Issa fi xs briefing


Published on

The Federation for Identity and Cross-Credentialing Systems (FiXs) is a coalition of commercial companies, government contractors, and not-for-profit organizations who have established and maintain a worldwide, interoperable identity and cross-credentialing network built on security, privacy, trust, standard operating rules, policies, and technical standards. Founded and incorporated as a not for profit in 2004 and based in Fairfax, Virginia, FiXs was formed to pilot a federated identity transaction model.

FiXs provides a trusted mechanism for federated identity infrastructure within and between public and private sector organizations with accuracy and trust through the application of a Federated Trust Model. The FiXs network capabilities can be accessed worldwide, in remote or fixed environments, wired or wirelessly, and in real-time.

Modeled after the financial industry’s highly-secure and widely-accepted ATM (Automated Teller Machine) approach, the FiXs network is a secure, scalable system that provides trusted, interoperable identity verification and credential authentication for network users accessing a range of government and commercial facilities. The FiXs network meets federally-mandated requirements, supports physical and logical access applications and integrates with an organization’s existing personnel system, while leveraging the network’s economies of scale.

The Federation includes more than 20 members, including systems integrators, financial institutions, and organizations focused on promoting improved workforce protection and systems security for critical infrastructure. The U.S. Department of Defense (DoD) and the General Services Administration (GSA) are participating government organizations. FiXs members contribute ideas, technologies, and best practices for implementing a secure identity cross-credentialing network based on open standards, sound business processes, and proven technologies and security.

The FiXs network uses available identity credential technology in conjunction with biometric identification. FiXs can be used within and between public and private sector organizations and promotes a trusted mechanism for federated identity infrastructures. It is important to note that FiXs does not grant or deny physical or logical access for any credential bearer. Rather, it delivers a trusted infrastructure that provides participating members with an assured means to authenticate the actual identity of individuals presenting FiXs-certified credentials for access to facilities and systems.

FiXs is an open membership organization. Members join to contribute to and influence the evolution and development of the FiXs network, its capabilities, and certified applications, to learn the latest technologies and strategies for robust identity management programs, and to meet and engage in dialogue with compatible business interests.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Issa fi xs briefing

  1. 1. Federated Access Identity & Privacy Protection Presented at: Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting Presented by: Daniel E. Turissini Board Member, Federation for Identity and Cross- Credentialing Systems (FiXs) January 20, 2011
  2. 2. The Federation for Identity & Cross- Credentialing Systems (FiXs) •  A 501(c)6 not-for-profit trade association formed in 2004 in collaboration with the DoD to provide secure and inter- operable use of identity credentials between and among government entities & industry •  A coalition of diverse companies/organizations supporting development & implementation of inter- operable identity cross-credentialing standards and systems •  Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, DoD, GSA, state governments, etc.
  3. 3. Federated Identity Solution •  Federated identity provides a strong, biometrically enabled electronic identity credential, that can be readily electronically validated by any Federal logical/physical access point that allows the decision maker or databases to make a local specific privilege and/or authorized ACCESS decision confident in: –  the identity of the person attempting access; –  the identity of the device attempting access; –  the identity of vetted organization that they represent; –  that the organization and the individual have a legal relationship to do business with the federal government; and, –  that the individual has been vetted in person and has undergone a background investigation consistent with defined levels. Credential assures you are who you say you are, Commander’s confirm what holder is permitted to access!
  4. 4. The Foundation •  FiXs entered into formal Memorandum of Understanding (MOU) with the DoD that established terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems in January 2006, updated February 2009: – •  The terms and conditions include: –  Operational framework for inter-operability between DoD &FiXs –  Specific operational responsibilities –  Governance structure •  Authority To Operate Granted by DMDC •  Strong Certification & Accreditation Processes Documentation available online at:
  5. 5. Federated Access DoD Application Relying Party’s (Access Rules) Trusted Third Parties [External Certificate Authorities (ECA)/ PIV-I] Strong credentials with biometrics consistent with federal standards are essential to successful Access control Strong Access Control Subscribers (Credential Holders) Strong Identity Local Access Decisions
  6. 6. TESTED, SPOT – FiXs Inter-operability Pilot •  Successful assessment of the feasibility to utilize commercially - issued credentials in “feeding” the SPOT database – that adhere to FiXs-certified standards •  Issue FiXs-certified credentials - 3,000 contractor personnel •  Credentials authenticated across secure network against federated data stores •  Included “cleared” personnel, non-cleared personnel, first responders, other entities that interact with Army Material Command •  Monitor utilization, increases in productivity, & security profile •  Provided strategic assessment for future activities
  7. 7. FiXs – Chain of Trust
  8. 8. FiXs - Certified Credentials CAC FiXs 2D barcode, 1D barcode & mag-stripe on back 2 RFID antenna Clear Contractor Markings RFID, Barcodes, PIV Applet and Certificate Provide Issuer ID, Sponsor ID, Employee ID, & other Data Processed via Network
  9. 9. Robust Validation Infrastructure Application Servers Local Area Network Client/WS Client/WS Inside and/or Outside the LANClient/WS Alternative Validation Paths (OCSP) 20 + FiXs Compliant PKI Directories 50 + FiXs Compliant CRLs FiXs Validation Service (Site 1) FiXs Validation Service (Site N) CRL Update Path (ldap/ ldaps http/https) https Client/WS OCSP Repeater
  10. 10. STEP 1: Apply Device Administrator goes to & completes online certificate registration application. STEP 3: Print Administrator prints or PDFs the application form. STEP 4: ID Proofing Administrator digitally signs the form & sends or takes the form with two valid forms of ID either to LRA or other Trusted Agent. STEP 2: Submit The device’s key pair is generated in a cryptographic module, associated to device & the device’s public key is submitted to the CA along with the application. STEP 5: Confirmation RA confirms that ID proofing is complete & correct. STEP 7: Download Administrator returns to any-, performs a proof of possession, & downloads their certificate. STEP 6: Issuance An CA issues the certificate & provides out-of-band download instructions to the applicant. STEP 8: Install Administrator installs SD into device & applies tamper evident tape. Device Credential Issuance Process
  11. 11. Device Secure Access Video Application Servers Local Area Network Inside and/or Outside the LAN Validation Paths (OCSP/SCVP) 20 + Federally Compliant PKI Directories 50 + Federally Compliant CRLs Credential Validation Service CRL Update Path (ldap/ ldaps http/https) 3. Authenticated SSL VPN Client/WS Validation Repeater (Optional) 1. Authenticated https Client/WS 2/4. OCSP/SCVP 2. OCSP/SCVP 1.  Mutual Certificate Authentication between Client & Video Server 2.  Mutual Validation of Credentials https session established 3.  Mutual Certificate Authentication between Video Server & Camera 4.  Validation of Credential SSL VPN session established
  12. 12. FiXs Certified Credential Authenticated at DoD Location Company A FiXs Domain Server (FDS) Company B FDS Issuer FDS Companies C, D, E FiXs Trust Broker (FTB) DMDC Trusted Gateway Broker (TGB) DMDC Domain Server (DDS) Authentication Node Defense National Visitor Center (DNVC) Defense Biometric Identification System (DBIDS) FiXs Authentication Stations/ Handhelds Legend: = Secure Connection = Transaction Path – no Fee = Transaction Path – w/ Fee Company F FiXs Authentication Node
  13. 13. FiXs Certified Credential Authenticated at FiXs Location Company A FDS Company B FDS Issuer FDS Companies C, D, E Hosted FTB DMDC TGB DMDC DDS DNVC/ DBIDS FiXs Authentication Stations/ Handhelds Legend: = Secure Connection = Transaction Path – no Fee = Transaction Path – w/ Fee Company F FiXs Authentication Node
  14. 14. CAC Authentication at FiXs Location Company A FDS Company B FDS Issuer FDS Companies C, D, E Hosted FTB DMDC TGB DMDC DDS DNVC/ DBIDS Company F FiXs Authentication Node FiXs Authentication Stations/ Handhelds Legend: = Secure Connection = Transaction Path – no Fee = Transaction Path – w/ Fee
  15. 15. FiXs Certified Credential Enhanced Logical Access Control Remote Client/WS 1.  Initial Enterprise Logon 2. Validate Device Certificate Remote Client/WS 3. Authenticated SSL VPN Established 4. Initiate Application Logon 5. Validate ID Certificate 6. Access Attributes Remote Client/WS SSL VPN https Border Server Border Server Border Server Application Server Application Server Validation Data Validation Data FDS
  16. 16. Contact Information Dan Turissini - CTO, WidePoint Corporation, FiXs Board 703 246 8550 Dr. Michael Mestrovich, FiXs President 703 928 3157