Lessons Learned from Federal ICAM
Applications of Identity, Credentialing, and Access Management
Joel Rader, CISSP – Solutions Architect
Agenda
• Introductions
– Myself, and your interests as an interactive audience
• Federal History with ICAM
– How we arrived at today
• Enterprise Support
– Identity as a Cornerstone
• Use Cases
– Problems, Solutions, Lessons Learned
Introductions – Joel Rader
• 10 Years in Military and Federal Consulting
– Enterprise Architecture: Focus on identity management
– PIV/CAC Credentials: Logical and physical access
• Biometrics (fingerprint, iris)
– Federation: Sharing of information among trusted partners
– Radiant Logic: Why I’m Here
[Figure: sample PIV card face – Affiliation: Employee; Agency/Department: Agency Name; Expires: 2015JAN31; contact chip; Lastname, Firstname, MI.; United States Government]
Introductions – Audience Questions
• What Applications of ICAM Interest You?
– Enterprise Architecture? Fundamentals?
– Smart Cards, compatibility with other organizations?
• Other credentials?
– Physical and Logical Access Convergence?
– Federation and Data Exchange?
– Interaction with Federal/State Government, Military?
– Federal Policy? Difficulties in Practical Implementation?
– How RadiantOne Can Enable Your Success?
– Internet of Things?
Federal History with ICAM
HSPD-12 & OMB M-11-11
• HSPD-12
– Released in August 2004, describes need for common identification standard
– Leads to development of FIPS-201 (‘05) & PIV Card
– Defines common credentialing standard for Federal Employees & Contractors
• OMB M-11-11
– Released in February 2011, requires PIV usage for physical and logical access
– Agencies must accept and electronically verify other agency PIV credentials
– Standardization as a way to reduce costs and leverage buying power
Federal History with ICAM
FICAM Highlights
• FICAM Roadmap and Implementation Guidance
– Version 1.0 released in November 2009, Version 2.0 in December 2011
– Describes a Segment Architecture, Use Cases, and Implementation Guidance
– Drives the development and implementation of interoperable solutions
– Builds out a Transition Roadmap and Implementation Guidance
– Goes beyond just using a standard credential, presents a high-level vision for the government
– NIST 800 series for guidelines, recommendations, and reference materials
Key Takeaway (FICAM Roadmap):
“ICAM efforts within the Federal Government are a key enabler for addressing the nation’s cybersecurity need.”
Federal History with ICAM
So Where Are We Today?
• Credential issuance is generally well understood
• Varying levels of implementation progress
• Guidance from HSPD-12, OMB M-11-11, FICAM, others
• Significant educational progress across industry
But… we’re not at an ideal state. Why?
Federal History with ICAM
Challenges in Actual Implementation
• Many choices in vendor solutions, architecture designs, etc.
• Significant roadblocks in legacy system integration
• Every organization has unique population demographics
• Cybersecurity failings are a constant distraction
– OMB data breach (20+M records) and cyber “sprints”
• Disconnect between theory and reality
– Pretty pictures and architecture models aren’t actually helpful
– Enterprise architects need to tell you how, at a concrete level of detail
– That said, DoDAF (Department of Defense Architecture Framework) is a good documentation model to emulate
Identity as a Cornerstone
What Happened to the “I” in ICAM?
• PIV is a credential, not an identity
• Identity should be the primary focus for an organization
• Necessary to have high-level support, from both technology and policy
• You have to build a proper foundation first
Key Takeaway:
Identity is the cornerstone of an organization’s ICAM infrastructure
[Figure: Identity Management System components – Notification & Reporting; Performance Metric Analysis; Policy & Process Management; Authoritative Attribute Exchange; Identity Record Database; Data Segmentation]
Identity as a Cornerstone
Building a Digital Identity Record
• Context
– Must be useful, relevant, trustworthy
– Must uniquely identify a subject within a given context
• Consistent
– Must be able to be referenced uniformly across applications
– Where unique identifiers are not supported, mappings must be established
• High Assurance
– Trust that a Digital Identity represents an Identity
– Requires Identity Proofing, Vetting, and Adjudication
Identity as a Cornerstone
What a Digital Identity Record Looks Like
• Building a Digital Identity Record
– Generating unique identifiers (RFC 4122, UUID)
• Add in credentialing and organization data blocks
– Biographic, Biometric, and Application
• Storing Identity Records – Authoritative Identity Service
– Federation Support
– Data Sharing – Policy, Payload, and Protocol
[Figure: Digital Identity Record – Adjudication Results (Clearance, Criminal, Sponsor); Human Resources Attributes (Name, Address, Hire Date, Position, Medical Compensation, Dependents, Status); Personal Identity Verification (PIV) Credential Attributes (Unique Identifier/UUID, Agency, Issue Date, FASC-N, Expiration Date); Active Directory Attributes (Full Name, Title, Email, Company, Department, Office, City); Application #1 Attributes (User ID, Role)]
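The record structure in the figure above, together with the three requirements from the previous slide (Context, Consistent, High Assurance), can be put into working code. The following Python example is added here for illustration; it is not code from the slides or from Radiant Logic. It generates an RFC 4122 (version 4) UUID as the common key, attaches attribute blocks per authoritative source, keeps a mapping table for an application that cannot store the UUID, and gates "high assurance" on a favorable adjudication plus an unexpired PIV credential. All source names, attribute names and sample values are constructed placeholders.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class DigitalIdentityRecord:
    """One subject, one identifier; attribute blocks are grouped by the
    authoritative source that owns them."""
    uuid: str
    blocks: dict = field(default_factory=dict)   # source name -> attributes
    app_ids: dict = field(default_factory=dict)  # application -> local user ID


def new_record() -> DigitalIdentityRecord:
    # Random (version 4) UUID per RFC 4122. It is not derived from PII, so it
    # can be shared with every application as the subject's common key.
    return DigitalIdentityRecord(uuid=str(uuid.uuid4()))


def is_rfc4122_uuid(value: str) -> bool:
    """Check that an identifier parses as an RFC 4122 UUID."""
    try:
        return uuid.UUID(value).variant == uuid.RFC_4122
    except ValueError:
        return False


def add_block(rec: DigitalIdentityRecord, source: str, attrs: dict) -> None:
    """Attach a biographic, credential or application attribute block."""
    if source in rec.blocks:
        raise ValueError(f"block '{source}' already attached")
    rec.blocks[source] = dict(attrs)


def map_application_id(rec: DigitalIdentityRecord, app: str,
                       local_id: str, registry: dict) -> None:
    """For an application that cannot store the UUID, record the mapping
    (app, local ID) -> UUID in the identity service so the record is still
    referenced uniformly. One local ID must never point at two subjects."""
    key = (app, local_id)
    if registry.get(key, rec.uuid) != rec.uuid:
        raise ValueError(f"{app} user '{local_id}' already maps to another subject")
    registry[key] = rec.uuid
    rec.app_ids[app] = local_id


def resolve_uuid(app: str, local_id: str, registry: dict):
    """Look up which subject an application-local user ID belongs to."""
    return registry.get((app, local_id))


def is_high_assurance(rec: DigitalIdentityRecord, today: str) -> bool:
    """High assurance here means adjudication completed favorably and the PIV
    credential on file has not expired (YYYY-MM-DD strings compare as text)."""
    adjudicated = rec.blocks.get("adjudication", {}).get("result") == "favorable"
    expiration = rec.blocks.get("piv", {}).get("expiration", "")
    return adjudicated and expiration >= today


def build_sample():
    """Constructed sample data: not a real person, credential or agency."""
    registry = {}
    rec = new_record()
    add_block(rec, "hr", {"name": "Lastname, Firstname MI.",
                          "hire_date": "2012-03-05", "position": "Analyst"})
    add_block(rec, "adjudication", {"result": "favorable", "sponsor": "Agency Name"})
    add_block(rec, "piv", {"fasc_n": "FASC-N-PLACEHOLDER", "agency": "Agency Name",
                           "issue_date": "2012-02-01", "expiration": "2015-01-31"})
    add_block(rec, "active_directory", {"full_name": "Firstname Lastname",
                                        "email": "first.last@example.gov"})
    # Application #1 keeps its own user IDs, so it gets a mapping instead.
    map_application_id(rec, "Application #1", "flastname", registry)
    return rec, registry


if __name__ == "__main__":
    record, reg = build_sample()
    print(record.uuid, record.app_ids, is_high_assurance(record, "2014-06-01"))
```

The mapping registry is the piece that keeps an application-local identifier from silently becoming a second identity: a collision is rejected rather than overwritten, which is exactly the reconciliation problem a legacy integration creates.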
Identity as a Cornerstone
What a Digital Identity Record Looks Like
[Figure: Authoritative Identity Service architecture, Phases 2 & 3 – authoritative attribute sources (Human Resources (HR) Information, Federal Background Investigation Systems, Identity Management System (IDMS), Active Directory, External Source) feed a Universally Unique Identifier (UUID) Database and a Digital Identity Records store; Phase 2 creates the Digital Identity for a CONUS Employee or Contractor and notifies applications, Phase 3 adds OCONUS and External Users; Data Connection & Exchange Details cover Policy (Purpose, Owners, Legal, Data), Data Elements (D1, D2, D3) and Data Transfer Standards (XML, SOAP, REST, TLS, SAML 2.0, etc.); Systems and Services (Application #1, #2, #3; On-Boarding; Accounts and Privileges) send and receive attributes; Auditing and Reporting produces Hiring, Credential and Access reports]
• Key Areas
– Onboarding/Offboarding Processes
– Authoritative Sources of Data
– Application Usage
– Auditing/Reporting
• Policy, Payload, and Protocol
– Why we’re sharing
– What we’re sharing
– How we’re sharing
• Designed for Department of State
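The "Policy, Payload, and Protocol" split above is easiest to see in code. The following Python example is added for illustration and is not part of the slides or of the Department of State design: a per-consumer policy states why and what may be shared, the payload is filtered down to that set (with everything else refused, whether the service holds it or not), the exchange is wrapped in a JSON envelope, and every decision is written to an audit list that an Auditing and Reporting function would consume. Consumer names, purposes, attribute names and the envelope layout are constructed; the slides list XML, SOAP, REST, TLS and SAML 2.0 as the transfer standards a real exchange would use.

```python
import json
from datetime import datetime, timezone

# POLICY (why and what): each consumer's purpose, the owner of the agreement,
# and the only attributes it may receive. Names and purposes are constructed.
SHARING_POLICY = {
    "Application #1": {"purpose": "badging and physical access",
                       "owner": "Security Office",
                       "attrs": {"uuid", "display_name", "piv_expiration"}},
    "Application #2": {"purpose": "payroll",
                       "owner": "Human Resources",
                       "attrs": {"uuid", "display_name", "hire_date", "position"}},
}

AUDIT_LOG = []  # one entry per release decision, feeding Auditing and Reporting


def _audit(consumer, requested, released, decision) -> None:
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "consumer": consumer, "requested": sorted(requested),
                      "released": sorted(released), "decision": decision})


def release_attributes(record: dict, consumer: str, requested: set):
    """PAYLOAD: hand out only what the policy permits for this consumer.
    Anything outside the agreement is refused whether or not the identity
    service holds it, so the refusal list itself discloses nothing."""
    policy = SHARING_POLICY.get(consumer)
    if policy is None:
        _audit(consumer, requested, set(), "denied: no data-sharing agreement")
        raise PermissionError(f"no sharing policy for {consumer}")
    allowed = set(requested) & policy["attrs"]
    refused = set(requested) - policy["attrs"]
    payload = {name: record[name] for name in sorted(allowed) if name in record}
    _audit(consumer, requested, payload, "released")
    return payload, sorted(refused)


def build_message(record: dict, consumer: str, requested: set) -> str:
    """PROTOCOL: wrap the filtered payload in a JSON envelope (a constructed
    layout standing in for the SAML/REST exchange a deployment would use)."""
    payload, refused = release_attributes(record, consumer, requested)
    envelope = {"version": 1, "subject": record["uuid"],
                "purpose": SHARING_POLICY[consumer]["purpose"],
                "attributes": payload, "refused": refused}
    return json.dumps(envelope, sort_keys=True)


# Constructed digital identity record (not a real person).
SAMPLE_RECORD = {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "display_name": "Firstname Lastname",
    "hire_date": "2012-03-05",
    "position": "Analyst",
    "piv_expiration": "2015-01-31",
    "clearance": "PLACEHOLDER",   # in no policy, so never released to anyone
}


if __name__ == "__main__":
    print(build_message(SAMPLE_RECORD, "Application #1",
                        {"display_name", "hire_date", "piv_expiration"}))
    print(json.dumps(AUDIT_LOG, indent=2))
```

Note that the policy is keyed by consumer, not by attribute: an application that is both a source and a sink for attributes gets one agreement listing what it may receive, and a consumer with no agreement gets nothing and an audit entry rather than a best-effort answer.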
Identity as a Cornerstone
What a Digital Identity Record Looks Like
[Figure: Digital Identity Record with Phase 2 & 3 attributes – Adjudication Results (Clearance, Criminal Background, Sponsor); Human Resources Attributes (Name, Address, Hire Date, Position, Medical Compensation, Dependents, Clearance); Personal Identity Verification (PIV) Credential Attributes (Unique Identifier/UUID, Cardholder Unique Identifier (CHUID), Issue Date, FASC-N, Expiration Date); PKI Attributes (Issue Date, Expiration Date, Certificate); Active Directory Attributes (Display Name, Title, Email, Company, Department, Office, City); Application #2 Attributes (User ID, Role); Future Application #1 and #2 attributes (Attribute 1, 2, 3). Authoritative Attribute Sources and Systems and Services: Human Resources (HR) Information, Federal Background Investigation Systems, Unique Identifier Generation System, Public Key Infrastructure (PKI) Issuance System, Identity Management System (IDMS), Active Directory, Global Address List (GAL), Applications #1 and #2, connected by Data Pull, Data Push and Attribute Discovery; Auditing and Reporting receives Hiring, Credential and Standardization reports]
• Building Digital Identity Record
• Attribute Discovery
• Data Exchanges
• Applications can be both sources and sinks for attributes
Use Cases
Credentialing in a Classified Environment
Unclassified Access - PIN #1, Proximity, Contactless
• Unclassified Physical Access
• Unclassified Logical Access via Unclassified PKI Certificate
Classified Access - PIN #2 + Biometric (Iris or Fingerprint)
• Classified Logical Access via Classified PKI Certificate
Benefits
• Maintains unclassified physical topology for privacy
• PIV interoperability in unclassified environments
• Single credential to track and support
• Allows for multi-factor classified access
• No direct link between identities if card compromised
• Maintains separate PKI certificate revocation status
[Figure: PIV-style card with customized chip firmware & middleware – Affiliation: Employee; Agency/Department: Agency Name; Expires: 2015JAN31; contact chip; Lastname, Firstname, MI.; United States Government]
Use Cases
Amtrak Enhanced Employee ID (EID)
[Figure: Amtrak Enhanced Employee ID, front and back – Affiliation: Employee; Agency/Department: National Railroad Passenger Corporation (AMTRAK); Expires: 2015JAN31; contact chip; Lastname, Firstname, MI.; back of card carries return-if-found instructions (P.O. Box 2597, Washington, DC 20013) and the AMTRAK Police number 1-800-331-0008 for reporting a crime or suspicious activity]
• Problem: Need a modern credential to replace legacy
• PIV Card or TWIC?
• Why choose PIV? Need compatibility
• PIV Card, PIV-I, PIV-C, what are the differences?
• Design considerations for security and roles
• Non-Federal Credential Decisions
• Form factor
• Multi-factor authentication
• Mobile devices
Use Cases
Enterprise Physical Access Control Systems (ePACS)
[Figure: Enterprise Physical Access Control Systems (ePACS) – Enterprise Systems (PIV System / Non-PII Store, Credential Management System, Active Directory, Enterprise SAFE identity data) feed Enterprise PACS Management, which holds a Data Cache & Reconciliation function and distributes 1:N to Facility PACS Servers; each Local Facility runs a Facility PACS Server (Virtualized), an optional Local SAFE PACS Head-End with Local Facility Data, Local Enrollment Console(s), a Validation Authority, PIV / PIV-I Readers and Door & Panel Hardware over RS-485, with an optional Personnel Dashboard and links to Other Facility PACS]
NOTES:
• Local SAFE (Optional) – Allows for future connectivity to an enterprise version of SAFE to be streamlined
• Top PACS Server – A “reference” build can be established for new sites to allow for quick deployment and integration
• Data Cache and Reconciliation – Allows for authoritative data to be provided for PACS
• Enterprise SAFE – Allows for Facility PACS to stay local, but leverage Enterprise data

 
Finance strategies for adaptation. Presentation for CANCC
Finance strategies for adaptation. Presentation for CANCCFinance strategies for adaptation. Presentation for CANCC
Finance strategies for adaptation. Presentation for CANCC
 
celebrity 💋 Agra Escorts Just Dail 8250092165 service available anytime 24 hour
celebrity 💋 Agra Escorts Just Dail 8250092165 service available anytime 24 hourcelebrity 💋 Agra Escorts Just Dail 8250092165 service available anytime 24 hour
celebrity 💋 Agra Escorts Just Dail 8250092165 service available anytime 24 hour
 
Election 2024 Presiding Duty Keypoints_01.pdf
Election 2024 Presiding Duty Keypoints_01.pdfElection 2024 Presiding Duty Keypoints_01.pdf
Election 2024 Presiding Duty Keypoints_01.pdf
 
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Junnar ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Junnar ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
Chakan ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Chakan ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Chakan ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Chakan ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
PPT BIJNOR COUNTING Counting of Votes on ETPBs (FOR SERVICE ELECTORS
PPT BIJNOR COUNTING Counting of Votes on ETPBs (FOR SERVICE ELECTORSPPT BIJNOR COUNTING Counting of Votes on ETPBs (FOR SERVICE ELECTORS
PPT BIJNOR COUNTING Counting of Votes on ETPBs (FOR SERVICE ELECTORS
 
The Economic and Organised Crime Office (EOCO) has been advised by the Office...
The Economic and Organised Crime Office (EOCO) has been advised by the Office...The Economic and Organised Crime Office (EOCO) has been advised by the Office...
The Economic and Organised Crime Office (EOCO) has been advised by the Office...
 
TEST BANK For Essentials of Negotiation, 7th Edition by Roy Lewicki, Bruce Ba...
TEST BANK For Essentials of Negotiation, 7th Edition by Roy Lewicki, Bruce Ba...TEST BANK For Essentials of Negotiation, 7th Edition by Roy Lewicki, Bruce Ba...
TEST BANK For Essentials of Negotiation, 7th Edition by Roy Lewicki, Bruce Ba...
 
best call girls in Pune - 450+ Call Girl Cash Payment 8005736733 Neha Thakur
best call girls in Pune - 450+ Call Girl Cash Payment 8005736733 Neha Thakurbest call girls in Pune - 450+ Call Girl Cash Payment 8005736733 Neha Thakur
best call girls in Pune - 450+ Call Girl Cash Payment 8005736733 Neha Thakur
 
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k  Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...Night 7k to 12k  Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
Night 7k to 12k Call Girls Service In Navi Mumbai 👉 BOOK NOW 9833363713 👈 ♀️...
 
2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar
 
The NAP process & South-South peer learning
The NAP process & South-South peer learningThe NAP process & South-South peer learning
The NAP process & South-South peer learning
 

Lessons Learned from Federal ICAM - User Group

  • 1. Lessons Learned from Federal ICAM
    Applications of Identity, Credentialing, and Access Management
    Joel Rader, CISSP – Solutions Architect
  • 2. Agenda
    • Introductions
      – Myself, and your interests as an interactive audience
    • Federal History with ICAM
      – How we arrived at today
    • Enterprise Support
      – Identity as a Cornerstone
    • Use Cases
      – Problems, Solutions, Lessons Learned
  • 3. Introductions – Joel Rader
    • 10 Years in Military and Federal Consulting
      – Enterprise Architecture: Focus on identity management
      – PIV/CAC Credentials: Logical and physical access
        • Biometrics (fingerprint, iris)
      – Federation: Sharing of information among trusted partners
      – Radiant Logic: Why I’m Here
    [Image: sample PIV card front – Affiliation: Employee; Agency/Department: Agency Name; Expires 2015JAN31; Contact Chip; Lastname, Firstname, MI.; JAN2015; United States Government]
  • 4. Introductions – Audience Questions
    • What Applications of ICAM Interest You?
      – Enterprise Architecture? Fundamentals?
      – Smart Cards, compatibility with other organizations?
        • Other credentials?
      – Physical and Logical Access Convergence?
      – Federation and Data Exchange?
      – Interaction with Federal/State Government, Military?
      – Federal Policy? Difficulties in Practical Implementation?
      – How RadiantOne Can Enable Your Success?
      – Internet of Things?
  • 5. Federal History with ICAM – HSPD-12 & OMB M-11-11
    • HSPD-12
      – Released in August 2004, describes need for common identification standard
      – Leads to development of FIPS-201 (‘05) & PIV Card
      – Defines common credentialing standard for Federal Employees & Contractors
    • OMB M-11-11
      – Released in February 2011, requires PIV usage for physical and logical access
      – Agencies must accept and electronically verify other agency PIV credentials
      – Standardization as a way to reduce costs and leverage buying power
  • 6. Federal History with ICAM – FICAM Highlights
    • FICAM Roadmap and Implementation Guidance
      – Version 1.0 released in November 2009, Version 2.0 in December 2011
      – Describes a Segment Architecture, Use Cases, and Implementation Guidance
      – Drives the development and implementation of interoperable solutions
      – Builds out a Transition Roadmap and Implementation Guidance
      – Goes beyond just using a standard credential, presents a high-level vision for the government
      – NIST 800 series for guidelines, recommendations, and reference materials
    Key Takeaway (FICAM Roadmap): “ICAM efforts within the Federal Government are a key enabler for addressing the nation’s cybersecurity need.”
  • 7. Federal History with ICAM – So Where Are We Today?
    • Credential issuance is generally well understood
    • Varying levels of implementation progress
    • Guidance from HSPD-12, OMB M-11-11, FICAM, others
    • Significant educational progress across industry
    But… we’re not at an ideal state. Why?
  • 8. Federal History with ICAM – Challenges in Actual Implementation
    • Many choices in vendor solutions, architecture designs, etc.
    • Significant roadblocks in legacy system integration
    • Every organization has unique population demographics
    • Cybersecurity failings are a constant distraction
      – OMB data breach (20+M records) and cyber “sprints”
    • Disconnect between theory and reality
      – Pretty pictures and architecture models aren’t actually helpful
      – Enterprise architects need to tell you how at a finite level
      – That said, DoDAF (Department of Defense Architecture Framework) is a good documentation model to emulate
  • 9. Identity as a Cornerstone – What Happened to the “I” in ICAM?
    • PIV is a credential, not an identity
    • Identity should be the primary focus for an organization
    • Necessary to have high-level support, from both technology and policy
    • You have to build a proper foundation first
    Key Takeaway: Identity is the cornerstone of an organization’s ICAM infrastructure
    [Diagram: Identity Management System components – Notification & Reporting; Performance Metric Analysis; Policy & Process Management; Authoritative Attribute Exchange; Identity Record Database; Data Segmentation]
  • 10. Identity as a Cornerstone – Building a Digital Identity Record
    • Context
      – Must be useful, relevant, trustworthy
      – Must uniquely identify a subject within a given context
    • Consistent
      – Must be able to be referenced uniformly across applications
      – Where unique identifiers are not supported, mappings must be established
    • High Assurance
      – Trust that a Digital Identity represents an Identity
      – Requires Identity Proofing, Vetting, and Adjudication
  • 11. Identity as a Cornerstone – What a Digital Identity Record Looks Like
    • Building a Digital Identity Record
      – Generating unique identifiers (RFC 4122, UUID)
        • Add in credentialing and organization data blocks
      – Biographic, Biometric, and Application
    • Storing Identity Records
      – Authoritative Identity Service
      – Federation Support
      – Data Sharing
      – Policy, Payload, and Protocol
    [Diagram: Digital Identity Record assembled from Adjudication Results (Clearance, Criminal); Human Resources Attributes (Sponsor, Name, Address, Hire Date, Position, Medical, Compensation, Dependents, Status); Personal Identity Verification (PIV) Credential Attributes (Unique Identifier/UUID, Agency, Issue Date, FASC-N, Expiration Date); Active Directory Attributes (Full Name); Application #1 Attributes (User ID, Role, Title, Email, Company, Department, Office, City)]
  • 12. Identity as a Cornerstone – What a Digital Identity Record Looks Like
    • Key Areas
      – Onboarding/Offboarding Processes
      – Authoritative Sources of Data
      – Application Usage
      – Auditing/Reporting
    • Policy, Payload, and Protocol
      – Why we’re sharing
      – What we’re sharing
      – How we’re sharing
    • Designed for Department of State
    [Diagram: Authoritative Identity Service data flows – Human Resources (HR) Information and Federal Background Investigation Systems feed the Identity Management System (IDMS) and Universally Unique Identifier Database (UUID), which creates Digital Identity Records at on-boarding; Active Directory, Application #1, #2 and #3 (Phases 2 & 3) and External Sources send and receive attributes over Data Transfer Standards (XML, SOAP, REST, TLS, SAML 2.0, etc.) under a Policy (Purpose, Owners, Legal, Data) and Data Connection & Exchange Details; Auditing and Reporting produces Credential, Access and Hiring Reports and Accounts and Privileges; Phase 2 adds CONUS Employee or Contractor, Phase 3 adds OCONUS and External Users]
  • 13. Identity as a Cornerstone – What a Digital Identity Record Looks Like
    • Building Digital Identity Record
    • Attribute Discovery
    • Data Exchanges
    • Applications can be both sources and sinks for attributes
    [Diagram: Digital Identity Record with Adjudication Results (Clearance, Criminal Background); Human Resources Attributes (Sponsor, Name, Address, Hire Date, Position, Medical, Compensation, Dependents, Clearance); PIV Credential Attributes (UUID, Cardholder Unique Identifier (CHUID), Issue Date, FASC-N, Expiration Date); PKI Attributes (Issue Date, Expiration Date, Certificate); Active Directory Attributes (Display Name); Application #2 Attributes (User ID, Role, Title, Email, Company, Department, Office, City); Future Application #1/#2 Attributes (Phase 2 & 3). Sources and sinks: Human Resources (HR) Information, Federal Background Investigation Systems, Identity Management System (IDMS), Unique Identifier Generation System, Public Key Infrastructure (PKI) Issuance System, Active Directory, Global Address List (GAL), Application #1/#2; data exchanged by Data Pull and Data Push with Attribute Discovery; Auditing and Reporting produces Hiring Report, Credential Report, Accounts and Privileges, Standardization Report]
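The record-building properties from slides 10–13 (a context-unique RFC 4122 UUID as the key, mappings so applications that lack a shared identifier still reach the same record, and no record without a completed adjudication), as an added example that is not part of the deck; the source systems, attribute values and the FASC-N-style identifier are constructed sample data, and the credential-status logic is an assumed illustration of "PIV is a credential, not an identity":

```python
import uuid

# Constructed sample data standing in for authoritative sources. Each system
# keys its data block by its own native identifier, so a mapping to the UUID
# must be established rather than assumed.
HR_SOURCE = {"EMP-00123": {"name": "Lastname, Firstname", "hire_date": "2012-03-01",
                           "position": "Analyst"}}
PIV_SOURCE = {"FASCN-SAMPLE-0001": {"agency": "Agency Name", "issue_date": "2015-01-31",
                                    "expiration_date": "2020-01-31"}}
AD_SOURCE = {"flastname": {"display_name": "Firstname Lastname",
                           "email": "flastname@example.gov"}}


class AuthoritativeIdentityService:
    """Digital Identity Records keyed by RFC 4122 UUID, plus the
    (system, native id) -> UUID mappings that keep references consistent."""

    def __init__(self):
        self.records = {}  # uuid -> record
        self.index = {}    # (system, native_id) -> uuid

    def create_record(self, adjudication, hr_id, piv_id=None, ad_id=None):
        # High assurance: no record until proofing/vetting has been adjudicated
        if adjudication != "favorable":
            raise ValueError("identity proofing and adjudication not complete")
        rid = str(uuid.uuid4())  # unique within this enterprise context
        record = {"uuid": rid, "adjudication": adjudication,
                  "attributes": {}, "credentials": {}}
        self._link(record, "hr", hr_id, HR_SOURCE)
        if ad_id is not None:
            self._link(record, "active_directory", ad_id, AD_SOURCE)
        if piv_id is not None:
            self._link(record, "piv", piv_id, PIV_SOURCE)
            # The PIV is a credential bound to the identity, not the identity
            record["credentials"]["piv"] = {"native_id": piv_id, "status": "active"}
        self.records[rid] = record
        return rid

    def _link(self, record, system, native_id, source):
        record["attributes"][system] = dict(source[native_id])  # copy data block
        self.index[(system, native_id)] = record["uuid"]        # establish mapping

    def resolve(self, system, native_id):
        """Any application reaches the record through its own identifier."""
        return self.index.get((system, native_id))

    def piv_status(self, rid, as_of):
        """Status of the PIV as of an ISO date string (ISO dates compare as
        strings); expiry or revocation never removes the identity record."""
        cred = self.records[rid]["credentials"].get("piv")
        if cred is None or cred["status"] != "active":
            return "none" if cred is None else cred["status"]
        expires = self.records[rid]["attributes"]["piv"]["expiration_date"]
        return "active" if as_of <= expires else "expired"

    def revoke_piv(self, rid):
        self.records[rid]["credentials"]["piv"]["status"] = "revoked"
```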
  • 14. Use Cases – Credentialing in a Classified Environment
    Unclassified Access – PIN #1, Proximity, Contactless
    • Unclassified Physical Access
    • Unclassified Logical Access via Unclassified PKI Certificate
    Classified Access – PIN #2 + Biometric (Iris or Fingerprint)
    • Classified Logical Access via Classified PKI Certificate
    Benefits
      – Maintains unclassified physical topology for privacy
      – PIV interoperability in unclassified environments
      – Single credential to track and support
      – Allows for multi-factor classified access
      – No direct link between identities if card compromised
      – Maintains separate PKI certificate revocation status
    [Image: sample PIV card front (Affiliation: Employee; Agency/Department: Agency Name; Expires 2015JAN31; Contact Chip; United States Government), callout: Customized chip firmware & middleware]
  • 15. Use Cases – Amtrak Enhanced Employee ID (EID)
    • Problem: Need a modern credential to replace legacy
    • PIV Card or TWIC?
    • Why choose PIV? Need compatibility
    • PIV Card, PIV-I, PIV-C, what are the differences?
    • Design considerations for security and roles
    • Non-Federal Credential Decisions
      • Form factor
      • Multi-factor authentication
      • Mobile devices
    [Image: Amtrak EID card front (Affiliation: Employee; Agency/Department: National Railway Passenger Corporation; Expires 2015JAN31; Contact Chip) and back (Back of Contact Chip; return-by-mail instructions to National Railroad Passenger Corporation (AMTRAK), P.O. Box 2597, Washington, DC 20013; “To report a crime or suspicious activity, call the AMTRAK Police at 1-800-331-0008”)]
  • 16. Use Cases – Enterprise Physical Access Control Systems (ePACS)
    [Diagram: ENTERPRISE SYSTEMS (Identity Data, Active Directory, PIV System / Non-PII Store, Credential Management System) feed ENTERPRISE PACS MANAGEMENT (Data Cache & Reconciliation, Enterprise SAFE, Validation Authority, Personnel Dashboard *optional); a Single PACS Facility runs a Facility PACS Server (Virtualized) with Local SAFE *optional, Local Facility Data, PACS Head-End, Local Enrollment Console(s), 1:N PIV / PIV-I Readers and Door & Panel Hardware over RS-485; Other Facility PACS connect to the enterprise]
    NOTES:
      – Local SAFE (Optional) – Allows for future connectivity to an enterprise version of SAFE to be streamlined
      – Top PACS Server – A “reference” build can be established for new sites to allow for quick deployment and integration
    NOTES:
      – Data Cache and Reconciliation – Allows for authoritative data to be provided for PACS
      – Enterprise SAFE – Allows for Facility PACS to stay local, but leverage Enterprise data