Identity Management

Report
IDENTITY MANAGEMENT
Joe Braceland
Mount Airey Group, Inc.
MAG SECURITY PRODUCTS & SERVICES







Actively supporting U.S. Federal Government since 2002.
Designed and managed the Signature Delivery Service for U.S.
Passports.
Recognized leaders in the area of Identity Management, Public
Key Infrastructure, Biometrics, HSPD-12, Public Key
Enablement, and secure authorization and privilege
management.
Closely work with standards bodies in the development of new
standards related to identity and authorization management.
Experienced with the full life cycle of applications within
various federal agencies including supporting IT-CCB
processes.
Provide thought leadership on IT security and HSPD-12 in
support of federal agency missions both domestic and abroad.
Offer security products to quickly enable secure authentication
and authorization.
22
OVERVIEW

Identity Management
Terminology
 Origins
 Secure Authentication
 Secure Authorization




What’s a role proof?
Secure Identity Management Systems
Examples
Physical/Logical access
 Border security
 Electronic documents

IDENTITY MANAGEMENT - TERMINOLOGY

Identity Management (IdM)
Identity & Access Management (IAM)
 Federated Identity Management (FIdM)


Identity, Credential, & Access Management
(ICAM)


Federal ICAM (FICAM)
Privacy
Personal Identity Information (PII)
 Health Insurance Portability & Accountability Act
(HIPAA)

IDENTITY MANAGEMENT - ORIGINS



Information Technology (IT) security
Cyber security
Technologies
Biometrics
 Public Key Infrastructure (PKI)
 Smart chips and cards




Personal Identity Verification (PIV), Common Access Card
(CAC), Transportation Worker Identification Credential
(TWIC), state driver licenses, electronic passports
Cloud, Mobility, Big Data, Social Networking
Regulations
Federal Information Processing Standard (FIPS) 140-2
 Homeland Security Presidential Directive 12 (HSPD-12)

SECURE AUTHENTICATION
Who are you? Prove it. Authentication is
verifying you are who you say you are.
 Multi-factor authentication

What you know (e.g., password, passphrase, PIN)
 What you have (e.g., badge, origination documents)
 What you are (e.g., biometrics, behavior)


Cryptography
PKI (Digital Signatures, encryption, policies)
 Hardware tokens and chips


Identity Validation


Global, national, local, and private database systems
Identity Verification
SECURE AUTHORIZATION


What are you allowed to do? Let’s check.
Authorization is determining what you are allowed to
do.
Access control lists
Flat files and Database lookups
 Directories (e.g., Active Directory, X500)


Access types
Risk Adaptive Access Control (RAdAC)
 Role Based Access Control (RBAC)
 Attribute Based Access Control (ABAC)




Extensible access control markup language (XACML 3.0)
Policy Based Access Control (PBAC)
Atomic Authorization

Published rights that are secured (cryptographically)
independently of the applications that rely on them.
WHAT’S A ROLE PROOF?
Version
Proof Name
Proof Unique ID
Not Before Time
Next Available
Not After Time
References
User Digest Lists
Extensions
Signature Algorithm
Signature Value
2
Each proof represents an application
or organizational role and has a
unique ID.
Proofs are generated for each role
repeatedly with each having only
a short life.
3
Proofs reference other proofs for
delegation. This can be done across
multiple authorities.
4
Each contains a list of certificates,
referenced by their hash to show
authorization.
1
5
Each is digitally signed to give it
cryptographic authenticity.
8
SECURE IDENTITY MANAGEMENT SYSTEMS
Security Level
Low
Medium
High
Authentication Authorization Reason
• Authorizations can be administered with authentication credentials
• No security separation between authentication and authorization
IDs and
(unnecessary to have atomic authorizations)
Passwords
Non-Atomic
• This level of security is expected for systems that need
(Single Factor)
accountability and prevention, but data compromise presents
minimal damage.
Mixed
Mixed
• Separation of duties between those providing authentication
credentials and those determining authorizations.
• Non non-atomic authorizations may be acceptable (e.g., Separate
X.500 directory for authorizations)
• Atomic authorizations may be used as a strategic step to provide a
migration for future security enhancement.
• Authorizations must be atomic in order to have congruent security.
• This level of security is required when the compromise of sensitive
CAC/PIV or PKI Atomic
data would cause significant damage and/or transactions occurring
(Two Factor)
Authorization
on the system require non-repudiation.
9
EXAMPLES

U.S. State Department access to federal systems
PIV card issuance and verification
 Physical Access Control System (PACS)
 Logical Access Control System using BLADE


Border security with DHS US-VISIT
IDENT program
 Exit program


Electronic passports (ePassport) and documents
Creation using digital signatures
 Validation at ports of entry
 International Civil Aviation Organization (ICAO)


similar documents