Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements


Joint White Paper: Attribute-Based Access Control Solutions: Federating Authoritative User Data to Support Relying Party Authorization Decisions and Requirements

Submitted Date: April 10, 2013

Submitted by:
David Coxe, CEO, ID Dataweb, Inc.; Co-Founder and SVP, Criterion Systems, Inc.
Boone Blvd., Suite 400, Vienna, VA
O: , ext. 315
C:

Karyn Higa-Smith, Program Manager, Science and Technology Directorate, Cyber Security Division, Homeland Security Advanced Research Projects Agency

DHS S&T Identity Management Testbed, The Johns Hopkins University Applied Physics Laboratory

RESTRICTION ON DISCLOSURE AND USE OF DATA. This document includes data that may be proprietary, may be legally privileged, and is for the intended recipient only. Access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. If obtained in error, please delete. The data subject to this restriction is contained on pages marked: "Use or disclosure of data contained on this page is subject to the restriction on the title page of this whitepaper."

Executive Summary

The ID DataWeb (IDW) Attribute Exchange Network (AXN) is an Internet-scale, neutral transaction services and contractual hub for enabling online credential authentication and attribute exchange services. The IDW AXN enforces privacy and security precepts driven by industry and in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) Guiding Principles. The exchange allows Identity Providers (IdPs), Attribute Providers (APs), Relying Parties (RPs), and users to federate and reuse credentials and attributes in a policy-driven, low-risk manner, at an affordable cost. AXN participants must register the contracting entity (e.g., corporation, agency, etc.) and each service (e.g., AP, IdP, or RP Web site, Web service, application programming interface (API), Lightweight Directory Access Protocol (LDAP) directory, meta-directory, etc.). Policy is applied at the service level through settings in the corresponding Admin Console on the exchange.

The Department of Homeland Security (DHS) Science and Technology (S&T) Directorate established the Identity Management (IdM) testbed hosted at The Johns Hopkins University Applied Physics Laboratory (JHU/APL). The IdM testbed team has been tasked by S&T to identify solutions to capability gaps in identity and access management for the Homeland Security Enterprise, which includes Federal, State, and local governments, and the public and private sectors. The S&T IdM team partnered with the U.S. Department of Defense (DoD) Manpower Data Center (DMDC) to collaborate on a proof-of-concept implementation of the Backend Attribute Exchange (BAE) Security Assertion Markup Language (SAML) 2.0 Profile (BAE-Profile) in The BAE-Profile was developed to specify how a user who has been issued a credential is represented as a SAML subject, how an assertion regarding the user is produced and consumed, and finally how two entities exchange attributes about the user in a federated environment.

The BAE-Profile has been transitioned and accepted for government-wide adoption by the Federal Identity, Credential, and Access Management (FICAM) Subcommittee (ICAM-SC) under the Federal Chief Information Officer (CIO), and can be found on IdManagement.gov. In addition, S&T is working with the Financial Services Sector Coordinating Council (FSSCC) on a project focused on reducing the risks of identity fraud and theft. The IdM testbed team developed the Verification of Identity Credential Service gateway to verify the validity of government-issued credentials, such as driver's licenses, social security numbers, and passports, to improve the identity proofing process of consumers opening financial accounts. As part of this effort, the IdM testbed team developed the eXtensible Access Control Markup Language (XACML) 3.0 Subject Data Verification Profile (XACML-Assertion-Profile), which describes translation, routing, and matching capabilities and defines the transaction between the RP and a gateway for validating a user's self-asserted attribute information. The AXN can support these protocols and requirements by integration with existing government BAE implementations and/or by direct registration of RPs and APs that require Authoritative Attribute (AA) and verification services. In all cases, the AXN requires the user to be present during the IDW AXN attribute exchange process, and the user must always authorize the Back-Channel verification of attribute assertions. This approach actively engages the user in the attribute exchange process, thereby preserving user privacy and enabling active user management of RP interactions. Having the user opt in and assert their attributes promotes transaction trust and improves the quality and refresh of related transaction data.

Overview

The Identity Ecosystem has evolved to where each RP is required to establish its own transaction process with each IdP and AP. The IDW AXN solution is an Internet-scale transaction services hub and contractual hub for federating online credential authentication and attribute exchange services. The exchange allows IdPs, APs, RPs, and users to exchange and reuse credentials and attributes in a policy-driven, low-risk manner, and at an affordable cost. The AXN is built on open industry standards as a neutral transaction and claims management hub that can enforce privacy and security precepts driven by industry and in support of the NSTIC Guiding Principles. The AXN does not issue end-user credentials, nor does it perform authentication or authorization, but it does enable these transaction services for participating IdPs (authentication) and RPs (authorization).

Figure 1: AXN: A Transaction and Contractual Services Hub

RPs registered on the AXN can obtain credential authentication services available from FICAM-approved IdPs [for Level of Assurance (LOA) 1 to 4 using SAML 2.0, OpenID Connect, or OAuth 2.0] and user attribute verification services available from commercial APs [e.g., Experian, LexisNexis, Equifax, Verizon, AT&T, American Association of Motor Vehicle Administrators (AAMVA), etc.]. In addition, RPs can obtain verified user-asserted identity attributes and authoritative role-based attributes (from registered commercial and government AA sources) to support the following:

- Authentication credential tamper detection
- Attribute-based access control (ABAC) and management
- Provisioning (in advance)
- Personnel medical emergencies
- Enhanced response capabilities (e.g., first responder)

The BAE-Profile details an implementation that an RP can use to obtain attribute information for a specific user through a direct or brokered connection to an AA service. Technically, the BAE-Profile defines a Simple Object Access Protocol (SOAP)-based SAML 2.0 attribute assertion implementation and can be used wherever that protocol and token apply. Operationally, the BAE-Profile (Figure 2) defines the Federal AA service required for delivering attribute content to Federal, State, or local government RPs. In practice, these government agencies are highly motivated to protect privacy and handle citizen information as extremely sensitive. The release of any citizen information, even to other government agencies, is scrutinized and highly regulated. In practice, governments do not release citizen information to non-government entities given the potential risk for unauthorized use. However, government AAs can provide limited support for data-matching requests from non-government clients when the citizen has self-asserted and approved the submitted data and Boolean predicate matching algorithms are embedded in the matching capability trusted by the AA service provider. In this configuration, the matching request and matching response support multiple pairs of data identifiers and values; namely, the self-asserted data verification request and Boolean verification results. There are matching services provided by organizations that may centralize an aggregation of these government data verification services and shield these AA providers from direct exposure to the RP, e.g., AAMVA. The XACML-Assertion-Profile describes the intermediate actors and defines the transaction between the RP and the gateway.

Figure 2: Verifying Identity Credentials Service

The BAE-Profile could participate on the AXN in two different scenarios:

1. Existing government BAE Brokers and Metadata Services could be integrated into the AXN as an AP service with defined policies for interoperability, authentication, and permissible use. Government RPs would register on the AXN and specify policies for which user attributes would need to be verified via participating APs, including these government-to-government-only providers. As such, existing government BAE Brokers and Metadata Services could be protected from exposure through an XACML-Assertion-Profile gateway. This approach would minimize AXN integration requirements into existing BAE implementations.

2. New AP services could register directly on the AXN as they become available and publish their attribute service offerings along with restrictions for permissible uses and RP participation. The AXN provides online RP and AP registration and account management along with account support for charge back, usage, and central billing if these are desired features. The AXN AP gateway would enable all transaction processes and engage the user in transaction flows in support of NSTIC privacy policy. In addition, the AXN would not store attribute data or create a centralized data store.

In either scenario, participating RPs register with the AXN. As defined by AP policies (e.g., white list and/or permissible use restrictions), each RP selects attributes, data types (authoritative, derived, self-asserted), and sources published by APs willing to verify and offer user-asserted attribute data. A set of verified user-asserted attributes and claims can readily be re-verified by APs and, with user consent, shared with participating RPs on demand.

AXN Overview

AXN transaction services between participants (i.e., RPs, IdPs, and APs) are standardized to a few specific models. Once each participant registers (see Figure 3) and completes integration with the AXN, no further work is required from an IdP or AP as the number of RPs grows on the exchange. Based on the RP registration settings, the AXN serves as a policy control point for credential and attribute information transactions, and only sends the required information to the RP, regardless of what was proffered by an IdP or AP. AXN participants must register the contracting entity (e.g., corporation, agency, etc.) and each service (e.g., AP, IdP, or RP Web site, Web service, API, LDAP directory, meta-directory, etc.). Policy is applied at the service level via settings in the corresponding Admin Console on the exchange.

During AXN registration, an RP selects attributes to be verified using the minimal necessary data for the RP to authorize service and, as needed, perform account creation or binding of a credential to an existing account. The decision about what is required by an RP to authorize user access to an RP service or to create/bind a user account is based on corresponding Trust Framework policy, the RP's risk mitigation requirements, and any overarching privacy regime under which the RP operates (e.g., FICAM, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, etc.). The role of the AXN is to enable the management and enforcement of AP and RP policies and service requirements as defined in the corresponding (IdP, AP, and RP) Management Console on the AXN.

Figure 3: AXN Registration and Management Services

The IDW AXN architecture enhances user privacy and control over verified user attributes without creating a centralized data store of user attributes at the AXN. The individual user's Personally Identifiable Information is not stored at the AXN, but will be under direct user control via the user's Personal Data Service (PDS) at an online location of the user's choice. Users will assert their attributes at RP sites via the AXN to procure services and, as needed, to establish an RP account. After completing the first verification flow, users can leverage verified attributes from their PDS to access additional RP services and establish new accounts. This feature minimizes user friction and promotes user adoption. Throughout the identity ecosystem, users will leverage a credential issued and managed by their IdPs to enable single sign-on and to minimize password use. This reduces the administrative burden associated with account creation and maintenance while greatly improving the user experience.

An AXN administrative operations team manages the process of registering and activating AXN subscribers. A subscriber could be an IdP, AP, or RP. Users will consume AXN services but will not subscribe to the AXN. Although most of the AP, IdP, and RP registration processes are fully Web-enabled and automated, the IDW AXN administrative operations team is required to perform a number of manual contractual audits and quality checks before releasing a subscriber into production.

The list of attributes for the user to self-assert is determined at the time of RP registration on the AXN. In all cases, the AXN gathers user attributes (based on the RP registration requirements), verifies those attributes with participating AP services (again, based on RP registration requirements), and with user permission shares the user-asserted attributes and resulting AP claims with the RP. To resolve situations in which IdPs and APs offer more user information than required, the AXN only verifies attributes asserted by users based on requirements established by the RP during registration. In this process, the AXN ignores any additional attributes that may be available from an IdP or AP interface, and only verifies the assertion claim for the self-asserted user information. As such, the AXN enables privacy policy enforcement and serves as an audit compliance point for data minimization policies.

Attribute-Based Access Control (ABAC) Services

RPs that subscribe to this service can designate authoritative role-based attributes for users to assert when accessing their RP service to enhance detection of Authentication Credential tampering, access control and management, and user access and response capabilities (e.g., online and physical first responder access to a community RP service in a disaster zone). The AXN will also support dynamic, contextual, policy-driven mechanisms that allow RPs to make and enforce real-time policy decisions within a flexible framework. This requires decision-making capabilities to be external to systems, applications, or services, with input to these decisions based on information about the user, the resource, and contextual information that may be expressed as attributes. These attributes can reside at multiple AP sources, and the level of confidence in an RP attribute may vary from source to source.

The AXN uses a unique method to supply attributes at the time of the Authentication Assertion. The encrypted token that carries the session details and the Authentication Assertion includes a one-time-use key with which the RP retrieves the attributes associated with that assertion. The expectation is that the RP service will immediately retrieve these attributes to support the RP service Authorization decision. The AXN does not use the RP's session to pass data about the user. The AXN requires the RP service to use the one-time-use token to retrieve the data via a separate asynchronous session using the scheme defined for the RP.
Additional elements that could be included in the retrieval token are: (1) any customer-asserted attributes and (2) any collected attribute verification data. Separating the transmission of the Authentication Assertion from the customer data, which travels over a second asynchronous session, increases security and reduces the impact of a man-in-the-middle attack.

The AXN can verify attributes used in the IdP Credential (Authentication Assertion) authentication process and passed to the AXN by the IdP. This is accomplished by asking users to opt in to having their attributes verified after being authenticated by the IdP and before they are returned to the session on the RP. We recommend this process happen a minimum of once per year, but it can occur more often based on the RP service risk profile requirements. The verification process leverages the data packet (SAML or OpenID) from the IdP and verifies the data using a third-party attribute provider (e.g., Experian). Trust Framework Provider Policies generally dictate the implementation options for RP services. Attribute verification options include: (1) self-asserted attributes, (2) prefill attributes from a masked version of the attributes received from the IdP, and/or (3) the request of attributes outside the SAML/OpenID Scheme. Attributes are encrypted and staged for the RP service to retrieve from the AXN along with the claims (Pass/Fail) associated with the attribute assertions.

Summary

The IDW AXN is an Internet-scale, neutral transaction services and contractual hub for online exchange of credentials and attributes that can enforce privacy and security precepts driven by industry and in support of the NSTIC Guiding Principles. The exchange allows IdPs, APs, RPs, and users to federate and reuse credentials and attributes in a policy-driven, low-risk manner and at an affordable cost. AXN participants must register the contracting entity (e.g., corporation, agency, etc.) and each service (e.g., AP, IdP, or RP Web site, Web service, API, LDAP directory, meta-directory, etc.). Policy is applied at the service level via settings in the corresponding Admin Console on the exchange. The AXN can support these protocols and requirements by integration with existing government BAE implementations and/or by direct registration of RPs and APs that require AA and verification services. In all cases, the AXN requires users to be present during the IDW AXN attribute exchange process, and users must always authorize the Back-Channel verification of attribute assertions. This approach actively engages users in the process, thereby preserving customer privacy and enabling active user management of RP interactions. Having users opt in and assert their attributes promotes transaction trust and improves the quality and refresh of related transaction data.
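Three mechanisms in the paper fit together in one transaction: the AXN keeps only the attributes the RP registered for (data minimization), the AP answers with Boolean verification results per identifier/value pair rather than releasing authoritative data (the matching model behind the BAE and XACML-Assertion profiles), and the attributes plus Pass/Fail claims are staged for the RP to fetch over a separate session with a one-time-use token. The simulation below is an added example written for this page; it is not ID DataWeb's AXN code and does not implement the SAML or XACML wire formats. The RP registry, the AP record, the credential number and the user's assertions are constructed sample data, the attribute names are assumptions, and encryption of the staged bundle under the RP's scheme is assumed rather than shown. Token storage keeps only a hash of the token, binds it to the redeeming RP, and enforces single use with a short TTL, which is what limits replay if a retrieval token is observed in transit.

```python
"""Added example: minimize -> Boolean-verify -> stage with a one-time token."""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed RP registration (assumed attribute names): the minimal set each
# RP selected during AXN registration. Anything else proffered is dropped.
RP_REGISTRY: Dict[str, set] = {
    "rp-benefits-portal": {"given_name", "family_name", "birth_date"},
}

# Constructed authoritative record at an AP, keyed by a credential number the
# user self-asserts. The AP never returns these values to the AXN or RP.
AP_RECORDS: Dict[str, Dict[str, str]] = {
    "DL-123456": {"given_name": "Alice", "family_name": "Example",
                  "birth_date": "1980-01-02", "address": "1 Main St"},
}


def _normalize(name: str, value: str) -> str:
    """Canonicalise before comparing so case/whitespace differences in names
    do not cause false mismatches (assumption: dates are compared verbatim)."""
    value = value.strip()
    return value if name == "birth_date" else value.lower()


def ap_verify(credential_id: str, asserted: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Boolean predicate matching: one True/False per (identifier, value) pair.
    An identifier the AP does not hold yields None (indeterminate); an unknown
    credential fails every pair without revealing which part was wrong."""
    record = AP_RECORDS.get(credential_id)
    results: Dict[str, Optional[bool]] = {}
    for name, value in asserted.items():
        if record is None:
            results[name] = False
        elif name not in record:
            results[name] = None
        else:
            results[name] = _normalize(name, record[name]) == _normalize(name, value)
    return results


def minimize(rp_id: str, offered: Dict[str, str]) -> Dict[str, str]:
    """Data minimization: keep only attributes the RP registered for,
    regardless of what the user, IdP or AP interface offered."""
    required = RP_REGISTRY[rp_id]
    return {k: v for k, v in offered.items() if k in required}


class AttributeStage:
    """Out-of-band staging area. Stores a hash of the token (not the token),
    binds each entry to one RP, and makes redemption single-use with a TTL.
    The staged bundle is assumed to be encrypted for the RP (not shown)."""

    def __init__(self, ttl_seconds: int = 60, clock: Callable[[], float] = time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._staged: Dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def stage(self, rp_id: str, bundle: dict) -> str:
        token = secrets.token_urlsafe(32)  # the one-time-use retrieval key
        self._staged[self._key(token)] = {
            "rp": rp_id, "bundle": bundle, "exp": self._clock() + self._ttl}
        return token

    def redeem(self, rp_id: str, token: str) -> Optional[dict]:
        entry = self._staged.pop(self._key(token), None)  # pop: second use fails
        if entry is None or entry["rp"] != rp_id or self._clock() > entry["exp"]:
            return None
        return entry["bundle"]


def run_exchange(rp_id: str, credential_id: str, user_asserted: Dict[str, str],
                 stage: AttributeStage) -> str:
    """AXN side of one transaction: minimize, verify, stage. Returns the
    one-time token the AXN would place in the encrypted front-channel token
    next to the Authentication Assertion."""
    asserted = minimize(rp_id, user_asserted)
    results = ap_verify(credential_id, asserted)
    claims = {k: "Pass" if v else ("Indeterminate" if v is None else "Fail")
              for k, v in results.items()}
    return stage.stage(rp_id, {"attributes": asserted, "claims": claims})


if __name__ == "__main__":
    stage = AttributeStage()
    # Constructed user assertion: includes an SSN the RP did not register for.
    token = run_exchange("rp-benefits-portal", "DL-123456",
                         {"given_name": "alice ", "family_name": "Example",
                          "birth_date": "1980-01-02", "ssn": "123-45-6789"}, stage)
    print(stage.redeem("rp-benefits-portal", token))   # attributes + Pass/Fail claims
    print(stage.redeem("rp-benefits-portal", token))   # None: token already used
```

The RP side is a single `redeem` call over its own back-channel session; a `None` result (unknown, reused, expired or wrong-RP token) should be treated as a failed retrieval and logged, since a legitimate RP retrieves immediately and exactly once.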


More information

Network-based Access Control

Network-based Access Control Chapter 4 Network-based Access Control 4.1 Rationale and Motivation Over the past couple of years, a multitude of authentication and access control technologies have been designed and implemented. Although

More information

June 5, 2013 Ken Klingenstein. Identity Management, the Cloud, NSTIC and Accessibility

June 5, 2013 Ken Klingenstein. Identity Management, the Cloud, NSTIC and Accessibility June 5, 2013 Ken Klingenstein Identity Management, the Cloud, NSTIC and Accessibility Identity Management, the Cloud, NSTIC and Accessibility Contents Internet Identity Today Two types of cloud use cases

More information

INFORMATION SHARING ENVIRONMENT GUIDANCE (ISE-G) IDENTITY AND ACCESS MANAGEMENT FRAMEWORK FOR THE ISE VERSION 1.0

INFORMATION SHARING ENVIRONMENT GUIDANCE (ISE-G) IDENTITY AND ACCESS MANAGEMENT FRAMEWORK FOR THE ISE VERSION 1.0 INFORMATION SHARING ENVIRONMENT GUIDANCE (ISE-G) IDENTITY AND ACCESS MANAGEMENT FRAMEWORK FOR THE ISE VERSION 1.0 1. Authority. The National Security Act of 1947, as amended; The Intelligence Reform and

More information

Single Sign-On (SSO), Identity Exchange Hub, Remote Identity Proofing

Single Sign-On (SSO), Identity Exchange Hub, Remote Identity Proofing Single Sign-On (SSO), Identity Exchange Hub, Remote Identity Proofing Brian Seggie Director of Security 1 Why are we doing this? Leverage large MICAM investment ($30 M) Improve identity verification to

More information

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions Introduction This paper provides an overview of the integrated solution and a summary of implementation options

More information

Date: Wednesday March 12, 2014 Time: 10:00 am to 2:45 pm ET Location: Virtual Hearing

Date: Wednesday March 12, 2014 Time: 10:00 am to 2:45 pm ET Location: Virtual Hearing Remarks of Catherine Tilton at the Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) held by the Office of the National Coordinator for Health Information Technology Health

More information

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)

United States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB) for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief

More information

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology Establishing A Multi-Factor Authentication Solution Report to the Joint Legislative Oversight Committee on Information Technology Keith Werner State Chief Information Officer Department of Information

More information

Federal Identity, Credential, and Access Management Trust Framework Solutions

Federal Identity, Credential, and Access Management Trust Framework Solutions 1 2 3 4 5 6 7 Federal Identity, Credential, and Access Management Trust Framework Solutions 8 9 10 11 Trust Framework Provider Adoption Process (TFPAP) For All Levels of Assurance 12 13 14 15 16 17 18

More information

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data Global Alliance for Genomics and Health SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data VERSION 1.1 March 12,

More information

White Paper The Identity & Access Management (R)evolution

White Paper The Identity & Access Management (R)evolution White Paper The Identity & Access Management (R)evolution Federation and Attribute Based Access Control Page 2 A New Perspective on Identity & Access Management Executive Summary Identity & Access Management

More information

Intelligent Security Design, Development and Acquisition

Intelligent Security Design, Development and Acquisition PAGE 1 Intelligent Security Design, Development and Acquisition Presented by Kashif Dhatwani Security Practice Director BIAS Corporation Agenda PAGE 2 Introduction Security Challenges Securing the New

More information

Identity: The Key to the Future of Healthcare

Identity: The Key to the Future of Healthcare Identity: The Key to the Future of Healthcare Chief Medical Officer Anakam Identity Services July 14, 2011 Why is Health Information Technology Critical? Avoids medical errors. Up to 98,000 avoidable hospital

More information

TrustedX: eidas Platform

TrustedX: eidas Platform TrustedX: eidas Platform Identification, authentication and electronic signature platform for Web environments. Guarantees identity via adaptive authentication and the recognition of either corporate,

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is

More information

The Impact of NSTIC on the Internal Revenue Service. Economic Case Study: Planning Report 13-2

The Impact of NSTIC on the Internal Revenue Service. Economic Case Study: Planning Report 13-2 Planning Report 13-2 Economic Case Study: The Impact of NSTIC on the Internal Revenue Service Prepared by: RTI International for National Institute of Standards & Technology July 2013 Contents Chapter

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

Biodiversity In Identity Ecosystems How Individuals, Businesses, and Governments Interact. Eve Maler, Principal Analyst, Security & Risk

Biodiversity In Identity Ecosystems How Individuals, Businesses, and Governments Interact. Eve Maler, Principal Analyst, Security & Risk Biodiversity In Identity Ecosystems How Individuals, Businesses, and Governments Interact Eve Maler, Principal Analyst, Security & Risk October 10, 2013 Traditional IAM is failing all of us 2 Data security

More information

AT&T Healthcare Community Online - Enabling Greater Access with Stronger Security

AT&T Healthcare Community Online - Enabling Greater Access with Stronger Security AT&T Healthcare Community Online: Enabling Greater Access with Stronger Security Overview/Executive Summary With a nationwide move to electronic health record (EHR) systems, healthcare organizations and

More information

A Standards-based Mobile Application IdM Architecture

A Standards-based Mobile Application IdM Architecture A Standards-based Mobile Application IdM Architecture Abstract Mobile clients are an increasingly important channel for consumers accessing Web 2.0 and enterprise employees accessing on-premise and cloud-hosted

More information

Enhancing Web Application Security

Enhancing Web Application Security Enhancing Web Application Security Using Another Authentication Factor Karen Lu and Asad Ali Gemalto, Inc. Technology & Innovations Austin, TX, USA Overview Introduction Current Statet Smart Cards Two-Factor

More information

USING FEDERATED AUTHENTICATION WITH M-FILES

USING FEDERATED AUTHENTICATION WITH M-FILES M-FILES CORPORATION USING FEDERATED AUTHENTICATION WITH M-FILES VERSION 1.0 Abstract This article provides an overview of federated identity management and an introduction on using federated authentication

More information

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications SOLUTION BRIEF: PROTECTING ACCESS TO THE CLOUD........................................ How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications Who should read this

More information

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates

More information

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP

White Paper. FFIEC Authentication Compliance Using SecureAuth IdP White Paper FFIEC Authentication Compliance Using SecureAuth IdP September 2015 Introduction Financial institutions today face an important challenge: They need to comply with guidelines established by

More information

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19 Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19 Andrew Sessions, Abel Sussman Biometrics Consortium Conference Agenda

More information

SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates

SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates SecureAuth Authentication: How SecureAuth performs what was previously impossible using X.509 certificates As enterprises move their applications to the Web and mobile platforms, providing strong security

More information

Identity & Privacy Protection

Identity & Privacy Protection Identity & Privacy Protection An Essential Component for a Federated Access Ecosystem Dan Turissini - CTO, WidePoint Corporation turissd@orc.com 703 246 8550 CyberSecurity One of the most serious economic

More information

Identity Management: Background, Principles, GENI

Identity Management: Background, Principles, GENI Identity Management: Background, Principles, GENI Topics Internet identity What s been happening Gaps Identity Management Includes identity and access control via groups and roles Adapting apps to use

More information

Biometrics in Identity as a Service

Biometrics in Identity as a Service Daon - your trusted Identity Partner Biometrics in Identity as a Service What is BaaS and who is doing it? Catherine Tilton 28 September 2011 The Need As the world becomes more interdependent, as transactions

More information

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0 International Virtual Observatory Alliance IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0 IVOA Proposed Recommendation 20151029 Working group http://www.ivoa.net/twiki/bin/view/ivoa/ivoagridandwebservices

More information

OpenHRE Security Architecture. (DRAFT v0.5)

OpenHRE Security Architecture. (DRAFT v0.5) OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2

More information

OIX IDAP Alpha Project - Technical Findings

OIX IDAP Alpha Project - Technical Findings OIX IDAP Alpha Project - Technical Findings Warwickshire County Council - using a Federated UK Government ID in trusted Local Authority transactions. By Graham Dunnings and Ian Litton 1 Table of Contents

More information

SAML Security Option White Paper

SAML Security Option White Paper Fujitsu mpollux SAML Security Option White Paper Fujitsu mpollux Version 2.1 February 2009 First Edition February 2009 The programs described in this document may only be used in accordance with the conditions

More information

RealMe. Technology Solution Overview. Version 1.0 Final September 2012. Authors: Mick Clarke & Steffen Sorensen

RealMe. Technology Solution Overview. Version 1.0 Final September 2012. Authors: Mick Clarke & Steffen Sorensen RealMe Technology Solution Overview Version 1.0 Final September 2012 Authors: Mick Clarke & Steffen Sorensen 1 What is RealMe? RealMe is a product that offers identity services for people to use and manage

More information

How to Implement Enterprise SAML SSO

How to Implement Enterprise SAML SSO How to Implement Enterprise SSO THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY How to Implement Enterprise SSO Introduction Security Assertion Markup Language, or, provides numerous The advantages and

More information

Identity. Provide. ...to Office 365 & Beyond

Identity. Provide. ...to Office 365 & Beyond Provide Identity...to Office 365 & Beyond Sponsored by shops around the world are increasingly turning to Office 365 Microsoft s cloud-based offering for email, instant messaging, and collaboration. A

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Identity Protection and Access Management (IPAM) Architectural Standard Identity Management Services ITP Number ITP-SEC013 Category Recommended Policy Contact RA-ITCentral@pa.gov

More information

DBIDS/IACS PRIVACY IMPACT ASSESSMENT (PIA) 2. Name of IT System: Defense Biometric Identification System (DBIDS)

DBIDS/IACS PRIVACY IMPACT ASSESSMENT (PIA) 2. Name of IT System: Defense Biometric Identification System (DBIDS) DBIDS/IACS PRIVACY IMPACT ASSESSMENT (PIA) (Use N/A where appropriate) 1. DoD Component: Defense Manpower Data Center (DMDC) 2. Name of IT System: Defense Biometric Identification System (DBIDS) 3. Budget

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Lethbridge 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

More information

ABAC Workshop Minutes

ABAC Workshop Minutes ABAC Workshop Minutes Prepared by Jeff Coleman (NSA), Paul Jacob (Booz Allen and Hamilton), and Vincent Hu (NIST) Date: 17 July 2013 Location: National Cybersecurity Center of Excellence (NCCoE), 9600

More information

Enforcement Integrated Database (EID) Criminal History Information Sharing (CHIS) Program

Enforcement Integrated Database (EID) Criminal History Information Sharing (CHIS) Program for the Enforcement Integrated Database (EID) Criminal History Information Sharing (CHIS) Program DHS/ICE/PIA-015(h) January 15, 2016 Contact Point Peter Edge Executive Associate Director, Homeland Security

More information

Authentication and Authorization Systems in Cloud Environments

Authentication and Authorization Systems in Cloud Environments Authentication and Authorization Systems in Cloud Environments DAVIT HAKOBYAN Master of Science Thesis Stockholm, Sweden 2012 TRITA-ICT-EX-2012:203 Abstract The emergence of cloud computing paradigm offers

More information

OPENIAM ACCESS MANAGER. Web Access Management made Easy

OPENIAM ACCESS MANAGER. Web Access Management made Easy OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access

More information

Student Administration and Scheduling System

Student Administration and Scheduling System for the Student Administration and Scheduling System DHS/FLETC/PIA-002 February 12, 2013 Contact Point William H. Dooley Chief, Office of IT Budget, Policy, & Plans (912) 261-4524 Reviewing Official Jonathan

More information

Delegation for On-boarding Federation Across Storage Clouds

Delegation for On-boarding Federation Across Storage Clouds Delegation for On-boarding Federation Across Storage Clouds Elliot K. Kolodner 1, Alexandra Shulman-Peleg 1, Gil Vernik 1, Ciro Formisano 2, and Massimo Villari 3 1 IBM Haifa Research Lab, Israel 2 Engineering

More information

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis Business and Process Requirements Business Requirements mapped to downstream Process Requirements IAM UC Davis IAM-REQ-1 Authorization Capabilities The system shall enable authorization capabilities that

More information

How To Create Trust Online

How To Create Trust Online Authors: Niall Burns (Symphonic), Professor Bill Buchanan (Edinburgh Napier University), Cassie Anderson (miicard) Overview There is a growing demand within governments, health sectors, social care, police,

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Federated Identity and Single Sign-On using CA API Gateway

Federated Identity and Single Sign-On using CA API Gateway WHITE PAPER DECEMBER 2014 Federated Identity and Single Sign-On using Federation for websites, Web services, APIs and the Cloud K. Scott Morrison VP Engineering and Chief Architect 2 WHITE PAPER: FEDERATED

More information

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used? esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents

More information

Identity and Access Management Initiatives in the United States Government

Identity and Access Management Initiatives in the United States Government Identity and Access Management Initiatives in the United States Government Executive Office of the President November 2008 Importance of Identity Management within the Federal Government "Trusted Identity"

More information

Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0

Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0 sm Open Data Center Alliance Usage: Identity Interoperability Guide rev. 1.0 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Table of Contents Legal Notice... 3 Executive Summary...

More information

GEC4. Miami, Florida

GEC4. Miami, Florida GENI Security Architecture GEC4 Stephen Schwab, Alefiya Hussain Miami, Florida 1 Outline Overview of Security Architecture Draft Work in progress Observations About Candidate Technologies Considerations

More information