FiXs® - Federated & Secure Identity Management in Operation




The Federation for Identity and Cross-Credentialing Systems (FiXs)
www.FiXs.org
UNCLASSIFIED

FiXs - The Federation for Identity & Cross-Credentialing Systems --- What is it?

      A 501(c)6 not-for-profit trade association initially
      formed in 2004 while working with the Department
      of Defense to provide secure and inter-operable use
      of identity credentials between and among
      government entities and industry

      A coalition of diverse companies/organizations
      supporting development and implementation of
      inter-operable identity cross-credentialing standards,
      systems and end to end solutions for various
      applications

      Members/Subscribers include: government
      contractors, technology companies, major firms,
      small businesses, sole-proprietors, not-for-profit
      organizations, Department of Defense, state
      governments, etc.

FiXs is a Standards, C & A and Network Access Organization

    Complete Legal Governance structure for member firms

    Certification and Accreditation program for issuing identity
    credentials and securing personal identifying information

    A secure network switch through which transactions can be
    passed for PACS and LACS applications

    Standards for interfacing with the network switch and
    interoperability of applications

    Secure Network access to certified service providers and
    sponsors of individuals holding certified credentials

    Clearinghouse for objective consideration of technologies,
    business processes, rules and requirements







4.1301 Contract clause
The contracting officer shall insert the clause at 52.204-9, Personal Identity
Verification of Contractor Personnel, in solicitations and contracts when contract
performance requires contractors to have physical access to a federally controlled
facility or access to a Federal information system.

52.204-9 Personal Identity Verification of Contractor Personnel

(a) The Contractor shall comply with agency personnel identity verification
procedures identified in the contract that implement Homeland Security
Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB)
guidance M-05-24, and Federal Information Processing Standards Publication
(FIPS PUB) Number 201.

(b) The Contractor shall insert this clause in all subcontracts when the
subcontractor is required to have physical access to a federally-controlled
facility or access to a Federal information system.



The Foundation

     In January 2006 FiXs entered into a formal Memorandum of
     Understanding (MOU) with the Department of Defense which
     established the terms and conditions under which FiXs & DoD will
     use their respective systems as part of an identity suite of
     systems; the MOU was updated & renewed in February 2009.

     The terms and conditions include:
           an operational framework for inter-operability between
            DoD & FiXs
           specific operational responsibilities
           legal governance structure

     ATO Granted by DMDC in July 2007




Governance Structure
       Defined Trust Model

       Operating Rules

       Security Guidelines

       Policy Standards, including Privacy Act compliance

       Technical Architecture Specifications & Standards

       Implementation Guidelines

       Formal, legal flow down agreements for members/
       subscribers


The Basic Principles
      Individual personal identifying information, such as
      biometrics, SSN, & other unique personal identifying
      information, is captured once & accessed as required for
      authentication of one's identity

      This information is maintained in a federated manner,
      whereby there is no single database of every individual's
      identifying information. The data is maintained in a
      distributed manner under the authority and control of the
      organization that "sponsors" the individual holding the
      certified identity credential

      Queries of this information are “logged” to support privacy
      (akin to the processes followed when someone accesses your
      credit report)

      Structured to emulate the ATM & credit card network model
      of the banking industry
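The federated model described on this slide, as an added illustration that is not FiXs code and not taken from the DCCIS/FiXs network: each sponsoring organization is the only holder of its enrollees' identifying data, a central switch only routes a query to the right sponsor and records it, and the sponsor answers with a match/no-match result rather than handing back the stored data. The credential id format "<sponsor>:<serial>", the sponsor and station names, and the hashed "fingerprint" samples are all constructed for the example; a real station would compare biometric templates, not hashes.

```python
"""Federated identity verification with logged queries (added illustration)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac


def template_hash(sample: str) -> str:
    """Stand-in for biometric template matching: a SHA-256 of a constructed
    sample string. A real authentication station compares templates."""
    return hashlib.sha256(sample.encode("utf-8")).hexdigest()


@dataclass
class Sponsor:
    """Sponsoring organization; its enrollee records never leave this object."""
    name: str
    enrollees: dict = field(default_factory=dict)  # credential_id -> template hash

    def enroll(self, credential_id: str, sample: str) -> None:
        self.enrollees[credential_id] = template_hash(sample)  # captured once

    def verify(self, credential_id: str, presented: str) -> bool:
        stored = self.enrollees.get(credential_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, template_hash(presented))


@dataclass(frozen=True)
class QueryRecord:
    when: str
    requester: str      # the station or application that asked
    credential_id: str
    sponsor: str
    result: bool


class Switch:
    """Routes a query to the sponsor named in the credential id and logs it.
    It holds only a routing table, never biometrics or other PII."""

    def __init__(self) -> None:
        self.sponsors: dict = {}
        self.log: list = []

    def register(self, sponsor: Sponsor) -> None:
        self.sponsors[sponsor.name] = sponsor

    def authenticate(self, requester: str, credential_id: str, presented: str) -> bool:
        # Assumed credential id format "<sponsor>:<serial>"; the prefix selects the route.
        sponsor_name = credential_id.split(":", 1)[0]
        sponsor = self.sponsors.get(sponsor_name)
        result = sponsor.verify(credential_id, presented) if sponsor else False
        self.log.append(QueryRecord(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            requester=requester, credential_id=credential_id,
            sponsor=sponsor_name, result=result))
        return result

    def queries_about(self, credential_id: str) -> list:
        """The credit-report view: who asked about this credential, and with what outcome."""
        return [r for r in self.log if r.credential_id == credential_id]


def demo() -> dict:
    """Constructed scenario: one sponsor, one enrollee, three queries from a gate."""
    switch = Switch()
    acme = Sponsor("ACME")
    acme.enroll("ACME:1001", "constructed-fingerprint-sample-alice")
    switch.register(acme)
    gate = "Gate-3"
    return {
        "match": switch.authenticate(gate, "ACME:1001", "constructed-fingerprint-sample-alice"),
        "mismatch": switch.authenticate(gate, "ACME:1001", "constructed-fingerprint-sample-other"),
        "unknown_sponsor": switch.authenticate(gate, "NOSUCH:1", "anything"),
        "audit_trail": [(r.requester, r.sponsor, r.result)
                        for r in switch.queries_about("ACME:1001")],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is where the data sits: the switch can answer "who queried this credential" from its log without ever having held the enrollee's biometric, and a query for a sponsor the switch does not know is simply refused and still logged.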


Identity Federation between DCCIS & FiXs





Meeting Policy Objectives

      Certified Credentials that can be trusted with
      confidence
         “FiXs network fully operational for worldwide use in support of
          identity authentication purposes & applications” – DMDC July, 16,
          2007

         “The DoD shall establish & maintain the ECA program to support
          the issuance of DoD-approved certificates to industry partners &
          other external entities & organizations.” -- DoDI 8520

         “FiXs credentials that include PKI certificates issued from DoD
          ECA vendors are acceptable for use by DoD web based
          systems”---ASD/NII July 11, 2008

      Short term return on investment (ROI)
         Existing highly available architectures for identity deployment &
          revocation information -- immediate cost avoidance of CAC
          issuance “outside of the fence”



FiXs Chain of Trust





Certified & Accredited Subsystems

FiXs Network - The Defense Cross Credentialing Identification System (DCCIS)
infrastructure and its interface to the FiXs Network are now fully operational for
worldwide use in support of identity authentication purposes and applications. The
architecture is in place today to inter-operate similarly with non-DoD organizations in
a secure manner.


Credential Issuers (CI) - Each CI undergoes an extensive and complete review in
accordance with the highest industry standards, covering all requirements of the
proposed solution. This is documented in detailed Certification and
Accreditation (C&A) reports.


Authentication Stations - FiXs certified authentication stations enable FiXs and
Department of Defense (DoD) CAC credentials to be verified and accepted for
physical access authentication purposes by implementing the cross-credentialing
services supported by this combined network. Final decisions on physical access
privileges, whether at a government or vendor site, are local decisions.





Fixing the Identity Credentialing Problem




       “Hardware tokens [FiXs] & associated certificates issued by the
       ECA providers have the same assurance level as a Common
       Access Card (CAC).” – EPMA

       Note: Access privileges are granted under the purview of the Facility/
       Application owner.

HSPD-12 Compliant & PIV Inter-operable Credential Management




FIPS 201 compliant lifecycle management of users, their identity devices,
& associated credentials…

… with the strength of DoD Medium Hardware Assurance



Multi-Levels of Vetting for Certified Credentials allow for multiple
levels of granting or denying physical & logical access control



All certificates on a FiXs credential include an Organizational Unit (OU) ID
that identifies the FiXs vetting assurance level as follows:

   FiXs4, for FiXs credentials asserting FiXs equivalent "High"

   FiXs3, for FiXs credentials asserting FiXs equivalent "Medium High"

   FiXs2, for FiXs credentials asserting FiXs equivalent "Medium"

   FiXs1, for FiXs credentials asserting FiXs equivalent "Low"

The application/perimeter owner chooses the appropriate verification &
authentication levels.





Robust revocation processes

     Certified Credential issuers are required to maintain FiXs
     enrollment, privacy, administrative control, revocation,
     and audit information

     Maintenance & updating of the revocation information is
     the joint responsibility of the sponsoring organization &
     the Certified Credential issuer

     Card & Certificate Revocation Lists are issued
     immediately upon revocation


“A revocation process must exist such that an
expired or invalidated credential is swiftly revoked.”
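How a relying party would combine the two preceding slides, the OU-carried FiXs vetting level and the issuer's revocation list, into a local access decision, as an added example that is not FiXs code or a FiXs specification. It assumes the OU value is literally "FiXs1" through "FiXs4" (the slide names the levels but not the exact encoding), uses a hypothetical issuer name, serial numbers and subject DNs constructed for the example, and takes chain and signature validation as already done by the station's PKI stack before any of this runs.

```python
"""Assurance-level, expiry and revocation check for a FiXs-style credential
(added illustration; OU encoding and all sample data are assumptions)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "Medium High", 4: "High"}
_OU_LEVEL = re.compile(r"^FiXs([1-4])$")   # assumed literal OU value


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject_dn: str      # RFC 4514-style string, e.g. "CN=...,OU=FiXs3,O=FiXs"
    not_after: datetime


def dn_values(dn: str, attr: str) -> list:
    """All values of one attribute type in a DN. Splits on unescaped commas,
    which suffices for the constructed DNs below; not a full RFC 4514 parser."""
    values = []
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == attr.upper():
            values.append(value.strip())
    return values


def assurance_level(cert: Certificate):
    """FiXs vetting level (1-4) asserted in the OU, or None when absent or
    ambiguous (two different levels in one cert is treated as no assertion)."""
    levels = set()
    for ou in dn_values(cert.subject_dn, "OU"):
        m = _OU_LEVEL.match(ou)
        if m:
            levels.add(int(m.group(1)))
    return levels.pop() if len(levels) == 1 else None


@dataclass
class RelyingParty:
    """Facility or application owner; the access decision stays local to it."""
    name: str
    required_level: int
    revoked: set        # (issuer, serial) pairs taken from the issuer's CRL

    def decide(self, cert: Certificate, now: datetime) -> tuple:
        if now > cert.not_after:
            return (False, "expired")
        if (cert.issuer, cert.serial) in self.revoked:
            return (False, "revoked")
        level = assurance_level(cert)
        if level is None:
            return (False, "no FiXs assurance level in OU")
        if level < self.required_level:
            return (False, f"FiXs{level} ({LEVEL_NAMES[level]}) below required FiXs{self.required_level}")
        return (True, f"FiXs{level} ({LEVEL_NAMES[level]}) meets required FiXs{self.required_level}")


# Constructed sample data: hypothetical issuer name, serials, DNs and dates.
ISSUER = "CN=Example FiXs ECA CA"
NOW = datetime(2009, 6, 1, tzinfo=timezone.utc)
VALID_UNTIL = datetime(2011, 1, 1, tzinfo=timezone.utc)
CERT_MEDIUM_HIGH = Certificate(ISSUER, 1001, "CN=Jane Doe,OU=FiXs3,OU=ACME Corp,O=FiXs,C=US", VALID_UNTIL)
CERT_LOW = Certificate(ISSUER, 1002, "CN=John Roe,OU=FiXs1,OU=ACME Corp,O=FiXs,C=US", VALID_UNTIL)
CERT_REVOKED = Certificate(ISSUER, 1003, "CN=Ann Lee,OU=FiXs4,OU=ACME Corp,O=FiXs,C=US", VALID_UNTIL)
CERT_EXPIRED = Certificate(ISSUER, 1004, "CN=Bo Kim,OU=FiXs4,OU=ACME Corp,O=FiXs,C=US",
                           datetime(2008, 12, 31, tzinfo=timezone.utc))
CERT_NO_LEVEL = Certificate(ISSUER, 1005, "CN=Pat Ng,OU=ACME Corp,O=FiXs,C=US", VALID_UNTIL)

# This perimeter owner chose "Medium" (FiXs2) as its minimum and loaded one CRL entry.
LOBBY = RelyingParty("Building 7 lobby", required_level=2, revoked={(ISSUER, 1003)})


def demo() -> dict:
    certs = {"medium_high": CERT_MEDIUM_HIGH, "low": CERT_LOW, "revoked": CERT_REVOKED,
             "expired": CERT_EXPIRED, "no_level": CERT_NO_LEVEL}
    return {name: LOBBY.decide(c, NOW) for name, c in certs.items()}


if __name__ == "__main__":
    for name, (granted, reason) in demo().items():
        print(f"{name:12} {'GRANT' if granted else 'DENY ':5} {reason}")
```

Expiry and revocation are checked before the vetting level on purpose: a FiXs4 certificate on the CRL is still denied, which is the "swiftly revoked" property the quote above asks for, and the required level is a per-owner setting rather than anything the credential itself dictates.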


Facility, Installation and Network Access – Today's Problem

     No uniform compliance

     Vulnerability

     Lack of vision
           Who’s on - Who’s off

     No threat flexibility
           DHS NIMS code deployment plan
           PX & commissary services
           Suppliers to docks
           Maintenance & repair access to grounds
           Network applications
           Occasional Visitors



Common Issues with Physical and Logical Security
        How do we protect our facilities and systems, balanced with
        ease of use?
             Easy, secure access for those who belong
             Simple identification verification of visitors & users

        Identity assurance for contractors & suppliers must:
              Incorporate strong vetting for those that require access
              Follow DoD and all Federal guidelines

        Access decisions must be automated & reliable

        The facility or system owner is ultimately responsible--
        so how do we help?
              Improve decisions through interoperable electronic
               authentication
              Make it more secure, smarter & cost efficient per system
              Develop applications that work with multiple level credentials



Do we re-invent the wheel?

                     Federated identity assurance policy &
                     standards have been developed
                     Vetting & security is in place for
                     FiXs, DoD/ECA CAC, & HSPD-12
                         All are secure identities
                         All can be used for access decisions
                          All provide two-factor authentication




It's been done and decided; now let's use it.


FiXs & Certified Credentials Value Proposition & ROI
       Inter-operable with DoD systems — can be used by
       other Federal organizations

       Under review to be accepted as PIV inter-operable
       per Federal CIO Council guidance

       Achieved enterprise-wide capability & best practices

       Provides security & privacy of staff, systems, data &
       facilities in compliance with latest identity assurance
       & identity management processes

       Complies with FAR contract requirements

       Supports HSPD-12 & NIST PIV

       Proven uniform approach is possible & realistic
       across government and industry



Contact Information

    Dr. Michael Mestrovich, President - FiXs
      Michael.Mestrovich@fixs.org
      703 928 3157

    Robert Martin, Corporate Secretary - FiXs
      Bob.Martin@fixs.org
      703 321 6951

    Dan Turissini, Operations Committee Chair - FiXs
      turissd@orc.com
      703 401 1706




Backup Slides





Identity Authentication Architecture





More Related Content

What's hot

Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO AllianceFIDO Alliance
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonUlf Mattsson
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressFIDO Alliance
 
Identity systems
Identity systemsIdentity systems
Identity systemsJim Fenton
 
Entrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Datacard
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Ulf Mattsson
 
Javelin Research 2017 State of Authentication Report
Javelin Research 2017 State of Authentication ReportJavelin Research 2017 State of Authentication Report
Javelin Research 2017 State of Authentication ReportFIDO Alliance
 
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer
 
FIDO Alliance Today: Status and News
FIDO Alliance Today: Status and NewsFIDO Alliance Today: Status and News
FIDO Alliance Today: Status and NewsFIDO Alliance
 
FIDO Privacy Principles and Approach
FIDO Privacy Principles and ApproachFIDO Privacy Principles and Approach
FIDO Privacy Principles and ApproachFIDO Alliance
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
FIDO Certified Program: The Value of Certification
FIDO Certified Program: The Value of Certification FIDO Certified Program: The Value of Certification
FIDO Certified Program: The Value of Certification FIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Alliance
 

What's hot (15)

Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 
Introduction to the FIDO Alliance
Introduction to the FIDO AllianceIntroduction to the FIDO Alliance
Introduction to the FIDO Alliance
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
 
Authenticate 2021: Welcome Address
Authenticate 2021: Welcome AddressAuthenticate 2021: Welcome Address
Authenticate 2021: Welcome Address
 
Identity systems
Identity systemsIdentity systems
Identity systems
 
Entrust Physical & Logical Access Solutions
Entrust Physical & Logical Access SolutionsEntrust Physical & Logical Access Solutions
Entrust Physical & Logical Access Solutions
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0
 
Javelin Research 2017 State of Authentication Report
Javelin Research 2017 State of Authentication ReportJavelin Research 2017 State of Authentication Report
Javelin Research 2017 State of Authentication Report
 
TrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong AuthenticationTrustBearer - CTST 2009 - OpenID & Strong Authentication
TrustBearer - CTST 2009 - OpenID & Strong Authentication
 
FIDO Alliance Today: Status and News
FIDO Alliance Today: Status and NewsFIDO Alliance Today: Status and News
FIDO Alliance Today: Status and News
 
FIDO Privacy Principles and Approach
FIDO Privacy Principles and ApproachFIDO Privacy Principles and Approach
FIDO Privacy Principles and Approach
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical Tutorial
 
FIDO Certified Program: The Value of Certification
FIDO Certified Program: The Value of Certification FIDO Certified Program: The Value of Certification
FIDO Certified Program: The Value of Certification
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
 

Viewers also liked

Modern Architectures
Modern ArchitecturesModern Architectures
Modern ArchitecturesSecureAuth
 
Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...
Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...
Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...Investorideas.com
 
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlStopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlSecureAuth
 
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...Okta-Inc
 
Top 10 Payments Trends
Top 10 Payments TrendsTop 10 Payments Trends
Top 10 Payments TrendsCapgemini
 
26 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 201826 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 2018Brian Solis
 

Viewers also liked (6)

Modern Architectures
Modern ArchitecturesModern Architectures
Modern Architectures
 
Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...
Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...
Keynote Speaker Janice Kephart - Founder and CEO of The Secure Identity and B...
 
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlStopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
 
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
Pre-built, Secure Identity Layer for Consumer Websites, B2B Portals and SaaS ...
 
Top 10 Payments Trends
Top 10 Payments TrendsTop 10 Payments Trends
Top 10 Payments Trends
 
26 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 201826 Disruptive & Technology Trends 2016 - 2018
26 Disruptive & Technology Trends 2016 - 2018
 

Similar to Federated and Secure Identity Management in Operation

Authentication Models
Authentication ModelsAuthentication Models
Authentication ModelsRaj Chanchal
 
Mulin Holstein PKI-strategy
Mulin Holstein PKI-strategyMulin Holstein PKI-strategy
Mulin Holstein PKI-strategyfEngel
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computingijcsa
 
Practical Federal Compliance Strategies and Examples
Practical Federal Compliance Strategies and ExamplesPractical Federal Compliance Strategies and Examples
Practical Federal Compliance Strategies and ExamplesAmazon Web Services
 
Mobile Authentication Interoperability using FIDO for Derived Credentials
Mobile Authentication Interoperability using FIDO for Derived CredentialsMobile Authentication Interoperability using FIDO for Derived Credentials
Mobile Authentication Interoperability using FIDO for Derived CredentialsMichael Queralt
 
Virtual Communications Corporation
Virtual Communications CorporationVirtual Communications Corporation
Virtual Communications CorporationPeter Bell
 
Jelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with AxcientJelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with AxcientErin Olson
 
63 Requirements for CASB
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASBKyle Watson
 
Virtual Communication Corporation
Virtual Communication CorporationVirtual Communication Corporation
Virtual Communication CorporationPeter Bell
 
Database Security Project_17Sep2014 final edits
Database Security Project_17Sep2014 final editsDatabase Security Project_17Sep2014 final edits
Database Security Project_17Sep2014 final editsDerick Peterson
 
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...RSIS International
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization ModelsCSCJournals
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...Information Security Awareness Group
 
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO Alliance
 
New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...
New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...
New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...Patton Boggs LLP
 
PUBLIC KEY INFRASTRUCTURE Network and network devices
PUBLIC KEY INFRASTRUCTURE Network and network devicesPUBLIC KEY INFRASTRUCTURE Network and network devices
PUBLIC KEY INFRASTRUCTURE Network and network devicesantrikshjainwork
 
Self-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic RelationshipsSelf-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic RelationshipsJeremy Hilton
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfJUSTSTYLISH3B2MOHALI
 

Similar to Federated and Secure Identity Management in Operation (20)

Issa fi xs briefing
Issa fi xs briefingIssa fi xs briefing
Issa fi xs briefing
 
Authentication Models
Authentication ModelsAuthentication Models
Authentication Models
 
Mulin Holstein PKI-strategy
Mulin Holstein PKI-strategyMulin Holstein PKI-strategy
Mulin Holstein PKI-strategy
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computing
 
Practical Federal Compliance Strategies and Examples
Practical Federal Compliance Strategies and ExamplesPractical Federal Compliance Strategies and Examples
Practical Federal Compliance Strategies and Examples
 
Mobile Authentication Interoperability using FIDO for Derived Credentials
Mobile Authentication Interoperability using FIDO for Derived CredentialsMobile Authentication Interoperability using FIDO for Derived Credentials
Mobile Authentication Interoperability using FIDO for Derived Credentials
 
Virtual Communications Corporation
Virtual Communications CorporationVirtual Communications Corporation
Virtual Communications Corporation
 
Jelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with AxcientJelecos: Achieving Compliance with Axcient
Jelecos: Achieving Compliance with Axcient
 
63 Requirements for CASB
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASB
 
Virtual Communication Corporation
Virtual Communication CorporationVirtual Communication Corporation
Virtual Communication Corporation
 
Database Security Project_17Sep2014 final edits
Database Security Project_17Sep2014 final editsDatabase Security Project_17Sep2014 final edits
Database Security Project_17Sep2014 final edits
 
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
Security Mechanisms for Precious Data Protection of Divergent Heterogeneous G...
 
Authentication and Authorization Models
Authentication and Authorization ModelsAuthentication and Authorization Models
Authentication and Authorization Models
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment  Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong AuthenticationFIDO's Role in the Global Regulatory Landscape for Strong Authentication
FIDO's Role in the Global Regulatory Landscape for Strong Authentication
 
New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...
New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...
New FAR Clause Establishes Minimum Data Security Requirements for Federal Con...
 
PUBLIC KEY INFRASTRUCTURE Network and network devices
PUBLIC KEY INFRASTRUCTURE Network and network devicesPUBLIC KEY INFRASTRUCTURE Network and network devices
PUBLIC KEY INFRASTRUCTURE Network and network devices
 
Personal identity information protection
Personal identity information protectionPersonal identity information protection
Personal identity information protection
 
Self-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic RelationshipsSelf-Protecting Information for De-Perimiterised Electronic Relationships
Self-Protecting Information for De-Perimiterised Electronic Relationships
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 

Federated and Secure Identity Management in Operation

  • 1. FiXs® - Federated & Secure Identity Management in Operation The Federation for Identity and Cross-Credentialing Systems (FiXs) www.FiXs.org
  • 2. UNCLASSIFIED FiXs - The Federation for Identity & Cross-Credentialing Systems --- What is it? A 501(c)6 not-for-profit trade association initially formed in 2004 while working with the Department of Defense to provide secure and inter-operable use of identity credentials between and among government entities and industry A coalition of diverse companies/organizations supporting development and implementation of inter-operable identity cross-credentialing standards, systems and end to end solutions for various applications Members/Subscribers include: government contractors, technology companies, major firms, small businesses, sole-proprietors, not-for-profit organizations, Department of Defense, state governments, etc. 2 UNCLASSIFIED
  • 3. UNCLASSIFIED FiXs is a Standards, C & A and Network Access Organization Complete Legal Governance structure for member firms Certification and Accreditation program for issuing identity credentials and securing personal identifying information A secure network switch through which transactions can be passed for PACS and LACS applications Standards for interfacing with the network switch and interoperability of applications Secure Network access to certified service providers and sponsors of individuals holding certified credentials Clearinghouse for objective consideration of technologies, business processes, rules and requirements 3 UNCLASSIFIED
  • 4. FAR 4.1301 Contract clause
    The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally controlled facility or access to a Federal information system.
    52.204-9 Personal Identity Verification of Contractor Personnel
    • (a) The Contractor shall comply with agency personnel identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24, and Federal Information Processing Standards Publication (FIPS PUB) Number 201.
    • (b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have physical access to a federally-controlled facility or access to a Federal information system.
  • 5. The Foundation
    In January 2006 FiXs entered into a formal Memorandum of Understanding (MOU) with the Department of Defense which established terms and conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems; the MOU was updated & renewed in February 2009. The terms and conditions include:
    • an operational framework for inter-operability between DoD & FiXs
    • specific operational responsibilities
    • legal governance structure
    ATO granted by DMDC in July 2007
  • 6. Governance Structure
    • Defined Trust Model
    • Operating Rules
    • Security Guidelines
    • Policy Standards, including Privacy Act compliance
    • Technical Architecture Specifications & Standards
    • Implementation Guidelines
    • Formal, legal flow-down agreements for members/subscribers
  • 7. The Basic Principles
    • Individual personal identifying information, such as biometrics, SSN, & other unique personal identifying information, is captured once & accessed as required for authentication of one's identity
    • This information is maintained in a federated manner, whereby there is no single database of every individual's identifying information. The data is maintained in a distributed manner under the authority and control of the organization who "sponsors" the individual holding the certified identity credential
    • Queries of this information are "logged" to support privacy (akin to the processes followed when someone accesses your credit report)
    • Structured to emulate the ATM & credit card network model of the banking industry
  • 8. Identity Federation between DCCIS & FiXs (diagram slide)
  • 9. Meeting Policy Objectives
    Certified Credentials that can be trusted with confidence:
    • "FiXs network fully operational for worldwide use in support of identity authentication purposes & applications" – DMDC, July 16, 2007
    • "The DoD shall establish & maintain the ECA program to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations." -- DoDI 8520
    • "FiXs credentials that include PKI certificates issued from DoD ECA vendors are acceptable for use by DoD web based systems" --- ASD/NII, July 11, 2008
    Short term return on investment (ROI):
    • Existing highly available architectures for identity deployment & revocation information -- immediate cost avoidance of CAC issuance "outside of the fence"
  • 10. FiXs Chain of Trust (diagram slide)
  • 11. Certified & Accredited Subsystems
    • FiXs Network - The Defense Cross Credentialing Identification System (DCCIS) infrastructure and its interface to the FiXs Network are now fully operational for worldwide use in support of identity authentication purposes and applications. The architecture is in place today to inter-operate similarly with non-DoD organizations in a secure manner.
    • Credential Issuers (CI) - Each CI undergoes an extensive and complete review in accordance with the highest industry standards, covering all requirements of the proposed solution. This is documented in detailed Certification and Accreditation (C&A) reports.
    • Authentication Stations - FiXs certified authentication stations enable FiXs and Department of Defense (DoD) CAC credentials to be verified and accepted for physical access authentication purposes by implementing the cross-credentialing services supported by this combined network. Final decisions on physical access privileges, whether at a government or vendor site, are local decisions.
  • 12. Fixing the Identity Credentialing Problem
    "Hardware tokens [FiXs] & associated certificates issued by the ECA providers have the same assurance level as a Common Access Card (CAC)." – EPMA
    Note: Access privileges are granted under the purview of the Facility/Application owner.
  • 13. HSPD-12 Compliant & PIV Inter-operable Credential Management
    FIPS 201 compliant lifecycle management of users, their identity devices, & associated credentials… with the strength of DoD Medium Hardware Assurance
  • 14. Multi-Levels of Vetting for Certified Credentials
    Multiple vetting levels allow for multiple levels of granting or denying physical & logical access control. All certificates on a FiXs credential include an Organizational Unit ID that identifies the FiXs vetting assurance level as follows:
    • FiXs4, for FiXs credentials asserting FiXs equivalent "High"
    • FiXs3, for FiXs credentials asserting FiXs equivalent "Medium High"
    • FiXs2, for FiXs credentials asserting FiXs equivalent "Medium"
    • FiXs1, for FiXs credentials asserting FiXs equivalent "Low"
    The application/perimeter owner chooses the appropriate verification & authentication levels.
  • 15. Robust revocation processes
    • Certified Credential issuers are required to maintain FiXs enrollment, privacy, administrative control, revocation, and audit information
    • Maintenance & updating of the revocation information is the joint responsibility of the sponsoring organization & the Certified Credential issuer
    • Card & Certificate Revocation Lists are issued immediately upon revocation
    "A revocation process must exist such that an expired or invalidated credential is swiftly revoked."
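As an added illustration of the relying-party decision described on slides 14 and 15 (example code written for this page, not FiXs or DoD software): the facility or application owner reads the FiXs assurance OU from the certificate subject, refuses anything on the revocation list, compares the asserted level with the minimum level the perimeter owner has chosen, and logs the query as slide 7 describes. The DN layout, the exact OU syntax, the serial numbers and the revocation list are all constructed assumptions for the example.

```python
"""Access decision against a FiXs-style credential: assurance OU + revocation check.

Added example, not FiXs code.  Subject DNs, serial numbers and the revocation
list used here are constructed sample data; the OU syntax follows slide 14 but
the real certificate profile is assumed, not taken from FiXs documentation.
"""
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Assurance(IntEnum):
    """Vetting assurance levels as listed on slide 14 (numeric mapping assumed)."""
    LOW = 1          # FiXs1
    MEDIUM = 2       # FiXs2
    MEDIUM_HIGH = 3  # FiXs3
    HIGH = 4         # FiXs4


# OU value -> assurance level.  Only these OU values are recognised; any
# other OU (e.g. a company name) is ignored for the assurance decision.
OU_TO_ASSURANCE = {
    "FiXs1": Assurance.LOW,
    "FiXs2": Assurance.MEDIUM,
    "FiXs3": Assurance.MEDIUM_HIGH,
    "FiXs4": Assurance.HIGH,
}


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514-style DN string into attribute type -> list of values.

    Handles comma-separated RDNs and '\\,' escaped commas in values; multi-valued
    RDNs joined with '+' are not handled (kept simple for the example).
    """
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        attrs.setdefault(attr_type.strip().upper(), []).append(
            value.strip().replace("\\,", ","))
    return attrs


def assurance_from_subject(dn: str) -> Optional[Assurance]:
    """Return the FiXs assurance level asserted by the certificate subject.

    If a certificate somehow carries more than one FiXs OU, the weakest one
    wins, so a stray high-assurance OU cannot upgrade a low-assurance card.
    """
    levels = [OU_TO_ASSURANCE[ou] for ou in parse_dn(dn).get("OU", [])
              if ou in OU_TO_ASSURANCE]
    return min(levels) if levels else None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide_access(subject_dn: str, serial: str, revoked_serials: Set[str],
                  required: Assurance, audit_log: List[dict]) -> Decision:
    """Relying-party check: revocation first, then assurance level vs. policy.

    The perimeter owner sets `required` (slide 14); `revoked_serials` stands in
    for the Card/Certificate Revocation List of slide 15.  Every query is
    appended to `audit_log` (slide 7), recording the serial and outcome only,
    not the holder's identifying attributes.
    """
    level = assurance_from_subject(subject_dn)
    if serial in revoked_serials:
        decision = Decision(False, "credential revoked")
    elif level is None:
        decision = Decision(False, "no FiXs assurance OU in certificate")
    elif level < required:
        decision = Decision(False, f"asserted {level.name} below required {required.name}")
    else:
        decision = Decision(True, f"asserted {level.name} meets required {required.name}")
    audit_log.append({"serial": serial, "required": required.name,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    # Constructed sample data: two certificate subjects and a revocation list.
    revoked = {"0B:AD:CA:FE"}            # constructed CRL entries
    log: List[dict] = []
    print(decide_access("CN=Jane Doe,OU=FiXs3,OU=Example Corp,O=FiXs,C=US",
                        "01:23:45", revoked, Assurance.MEDIUM, log))
    print(decide_access("CN=John Roe,OU=FiXs2,O=FiXs,C=US",
                        "0B:AD:CA:FE", revoked, Assurance.LOW, log))
    for entry in log:
        print(entry)
```

Revocation is checked before the assurance level on purpose: a revoked FiXs4 card must fail exactly like a revoked FiXs1 card, and the log entry records why. A production relying party would take the OU from a parsed X.509 certificate and the revocation status from the issuer's CRL or OCSP responder rather than from strings and a set.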
  • 16. Facility, Installation and Network Access – Today's Problem
    • No uniform compliance
    • Vulnerability
    • Lack of vision
      - Who's on - Who's off
    • No threat flexibility
      - DHS NIMS code deployment plan
      - PX & commissary services
      - Suppliers to docks
      - Maintenance & repair access to grounds
      - Network applications
      - Occasional visitors
  • 17. Common Issues with Physical and Logical Security
    • How do we protect our facilities and systems, balanced with ease of use?
      - Easy, secure access for those who belong
      - Simple identification verification of visitors & users
    • Identity assurance for contractors & suppliers must:
      - Incorporate strong vetting for those that require access
      - Follow DoD and all Federal guidelines
    • Access decisions must be automated & reliable
    • The facility or system owner is ultimately responsible -- so how do we help?
      - Improve decisions through interoperable electronic authentication
      - Make it more secure, smarter & cost efficient per system
      - Develop applications that work with multiple-level credentials
  • 18. Do we re-invent the wheel?
    • Federated identity assurance policy & standards have been developed
    • Vetting & security is in place for FiXs, DoD/ECA CAC, & HSPD-12
      - All are secure identities
      - All can be used for access decisions
      - All provide 2-factor authentication
    It's been done, decided; now let's use it.
  • 19. FiXs & Certified Credentials Value Proposition & ROI
    • Inter-operable with DoD systems — can be used by other Federal organizations
    • Under review to be accepted as PIV inter-operable per Federal CIO Council guidance
    • Achieved enterprise-wide capability & best practices
    • Provides security & privacy of staff, systems, data & facilities in compliance with latest identity assurance & identity management processes
    • Complies with FAR contract requirements
    • Supports HSPD-12 & NIST PIV
    • Proven uniform approach is possible & realistic across government and industry
  • 20. Contact Information
    • Dr. Michael Mestrovich, President - FiXs: Michael.Mestrovich@fixs.org, 703 928 3157
    • Robert Martin, Corporate Secretary - FiXs: Bob.Martin@fixs.org, 703 321 6951
    • Dan Turissini, Operations Committee Chair - FiXs: turissd@orc.com, 703 401 1706
  • 21. Backup Slides