NSTIC Pilot - Attribute Exchange Network. Biometric Consortium Conference - 2013


IdP, RP, AP and AXN Market Evolution

Startup (2011)
- Unrealized large market potential
- Evolving value propositions and use cases
- Evolving technology and policy standards
- Initial technology implementations
- Low-volume pricing (inefficient)
- Disruptive technology and business models

Pilots / Early Adoption (2012)
- Unproven market
- Defined market objectives and metrics
- Baseline technology and policy standards
- Demo and pilot systems ready
- Low-volume pricing (inefficient)
- Contracts with early participants

Growth / Efficient (2013+)
- Established market adoption
- Expanding portfolio of use cases
- Stabilized technology and policy standards
- Technology proven and operational
- High-volume pricing (efficient)

NSTIC Guiding Principles
- Privacy-enhancing and voluntary
- Secure and resilient
- Interoperable
- Cost-effective and easy to use

OIX AX Trust Framework
- Credential and attribute exchange
- Business, legal, technical, privacy, audit/certification
- Industry driven

Federated Identity Use Cases

Federated Consumer Login
- User credential of choice to create accounts (using verified, user-asserted attributes) and to enable SSO

Business Process Outsource Services
- Community hubs for outsourced communications and/or transaction services

Enterprise Attribute Based Access Control (ABAC)
- Federated login using verified attributes for policy-controlled access to shared resources
- Mitigate data leakage by controlling service, application and data level access
- Managing content providers, content, and real-time distribution

Supply/Value Chain
- Federated login (using many IdP credentials) to enterprise resources for employees, partners, and consumers
- Rationalizing credentials for federated login
- ABAC-driven access to shared resources

New Federation Applications
- Enhanced access, mobility, usability, and collaboration

Enabling IT & Other Values

Cloud implementation
- Real-time information verification services
- Authoritative information sources
- Reduce account creation and maintenance costs
- Customer single sign-on using a known login, to reduce drop-off

Credential Federation
- Verified attributes are used to create new or bind to existing user accounts
- Additional signals, including strength of authentication credentials
- Adaptive access ("step-up") verification and authentication methods for high-risk or sensitive transactions

Enterprise Federation
- Select appropriate attribute sources based on confidence level and price point
- Tiered verification mechanisms to enable broad (global) coverage
- Select information sets to meet the needs of specific transaction types (FIPPs data minimization)
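The ABAC use case on the previous slide and the "adaptive access" and "data minimization" points above describe a decision a relying party has to make on every transaction. The following is an added example, written for this page and not code from the AXN pilot or the deck, of how an RP can combine the credential's LOA, each claim's verification confidence and its freshness into an allow / step-up / re-verify decision, releasing to the application only the attributes that transaction type needs. The policy thresholds, attribute names, provider names and claim values are constructed for illustration.

```python
"""RP-side adaptive access decision over federated, verified attributes.

Added example (not AXN pilot code). Thresholds, providers and claims are
constructed; a real RP would load policies per transaction type from its
risk assessment and receive claims via the AXN (SAML/OAuth/OpenID).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Claim:
    """One verified attribute claim as relayed to the RP through the AXN."""
    name: str
    value: str
    source: str            # attribute provider (AP) that verified the value
    confidence: float      # AP-reported verification confidence, 0.0..1.0
    verified_at: datetime  # when the AP last verified the value


@dataclass(frozen=True)
class Assertion:
    """What the RP holds after federated login: credential LOA plus claims."""
    subject: str           # RP-local account identifier
    credential_loa: int    # LOA 1..4 of the IdP credential used to log in
    claims: Dict[str, Claim]


@dataclass(frozen=True)
class AttributeRule:
    min_confidence: float  # lowest AP confidence the RP accepts for this attribute
    max_age: timedelta     # the claim must have been verified within this window


@dataclass(frozen=True)
class TransactionPolicy:
    """Requirements for one transaction type; only listed attributes are used."""
    required_loa: int
    attributes: Dict[str, AttributeRule]


@dataclass
class Decision:
    outcome: str                                            # "allow", "step_up", "reverify"
    released: Dict[str, str] = field(default_factory=dict)  # minimized set, only on allow
    reasons: List[str] = field(default_factory=list)


def decide(policy: TransactionPolicy, assertion: Assertion, now: datetime) -> Decision:
    """Evaluate one transaction.

    1. Every required attribute must be asserted, above the confidence floor and
       fresh; otherwise the RP asks the AXN to source or re-verify it ("reverify").
    2. If the attributes are fine but the credential LOA is below the requirement,
       the user is sent through step-up authentication ("step_up").
    3. Otherwise the transaction proceeds with just the required attributes.
    """
    released: Dict[str, str] = {}
    reasons: List[str] = []
    for name, rule in policy.attributes.items():
        claim = assertion.claims.get(name)
        if claim is None:
            reasons.append(f"{name}: not asserted; request from an AP")
        elif claim.confidence < rule.min_confidence:
            reasons.append(f"{name}: confidence {claim.confidence:.2f} below "
                           f"{rule.min_confidence:.2f} (source {claim.source})")
        elif now - claim.verified_at > rule.max_age:
            reasons.append(f"{name}: verified {(now - claim.verified_at).days} days ago, "
                           f"limit {rule.max_age.days} days")
        else:
            released[name] = claim.value
    if reasons:
        return Decision("reverify", {}, reasons)
    if assertion.credential_loa < policy.required_loa:
        return Decision("step_up", {}, [f"credential LOA {assertion.credential_loa} "
                                        f"below required LOA {policy.required_loa}"])
    return Decision("allow", released, ["attribute and LOA requirements met"])


# Constructed sample: a user logged in with an LOA 2 credential and three claims.
NOW = datetime(2013, 9, 17, tzinfo=timezone.utc)
SAMPLE = Assertion(
    subject="rp-account-4711",
    credential_loa=2,
    claims={
        "email": Claim("email", "alice@example.org", "idp.example", 0.99, NOW - timedelta(days=1)),
        "dob": Claim("dob", "1980-05-04", "dmv.example", 0.95, NOW - timedelta(days=30)),
        "address": Claim("address", "1 Main St", "bureau.example", 0.70, NOW - timedelta(days=400)),
    },
)

# Constructed per-transaction policies (this example's risk tiers, not the deck's).
DAY = timedelta(days=1)
POLICIES: Dict[str, TransactionPolicy] = {
    "browse": TransactionPolicy(1, {"email": AttributeRule(0.90, 365 * DAY)}),
    "open_account": TransactionPolicy(2, {"email": AttributeRule(0.90, 365 * DAY),
                                          "dob": AttributeRule(0.90, 365 * DAY)}),
    "change_payout": TransactionPolicy(3, {"dob": AttributeRule(0.90, 365 * DAY)}),
    "wire_transfer": TransactionPolicy(3, {"dob": AttributeRule(0.90, 365 * DAY),
                                           "address": AttributeRule(0.90, 90 * DAY)}),
}


def run_all(assertion: Assertion = SAMPLE, now: datetime = NOW) -> Dict[str, Decision]:
    return {kind: decide(policy, assertion, now) for kind, policy in POLICIES.items()}


if __name__ == "__main__":
    for kind, d in run_all().items():
        print(f"{kind:14s} {d.outcome:9s} released={d.released} {'; '.join(d.reasons)}")
```

Re-verification is checked before step-up on purpose: there is no point putting the user through a stronger authentication if the RP will still have to go back to an AP for a fresh address, and the RP never hands the application a partially satisfied attribute set.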

IdAM Constituency To Approach (source: Gartner Group)

Employee Services
- Purpose/Posture: Enable / Provide / Manage / Collect
- Life Cycle Event / Options: Enterprise admin; change in authoritative source
- ID Store: Enterprise Directory
- Authorization: Roles / Rules / ABAC
- Authentication: Username/Password, Strong Auth, Federate, ID Proofing
- Audit: Access Certification / Reporting

Contractor Services
- Purpose/Posture: Enable / Provide / Manage / Collect
- Life Cycle Event / Options: Delegated admin; change in authoritative or federated source
- ID Store: Federated Enterprise Directory
- Authorization: Sponsored Roles / Rules / ABAC
- Authentication: Username/Password, Strong Auth, Federate, Adaptive Access, ID Proofing
- Audit: Access Certification / Reporting

Vendor Services
- Purpose/Posture: Enable / Manage / Collect
- Life Cycle Event / Options: Delegated admin; self-service; federated provisioning (SCIM)
- ID Store: Federated Enterprise Directory / VDS
- Authorization: Roles / Rules / ABAC; OAuth or SAML
- Authentication: Username/Password, Strong Auth, Federate, Adaptive Access, ID Proofing
- Audit: Access Certification / Reporting; Real-time Monitoring

Partner Services
- Purpose/Posture: Enable / Provide / Support
- Life Cycle Event / Options: Delegated admin; self-service; federated provisioning (SCIM)
- ID Store: Federated Enterprise Directory / VDS
- Authorization: Roles / Rules / ABAC; OAuth or SAML
- Authentication: Username/Password, Strong Auth, Federate, Adaptive Access, ID Proofing
- Audit: Real-time Monitoring / Fraud Detection

Customer Services
- Purpose/Posture: Expose / Sell / Service / Provide
- Life Cycle Event / Options: Self-service; social identity (OpenID); federated provisioning (SCIM)
- ID Store: Federated Enterprise Directory / VDS
- Authorization: Roles / Rules / ABAC; OAuth or SAML
- Authentication: Username/Password, Strong Auth, Federate, Adaptive Access, ID Proofing
- Audit: Real-time Monitoring / Fraud Detection

Public Services
- Purpose/Posture: Expose / Sell / Service / Provide
- Life Cycle Event / Options: Self-service; social identity (OpenID); federated provisioning (SCIM)
- ID Store: Federated Enterprise Directory / VDS
- Authorization: Roles / Rules / ABAC; OAuth or SAML
- Authentication: Username/Password, Strong Auth, Federate, Adaptive Access, ID Proofing
- Audit: Real-time Monitoring / Fraud Detection

AXN Services Framework

Participants: Attribute Providers (AP), Trust Framework Provider (TFP), Identity Providers (IdP), the Attribute Exchange Network (AXN, acting as proxy), Relying Parties (RP), Assessors & Auditors, Dispute Resolvers, and the user.

IdP Services
- Credential: OpenID 2.0, SAML 2.0, IMI 1.0
- Protocol: OAuth 2.0, SAML 2.0, other
- LOA: LOA 1-4
- Cert/TF: FICAM, OIX, Kantara, other

AP Services
- Attributes: NEAT, SS, DOB, Gender, Corp
- Verification quality: refresh rate, coverage, sources, data types
- Physical: device ID, BIO, card, other
- Pricing: per transaction, per user per year, annual license
- Cert/TF: FICAM, OIX, Kantara, other

AXN Services
- Billing, pricing and analytics
- Account management, service provisioning, contracting
- Policy management, marketing
- Transaction management, registration
- Operations and security, logs, reporting
- Administration, audit, user interface

RP Services
- Enroll: business purpose, attribute selection, claims refresh rate, IdP & RP selections, user preferences, contract
- LOA: LOA 1-4
- Admin: logs, reporting, billing, contract management
- Cert/TF: FICAM, OIX, Kantara, other

User Services
- Attributes: not stored in the AXN, self-asserted, data minimization
- PDS: PII, preferences, ABAC, encrypted, external store
- MAX: user only, personal control and security, account linking, federated access via RP

AXN Identity Federation Services

1. Credential Federation
- Verified attributes are used to create new or bind to existing user accounts

2. Personal Data Services (PDS)
- User attribute data is not stored in the AXN
- PDS data is presented via MAX (My Attribute Exchange) to create and manage RP accounts
- User-centric, privacy protective, secure, and federated
- No cost to the user

3. User Managed Admin (UMA) Console
- Authenticated users have federated access at each RP
- Created when a user first opts in to share their verified attribute claims via the AXN with an RP
- Users can securely manage PDS attributes shared with an RP service accessed by an IdP credential
- Enables the user to link and unlink multiple IdP credentials

AXN Technology Roadmap: Trust Elevation Services

Device Attribute Verification Services
- Mobile device verification services: users log in using a trusted mobile device registered and managed on the AXN via MAX; a secure device ID service ensures user RP accounts can only be accessed from a trusted device
- Computer verification services: over 600 million computers with Trusted Platform Modules (TPMs) can be managed via the AXN; Windows 8 requires TPMs on a wide range of devices, from desktops to smartphones

Biometric Attribute Verification Services
- Cloud-based voice, retinal, photo and fingerprint verification services (Daon, CGI, and others)
- Integration with authoritative AP services, e.g., driver license attributes and photos

ABAC Services
- Fine-grained policy authorization services
- UMA services to dynamically control access to RP data and services

AXN Privacy By Design

AXN legal agreements
- Standardized agreements with regulatory flow-down terms from IdPs and APs
- Limit PII collection to what is necessary to accomplish the specified purpose(s)
- Accountability and audit to protect PII through appropriate safeguards

AXN as a proxy
- No single service provider can gain a complete picture of a user's activity

The AXN data management design mitigates potential threats
- Does not create a central data store of verified user attributes
- Security and privacy enhancing technology is built into the AXN infrastructure
- Users opt in to each control process for collection, verification, and distribution of attributes
- User admin console for attribute and credential management
- Only the minimum necessary information is shared in a transaction (FIPPs)
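The proxy and data-management properties on this slide (no central attribute store, per-RP opt-in, minimum necessary release, no provider sees the whole picture) can be checked in code. The following is an added example written for this page, not code from the AXN pilot: a minimal exchange proxy that releases to an RP only the attributes it enrolled for and the user opted in to share, calls the AP with a subject handle rather than the RP's identity, hands the RP a per-RP pairwise identifier instead of the AP's subject, and keeps an audit record of attribute names but never values. The pairwise-identifier derivation, the opt-in store, the lookup callback shape and the sample AP data are this example's assumptions, not the deck's design.

```python
"""Attribute exchange proxy with data minimization and no attribute store.

Added example (not AXN pilot code). The pairwise identifier, opt-in store,
AP lookup signature and sample data are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class RPEnrollment:
    rp_id: str
    business_purpose: str
    attributes: Set[str]  # attribute selection agreed at RP enrollment


@dataclass(frozen=True)
class AuditRecord:
    txn_id: str
    rp_id: str
    ap_id: str
    released: Tuple[str, ...]  # attribute names only, never values
    withheld: Tuple[str, ...]  # requested but not opted in by the user


# AP lookup: (ap_id, ap_subject_handle) -> {attribute: value}.
# The AP is never told which RP triggered the lookup.
APLookup = Callable[[str, str], Dict[str, str]]


class AttributeExchangeNetwork:
    def __init__(self, ap_lookup: APLookup, pairwise_key: bytes):
        self._ap_lookup = ap_lookup
        self._pairwise_key = pairwise_key
        self._rps: Dict[str, RPEnrollment] = {}
        self._opt_in: Dict[Tuple[str, str], Set[str]] = {}  # (user, rp_id) -> attrs
        self.audit: List[AuditRecord] = []

    def enroll_rp(self, enrollment: RPEnrollment) -> None:
        self._rps[enrollment.rp_id] = enrollment

    def user_opt_in(self, user: str, rp_id: str, attributes: Set[str]) -> None:
        """User-managed consent: which of the RP's enrolled attributes to share."""
        self._opt_in[(user, rp_id)] = set(attributes) & self._rps[rp_id].attributes

    def pairwise_subject(self, user: str, rp_id: str) -> str:
        """Stable per-RP identifier (assumed design); two RPs cannot join on it."""
        mac = hmac.new(self._pairwise_key, f"{user}|{rp_id}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def exchange(self, user: str, rp_id: str, ap_id: str, ap_handle: str,
                 requested: Set[str]) -> Tuple[str, Dict[str, str]]:
        """Relay verified attributes from an AP to an RP for one transaction."""
        enrollment = self._rps[rp_id]
        over_ask = requested - enrollment.attributes
        if over_ask:  # RP asking beyond its enrolled selection is a contract violation
            raise PermissionError(f"{rp_id} not enrolled for {sorted(over_ask)}")
        allowed = requested & self._opt_in.get((user, rp_id), set())
        withheld = requested - allowed
        txn_id = secrets.token_hex(8)
        full = self._ap_lookup(ap_id, ap_handle)  # AP sees only the handle
        released = {k: full[k] for k in sorted(allowed) if k in full}
        # Audit keeps names only; `full` and `released` are not retained by the AXN.
        self.audit.append(AuditRecord(txn_id, rp_id, ap_id,
                                      tuple(sorted(released)), tuple(sorted(withheld))))
        return self.pairwise_subject(user, rp_id), released


# Constructed sample AP data; a real AP would verify against authoritative records.
_AP_DATA = {
    "dmv.example": {
        "subj-9f3a": {"name": "Alice Example", "dob": "1980-05-04",
                      "address": "1 Main St", "license_photo": "<jpeg bytes>"},
    },
}


def constructed_ap_lookup(ap_id: str, handle: str) -> Dict[str, str]:
    return dict(_AP_DATA[ap_id][handle])


def demo() -> Tuple[AttributeExchangeNetwork, str, Dict[str, str]]:
    axn = AttributeExchangeNetwork(constructed_ap_lookup, pairwise_key=b"demo-key")
    axn.enroll_rp(RPEnrollment("broker.example", "investor account opening",
                               {"name", "dob", "address"}))
    axn.user_opt_in("alice", "broker.example", {"name", "dob"})  # user withholds address
    subject, released = axn.exchange("alice", "broker.example", "dmv.example",
                                     "subj-9f3a", {"name", "dob", "address"})
    return axn, subject, released


if __name__ == "__main__":
    axn, subject, released = demo()
    print(subject, released)
    print(axn.audit[-1])
```

Two checks are worth keeping in a real deployment: that nothing reachable from the proxy's state after a transaction contains an attribute value (here, only the audit list survives the call), and that an RP requesting an attribute outside its enrollment fails loudly rather than being silently trimmed, since an over-ask is exactly the behaviour the enrollment contract exists to catch.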

The First Year: NSTIC Use Cases

Broadridge Use Case
- RP Service: Fluent Online Application Platform for Investor Communications
- Industry: B to C; Investor Communications

General Electric (GE) Industrial Enterprise Use Case (Pending Final Approval)
- RP Service: Various Service Sector Applications; Corporate, Partner and Consumer Account Access
- Industry: B to C, B to B; Multiple Market Verticals

DHS/FEMA (MIT Lincoln Labs) First Responder Use Case
- RP Service: Account creation and login for the First USA disaster response collaboration portal
- Industry: G to G, G to C; First Responders, First USA Services

eBay Use Case
- RP Service: Retail Seller and Buyer Account Creation and Login
- Industry: B to C, C to C; Retail

AXN Demonstration

Lessons Learned
- RPs are the customer, and will drive market requirements, adoption, and policy controls.
- Emerging Trust Frameworks are being driven by Communities of Interest (COI) who seek market operational efficiencies through business, legal, technical and policy interoperability.
- Credential federation requires policy changes to enable significant security, user experience (SSO and account creation), and business benefits.
- Current IdP and RP business practices do not always conform to FIPPs, and need to be managed.
- A rigorous Privacy Evaluation Methodology (PEM) implementation resulted in significant benefits: AXN technical and architectural enhancements, and privacy-protective enhancements as core messaging in the AXN marketing strategy.
- RP risk mitigation strategies (for a required LOA) lack consistency.
- Emerging user-centric trust elevation technologies are scalable, cost-effective and interoperable.
- Trust Marks could be used to objectively promote confidence in various combinations of authentication methods, verified user attributes, and attribute claims from device identities, biometric technologies, etc. It would be helpful to map these risk mitigation methods to NIST SP 800-63.