Identity management will be crucial for FirstNet to enable authentication of first responders across new applications and interoperability between agencies. A coordinated approach is needed to avoid inconvenience, security risks, and obstacles to interoperability from independent solutions. Standards-based identity management following guiding principles like single sign-on, usability, flexibility and security could provide a foundational identity layer. Developing a trust framework through stakeholder engagement would help define requirements to deliver a scalable and interoperable solution.
Identity Management for FirstNet
Agenda
• What is Identity Management and why does it matter?
• How does it apply to Public Safety and FirstNet?
• What IdM standards exist in the government today?
• Recommended next steps …
Introduction
• Background
– Broadband is ushering in a new era of applications for first responders
• At 4:54 pm ET on Wednesday May 15th, someone downloaded the 50 billionth app from Apple's online App Store
– Each application will want to authenticate the responder
– Each application will want to provision the responder
– Risk associated with each solution solving this independently
– A coordinated and cohesive approach to identifying users is needed
• Identity Management solved independently =
– overall solution complexity +
– inconvenience to both the administrator and the end-user +
– weakened security +
– obstacle to interoperability
There is a fundamental need for an Identity Layer in FirstNet
The Need for Identity
Identity 1.0 is broken
Siloed approach is an obstruction to usability & interoperability
- Responder must enter (often different) credentials for every application (again, again, and again)
- Credentials required on every resource server first responder needs to access (not scalable, not dynamic)
Passwords have failed to protect us
- 5 of 6 attacks on the Internet caused by password breaches
Identity 2.0 is needed
Deperimeterization driven by mobile and cloud has caused disruption
- Access to data can no longer depend on traditional security controls
- User must be able to access data and resources from anyplace – stored anyplace – from any device
- Identity is the new perimeter
Separation of Identity Provider (the one that provides your credentials and authenticates you) and Service Provider (the one that provides you with service) enables:
- SSO
- Strong authentication
- Interoperable Identity
- Scalable trust
- Centralized authentication, distributed authorization
*** Alignment with government initiatives and deployments: FICAM, GFIPM, NSTIC ***
Terminology
• Roles
– Resource Owner
• The one that owns the resource or service being requested
– Resource Requestor
• The person (or machine) that is requesting access to the resource or service
• Authentication
– The act of the requestor proving their identity to the resource owner at some Level of Assurance (LOA)
• Authorization
– The resource owner – after having some level of assurance that the requestor is who they claim to be – determining what resources the requestor is able to access
Real-Life Identity (1)
[Diagram: Bob proves his identity to the State DMV and receives a credential]
Identify: “Hi, I’m Bob.”
Authenticate: “Prove it.”
(presentation of credentials: birth certificate, utility bill with name + address)
State DMV: “I have authenticated you, Bob. Here is a token asserting my authentication of you, as well as some attributes of you.” (the “Bob” credential)
Obvious Advantages of Real-Life Identity
• Relying parties (airport security, insurance agent, library, other states) do not need a complex authentication process
– They consume identity as asserted by the DMV and make authorization decisions
• Our identity federates to other states (issued by State of Illinois, trusted by State of Texas)
• Our identity can be used to obtain higher identity (e.g. passport)
• Our identity carries attributes that can help the service provider / relying party make authorization decisions
– Old enough to buy alcohol?
– Registered in this state?
– Certified to drive an 18-wheeler?
– No-fly list?
• DMV can move to strong authentication in the future (biometric) without requiring changes to the relying parties
Public Safety Identity (1)
[Diagram: an IdM function backed by Active Directory authenticates a responder and issues a signed token]
Identify: “Hi, I’m Officer Bob.”
Authenticate: “Prove it.”
(presentation of credentials: biometric, password, or public-private key pair)
IdM function: “I have authenticated you, Bob. Here is a token asserting my authentication of you, as well as some attributes of you.”
Token contents:
- Name: Officer Bob
- Agency: Schaumburg Police Department
- Role: Sergeant
- Languages: English, Spanish, Russian
- Qualifications: Firearms, CPR
- Contact-mobile: 847-555-1234
- Contact-email: bob@schaumburgPD.gov
- User Authentication: RSA 2-factor
- Signed by: Village of Schaumburg IdM
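Worked example, added here and not part of the original deck: the separation of Identity Provider and Service Provider described under Identity 2.0, carried through with the token from the Public Safety Identity slide. The IdP authenticates Officer Bob and issues a signed assertion of identity, attributes and Level of Assurance; a Service Provider verifies signature, issuer and expiry before making its own authorization decision. The signing key, issuer string, claim names and LOA values are assumptions, and a shared HMAC secret stands in for the IdM's signature so the code runs on the Python standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the IdM's signing key. A real IdP signs with a private
# key and relying parties verify with its published public key; a shared HMAC
# secret is used here only so the example runs on the standard library.
IDM_KEY = b"village-of-schaumburg-idm-demo-key"
IDM_ISSUER = "Village of Schaumburg IdM"

# Attributes from the slide, as the IdP holds them after identity proofing.
OFFICER_BOB = {
    "name": "Officer Bob", "agency": "Schaumburg Police Department",
    "role": "Sergeant", "languages": ["English", "Spanish", "Russian"],
    "qualifications": ["Firearms", "CPR"], "contact_email": "bob@schaumburgPD.gov",
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(attributes, auth_method, loa, ttl=300, now=None):
    # IdP side: after authenticating the requestor, assert identity, attributes
    # and the Level of Assurance reached (LOA numbering as in NIST SP 800-63).
    now = int(time.time()) if now is None else now
    claims = dict(attributes, issuer=IDM_ISSUER, auth_method=auth_method,
                  loa=loa, issued=now, expires=now + ttl)
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDM_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_token(token, now=None):
    # SP side: check signature, issuer and expiry before trusting any attribute.
    body, sig = token.split(".")
    expected = hmac.new(IDM_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("signature does not verify: altered or not from the IdM")
    claims = json.loads(_unb64(body))
    if claims.get("issuer") != IDM_ISSUER:
        raise ValueError("issuer is not in the trust framework")
    now = int(time.time()) if now is None else now
    if now >= claims["expires"]:
        raise ValueError("assertion has expired")
    return claims

def authorize(claims, needed_qualification, min_loa=3):
    # Distributed authorization: each SP applies its own rule to the asserted
    # attributes, here a required qualification plus a multi-factor LOA.
    return claims["loa"] >= min_loa and needed_qualification in claims["qualifications"]
```

Centralized authentication happens once in issue_token; every SP runs verify_token and then its own authorize rule, so adding a new application needs no new credential for the responder.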
Identity Landscape – Government & Industry
SDOs
• IETF
• OASIS
• 3GPP
• ATIS
• TIA
• OIX
• Kantara
Standards
• SAML
• WS-Trust
• OpenID
• OAuth
• OpenID Connect
• UMA
• PersonaID
• TR 33.980
• TR 33.924
• TR 33.804
• TR 22.895
Government Agencies
• White House
• GSA
• DOJ
• USPS
• NIST
• OMB
• DHS
• FEMA
• FBI
Government Initiatives
• E-Gov Act 2002
• FICAM
• GFIPM
• NIEF
• NSTIC
• Federal PKI
• FCCX
• FedRAMP
• SICAM
• BAE
• PIV/PIV-I
• FRAC
• NIMS
• NIEM
• CJIS
• PIV-I/FRAC Technology Transition Working Group
Government Publications
• NIST SP800-78
• NIST SP800-63
• NIST SP800-76
• NIST FIPS 201
• OMB M-04-04
• HSPD-12
** This is just a sample to illustrate the amount of work. It is not an exhaustive list.
Guiding Principles for FirstNet
• An identity ecosystem should enable single sign-on
• An identity ecosystem should enable interoperability
• An identity ecosystem shall be usable
• An identity ecosystem shall be standards-based
• An identity ecosystem shall be secure
• An identity ecosystem shall be flexible
Guiding Principles (cont.)
• First Responders are typically Identity Proofed and credentialed by their respective agency – The FirstNet system must enable agencies to reuse their existing agency-issued identity & credentials
– This might include FRAC credentials or passwords
– The FirstNet system MUST NOT make first responders remember yet another user ID and password
• (or make their IT admin manage yet another set)
• The FirstNet system must enable a scalable identity solution for smaller public safety agencies that don’t have sufficient funds to manage their own Identity Management infrastructure
– E.g. must enable support of Identity Management as a Service (IdMaaS)
– Enables smaller agencies to “shop around” for an identity using an open-marketplace type model
– FirstNet may optionally offer their own IdMaaS for smaller agencies (so long as it does not prohibit those agencies from free choice)
Many Challenges
• First there are the technical hurdles:
– A plethora of standards to choose from
– The standard that is ultimately chosen must be profiled
– Solution must account for diverse credential types (passwords, PIV-I / FRAC, biometric), and diversity in size of various public safety agencies
– (and this is the easy part)
• And there is so much to do beyond the technology:
– Legal (e.g. what are the contractual obligations of the parties?)
– Policy (e.g. Levels of Assurance, dispute resolution, privacy requirements, etc.)
– Accreditation (e.g. ensure that parties meet the policy)
– Continued auditing (e.g. ensure that parties meet the policy – over time)
To Meet the Challenges
A Trust Framework for First Responders is required
• What is a Trust Framework?
– An agreement between stakeholders consisting of:
• Selection of standards and profiles of those standards
• Identity Proofing
• Acceptable credential types
• Levels of Assurance
• Levels of Protection
• Auditing expectations
• Legal obligation and liability clauses
• Dispute resolution process
• Governance structure
• Possible venues for defining a Trust Framework for First Responders:
– Kantara Initiative
– GLOBAL Security WG
Take Away
Identity will be the plumbing of interoperable application-layer communications between public safety agencies and FirstNet
• A scalable Identity Trust Framework for FirstNet is imperative
• We must either plan for it now – or it will be a disaster later
Recommendation:
• Engage public safety stakeholders to develop use cases that reflect real-world identity requirements, resulting in a scalable and interoperable Identity Trust Framework between public safety agencies and the FirstNet national system.
The Global Justice Information Sharing Initiative (Global) serves as a Federal Advisory Committee (FAC) and advises the U.S. Attorney General on justice information sharing and integration initiatives. Global was created to support the broad scale exchange of pertinent justice and public safety information. It promotes standards-based electronic information exchange to provide the justice community with timely, accurate, complete, and accessible information in a secure and trusted environment.
Global is a “group of groups,” representing more than 30 independent organizations, spanning the spectrum of law enforcement, judicial, correctional, and related bodies. Member organizations participate in Global with a shared responsibility and shared belief that, together, they can bring about positive change by making recommendations and supporting the initiatives of the U.S. Department of Justice (DOJ).