FirstNet ICAM

Identity Management for FirstNet

Slide 1: Identity Management
May 16, 2013
MOTOROLA SOLUTIONS
Adam Lewis, Laura Lozano, Gino Scribano, Steve Upp

Slide 2: Agenda
• What is Identity Management and why does it matter?
• How does it apply to Public Safety and FirstNet?
• What IdM standards exist in the government today?
• Recommended next steps …

Slide 3: Introduction
• Background
  – Broadband is ushering in a new era of applications for first responders
    • At 4:54 pm ET on Wednesday May 15th, someone downloaded the 50 billionth app from Apple's online App Store
  – Each application will want to authenticate the responder
  – Each application will want to provision the responder
  – Risk associated with each solution solving this independently
  – A coordinated and cohesive approach to identifying users is needed
• Identity Management solved independently =
  – overall solution complexity +
  – inconvenience to both the administrator and the end-user +
  – weakened security +
  – obstacle to interoperability
There is a fundamental need for an Identity Layer in FirstNet

Slide 4: The Need for Identity
Identity 1.0 is broken
• Siloed approach is an obstruction to usability & interoperability
  – Responder must enter (often different) credentials for every application (again, again, and again)
  – Credentials required on every resource server the first responder needs to access (not scalable, not dynamic)
• Passwords have failed to protect us
  – 5 of 6 attacks on the Internet caused by password breaches
Identity 2.0 is needed
• Deperimeterization driven by mobile and cloud has caused disruption
  – Access to data can no longer depend on traditional security controls
  – User must be able to access data and resources from anyplace – stored anyplace – from any device
  – Identity is the new perimeter
• Separation of Identity Provider (the one that provides your credentials and authenticates you) and Service Provider (the one that provides you with service) enables:
  – SSO
  – Strong authentication
  – Interoperable Identity
  – Scalable trust
  – Centralized authentication, distributed authorization
*** Alignment with government initiatives and deployments: FICAM, GFIPM, NSTIC ***

Slide 5: Terminology
• Roles
  – Resource Owner
    • The one that owns the resource or service being requested
  – Resource Requestor
    • The person (or machine) that is requesting access to the resource or service
• Authentication
  – The act of the requestor proving their identity to the resource owner at some Level of Assurance (LOA)
• Authorization
  – The resource owner – after having some level of assurance that the requestor is who they claim to be – determining what resources the requestor is able to access

Slide 6: Real-Life Identity (1)
Identify: “Hi, I’m Bob.”
Authenticate: “Prove it.” (presentation of credentials)
I have authenticated you, Bob. Here is a token asserting my authentication of you … as well as some attributes of you.
(Diagram labels: Birth certificate; Utility bill with Name + Address; State DMV; “Bob”; steps 1, 2)

Slide 7: Real-Life Identity (2)

Slide 8: Token = Authenticated Attribute Assertions

Slide 9: Obvious Advantages of Real-Life Identity
• Relying parties (airport security, insurance agent, library, other states) do not need a complex authentication process
  – They consume identity as asserted by the DMV and make authorization decisions
• Our identity federates to other states (issued by State of Illinois, trusted by State of Texas)
• Our identity can be used to obtain higher identity (e.g. passport)
• Our identity carries attributes that can help the service provider / relying party make authorization decisions
  – Old enough to buy alcohol?
  – Registered in this state?
  – Certified to drive an 18-wheeler?
  – No-fly list?
• DMV can move to strong authentication in the future (biometric) without requiring changes to the relying parties

Slide 10: Public Safety Identity (1)
(Diagram: Active Directory as the IdM function)
Identify: “Hi, I’m Officer Bob.”
Authenticate: “Prove it.” (presentation of credentials: biometric, ********** password, public-private key pair)
I have authenticated you, Bob. Here is a token asserting my authentication of you … as well as some attributes of you.
Token contents:
  Name: Officer Bob
  Agency: Schaumburg Police Department
  Role: Sergeant
  Languages: English, Spanish, Russian
  Qualifications: Firearms, CPR
  Contact-mobile: 847-555-1234
  Contact-email: bob@schaumburgPD.gov
  User Authentication: RSA 2-factor
  Signed by: Village of Schaumburg IdM

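The identify / authenticate / token flow of slides 6 and 10, and the relying-party side of slides 4 and 9 (consume the IdP's signed assertion, decide authorization from its attributes, and stay unchanged when the IdP moves to stronger authentication), as an added Python example that is not part of the original deck. The HMAC key, issuer name, claim names and the CJIS access policy are constructed assumptions; a real SAML or OpenID Connect assertion would carry the IdP's asymmetric signature instead of a shared-key HMAC.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by IdP and relying party (hypothetical stand-in
# for the IdP's signing key; a SAML/OIDC IdP signs with a private key).
IDM_KEY = b"constructed-demo-key-village-of-schaumburg-idm"
IDM_NAME = "Village of Schaumburg IdM"
# Authentication methods the relying party's policy treats as strong.
STRONG_AUTH = {"RSA 2-factor", "PIV-I", "Biometric"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, attrs, auth_method, now=None, ttl=3600):
    """IdP side: after authenticating the user, assert identity and attributes."""
    claims = dict(attrs, sub=subject, iss=IDM_NAME, auth=auth_method,
                  exp=int(now or time.time()) + ttl)
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDM_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """RP side: accept only an untampered, unexpired token from this IdP."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDM_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None  # forged or modified: the RP never trusts the attributes
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDM_NAME or claims["exp"] < (now or time.time()):
        return None
    return claims

def authorize_cjis(claims):
    """RP policy (constructed): CJIS records need strong auth and a sworn role."""
    return (claims is not None and claims["auth"] in STRONG_AUTH
            and claims["role"] in {"Officer", "Sergeant", "Lieutenant"})

def tamper_claims(token, **changes):
    """Rewrite claims but keep the old signature, as a party without the key."""
    body, _, sig = token.rpartition(".")
    claims = dict(json.loads(_unb64(body)), **changes)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"

# Constructed sample matching the slide's Officer Bob token.
BOB = {"name": "Officer Bob", "agency": "Schaumburg Police Department",
       "role": "Sergeant", "languages": ["English", "Spanish", "Russian"],
       "qualifications": ["Firearms", "CPR"]}
```

The relying party only checks the signature, issuer and expiry and then reads the asserted authentication method; when the IdP switches Bob from "RSA 2-factor" to "Biometric" the policy above keeps working without any change on the RP side.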
Slide 11: Public Safety Identity (1)
(Diagram labels: Agency; State/Region/Federal; Status-info Homepage; CJIS Web Based App 2; CAD Records App 3)

Slide 12: Identity Landscape – Government & Industry
SDOs: IETF, OASIS, 3GPP, ATIS, TIA, OIX, Kantara
Standards: SAML, WS-Trust, OpenID, OAuth, OpenID Connect, UMA, PersonaID, TR 33.980, TR 33.924, TR 33.804, TR 22.895
Government Agencies: White House, GSA, DOJ, USPS, NIST, OMB, DHS, FEMA, FBI
Government Initiatives: E-Gov Act 2002, FICAM, GFIPM, NIEF, NSTIC, Federal PKI, FCCX, FedRAMP, SICAM, BAE, PIV/PIV-I, FRAC, NIMS, NIEM, CJIS, PIV-I/FRAC Technology Transition Working Group
Government Publications: NIST SP 800-78, NIST SP 800-63, NIST SP 800-76, NIST FIPS 201, OMB M-04-04, HSPD-12
** This is just a sample to illustrate the amount of work. It is not an exhaustive list.

Slide 13: Guiding Principles for FirstNet
• An Identity ecosystem should enable single sign-on
• An identity ecosystem should enable interoperability
• An identity ecosystem shall be usable
• An identity ecosystem shall be standards-based
• An identity ecosystem shall be secure
• An identity ecosystem shall be flexible

Slide 14: Guiding Principles (cont.)
• First Responders are typically Identity Proofed and credentialed by their respective agency
  – The FirstNet system must enable agencies to reuse their existing agency-issued identity & credentials
  – This might include FRAC credentials or passwords
  – The FirstNet system MUST NOT make first responders remember yet another user ID and password
    • (or make their IT admin manage yet another set)
• The FirstNet system must enable a scalable identity solution for smaller public safety agencies that don’t have sufficient funds to manage their own Identity Management infrastructure
  – E.g. must enable support of Identity Management as a Service (IdMaaS)
  – Enables smaller agencies to “shop around” for an identity using an open-marketplace type model
  – FirstNet may optionally offer their own IdMaaS for smaller agencies (so long as it does not prohibit those agencies from free choice)

Slide 15: Many Challenges
• First there are the technical hurdles:
  – A plethora of standards to choose from
  – The standard that is ultimately chosen must be profiled
  – Solution must account for diverse credential types (passwords, PIV-I / FRAC, biometric), and diversity in size of various public safety agencies
  – (and this is the easy part)
• And there is so much to do beyond the technology:
  – Legal (e.g. what are the contractual obligations of the parties?)
  – Policy (e.g. Levels of Assurance, dispute resolution, privacy requirements, etc.)
  – Accreditation (e.g. ensure that parties meet the policy)
  – Continued auditing (e.g. ensure that parties meet the policy – over time)

Slide 16: To Meet the Challenges
A Trust Framework for First Responders is required
• What is a Trust Framework?
  – An agreement between stakeholders consisting of:
    • Selection of standards and profiles of those standards
    • Identity Proofing
    • Acceptable credential types
    • Levels of Assurance
    • Levels of Protection
    • Auditing expectations
    • Legal obligation and liability clauses
    • Dispute resolution process
    • Governance structure
• Possible venues for defining a Trust Framework for First Responders:
  – Kantara Initiative
  – GLOBAL Security WG

Slide 17: Take Away
Identity will be the plumbing of interoperable application-layer communications between public safety agencies and FirstNet
• A scalable Identity Trust Framework for FirstNet is imperative
• We must either plan for it now – or it will be a disaster later
Recommendation:
• Engage public safety stakeholders to develop use cases that reflect real-world identity requirements, resulting in a scalable and interoperable Identity Trust Framework between public safety agencies and the FirstNet national system.

Slide 18: And in Closing …
• Questions?
• Comments?
• Scrutiny?
• Thank you! :-)
