Widepoint orc thales webinar 111313d - nov 2013


Published on

For many companies thinking about moving sensitive data to the cloud, security issues remain a significant concern. But one company, Operational Research Consultants Inc. (ORC) a WidePoint Company, is proving that the cloud really can be made as safe or even safer than on-premise deployments even for organizations as security-focused as the U.S. Federal Government.

– A pioneer in federal identity management:
ORC has been a trusted partner of the U.S. government since the mid-‘90s, when the company launched the Navy Acquisition Public Key Infrastructure to support secure interactions with contractors and suppliers. As the government’s emphasis on information assurance expanded over the next two decades, ORC became a go-to partner for security solutions and one of the first companies authorized to provide government-compliant identity management solutions.

Today ORC manages more than three million identities and has issued more than 10 million federal-compliant digital certificates to a variety of employees, contractors, allies, veterans and citizens conducting business with the government.

- The need for secure and interoperable identification and authentication:
In August 2004, the Bush administration issued a Homeland Security Presidential Directive (HSPD-12) to secure federal facilities and resources by establishing a government-wide standard for secure and reliable forms of identification. Going far beyond simply issuing ID badges to government employees, this initiative would focus on the processes needed to issue secure personal credentials, on methods to validate those issuance processes and credentials and on managing risk and quality throughout the lifecycle of the credentials.

The Personal Identity Verification (PIV) program implements these processes, and FIPS (Federal Information Processing Standard) 201 specifies interface and data elements of the PIV smart card. Among the data elements on a PIV card are one or more asymmetric private cryptographic keys. Departments and agencies must use a compliant public key infrastructure (PKI) to issue digital certificates to users. The PIV initiative has also spawned other high assurance credentials that support specific Business-to-Government, Citizen-to-Government and Citizen-to-Business transactions while supporting federated interoperability between the issued credentials. These include various PIV-Interoperable (PIV-I) and PIV variants, such as: Transportation Worker Identification Credential (TWIC®), First Responder Authentication Credentials (FRAC), Commercial Identity Verification (CIV), and External Certificate Authority (ECA) PIV-I that address various regulatory requirements and are built to scale globally. The processes and policies for certificate issuance and the protections afforded to the critical root and issuing certificate authority keys in that PKI are critical factors in the overall assurance level of the system.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Widepoint orc thales webinar 111313d - nov 2013

  1. 1. 11/14/13   1   Identity as a Service – Strong enough for government? Date: November 13, 2013 Time: 11:00 pm EST/ 8:00 am PST Host: Richard Moulds, Thales e-Security VP of Strategy and Product Marketing Guest: Daniel E. Turissini CEO, Operational Research Consultants Defend  Cri.cal  Infrastructure   from  Invasive  A:ack  &   Informa.on  The?   Prevent  Terrorism  &  Promote   Na.onal  Security   Prevent  Cybercrime;  Iden.ty  The?;   Promote  Efficient  Use  of  Technology   Cyber  Security   “One  of  the  most  serious  economic  &  na2onal  security   threats  our  na2on  faces.”    -­‐-­‐  President  Obama   Issues  at  hand:   2   •  Cost-­‐effec.vely  prevent  Cyber-­‐terrorism,  Cyber-­‐ crime,  &  defend  our  na.on’s  cri.cal  infrastructure:   •  Reduce  risk  of  un-­‐authorized  disclosure  of   proprietary  &  privacy  informa.on   •  Share  .mely  informa.on  securely  with  remote   workers,  vendors,  partners  &  customers   •  Ensure  the  accountability  of  all  Cyber-­‐transac.ons   •  Avoid  unnecessary  costs  arising  from  system  “silos”  
  2. 2. 11/14/13   2   Cyber  Approach   Standards-­‐based,  Cyber  IA  Enabling  Infrastructure  (CIEI©)*   for  electronic  authen.ca.on,  valida.on  &  access  control:   3   •  iDen.ty  Management  –  Create  &  maintain  an  iden.ty,  including   discrete  a:ributes,  centralized  administra.on  &  user  self-­‐service   •  E-­‐Authen.ca.on  –  Provide  repositories  for  iden.ty,  network  and/or   resource  profiles;  provide  security  services  that  enable   iden.fica.on,  valida.on  &  support  for  authoriza.on   •  Access  Management  –  Provide  authoriza.on,  audit  &  session   management  func.ons  to  define  individual  access  rights  for   business  partners,  suppliers,  customers  or  employees   •  Provisioning  &  Workflow  –  Business  policies  to  support  greater   automa.on    for  devices  such  as  iden.ty  tokens,  credit  cards,  cell   phones  &  PCs   *  Driven  by  the  Federal  Government  &  Commercial  Cloud  Based  Ini;ates   Exper.se   4   •  Informa.on  security  solu.ons  ensuring  fully  compliant  &  trusted   exchange  &  assurance  of  informa.on   •  Cer.ficate-­‐based  personal  &  non-­‐personal  iden.ty  creden.aling     •  Mul.-­‐level  assurance  managed  ID  services  across  various  domains   (i.e.,  First  Responder,  Healthcare,  Government,  Ci.zen,  etc.)   •  Layered  security  technologies  addressing  best  prac.ce   authen.ca.on,  authoriza.on,  audi.ng  &  encryp.on  methodologies   •  Scalable,  highly  available,  VPN  services  &  suppor.ng  appliances  for   secure  communica.ons  management   •  Markets  leading-­‐edge  secure  cri.cal  response  management   solu.ons  designed  to  improve  coordina.on  within  emergency   services  and  cri.cal  infrastructure  agencies   •  Accountability  solu.ons  for  tailored  to  specific  customer  workflows,   including:  incident  management,  network  device  management,   crime  scene  evidence  control,  mortgage  processing,  etc   In  Produc;on  –  Not  Theore;cal  
  3. 3. 11/14/13   3   Assurance  based  on  who,  not  where!   Most  communi.es  of  interest  concerned  with  Privacy  &  Security  can  no  Longer   be  defined  by  loca.on.  ORC’s  IA  solu.ons  address  access  to  mul.-­‐level  secure   resources  &  message  traffic  based  on  En.ty  Iden.ty,  Roles,  &  Privileges:   5   People,  devices,  servers  ,  objects,  code  ….   Digital  Iden.ty   ORC’s  cyber  iden.ty  creden.als  allow  you  to   SECURELY…   6   •  Access  email  via  the  internet   •  Establish  a  virtual  private  network  with  your  base     network  from  anywhere  in  the  world   •  Move  from  one  applica.on  to  another  without   having  to  key  password  informa.on  -­‐-­‐  without  losing   security  along  the  way   •  Apply  on-­‐line  for  access  rights  and  services  -­‐-­‐  and,   receive  those  services   •  Digitally  sign  memos,  contracts,  delivery  orders,  etc.   •  Digitally  sign  code  for  safe  distribu.on   Privacy  &  cri;cal  infrastructure  protec;on  
  4. 4. 11/14/13   4   Security  Services   7   Physical (e.g. writing a check) –  Confidentiality •  Limited physical access –  Data Integrity •  Inked text –  Non Repudiation •  Cancelled check –  Identification & Authentication •  Drivers license & signature –  Privilege & Authorization •  Check for account validity Digital –  Confidentiality •  Data Encryption –  Data Integrity •  Hashing –  Non-Repudiation •  Digital Signature –  Identification & Authentication •  CA Signature –  Privilege & Authorization •  Access/ Privilege Control Lists A  digital  solu;on  for  cyber  security   What’s  in  a  Digital  Cer.ficate   8   Iden;ty   Cryptographic   Strength   Authorita;ve   Source   Level  of  Assurance   Validity   Legi;mate  Cer;ficate  Authority   Or  Unknown  CA  (Untrusted)   Basic/Medium/High  Confidence   in  Iden;ty   Issued  on  mmddyyy   Expires  on  mmddyyyy   SHA-­‐256,  AES   With  a  robust  revoca;on/  valida;on  infrastructure  
  5. 5. 11/14/13   5   Alterna.ve  Tokens   9   Trusted  Plaporm  Module  (TPM)   SD/MicroSD   Embedded/  Removable  HW  Crypto   FIPS-­‐140/  Common  Criteria   SIM   USB   Smart Card ORC  is  a  leader  in  advanced  technology  opera;ons!   Federated  Trust   10   Subscribers (End-Entities) Trusted Third Parties (Certificate Authorities) The Trust Triangle Relying Parties The  right  Assurance,  Security,  Biometrics  &  PKI  Capabili;es/  Exper;se  
  6. 6. 11/14/13   6   Infrastructure  Based  on   Commercial  Standards     11   Facili.es  to  Provide  Secure  &   Scalable  IT  Services   High  Availability  Data  Centers:   365x7x24,  99.999  up.me,  as   required  by  Federal  Policy   Secure  Network  Opera.ons   Centers  (SNOC):  Five  .er  physical   protec.on   •  Communica.ons  traffic  is  monitored  &   upgraded  bandwidth  available  as  traffic   requirements  dictate  to  maintain  the   customer  services  with  99.999%  up  .me   •  Audited  installa.on  procedures  to  ensure   that  Government  requirements  are  met  &   customer  expecta.ons  exceeded   •  SNOCs  employ  UPS  coupled  with  a  constant   power  generator  &  dedicated  HVAC  -­‐  at  full   load,  power  can  be  maintained  for  more   than  5  days  without  public  power   •  Hardware,  so?ware,  &  vendor  service  level   agreements  associated  with  maintaining   appropriate  firewall  protec.on,  redundant   warehousing,  power  genera.on  &  Internet   connec.vity,  are  leveraged  for  each   customer.   The  know-­‐how  &  access  to  leverage  exis;ng  deployments   Strong  Cer.fica.on  &     Accredita.on  Processes   12   FISMA  Compliant   -­‐-­‐  Prepara(on   -­‐-­‐  No(fica(on  &  Resource  Id   -­‐-­‐  Syst  Security  Baseline,  Analysis,   Update,  &  Acceptance     Ini(a(on   -­‐-­‐  Configura(on  Mgmt  &  Control   -­‐-­‐  Security  Controls  Monitoring   -­‐-­‐  Status  Repor(ng  &  Documenta(on   Con(nuous  Monitoring   -­‐-­‐  Security  Accredita(on  Decision   -­‐-­‐  Security  Accredita(on   Documenta(on   Security  Accredita(on   -­‐-­‐  Security  Controls  Assessment   -­‐-­‐  Security  Cer(fica(on   Documenta(on   Security  Cer(fica(on  
  7. 7. 11/14/13   7   Federated  Solu.ons   13   •  Federated  solu.ons  provide  support  various  strong   electronic  iden.ty  creden.al,  that  can  be  readily   electronically  validated  by  any  logical/physical  access   point  that  allows  the  decision  maker  or  databases  to   make  a  local  specific  privilege  and/or  authorized  access   decision  confident  in:   –  the  iden.ty  of  the  person  a:emp.ng  access;   –  the  iden.ty  of  the  device  a:emp.ng  access;   –  the  iden.ty  of  ve:ed  organiza;on  that  they  represent;   –  that  the  organiza.on  and  the  individual  have  a  legal   rela;onship  to  do  business  with  the  federal  government;  and,   –  that  the  individual  has  been  ve`ed  in  person  and  has   undergone  a  background  inves.ga.on  consistent  with  defined   levels.   Creden;al  assures  you  are  who  you  say  you  are,   Relying  Party  confirms  what  holder  is  permi`ed  to  access!   Federated  Access  for  Enterprise   Applica.ons   14   Relying  Party’s   (Access  Rules)   Trusted  Third  Par;es   [External  Cer;ficate   Authori;es  (ECA)/  PIV-­‐I]   Strong   Access   Control   Subscribers   (Creden;al  Holders)   Strong  Iden(ty   Local   Access   Decisions   Strong  creden;als  with  biometrics  consistent  with  federal  standards  are   essen;al  to  successful  Access  control  
  8. 8. 11/14/13   8   Cer.fied  Creden.al  Enhanced   Access  Control   15   Remote/  Mobile   Client/  WS   1.  Ini;al  Enterprise     Logon   2.  Validate  Device   Cer;ficate   Remote/  Mobile   Client/  WS   3.  Authen;cated  SSL   VPN  Established   4.  Ini;ate     Applica;on  Logon   5.  Validate  ID   Cer;ficate   6.  Access   A`ributes   Remote/  Mobile   Client/  WS   SSL  VPN   h`ps   Border   Server   Border   Server   Border   Server   Applica;on   Server   Applica;on   Server   Valida;on   Data   Valida;on   Data   FDS   More  informa;on  to  make  be`er  access  decisions   Leveraging  A  Common  Infrastructure   Currently  over  25  million  people  have  compliant  creden.als   16   Federal Government Trading Partners & Allies First Responders As  this  number  grows  -­‐    opportuni;es  for  efficiencies  skyrocket!     Veterans Transportation Workers Military Retirees & Dependents
  9. 9. 11/14/13   9   Reduce  Cost  of  Goods  Sold  (COGS)   17   •  Federated  Digital  Solu.on   –  Reduces  High  Help  Desk  Costs   –  Mi.gates  Risks  Associated  with   username  &  passwords   –  Enhances  Fraud  Protec.on   •  Syndicated  Investment/  Syndicated   Risk   •  Federally  Cer.fied  &  Accredited   Products/  Services  Commercially   Priced   Chain of Trust Privacy Interoperability ORC’s  Cyber  Creden.als   18   •  Dis.nguished  as  1  of  only  4  Cer.fied  PKI  Shared  Service  Providers,   currently  providing  PIV  services  to  six  federal  agencies,  with  full   Authority  to  Operate  (ATO)   •  Dis.nguished  as  1  of  only  4  Approved  PIV-­‐Interoperable  Providers   and  is  currently  providing  PIV-­‐I  services  to  three  state  governments   •  Dis.nguished  as  the  1st  designated  DoD  Interim  External  Cer.ficate   Authority  (IECA-­‐1)  &  the  first  US  Government  External  Cer.ficate   Authority  (ECA)   •  Dis.nguished  as  1  of  2  GSA  Access  Cer.ficates  for  Electronic   Services  (ACES)  Trusted  Third  Par.es,  ci.zen  focused  PKI   •  Dis.nguished  as  the  1st  commercial  GSA  E-­‐Authen.ca.on   Federa.on  Creden.al  Service  Provider  at  Level  1,  2,  and  3.   •  Dis.nguished  as  the  PKI  provider  for  the  Transporta.on  Worker   Iden.fica.on  Creden.al  (TWIC)   •  Dis.nguished  as  the  1st  commercial  Creden.al  Issuer  under  The   Federa.on  for  Iden.ty  and  Cross-­‐Creden.aling  Systems  (FiXs)  –   h:p://www.FiXs.org   4M  iden;;es  &  more  than  14M  federal  compliant  digital  cer;ficates    
  10. 10. 11/14/13   10   Customers   19   •  34  of  Fortune  100  Companies   •  22  of  Top  25  Federal  Contractors   •  200+  Colleges  &  Universi.es   •  100+  Municipali.es  &  Schools   •  100+  Private  &  Public  Research  Organiza.ons   •  100+  Healthcare  Organiza.ons   •  40+  Banks  &  Financial  Ins.tu.ons   •  11  Airlines   •  Numerous  Federal  Agencies   Current  Markets  Fueled   by  Government  Mandate  for  Increased   Assurance  Levels   20   Government  Security  Standards  will  be  Driven  Across   the  Business  Con;nuum   Millions  of  Users,   Servers,  Worksta;ons   and  Handheld  Devices   Tens  of  Millions  of   Users,  Servers,   Worksta;ons   and  Handheld  Devices   Global  interoperability  &   Unlimited  Computer   Resources   Ready  for  industry  to  leverage!  
  11. 11. 11/14/13   11   ORC  Solu.ons   Rely  on                    for  key  protec.on   21   Key  provisioning  &   cer;ficate  management   Trusted  ops  &  performance   Key  protec;on  &  a`esta;on   Summary   22   •  Enhanced  Security  -­‐  New  Customer   Mo.vator   •  Reduced  Infrastructural  Support   Costs   •  Minimal  Investment  -­‐  Immediate  ROI   Payback  
  12. 12. 11/14/13   12   23 Thales e-Security Global provider of data protection and key management solutions   Reduce the cost/complexity associated with use of cryptography   Solutions for traditional, virtualized and cloud environments Strategic business value   Secure cardholder data, payments and transactions   Support data privacy obligations   Protect intellectual property   Secure identities and credentials 40 year security track record Strategic business unit of Thales Group 24 Hardware Security Modules What are HSMs?   Hardened cryptographic devices   Isolated from host OS and applications What do HSMs do?   Secure cryptographic operations (encrypt, sign etc.)   Generation and protection of critical cryptographic key material   Enforce policy over use of keys and key management HSM Application Key inside security boundary HSM security boundary Business Application Application Data Decrypted signed/ data Data to be signed/ decrypted Crypto processing engine
  13. 13. 11/14/13   13   25 Dual Controls for Strong Authorization Smart cards deliver strong authentication Sets of smart cards deliver shared responsibility and mutual supervision   Assigned to security personnel   Known as Operator Card Sets (OCS) Authorization based on a “quorum” of cards & card owners   Requires a minimum number of cards from a set, e.g. 3 of 5 cards   Creates natural redundancy and resiliency OCSOCS OCS Authorized Operators 26 The Thales nShield HSM Family nShield Connect Network appliances nShield Solo Embedded PCI card nShield Edge Portable USB device
  14. 14. 11/14/13   14   27 Thank you ! richard.moulds@ thalesesec.com Contact details Dan Turissini +1 703-246-8550 turissd@orc.com www.orc.com Richard Moulds +1 954-888-6258 richard.moulds@thalesesec.com www.thales-esecurity.com