Operational and Policy Considerations. Glenn R. Cook Department of Information Sciences Naval Postgraduate School Monterey, CA

Transcription

1 Identity Management: Operational and Policy Considerations Glenn R. Cook Department of Information Sciences Naval Postgraduate School Monterey, CA

2 IdM Operations and Policy Who Are You? Identifying Friend and Foe Architecture and Federation: Creating Capabilities IdM Policy: What do we do with the data? Legal and Ethical Implications of Identity Management

3 Identity Mangement Operations

4 Identity Management: Where and How? Drivers Licenses Social Security Cards CAC Passports Biometrics Clear Card Transportation Workers Identification Credential AFIS RFID Bar Codes (1D & 2D) Many sources of Identity from Different sources; who and what do We trust? t? TSA: Airport Security Coast Guard: Port Security Ops Law Enforcement tagencies Immigration and Customs Enforcement Border Patrol Material Logistics/Supply Chain DoD Operations: ESG Operations HA/DR Local National Vetting/Pay IED Forensics Maritime Interdiction Operations Anti-Piracy Efforts Access Control (Logical & Physical) Supply Chain Management

5 Who are You? Blue (Friendly) Forces Military and Civilian Employees Coalition Forces Grey (Unknown) Forces Unknown or Unverified Status Assumed friendly/assumed Unfriendly Red (Unfriendly) Forces Known to be unfriendly Identified Terrorists/Criminals Identity may change over the course of time

6 Who are You? Gray Force Identification Verification Identity Assurance based on Ability to Vet Identification Event Context Verifiable, Consistent Identity No Verifiable or consistent Identity Suspicious Circumstances Known Terrorist or criminal Question - Where does the DoD Gray Population fit?

7 Creating Credentials: DoD CAC Suitability Vetting Biometrics Bind Bind Verify Bind CAC Verify Bind PKI Certificates Verify US Citizens Foreign NAtionals SSN, NAME DOB Identity Vetting Foreign ID Biometrics Passports Affiliation To DoD Create Identifier Bind Bind DoD Personal Identity DoD EDI PI Authorization Process Identity Management Access Control Benefits Pay Logical & Physical Access

8 Sharing Data: Federation DoD Information Sharing Strategy The Department of Defense (DoD) Information Sharing Strategy provides the common vision, goals and approaches that guide the many information sharing initiatives and investments t for all of DoD. D Deliver the power of information to ensure mission success through an agile enterprise with freedom of maneuverability across the information environment. Source: Executive Office of the CIO of DOD, May 4, 2007

9 Sharing Data: Federation 1. Recognize and leverage the Information Sharing Value Chain (minimize risk to the value chain) 2. Forge Information Mobility (make information mobility seamless) Federated Data Environment 3. Make information a force multiplier (Create geometric advances in value) 4. Minimize Economic Impact of Identity Theft (minimize loss due to identify theft)

10 Sharing Data: IdM Objectives Applications IdM Objectives - Modeled Information- Sharing Identity Management Federation IMF Root ID BLUE GREY RED Cross-Domain Interoperability

11 Sharing Data: Architecture Identity Management Architecture bility ork opera amewo Inter Fra Process Architecture Data Architecture Technical Reference Architecture Policie es Governance Framework and Business Context

12 Creating Identity: Applying Policy How do we create, use, maintain and destroy credentials? Provision Propagate Use Deprovision Policy Questions: Who do we provision? To whom do we propagate? How/Where/When is the Identity Used? How often, when, how do we maintain? When/who do we deprovision? Maintain

13 IdM Concerns: Privacy The right to privacy is not explicitly mentioned in the U.S. Constitution. The right to privacy is considered implicit in the Constitution through the bill of rights (specifically the first, third, fourth, fifth and ninth amendments) and the fourteenth amendment. The Supreme Court has held that there is a fundamental right to privacy in the 14 th Amendment s due process clause Supreme Court s position on privacy has been influenced by social values and political beliefs

14 Privacy Rights (U.S. Soil) Activities that implicate the Right to Privacy Surveillance by the government Collection and retention of personal information Legally obtained personal information for improper uses. Illegally obtained personal information for legitimate purposes Absence of any reliable means to verify or contest the accuracy of personal data Retention of extensive amounts of legally obtained personal g y p information that has little or no relevance to legitimate purposes.

15 IdM: Ethical Concerns (Biometrics) Biometrics are PERSONAL data items Biometrics are not (currently) defined as SENSITIVE data Identity Management is a method for LINKING personal data (Biometric and other data) Biometrics creates associations Biometrics may reveal sensitive information when linked Biometrics, as a key, may lead to use other than intended Biometrics facilitates DIFFERENTIATION and DISCRIMINATION

16 Wrap-Up and Questions IdM concepts widely used across multiple domains Technology and Sense of Urgency have driven capabilities There are significant organizational and policy barriers to an integrated, effective DoD-wide capability Legal and Ethical issues will likely be the biggest long-term impediment to a government directed Identity Management capability