Identity & Privacy Protection

Transcription

1 Identity & Privacy Protection An Essential Component for a Federated Access Ecosystem Dan Turissini - CTO, WidePoint Corporation turissd@orc.com

2 CyberSecurity One of the most serious economic & national security threats our nation faces. -- President Obama Issues at Hand: Cost-effectively prevent Cyber-terrorism, Cyber-crime, & defend our nation s critical infrastructure: Reduce risk of un-authorized disclosure of proprietary & privacy information Share timely information securely with remote workers, vendors, partners & customers Ensure the accountability of all Cyber-transactions Avoid unnecessary costs arising from system silos Prevent Terrorism & Promote National Security Prevent Cybercrime; Identity Theft; Promote Efficient use of Technology Defend Critical Infrastructure from Invasive Attack & Information Theft

3 CyberApproach Standards-based, Cyber Identity Enabling Infrastructure (CIEI )* for electronic authentication, validation & access control: identity Management Create & maintain an identity, including discrete attributes, centralized administration & self-service of user accounts E-Authentication Provide repositories for identity, network and/or resource profiles; provide security services that enable identification, validation & support for authorization Access Management Provide authorization, audit & session management functions to define individual access rights for business partners, suppliers, customers or employees Provisioning & Workflow Implement business policies to support greater automation for devices such as identity tokens, credit cards, cell phones & PCs * Driven in the Federal Government by OMB & Commercial Cloud Based Initiatives Prevent Terrorism & Promote National Security Prevent Cybercrime; Identity Theft; Promote Efficient use of Technology Defend Critical Infrastructure from Invasive Attack & Information Theft

4 Federated Identity Solution Federated identity provides a strong, biometrically enabled electronic identity credential, that can be readily electronically validated by any Federal logical/physical access point that allows the decision maker or databases to make a local specific privilege and/or authorized access decision confident in: the identity of the person attempting access; the identity of the device attempting access; the identity of vetted organization that they represent; that the organization & the individual have a legal relationship; and, that the individual has been vetted in person consistent with defined levels. Credential assures you are who you say you are, Relying Party confirms what holder is permitted to access!

5 System of Systems A common understanding/ governance is required to insure interoperability and collapse silos

6 Federated Trust Trusted Third Parties Relying Parties (Federal, State & Local Government, Businesses & Individuals) The Trust Triangle Subscribers (End-Entities)

7 Robust Validation Infrastructure Validation Service (Site 1) CRL Update Path (ldap/ ldaps http/https) Validation Service (Site N) Alternative Validation Paths (OCSP) 50 + Compliant CRLs 20 + Compliant PKI Directories Local Area Network https Application Servers Client/WS Client/WS Inside and/or Outside the LAN Client/WS Client/WS OCSP Repeater

8 Strong Audit Processes Initiation -- Preparation -- Notification & Resource Id -- Syst Security Baseline, Analysis, Update, & Acceptance Continuous Monitoring Security Certification -- Configuration Mgmt & Control -- Security Controls Monitoring -- Status Reporting & Documentation -- Security Controls Assessment -- Security Certification Documentation Security Accreditation -- Security Accreditation Decision -- Security Accreditation Documentation A consistent certification process

9 Alternative Tokens CAC/ PIV/ PIV-I Embedded/ Removable HW Crypto FIPS-140/ Common Criteria SD/MicroSD USB Trusted Platform Module (TPM) SIM CAC = DoD Common Access Card PIV = U.S. Personal Identification Verification PIV-I = PIV-Interoperable (Non-Federal Issuer Equivalent)

10 Device as an Identity Token Removable HW Crypto SD/MicroSD USB SIM Embedded HW Crypto Token

11 Enhanced Logical Access Control 1. Initial Enterprise Logon 2. Validate Device Certificate Remote Client/WS Border Server Validation Data 5. Validate ID Certificate 3. Authenticated SSL VPN Established 4. Initiate Application Logon 6. Access Attributes Validation Data Remote Client/WS Border Server Application Server FDS SSL VPN https Remote Client/WS Border Server Application Server

12 Current Markets Fueled by Government Mandate for Increased Assurance Levels Government Security Standards will be Driven Across the Business Continuum Government Mandated Regulations Government Contracting Ecosystem Enterprise Marketplace End User Applications Mass Markets Millions of Users, Servers, Workstations and Handheld Devices Tens of Millions of Users, Servers, Workstations and Handheld Devices Global interoperability & Unlimited Computer Resources

13 Critical Infrastructure Protection Citizen Privacy Information Energy Grid First Responders Financial Systems Military Secrets Federal Government HealthCare/HIPAA Veterans Benefits Transportation Systems Retirees & Dependents Trading Partners & Allies Breaking down silos Sarbanes/ Oxley

14 Can Dramatically Reduce COGS Federated Digital Signature Solution Chain of Trust Privacy Reduces High Help Desk Costs Mitigates Risks Associated with username & passwords Enhances Fraud Protection Syndicated Investment/ Syndicated Risk Federally Certified & Accredited Products/ Services Interoperability

15 Summary Enhanced Security - New Customer Motivator Reduced Infrastructural Support Costs Minimal Investment - Immediate ROI Payback

16 Contact Information Dan Turissini - CTO, WidePoint Corporation, turissd@orc.com Questions?