Identity, Credential, and Access Management at NASA, from Zachman to Attributes

Similar documents

Office of the Chief Information Officer Department of Energy Identity, Credential, and Access Management (ICAM)

Interagency Advisory Board Meeting Agenda, May 27, 2010

Identity Management for Interoperable Health Information Exchanges

DOE Joint ICAM Program - Unclass & Secret Fabrics

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

Outline SSC Configuring and Troubleshooting Windows Server 2008 Active Directory

Extend and Enhance AD FS

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

Identity, Credential, and Access Management. Open Solutions for Open Government

Identity, Credential, and Access Management. An information exchange For Information Security and Privacy Advisory Board

Entrust IdentityGuard Comprehensive

Session 17 Windows 7 Professional DNS & Active Directory(Part 2)

PRIVACY IMPACT ASSESSMENT

Designing IT Platform Collaborative Applications with Microsoft SharePoint 2003 Workshop

Enterprise Architecture Standard

The Unique Alternative to the Big Four. Identity and Access Management

Shared Services Canada (SSC)

Course 2788A: Designing High Availability Database Solutions Using Microsoft SQL Server 2005

Government of Canada Directory Services Architecture. Presentation to the Architecture Framework Advisory Committee November 4, 2013

Quest One Identity Solution. Simplifying Identity and Access Management

STATE OF NEW YORK IT Transformation. Request For Information (RFI) Enterprise Identity and Access Management Consolidated Questions and Responses

Active Directory and DirectControl

Role Based Access Control for Industrial Automation and Control Systems

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

COMPLETE COMPUTING, INC.

Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack 2

10233B: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

Identity Access Management Challenges and Best Practices

Outline SSS Configuring and Troubleshooting Windows Server 2008 Active Directory

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack 2 MOC 10233

Course: Configuring and Troubleshooting Windows Server 2008 Active Direct-ory Domain Services

M6425a Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Microsoft Active Directory Project

NASA Consolidated Active Directory Overview ( August 20, 2012 ) Les Chafin Infrastructure Engineering HPES

Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack 2

USDA Identity, Credential and Access Management

Citrix Password Manager 4.5 Partner and Sales FAQ

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Single Sign-On: Reviewing the Field

Integrated Approach to User Account Management

Department of Defense SHA-256 Migration Overview

Security Assertion Markup Language (SAML) Site Manager Setup

DEPARTMENTAL REGULATION

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

PROTECT YOUR WORLD. Identity Management Solutions and Services

Mod 3: Office 365 DirSync, Single Sign-On & ADFS

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Authentication, Authorization, and Audit Design Pattern: Internal User Identity Authentication

Advanced Authentication

Recommended Practices for Deploying & Using Kerberos in Mixed Environments

U.S. DEPARTMENT OF COMMERCE UNITED STATES PATENT AND TRADEMARK OFFICE. Privacy Impact Assessment

MS-50255: Managing, Maintaining, and Securing Your Networks Through Group Policy. Course Objectives. Required Exam(s) Price.

ALIGNING BUSINESS STRATEGY TO CLOUD APPLICATIONS

Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack 2

Mod 2: User Management

Course 10233:Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack 2

How To Configure An Active Directory Domain Services

Adagio and Terminal Services

Active Directory & Consolidation Project. Category: Enterprise IT Management Initiatives. State of Missouri

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

Module: Sharepoint Administrator

IDENTITY & ACCESS MANAGEMENT

Defense Information Systems Agency A Combat Support Agency. Identity and Access Management (IdAM): Consistent Access to Capability

Federal Identity, Credentialing, and Access Management. Identity Scheme Adoption Process

User Guide Remote PIV to VDI Using a PIV Card

Factory-Installed, Standards-Based Hardware Security. Steven K. Sprague President & CEO, Wave Systems Corp.

Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010

Windows and Active Directory The Replacement for Novell Netware

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Exploring Converged Access of IT Security and Building Access Today, Tomorrow and the Future

NETWRIX IDENTITY MANAGEMENT SUITE

Configuring Sites and Understanding AD replication. Dante Villarroel Saavedra

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Course Agenda: Managing Active Directory with NetIQ Directory and Resource Administrator and NetIQ Exchange Administrator

NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman

Designing a Windows Server 2008 Applications Infrastructure

Troubleshooting and Supporting Windows 7 in the Enterprise

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

This unit contains the following two lessons:

Transcription:

Identity, Credential, and Access Management at NASA, from Zachman to Attributes Corinne Irwin Dennis Taylor VISION: Integrated, secure, and efficient information technology and solutions that support NASA

Agenda Based upon a paper that Corinne Irwin and I presented at IDtrust 2009 in April 2009 (Identity, Credential, and Access Management at NASA, from Zachman to Attributes) EA View Active Directory consolidation authentication source to enable smartcard authentication LoA Requirements October 20, 2009 ICAM at NASA 2

Introduction NASA includes: 20,000 civil servant employees 80,000 on-site contractors Additional partners world-wide NASA s system/application landscape includes: 3,000 applications, most built in-house Mission control, research labs, product fabrication, more Every flavor of every operating system, hardware, software. Historically, NASA has been: Highly decentralized Autonomous Centers with a B-to-B network infrastructure Characterized by weak CIO governance HSPD-12 helped us: Implement a robust Identity, Credential, and Access Management Architecture Position NASA for use of ABAC and RBAC October 20, 2009 ICAM at NASA 3

Enterprise Architecture Enterprise Architecture (EA) frameworks provide structure for developing complex, integrated systems Ideally, one: Develops an As-Is architecture Develops a To-Be architecture Performs gap analysis Develops plan to move toward the To-Be architecture NASA used Zachman to develop its ICAM architecture starting in 2006 October 20, 2009 ICAM at NASA 4

The Really Big Picture COMMUNITY ASSET GROUP Access Permission Rules MEMBERSHIP ACCESS PERMISSION POSITION WORKER CLEARANCE ASSET ACCESS REQUEST Approved! INVESTIGATION Implemented Objects CREDENTIAL ACCESS CONTROL ACCESS POINT October 20, 2009 ICAM at NASA 5

ICAM Business Processes October 20, 2009 ICAM at NASA 6

ICAM Systems Model October 20, 2009 ICAM at NASA 7

Technology Model October 20, 2009 ICAM at NASA 8

Identity Management October 20, 2009 ICAM at NASA 9

Identity and Credential October 20, 2009 ICAM at NASA 10

Full ICAM Model October 20, 2009 ICAM at NASA 11

NCAD Active Directory Forest and Domain Structure As-Is Structure To-Be CDR Structure Supports Migration Activities To-Be Structure: One Forest One Domain ndc.nasa.gov October 20, 2009 ICAM at NASA 12

NCAD Interim/Current Topology October 20, 2009 ICAM at NASA 13

NCAD TO-BE Topology October 20, 2009 ICAM at NASA 14

AD Consolidation Summary Finally top-down versus grass-roots Formal project methodology System Engineering Methodology per NASA NPR 7123 Project Management Lifecycle per NASA NPR 7120.7 Detailed large project plan with linked tasks Project plan maintained by an experienced project scheduler Formality in test-set development SIR-TP, SATS, ORTS, all with traceability Project Manager experienced in large engineering development; experienced program managers for two major contractors leading effort Brought in personnel with experience in similar consolidation efforts at Army, AF, and Navy-Marines All eggs in one basket argument SIEM April 14, 2009 ICAM at NASA 15

LoA Introduction: Tokens October 20, 2009 ICAM at NASA 16

Missing Capture of LoA on Logon October 20, 2009 ICAM at NASA 17

Missing AuthZ based upon LoA October 20, 2009 ICAM at NASA 18

New Developments Since April Windows 2008 R2 Windows domain logon on an XP workstation using password October 20, 2009 ICAM at NASA 19

New Developments Since April Windows 2008 R2 Windows domain logon on an XP workstation using smartcard (PIV) Reference: http://technet.microsoft.com/en-us/library/dd378897.aspx October 20, 2009 ICAM at NASA 20

LoA Summary We are going to be using a mix of primarily passwords and smartcards for a long time We need our authentication service to provide an LoA attribute to our authorization mechanism Authorization based upon strength of authentication Our eauth service (based upon Sun Access Manager) can provide this attribute through SAML like structures We need Microsoft Active Directory to provide a similar functionality in their logon (KINIT, PKINIT) and resultant PAC authorization data We need capability to map particular policy OID to security group id-fpki-common-authentication means PIV card (only real measure) October 20, 2009 ICAM at NASA 21

Backup VISION: Integrated, secure, and efficient information technology and solutions that support NASA

Conclusions A well-developed Enterprise Architecture is essential to ICAM implementation NASA must implement Position and Community Management modules in order to support robust ABAC Integrated data flow means data is only authoritative at the source, and changes can only occur at the source Identity federation and LoA require additional maturity in the market Technology is sometimes tricky, but politics is harder! Single sign-on is a strong motivator for migration October 20, 2009 ICAM at NASA 23

Use Cases October 20, 2009 ICAM at NASA 24

Future LoA Tokens October 20, 2009 ICAM at NASA 25