Managing PIV Card Lifecycle and Converging Physical & Logical Access Control



  1. Managing PIV Life-cycle & Converging Physical & Logical Access Control
     Ramesh Nagappan, Sun Microsystems
     Smart cards in Government Conference, Oct 23, 2008, Ronald Reagan International Center, Washington DC
  2. Setting Expectations: What you can take away!
     • Explore the Personal Identity Verification (PIV) life-cycle and its pre- and post-issuance deployment challenges.
     • Architectural characteristics of managing the PIV life-cycle and converging Physical and Logical Access Control Systems.
     • Role and relevance of adopting an Identity Management Solution (IDMS) for delivering and managing an end-to-end PIV lifecycle.
  3. Personal Identity Verification (PIV)
     • Personal Identity Verification has become a fiduciary responsibility of many national governments.
       > Adopting common credentials with verified identity enables a secure and reliable form of personal identification.
     • A host of PIV standards initiatives and regulatory mandates are currently being adopted on a national/global basis:
       > US Homeland Security Presidential Directive (HSPD-12, 2004)
       > UK Identity Cards Act (2006)
       > French INES (Identité Nationale Electronique Sécurisée)
       > ICAO 9303 ePassport / eID
       > EU Citizen Card, EU EAC (EC 2252/2004)
       > Belgian eID, Finnish eID, Taiwan eID, India ePassport and several others (in progress).
  5. PIV Card Issuance and Management
     (Figure: FIPS-201 defined PIV Card Issuance and Management. Source: FIPS 201-1.)
  6. The PIV Life-cycle: PIV Identity Management Activities (from registration until retirement)
     (Figure: lifecycle stages)
     • Identity Registration
     • Identity Enrolment & Adjudication
     • PIV Credential Issuance
     • PIV Physical & Logical Access Control
     • PIV Credential Maintenance
     • PIV Credential Termination
  7. The PIV Ecosystem: Core technology components of a PIV Lifecycle
     (Figure: components surrounding the Identity Management Solution, with Enroll / Change / Terminate flows)
     • Demographic Data / Documents and Biometric samples (enrollment inputs)
     • Identity Proofing & Adjudication
     • Identity Management Solution (centre)
     • Credentials Issuance (Smartcard / PKI / Biometrics)
     • Public-Key Infrastructure
     • Physical / Logical Access Control Systems
     • Security Event Monitoring
  8. PIV Card Credentials: FIPS-201 Mandatory and Optional On-Card Credentials
     Mandatory Credentials
     • PIN (Personal Identification Number)
     • Cardholder Unique Identifier (CHUID)
     • PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)
     • Two biometric fingerprints (CBEFF)
     Optional Credentials
     • An asymmetric key pair and corresponding certificate for digital signatures
     • An asymmetric key pair and corresponding certificate for key management
     • Asymmetric or symmetric card authentication keys for supporting additional physical access applications
     • Symmetric key(s) associated with the card management system
     Source: GSA USAccess
  9. PIV Lifecycle: Known Challenges. Understanding Real-world Pain Points
     • Defining an authoritative source for managing and maintaining the PIV information life-cycle.
       > Silos of point solutions and repositories: Biometric/Enroll middleware, CMS, PACS, LACS, SIEM, IAM and more!
       > No single administration console for management.
       > Too many PIV life-cycle events and operations, from identity registration through retirement!
     • Establishing administrative controls, authorization workflows and authority approvals/denials for lifecycle operations.
       > Managing and maintaining authorization workflow, approval/denial actions and notification.
       > Enforcing segregation of duties (separation of powers).
       > Enforcement of access control policies, Role-based Access Control (RBAC) and procedures (e.g. emergency access/exit).
  10. PIV Lifecycle: Known Challenges (continued). Understanding Real-world Pain Points
     • Provisioning and de-provisioning complexities with disparate PIV/FIPS-201 solutions and downstream applications.
       > Initiating instantaneous provisioning and de-provisioning of PIV enrollment data and its changes to support identity lifecycle events, from identity registration through termination.
       > Detecting and thwarting dormant/back-door user account creation/modification and circumvention of controls.
     • Managing changes and re-verification/re-enrollment issues related to profiles, roles, privileges and policies.
       > Identity attribute changes and their propagation to heterogeneous PIV-based applications.
       > Supporting re-verification and re-enrollment requirements related to lifecycle events and attribute changes.
       > Certifying and attesting changes to roles and access privileges.
  11. Converging Physical/Logical Access: Known Challenges
     • Enabling PIV credentials to authenticate to disparate Physical Access Control Systems (PACS) and Logical Access Control Systems (LACS).
       > Using PIV credentials such as CHUID, PIN, PKI certificates and biometrics for authentication.
       > Using PIV-credential-based digitally signed approvals or denials for authorization workflow, and maintaining tamper-proof logs/records of authorization information.
       > Enabling PIV-credential-based Single Sign-on (SSO) to IT applications and desktops, and extending SSO to participate in federation (eAuthentication scenarios).
       > Integration and extensibility limitations and maintenance issues are common due to the proprietary nature of PACS interfaces.
  12. Converging Physical/Logical Access: Known Challenges (continued)
     • Initiating and managing the authentication process using PIV credentials.
       > PKI certificate validation via OCSP or CRL distribution points of the PKI Shared Service Provider (SSP).
       > Enabling PACS authentication using CHUID/PKI/PIN credentials (based on contact, contactless or hybrid readers).
       > On-card / off-card biometric authentication using biometric authentication middleware.
     • Managing requests and reporting the status of scenarios such as forgotten PIN, temporary card requests and lost PIV card.
       > Managing and reporting the status of lost/forgotten card requests and approvals, certificate revocation, key escrow and recovery operations.
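As an added example (not code from the slides), the structural checks a PACS or LACS reader should apply to the CHUID credential from slide 8 before relying on it: parse the BER-TLV data object, confirm the mandatory elements are present and reject an expired card. The tag values follow NIST SP 800-73, which the deck does not spell out, so they are an assumption here; verifying the issuer signature against the PKI SSP is left out of this block.

```python
# Added example, not from the slides: CHUID structural checks as a reader would apply them.
# BER-TLV tags assumed from NIST SP 800-73; issuer-signature verification is not performed here.
from datetime import date

MANDATORY = {0x30: "FASC-N", 0x34: "GUID", 0x35: "Expiration Date", 0x3E: "Issuer Signature"}


def parse_tlv(buf: bytes) -> dict:
    """Split single-byte-tag BER-TLV elements into {tag: value}; reject truncated input."""
    out, i = {}, 0
    while i < len(buf):
        if i + 1 >= len(buf):
            raise ValueError("truncated tag/length")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                        # long form: 0x81 nn or 0x82 nn nn
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError(f"element 0x{tag:02X} runs past end of CHUID")
        out[tag], i = buf[i:i + length], i + length
    return out


def check_chuid(chuid: bytes, today: date) -> dict:
    """Return the fields a reader needs plus whether the card has expired on `today`."""
    elems = parse_tlv(chuid)
    missing = [name for tag, name in MANDATORY.items() if tag not in elems]
    if missing:
        raise ValueError("CHUID missing mandatory elements: " + ", ".join(missing))
    exp = elems[0x35].decode("ascii")            # YYYYMMDD
    expires = date(int(exp[:4]), int(exp[4:6]), int(exp[6:8]))
    return {"fasc_n": elems[0x30].hex(), "guid": elems[0x34].hex(),
            "expires": expires, "expired": expires < today,
            "signature_bytes": len(elems[0x3E])}


# Constructed sample (not a real card): 25-byte FASC-N, 16-byte GUID, expiry 2010-12-31,
# a 130-byte dummy signature using a long-form length, and the zero-length LRC element (0xFE).
SAMPLE_CHUID = (bytes([0x30, 25]) + bytes(range(25))
                + bytes([0x34, 16]) + bytes(16)
                + bytes([0x35, 8]) + b"20101231"
                + bytes([0x3E, 0x81, 130]) + bytes(130)
                + bytes([0xFE, 0]))
```

A CHUID read without checking the issuer signature only tells the reader which card it is, so a PACS should combine this check with signature validation or a PIN/PKI challenge before granting access.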
  13. Logical PIV Architecture Solution: Putting it all together
     (Figure: three service layers)
     Identity Enrollment and Adjudication Services
     • Identity Registration / PIV Request with Sponsor approval
     • Demographic and document data; Biometric samples
     • Identity Proofing / Enrollment Adjudication
     • Credentials
     Identity Life-cycle Management Services
     • Smartcard Issuance / Credential Management
     • Provisioning / De-provisioning
     • User/Role Change Management
     • Authorization Workflow with Signed Approvals
     • Auditing, Logging and Compliance Management
     Physical and Logical Access Control Services
     • IT Applications: Single Sign-on / Federation, eAuthentication
     • PKI / Biometric Authentication, Public Key Infrastructure
     • Physical Access Control Systems
  14. PIV Authorization Workflow
     (Figure: each step is gated by an Approval/Denial from the HR Manager, Hiring Manager or Enrollment Officer)
     Applicant → Breeder Documents → Identity Proofing & Registration → Biometrics Enrollment → Adjudication → Card Issuance & Activation → Physical & Logical Access → Credential Maintenance → Retirement / Termination
     • The IDMS manages the authorization workflow and authority approvals and denials.
       > Digitally signed approvals using PIV card credentials, verified against a PKI provider.
     • The IDMS facilitates workflow-driven provisioning and de-provisioning of PIV information and credentials to PIV/FIPS-201 mandated resources.
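The workflow above, together with the segregation-of-duties and de-provisioning requirements from slides 9 and 10, as an added example that is not part of the deck: a minimal IDMS-style lifecycle engine in which each stage transition needs an approval from a named role, no person can approve a case they applied for or sponsored or act in two roles on one case, activation provisions the identity to the target systems and termination removes it everywhere. The role-to-stage mapping and the target names (PACS, LACS, Directory) are assumed for illustration, and approvals are recorded rather than digitally signed.

```python
# Added example, not from the slides: role-gated PIV lifecycle workflow with SoD and de-provisioning.
from dataclasses import dataclass, field

# Stages in the order of the deck's workflow; role mapping and targets are assumed for illustration.
STAGES = ["registered", "enrolled", "adjudicated", "issued", "active", "terminated"]
APPROVER_ROLE = {"enrolled": "enrollment_officer", "adjudicated": "hr_manager",
                 "issued": "enrollment_officer", "active": "hiring_manager",
                 "terminated": "hr_manager"}
TARGETS = {"PACS", "LACS", "Directory"}


@dataclass
class PivCase:
    applicant: str
    sponsor: str
    stage: str = "registered"
    approvals: list = field(default_factory=list)   # audit trail: (stage, approver, role)
    provisioned: set = field(default_factory=set)   # target systems currently holding the identity


def approve(case: PivCase, approver: str, role: str, next_stage: str) -> str:
    """Advance the case one stage on a valid approval, or refuse with an exception."""
    if case.stage == "terminated":
        raise ValueError("case already terminated")
    # Termination may be requested from any stage (lost card, separation); other moves follow the order.
    if next_stage != "terminated" and next_stage != STAGES[STAGES.index(case.stage) + 1]:
        raise ValueError(f"cannot move from {case.stage} to {next_stage}")
    if APPROVER_ROLE[next_stage] != role:
        raise PermissionError(f"{next_stage} requires role {APPROVER_ROLE[next_stage]}")
    # Segregation of duties: no self-approval, and one person may not hold two approval roles on a case.
    if approver in (case.applicant, case.sponsor):
        raise PermissionError("SoD: applicant or sponsor cannot approve their own case")
    if any(a == approver and r != role for _, a, r in case.approvals):
        raise PermissionError("SoD: same person acting in two roles")
    case.approvals.append((next_stage, approver, role))
    case.stage = next_stage
    if next_stage == "active":
        case.provisioned |= TARGETS          # provision to PACS/LACS/directory once the card is live
    elif next_stage == "terminated":
        case.provisioned.clear()             # immediate de-provisioning from every target
    return case.stage


def run_happy_path() -> PivCase:
    """Constructed walk-through: enrol, adjudicate, issue and activate one applicant."""
    case = PivCase(applicant="applicant01", sponsor="sponsor01")
    approve(case, "eo_smith", "enrollment_officer", "enrolled")
    approve(case, "hr_jones", "hr_manager", "adjudicated")
    approve(case, "eo_smith", "enrollment_officer", "issued")
    approve(case, "mgr_lee", "hiring_manager", "active")
    return case
```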
  15. Choosing an IDMS: IDMS Requirements for managing the PIV lifecycle
     • Automated provisioning, de-provisioning and synchronization services.
       > Automated operations for creation, maintenance and termination of identity profile(s) and their access privileges.
       > Integration and interoperability with FIPS-201 compliant biometric middleware, document verification, CMS, PACS, IAM and other supporting IT applications.
       > Instantaneous provisioning/de-provisioning and synchronization of user profile attributes, PIV credentials (PIN/PKI/Biometrics), roles, status/attribute changes, access privileges, rules and policies to/from target resources.
     • Automated authorization and approval/denial workflows and notifications.
       > Workflow-driven provisioning/de-provisioning/change requests, approvals/denials, notifications and escalations.
       > PIV-credential-based digitally signed approvals and denials.
  16. Choosing an IDMS (continued): Core IDMS Requirements for managing the PIV lifecycle
     • Role engineering and management.
       > Establish internal controls for enforcing "segregation of duties" and "least privilege" (e.g. FISMA compliance).
     • Auditing, access certification and compliance reporting.
       > Who has access? Who accessed it?
       > What went wrong? Who authorized it? When did it happen?
       > Periodic access review (attestation and recertification).
       > Detect and report potential violations.
       > Integration with Security Information and Event Monitoring (SIEM).
     • Single administration console and dashboard for all PIV user profile information and the status of requests/operations across all target resources.
     • Self-service user administration and delegated administration.
     • Message- and transport-level security (FIPS-140 mode).
  17. Industry Standards: Contributing standards for managing PIV and convergence of P/LACS
     • OASIS SPML 2.0 - Service Provisioning Markup Language.
       > XML protocol for identity provisioning and de-provisioning.
     • OASIS SAML 2.0 - Security Assertions Markup Language.
       > XML protocol for representing authentication and authorization assertions.
     • OASIS XACML 2.0 - eXtensible Access Control Markup Language.
       > XML protocol for representing access control policies.
     • Liberty Alliance Standards (ID-*).
       > Open standards for representing identity federation across networks.
     • OASIS WS-Security and WS-* standards for securing XML Web Services.
     • Finally, FIPS-201 and its related special publications.
  18. PIV Solution from Sun and ISV Partners: Pre-Integrated, Pre-Verified and Pre-Tested for PIV Deployment
     (Figure: partner products arranged around the Sun Identity Management Suite)
     Identity Enrollment & Adjudication
     • Aware BioSP
     • CrossMatch
     • Secugen
     Smartcard Issuance and Management
     • ActivIdentity CMS
     • Bell-ID ANDiS
     Public-key Infrastructure SSP
     • Entrust
     • Cybertrust
     • Verisign
     • Exostar
     Security Information & Event Monitoring (SIEM)
     • ArcSight
     • LogLogic
     Physical & Logical Access Control
     • Quantum Secure SAFE
     • Aware BioSP
     • BioBex
     • ActivIdentity ESSO
  19. Thank You
     Ramesh Nagappan, Sun Microsystems
     Smart cards in Government Conference, Oct 23, 2008, Ronald Reagan International Center, Washington DC