004
The Standard FIPS-201 February 25, 2005
The Implementing Guidance OMB M-05-05 December
20, 2004
The Implementing Guidance OMB M-05-24 August 5,
2005
10
Identity Assurance Levels (IAL)
M-04-04E-Authentication Guidance for Federal
Agencies OMB Guidance establishes 4
authentication assurance levels
11
FICAM Roadmap Implementation Guidance Overview
  • Overview of Identity, Credential, and Access
    Management. Provides an overview of ICAM that
    includes a discussion of the business and
    regulatory reasons for agencies to implement ICAM
    initiatives within their organization.
  • ICAM Segment Architecture. Standards-based
    architecture that outlines a cohesive target
    state to ensure alignment, clarity, and
    interoperability across agency initiatives.
  • ICAM Use Cases. Illustrate the as-is and target
    states of high level ICAM functions and frame a
    gap analysis between the as-is and target states.
  • Transition Roadmap and Milestones. Defines a
    series of logical steps or phases that enable the
    implementation of the target architecture.
  • ICAM Implementation Planning. Augments standard
    life cycle methodologies as they relate to
    specific planning considerations common across
    ICAM programs.
  • Implementation Guidance. Provides guidance to
    agencies on how to implement the transition
    roadmap initiatives identified in the segment
    architecture, including best practices and
    lessons learned.

PART A ICAM Segment Architecture (Phase 1 of the
effort)
PART B Implementation Guidance (Phase 2 of the
effort)
12
ICAM Overviewfrom ICAM Segment Architecture
13
Services Framework Categorization Scheme
  • Service Type
  • Provides a layer of categorization that defines
    the context of a specific set of service
    components
  • Service Component
  • A self contained business process or service with
    predetermined and well-defined functionality that
    may be exposed through a well-defined and
    documented business or technology interface

Service Type
Service Component
Service Component
Service Component
Service Component
14
Services Framework
15
ICAM SubcommitteeAccomplishments Summary for FY
2009
  • Issued Personal Identity Verification
    Interoperability (PIV-I) for non-Federal Issuers
    in May, 2009 providing guidance on achieving
    identity credentials that are consistent with the
    PIV Credential and trustable by the Federal
    community.
  • Initiated work on the ICAM Segment Architecture
    as Part One of the ICAM Roadmap and
    Implementation Guidance mandated in the
    Presidents FY-10 Budget. Produced and
    coordinated multiple drafts. Final release is
    imminent.
  • Published Federal profiles for the implementation
    of open identity solutions for interaction with
    the American Public. Current profiles include
    OpenID and InfoCard for transactions at identity
    assurance level one.
  • Worked with Federal PKI Shared Service Providers
    to extend strong identity credentialing to the
    external community in support of PIV
    Interoperability. Published Trusted Framework
    Providers Adoption Process.
  • Conducted ICAMSC leadership outreach to other
    identity initiatives in the Federal community, in
    order to foster a Clear, Concise, Consistent and
    Credible message for ourselves and our external
    partners and further socializing this message
    with state governments and industry through
    participation in multiple conferences and
    meetings.
  • Developed ICAM Work Plan for 2010

16
Owen Unangst Director of Innovation US Department
of Agriculture
17
USDAs ICAM Model Implementing Policies,
Procedures Technologies
EEMS
Auditing and Reporting
Workflow Engine
EmpowHR
eAuthentication
Monitoring
EEMS Administration
NEIS
EmpowHR Person Model
Enterprise Directory
Enterprise SSO
Provisioning System
Stand-Alone Servers
PayPers
Mainframe
AS/400
Enterprise Business Apps
ePACS
HSPD-12
Active Directories
VPN/NAC
- Available Now (Phase 1)
- In Progress (Phase 1a)
- FY 10 Deliverables(Phase 2)
18
Example Utilization Single Sign-On
Desktops Laptops VPNseAuthentication Whole
Disk Encryption Encrypted Thumb Drives
19
Example Utilization Physical Access Controls
For Ultimately 220 MCFs National
Infrastructure in Place Almost 100 Facilities
Already Connected Authentication Controlled
Nationally Authorization Controlled Locally
20
Example Utilization Role Based Access Control
Manual Process - Over 200 persons to manage
roles - 73 to handle audit issues
New Process If Loan Officer True Then Do
not add role Loan Approver
21
Example Utilization Network Admission Control
Remote Access
VPN
User Roles
Health Check Pass
Local Access
IDS
Network Access Controller
ASOC Auditing and Reporting
22
Example Utilization Digital Signatures _at_ USDA
  • Scope
  • Adobe Acrobat files and forms Versions 8 9
  • Microsoft Office (Word, Excel, PowerPoint)
    Versions 2003 3007
  • Microsoft Outlook Versions 2003 2007
  • Business Transactions

23
Vance Hitch Chief Information Officer US
Department of Justice
24
Todays Law Enforcement Environment
  • Todays World
  • Law Enforcement Agencies rely on their numerous
    systems to provide critical information to
    officers
  • Some systems are internal to an agency but many
    more are parts of a national network
  • Internal Records Management systems
  • Regional Information Sharing Networks (LINKs
    ,ARGIS etc.)
  • National Systems
  • CJIS
  • NCIC
  • N-Dex
  • IAFIS (NGI)
  • NICS
  • The end goal is to provide the Right Information
    to the Right Person, at the Right Times
  • The end result is to provide officer and analysts
    with critical information that keeps them and the
    American Public safe and secure.

25
How are we accomplishing this mission?
  • We have developed a trusted relationship with
    limited access points for information sharing
  • We communicate over trusted networks like
  • CJIS WAN
  • LEO
  • RISS
  • HISN
  • Established through policies and procedures
    developed by participants and governing boards
    such as the FBIs APB
  • Supported through the use of MOUs signed by all
    participants that dictate how and what we will
    share

26
Problem
  • Todays world requires users to have Passwords
    for every system they access.
  • Each system must validate and manage access to
    their own system
  • There is a need to have individuals identities
    validated, managed and vouched for by trusted
    organizations in a secure way so that other
    entities do not have to redo it

27
Examples of Ongoing Federated Identity Management
Initiatives
  • Global Federated Identity Privilege Management
    (GFIPM)
  • CJIS Federated Identity Management Services
    (FIMS)
  • DOJs Trusted Broker pilot
  • The DOJ currently provides a trusted broker
    pilot to help enable organizations to connect
    Identity Providers to Service Providers more
    simply and inexpensively
  • These initiatives are complementary, not
    competitive, and are interoperable today

28
DOJs Trusted Broker Pilot
  • Currently Deployed to 4,400 users at
  • DOJ, Chicago PD, RISS, LEO
  • Service Providers
  • JABs
  • HISIN-Intel
  • LEO-Intelink
  • RISS-Intelink
  • Criminal Information Sharing Alliance Network
    (Southwest Border)
  • RISSNET Portal
  • myFX secure internet file sharing offered by
    DOJ
  • New Service Providers in process
  • N-DEx, Tripwire, Bomb Arson Tracking Systems
    (BATS- ATF), NGIC

29
Trusted Broker Operation
30
Federated Identity ManagementUsing a Trusted
Broker Solution
  • Benefits
  • More information available to more users
  • Single sign-on (enhanced user experience)
  • Comprehensive audit capability
  • Improved alliances across government entities
  • Streamlined vetting (cost avoidance/reduction)
  • Improved interoperability
  • Improved security
  • Vetting is done closer to user
  • More secure authentication mechanisms
  • Dynamic de-provisioning

31
Questions?
http//www.cio.gov/committees/InformationSecurity.
cfm
About PowerShow.com