
The Road to Identity 2.0


  1. 1. Adam Lewis, Office of the CTO; Mike Korus, Office of the CTO
  2. 2. IDENTITY 101 3 IDENTIFICATION: WHO ARE YOU? AUTHENTICATION: CAN YOU PROVE IT? WHAT DEGREE OF ASSURANCE? AUTHORIZATION: OK, I BELIEVE YOU. I GET TO DECIDE WHAT YOU GET TO DO OR NOT.
  3. 3. IDENTITY 1.0 AND WHY IT DOESN’T WORK ANYMORE 4
  4. 4. Identity Today: Application SILOS 5 APPLICATION 1 APPLICATION 2 IDENTITY = ALICE.SMITH PASSWORD = 2DAQREF4ERQL PASSWORD CHANGE MANAGEMENT = 30 DAYS Application / Service Provider Application logic APPLICATION 3 IDENTITY = Alice-22 Password = ABC123 PASSWORD CHANGE MANAGEMENT = NEVER Application / Service Provider Application logic IDENTITY = ALICE PASSWORD = ABC123 PASSWORD CHANGE MANAGEMENT = 90 DAYS Application / Service Provider Application logic Each application = Identity provider, Service provider
  5. 5. Why Identity 1.0 is Broken 6 THE USER THE ADMIN THE DEVELOPER
  6. 6. It gets worse.
  7. 7. Credentials Users Mobile. Cloud. The Perimeter has Dissolved. Sharing of Information & Resources. The Good ol’ Days. Users, their credentials, and the information they accessed were all within the secure perimeter of the Enterprise.
  8. 8. WHERE WE HAVE BEEN 9 Home Agency Apps
  9. 9. 10 REGIONAL APPLICATIONS HOME AGENCY APPS
  10. 10. REAL LIFE IDENTITY … AND WHAT WE CAN LEARN FROM IT 11
  11. 11. REAL-LIFE IDENTITY 12 BOB IDENTIFY: “HI, I’M BOB” AUTHENTICATE: “PROVE IT” 1. DMV “I HAVE AUTHENTICATED YOU HERE IS A TOKEN ASSERTING MY AUTHENTICATION OF YOU AS WELL AS SOME ATTRIBUTES OF YOU” 2.
  12. 12. REAL-LIFE IDENTITY STATE BORDERS
  13. 13. IDENTITY 2.0 … BUILT FOR A DEPERIMETERIZED WORLD
  14. 14. Identity 2.0 IDENTITY: “I AM OFFICER BOB” AUTHENTICATE: “PROVE IT” CREDENTIAL REPOSITORY Agency IdM FUNCTION 1. BIOMETRIC *********** PASSWORD SMART CARD I HAVE AUTHENTICATED YOU, BOB. HERE IS A TOKEN ASSERTING MY AUTHENTICATION OF YOU …AS WELL AS SOME ATTRIBUTES OF YOU. 2. Name: Officer Bob Agency: Schaumburg Police Department Role: Sergeant Languages: English, Spanish, Russian Qualifications: Firearms, CPR Contact-mobile: 847-555-1234 Contact-email: bob@schaumburgPD.gov User Authentication: RSA 2-factor Signed by: Village of Schaumburg IdM
  15. 15. Identity 2.0 17 Separation of Identity Provider and Service Provider functionality Identity 2.0 is the separation of the Identity Provider from the Service Provider
  16. 16. Centralized Credential Management Single Sign-On Federation Strong Authentication IDENTITY 2.0
  17. 17. Centralized Credential Management 19 IDENTITY PROVIDER APPLICATION 1 Service Provider Application logic Focuses strictly on the service the app is looking to provide Leverages identity & credentials provisioned in Identity Provider APPLICATION 2 Service Provider Application logic Focuses strictly on the service the app is looking to provide Leverages identity & credentials provisioned in Identity Provider Identity = Alice Password = abc123 Attribute-1 (e.g. email) Attribute-2 (e.g. phone number) Attribute-3 (e.g. dept. no) Password change management = 90 days Password complexity rules Password reuse rules Activate account Suspend account Delete account INTEGRATES WITH AGENCY’S EXISTING IDENTITY MANAGEMENT SYSTEM (E.G. ACTIVE DIRECTORY)
  18. 18. Centralized Credential Management Single Sign-On Federation Strong Authentication IDENTITY 2.0
  19. 19. Centralized Credential Management Single Sign-On Federation Strong Authentication IDENTITY 2.0
  20. 20. © 2014 Motorola Solutions, Inc. 23 IDENTITY FEDERATION LOCAL POLICE AGENCY REGIONAL OR NATIONWIDE APPLICATIONS & SERVICES CAD VIDEO PTT LOCAL AUTHORIZATION CONTROL
  21. 21. Centralized Credential Management Single Sign-On Federation Strong Authentication IDENTITY 2.0
  22. 22. • Strong Authentication 25 76% of 2012 network intrusions exploited weak or stolen credentials. In 2007, ~30 vendors in authentication. Approximately 12 new vendors have been added per year. Today there are over 100 vendors.
  23. 23. Source: PingIdentity AT WORK AT HOME Memorization One Constant: CHANGE Re-Use Avoid Change The average corporate user maintains 15 passwords within both private and corporate spheres
  24. 24. • Like the cockroach… …passwords will outlive us all • But that does not mean …. …. we shouldn’t try to exterminate them
  25. 25. STRONG AUTHENTICATION 28 SOMETHING I AM, SOMETHING I HAVE, SOMETHING I KNOW. CJIS REQUIRES STRONG AUTHENTICATION – MSI HAS SOLUTIONS TO MEET THOSE NEEDS TODAY
  26. 26. • The Identity problem – Who are you – Prove it – how confident are we in the “proofing” • Federal Standards defined “how certain” – Level Of Assurance (LoA) – Defined in M-04-04 (Dec 16, 2003) • EXECUTIVE OFFICE OF THE PRESIDENT, OFFICE OF MANAGEMENT AND BUDGET. OMB LoA: Level 1: Little or no confidence in the asserted identity’s validity. Level 2: Some confidence in the asserted identity’s validity. Level 3: High confidence in the asserted identity’s validity. Level 4: Very high confidence in the asserted identity’s validity.
  27. 27. Centralized Credential Management Single Sign-On Federation Strong Authentication IDENTITY 2.0
  28. 28. AROUND THE WORLD IN 80 DAYS … GLOBAL TRENDS IN IDENTITY
  29. 29. UNITED STATES 32
  30. 30. INTERNATIONAL 33
  31. 31. CLOSING THOUGHTS … AND THINGS TO REMEMBER 34
  32. 32. PILLARS OF IDENTITY 2.0 35 WHAT DO YOU GET? MOBILE FRIENDLY CLOUD READY INDUSTRY DOMINANT OPEN STANDARDS CENTRALIZED CREDENTIAL MANAGEMENT SINGLE SIGN ON FEDERATION: PORTABLE & INTEROPERABLE STRONG AUTHENTICATION
  33. 33. 36 In a deperimeterized mobile & cloud world, where first responders are accessing information – located anywhere – from anywhere – Identity *IS* the new perimeter
  34. 34. 37
  35. 35. July 17, 1996: Emergency services personnel from Suffolk County, NY and the United States Coast Guard respond to a report of a catastrophic explosion and the crash of a passenger airliner over the ocean off the southern coast of Long Island. The initial assumption is a nexus to terrorism. The East Moriches Coast Guard Station is designated as the operations command post, staging area, and evidence collection point. As the incident shifts from response to recovery, personnel from various response disciplines and levels of government stream into the station. Among them is Lieutenant Colonel David Williams of the U.S. Army Reserve. LTC Williams, dressed in his U.S. Army Reserve flight suit, presents identification, enters the site, and assists in the operation by landing helicopters on the designated helipads. On the third day of his work, LTC Williams is questioned concerning his identity and affiliation. Following a brief investigation, LTC Williams is identified as an impostor, escorted from the property, and charged by the Suffolk County Police. September 11, 2001: When the Pentagon was struck it resulted in a massive response of public safety personnel from fire, EMS, and police. Given the technology used at the time, it was impossible to authenticate and validate emergency responders at a pace necessitated by the disaster. While the majority of emergency responders already had identification cards, their credentials were not recognized at all levels of government or by the various jurisdictions. The incident commanders on site either had to assume that people were who they said they were, or they had to deny or delay access of critical emergency personnel to the crash scene. This same scenario could be applied to any disaster at any secured building in any city or state.
  36. 36. • Single Factor: Choose ONE OF: SOMETHING I AM, SOMETHING I HAVE, SOMETHING I KNOW • Multi Factor: Choose TWO OR MORE OF: SOMETHING I AM, SOMETHING I HAVE, SOMETHING I KNOW
  37. 37. • User Authentication - Factors Something I Know Something I Have Something I Am PIN Smart badge Brainwave (EEG) Password/Phrase OTP Token Heart Rhythm (ECG) Gesture Key Fob (Yubico) Voice Shape Smartphone/Tablet Fingerprint Pattern Bio-stamp/Tattoo Finger/hand vein Wearable Iris scan Facial scan NFC Ring PIV OTP
  38. 38. • 1. REMOTE ACCESS • CJIS MANDATES STRONG AUTHENTICATION • 2. PHYSICAL ACCESS • FRAC CARDS FOR INTEROPERABILITY • 3. DEVICE ACCESS • SENSITIVE DATA ON DEVICES & OPEN SESSIONS Authentication for Public Safety
  39. 39. • Think To Authenticate – Started as “brain fitness” – Your brainwave is unique – Focus on a thought – Some Difficulties • Slow • Focus • Very early research NeuroSky
  40. 40. • Key Stroke to authenticate – Something I know (simplified Password) – Something I am • Dwell time • Flight time – Stops password sharing
  41. 41. • EKG to authenticate – Your EKG is unique – Not affected by caffeine or exercise • Heart rate, yes • EKG characteristics, no. – How many sensors? • Hospital = 12 • Authentication = 2 – Communicates to your device • Bluetooth • NFC Bionym
  42. 42. • Smartbadge Tap to authenticate – Uses NFC Technology • Standard supported by most smartphones – Federal PIV card standards • Personal Identity Verification card • FIPS PUB 201-2 – PIV-I/FRAC cards • First Responder Authentication Credential • Future capability – Smartbadge turns your phone into a badge – Draft NIST SP 800-157 Card emulation on radio Tap Smart Card LOGON
  43. 43. • Continuous authentication – Is it “still you” – Is it “still you” – … – Is it “still you”
  44. 44. [Diagram: biometric enrollment, authentication and identification. Enrollment: Sensor → Feature extraction & Template creation → Database (BE → BE’). Authentication: Sensor → Feature extraction & Template creation (BA → BA’) → Matching Function against the stored template BE’ for the claimed ID → Decision (Y/N). Identification: Sensor → Feature extraction (BI → BI’) → Matching Function over the Database → Identity.]
  45. 45. [Diagram: Challenge/response handshake. Application server: “prove you can lock this” with secret. The user submits factor 1 (e.g. biometric); the biometric never leaves the device. Success = access to the secret. The server verifies the response.]
  46. 46. Security / Cost / UX • Tiered to needs • Policies • Federation • Secure elements (TEE, uSD…) • Key for adoption • Unobtrusive/stealthy • Shared Devices (load profiles) • Leverage commercial Tech • Standards. Security isn’t an afterthought; it’s a stream of consciousness.
  47. 47. – Back to beginning • It ties into identity management • It’s the “primary authentication” • What you use at work, can be applied to home
  48. 48. [Diagram: Challenge/response handshake. Application server: “prove you can lock this” with secret. The user submits factor 1 (e.g. biometric); the biometric comparison happens on the device or on the card. Success = access to the secret. The server verifies the response.]
  49. 49. • Assets require “user” access controls? – Records management – CAD – CJIS – Location – Messaging – Logging – PTT services (?) – … • Single Factor or Multifactor • Device or User Authentication
  50. 50. • Most of this is standards – Standards • NIST • FIDO • Global Platform • Technology Enablers • Secure elements (CRYPTR micro) • TEE • Wireless tokens/secure elements • Wearable Biometrics
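Slides 14 to 20 describe the core of Identity 2.0: an identity provider authenticates the user and hands back a signed token that asserts the authentication plus some attributes, and each service provider verifies that token and keeps its own local authorization control. The Go program below is an added example written for this page, not code from the deck or from Motorola Solutions. It assumes an Ed25519-signed JSON assertion (the slides name neither a token format nor a signature scheme), constructed attribute values taken from the slide 14 mock-up, and a hypothetical `ServiceProvider` policy made of a minimum level of assurance and an allowed-role list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is the token the identity provider issues after it has
// authenticated the user: attributes as on slide 14 plus issuer and validity.
type Assertion struct {
	Subject   string `json:"sub"`
	Agency    string `json:"agency"`
	Role      string `json:"role"`
	LoA       int    `json:"loa"` // level of assurance, 1..4 as in OMB M-04-04
	Issuer    string `json:"iss"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

// SignedAssertion is what travels from the IdP to a service provider.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// IdentityProvider owns the credential repository and the signing key;
// service providers only ever see the public half.
type IdentityProvider struct {
	Name string
	priv ed25519.PrivateKey
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, priv: priv}, nil
}

// PublicKey is the verification key the IdP publishes to federated SPs.
func (idp *IdentityProvider) PublicKey() ed25519.PublicKey {
	return idp.priv.Public().(ed25519.PublicKey)
}

// Issue stamps issuer and validity window onto the assertion and signs it.
// The IdP calls this only after it has authenticated the user itself.
func (idp *IdentityProvider) Issue(a Assertion, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a.Issuer = idp.Name
	a.IssuedAt = now.Unix()
	a.ExpiresAt = now.Add(ttl).Unix()
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(idp.priv, payload)}, nil
}

// ServiceProvider stores no passwords: it trusts a set of IdP public keys
// and applies its own policy (slide 20's "local authorization control").
type ServiceProvider struct {
	Trusted      map[string]ed25519.PublicKey // issuer name -> verification key
	AllowedRoles map[string]bool
	MinLoA       int
}

// Verify checks issuer, signature and expiry. The issuer name is read from
// the still-unverified payload only to pick a key; no other field is used
// until the signature check has passed.
func (sp *ServiceProvider) Verify(sa SignedAssertion, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	pub, ok := sp.Trusted[a.Issuer]
	if !ok {
		return Assertion{}, errors.New("assertion from untrusted identity provider")
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return Assertion{}, errors.New("assertion signature invalid")
	}
	if now.Unix() >= a.ExpiresAt {
		return Assertion{}, errors.New("assertion expired")
	}
	return a, nil
}

// Authorize is the SP's own decision on verified attributes: the IdP says
// who the user is, the SP decides what that user may do here.
func (sp *ServiceProvider) Authorize(a Assertion) bool {
	return a.LoA >= sp.MinLoA && sp.AllowedRoles[a.Role]
}
```

The separation the slides call for shows up as two independent decisions: `Verify` answers "did a provider I trust authenticate this person, and is the statement intact and current", and `Authorize` answers "what does this application let a verified Sergeant at level 3 do". Tampering with a single attribute, presenting an assertion from an IdP outside the federation, or replaying an expired one all fail before the policy is consulted.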
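Slides 44, 45 and 48 show the biometric matching pipeline and a challenge/response handshake in which the biometric comparison happens on the device (or card) and only unlocks a secret that answers the server; the biometric itself never leaves the device. The Go program below is an added example, not code from the deck or from any vendor it names. It assumes a Euclidean-distance matcher over small constructed feature vectors as a stand-in for a real biometric algorithm, an Ed25519 device key as the "secret" the match unlocks, and a single-use random challenge from the application server.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"math"
)

// Template stands in for a biometric template. Real products use
// vendor-specific feature vectors; the ones used here are constructed.
type Template []float64

// distance is the matching function of slide 44: Euclidean distance
// between a stored template (BE') and a freshly extracted sample (BA').
func distance(stored, sample Template) float64 {
	if len(stored) != len(sample) {
		return math.Inf(1)
	}
	var sum float64
	for i := range stored {
		d := stored[i] - sample[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// Verify is the 1:1 decision (Y/N): does this sample match this template?
func Verify(stored, sample Template, threshold float64) bool {
	return distance(stored, sample) <= threshold
}

// Device keeps the template and a private key that the biometric unlocks.
// Neither leaves the device; only a signature over the challenge does.
type Device struct {
	template  Template
	threshold float64
	priv      ed25519.PrivateKey
}

func NewDevice(template Template, threshold float64) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{template: template, threshold: threshold, priv: priv}, nil
}

// PublicKey is registered with the application server at enrollment.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Respond runs the local match and, only on success, signs the server's
// challenge with the unlocked key. A failed match leaves the key locked.
func (d *Device) Respond(challenge []byte, sample Template) ([]byte, error) {
	if !Verify(d.template, sample, d.threshold) {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Server holds registered public keys and one outstanding challenge per user.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge is the server's "prove you can sign this": 32 fresh random bytes.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// CheckResponse accepts a signature only over the challenge currently
// outstanding for the user and then retires it, so a captured response
// cannot be presented a second time.
func (s *Server) CheckResponse(user string, challenge, sig []byte) error {
	expected, ok := s.pending[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no such outstanding challenge")
	}
	delete(s.pending, user)
	if !ed25519.Verify(s.keys[user], challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

Two properties worth checking in any product that claims this design: the server stores only a public key and a short-lived challenge, never a template, so a server breach yields nothing biometric; and the device refuses to sign when the local match fails, so the secret is gated by the factor rather than merely stored next to it. A production protocol would additionally bind the server's identity (origin) into the signed data, as the FIDO standards named on slide 50 do, so that a response obtained for one service cannot be forwarded to another.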
