Securing Access Through a Multi-Purpose Credential and Digital ID

Breakout Session at the 2014 IRM Summit in Phoenix, Arizona by Stephan Papadopulos, Managing Director at the Triage Group.

  1. Securing Access through a Multi-Purpose Credential and Digital ID. ForgeRock Identity Relationship Management Summit, June 4, 2014
  2. Introduction
      • Stephan Papadopulos, Managing Director, The Triage Group
      • Washington, DC-based woman-owned business
      • Healthcare and emergency response IT and business consulting firm
      • ForgeRock systems integration partner with deep identity and access management experience
  3. Challenge: Multiple Agencies, Multiple Cards
  4. DC One Card Overview
      • The DC One Card is designed to give cardholders convenient access to DC government facilities, resources and programs
      • Provides immediate benefits by incorporating WMATA SmarTrip® capabilities
      • Reduces citywide credentialing inefficiencies and reduces costs
      • Establishes a single trusted identity for DC stakeholders
      • Consolidates constituent touch points
  5. DC One Card Program: Physical and Digital Credentials
      Problem: citizens have multiple ID cards and multiple online identities
      Objectives
      • Convenience
      • Physical and digital ID consolidation
      • Improved constituent relationships
      • Security
      • Cost savings
      • Fraud reduction
      • Improved access
      [Screenshot: DCPS Google Apps login page with DC One ID username/password fields and a "Connect using your DC One ID" option]
  6. How it Works
      Physical credential features
      • 12-digit barcode number ties the card to an individual and can be read with a basic scanner (the barcode identifies the cardholder; it carries no secret and is not an authenticator on its own)
      • Embedded chips can be used to control physical access to facilities and transit
      • The PIV-I smart chip secures access to high-risk systems and facilities
      • Mag stripe reserved for future banking use
      Online digital identity features
      • A single digital identity can be used to access multiple online systems, eliminating the need for users to remember numerous passwords
      [Screenshot: DC One ID login form, "Connect using your DC One ID"]
  7. How it Works: Creating the Digital Account
  8. How it Works: Federated Identity for SSO
      [Screenshot: DCPS Google Apps login page offering "Connect using your DC One ID" and a "forgot username?" link]
  9. DC1C IAM Framework
      Identity Management Services
      • Identity Administration: user provisioning, password management, role management
      • Identity Auditing: reporting, fraud detection, identity reconciliation
      • Identity Verification: identity proofing, user authentication
      Credential Management Services
      • Credential Management: card / token issuance lifecycle; revoke / reissue cards and tokens
      • Credential Application Definition Management: PIV / PIV-I, HID, other
      • Advanced Security / Key Management: certificate authority, encryption, digital signatures, PKI-enabled authentication, OCSP / validation
      Access Management Services
      • Logical Access Management: authentication, application authorization, single sign-on and federation, virtual directory synchronization
      • Physical Access: facility entitlements, situational controls
      • Centralized Directory Management: directory / SSO services, metadata management, virtual directory management
      Governance, Policies and Procedures
      • Policy Management: policy administration, policy enforcement, organizational alignment
      • Security Services: platform security, web services security
      • Service Management: service desk integration, service operations
      Deployment tiers: Local Agency Systems; Centralized Systems; Centralized / Managed Services
  10. Converged IAM Platform: Logical Architecture (diagram)
      • Identity sources: Employees (HCM), Contractors, Public / Visitors, BAE, Schools
      • IAM Platform: Identity Management, IAM Txn Database, LDAP, Access Management (OpenAM), Credential Issuance
      • SSO and access enforcement: Physical Control Systems, Logical Apps
  11. Single Sign-on Authentication Mechanisms (diagram): DC One ID, DC One Card, IAM Platform
  12. Case Study: PIV/PIV-I PACS/LACS
  13. Case Study: Entitlements
      • Access policies set in OpenAM
      • IdM manages PIV-I issuance
      • PIV registered after issuance
  14. Case Study: Enrollment Kiosk
      • Authenticates and validates the visitor credential
      • Matches card data to the entitlement policy
  15. Case Study: Lobby Entry
      • Reads, authenticates and validates the PIV credential
      • Sends a XACML access and attribute request to OpenAM
      • Opens the turnstile on a Permit decision
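The lobby-entry sequence on the slide above (read and validate the card, ask the policy decision point, act only on Permit), as an added example in Python. This is not code from the presentation, from The Triage Group or from ForgeRock: the card records, revocation set, entitlement policy and facility names are constructed, and the toy PDP stands in for OpenAM. The cryptographic side of PIV validation (CHUID signature, challenge-response against the card's authentication key, OCSP lookup) is assumed to have happened in the reader and is represented here only by the expiry and revocation checks. The XACML 3.0 namespace and attribute identifiers are the standard ones.

```python
"""Lobby-entry flow: validate card, build XACML request, open gate on Permit.

Added illustration; all data below is constructed for the example."""
import datetime as dt
import xml.etree.ElementTree as ET

# Standard XACML 3.0 identifiers used in the request and response.
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ID_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ID_RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ID_ACTION = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed card data as the lobby reader would present it after reading the
# chip and verifying it cryptographically (that step is not modelled here).
CARDS = {
    "card-1001": {"holder": "a.smith", "expires": dt.date(2016, 6, 4)},
    "card-1002": {"holder": "b.jones", "expires": dt.date(2013, 1, 1)},  # expired
    "card-1003": {"holder": "c.lee", "expires": dt.date(2016, 6, 4)},
}
REVOKED = {"card-1003"}  # constructed; stands in for an OCSP "revoked" answer

# Constructed entitlement policy: holder -> facilities they may enter.
ENTITLEMENTS = {
    "a.smith": {"one-judiciary-square"},
    "b.jones": {"one-judiciary-square"},
}


def validate_card(card_id, today):
    """Return the holder if the card is known, unexpired and not revoked, else None."""
    rec = CARDS.get(card_id)
    if rec is None or card_id in REVOKED or rec["expires"] < today:
        return None
    return rec["holder"]


def build_request(holder, facility, action="enter"):
    """Serialise a XACML 3.0 access request (subject, resource, action)."""
    ET.register_namespace("", XACML)
    req = ET.Element(f"{{{XACML}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    triples = ((CAT_SUBJECT, ID_SUBJECT, holder),
               (CAT_RESOURCE, ID_RESOURCE, facility),
               (CAT_ACTION, ID_ACTION, action))
    for category, attr_id, value in triples:
        attrs = ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue", {"DataType": XS_STRING}).text = value
    return ET.tostring(req, encoding="unicode")


def toy_pdp(request_xml):
    """Toy policy decision point: evaluate the request against ENTITLEMENTS.

    Returns a XACML Response with one of the four standard decisions."""
    root = ET.fromstring(request_xml)
    values = {}
    for attrs in root.findall(f"{{{XACML}}}Attributes"):
        for attr in attrs.findall(f"{{{XACML}}}Attribute"):
            values[attr.get("AttributeId")] = attr.find(f"{{{XACML}}}AttributeValue").text
    subject, resource, action = (values.get(ID_SUBJECT), values.get(ID_RESOURCE),
                                 values.get(ID_ACTION))
    if subject is None or resource is None or action is None:
        decision = "Indeterminate"  # malformed request
    elif action != "enter":
        decision = "NotApplicable"  # no policy covers this action
    elif resource in ENTITLEMENTS.get(subject, set()):
        decision = "Permit"
    else:
        decision = "Deny"
    resp = ET.Element(f"{{{XACML}}}Response")
    result = ET.SubElement(resp, f"{{{XACML}}}Result")
    ET.SubElement(result, f"{{{XACML}}}Decision").text = decision
    return ET.tostring(resp, encoding="unicode")


def decision_of(response_xml):
    """Extract the Decision string from a XACML Response."""
    return ET.fromstring(response_xml).find(f"{{{XACML}}}Result/{{{XACML}}}Decision").text


def lobby_entry(card_id, facility, today=dt.date(2014, 6, 4)):
    """Full turnstile flow; returns (open_turnstile, reason)."""
    holder = validate_card(card_id, today)
    if holder is None:
        return False, "card invalid"  # never consult the PDP about an invalid card
    decision = decision_of(toy_pdp(build_request(holder, facility)))
    # Fail closed: only an explicit Permit opens the gate. Deny, NotApplicable
    # and Indeterminate all keep it shut.
    return decision == "Permit", decision


if __name__ == "__main__":
    for card, site in (("card-1001", "one-judiciary-square"), ("card-1001", "wilson-csc"),
                       ("card-1002", "one-judiciary-square"), ("card-1003", "one-judiciary-square")):
        print(card, site, lobby_entry(card, site))
```

Two points the slide's three bullets leave implicit and the code makes explicit: an invalid card (expired, revoked, unknown) is rejected by the reader before any request is sent, so the PDP only ever sees authenticated subjects; and because XACML defines four decisions, the turnstile must compare against the literal Permit rather than "not Deny", or an Indeterminate from a PDP outage would open the door.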
  16. Where to get a DC One Card
      • Deanwood Customer Service Center
      • One Judiciary Square Customer Service Center
      • Wilson Customer Service Center
      • DCPS Secondary Schools (DCPS student and staff DC One Cards only)
      Ever in Washington, DC? Get a DC One Card, they're free!
  17. Conclusion: Good, Fast, Cheap. Pick Two
  18. Conclusion: Questions?