Integration of Access Security with Cloud-Based Credentialing Services
Global Identity Summit, September 17, 2014
All text, graphics, the selection and arrangement thereof, unless otherwise cited as externally sourced, are Copyright 2014 by CertiPath, Inc. ALL RIGHTS RESERVED. Any use of these materials including reproduction, modification, distribution or republication, without the prior written consent of CertiPath, Inc., is strictly prohibited.
What the Heck Does That Mean? "Integration of Access Security with Cloud-Based Credentialing Services"?
Let's narrow this down a bit: Enterprise Physical Access Control Systems (E-PACS) integration with the cloud
- NOT an isolated system anymore
- NOT an issuer of badges
- NOT solely Federal
- NOT authoritative for everything
The Way It Was
Traditional PACS: Site-centric
Traditional identity credentialing process
Traditional PACS: The Silo Syndrome
(Diagram: agencies such as CBP, AG, USCIS, FBI, DHS, GSA, TSA and CDC each running their own PACS silo.)
- Proprietary PACS, card formats
- Duplication of operations: ID proofing, Issuance, Registration to PACS
- Low assurance!
- No guarantee of uniqueness
- Think of the expense and the Lock Down problem
The Transformation
Dependence on cloud-based:
- Enterprise Identity Management
- Credential Issuance
- PKI Services
FICAM Roadmap: Federal Enterprise Target Conceptual Diagram
FICAM Roadmap: Overview of PACS within the Overall Infrastructure
What is ICAM?
ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.
Key ICAM Service Areas Include:
- Digital Identity
- Credentialing
- Privilege Management
- Authentication
- Authorization & Access
- Cryptography
- Auditing and Reporting
ICAM Foundational Architecture
E-IdM and My E-PACS
ICAM provides:
- E-IdM: Trusted sources of identity for my agency/department
- PIV: Interoperable credentials for these individuals
- PKI: Identity binding and status of the employer/employee relationship
- Automated Provisioning: Trusted identities and their credentials into my E-PACS database
- Trust: Is that credential still valid? On separation, I will know to remove that person from my E-PACS within 24 hours
How Policies Govern Implementations
(Lock-and-key diagram)
- Usage (Buildings/Facilities): NIST SP 800-116
- Lock: FICAM PIV in Enterprise PACS
- Key: PIV/PIV-I per FIPS 201 & FBCA CP
NIST SP 800-116
- Provides guidance on usage of a PIV technology card in PACS
- Defines threats/countermeasures when using PIV correctly and incorrectly!
- Defines migration of the federal enterprise through a maturity model
The Tools in my Arsenal
Secures against cards that are: Revoked; Counterfeit or Altered; Copied or Cloned; Lost or Stolen; Shared (the per-mode marks are in the slide graphic and are not recoverable from the text)

Auth Mode       Auth Factors   SP 800-116 Security Area
Chip Serial #   None           Uncontrolled
FASC-N/UUID     None           Uncontrolled
CHUID+VIS       1              Controlled
PKI-CAK         1              Controlled
PKI-AUTH        2              Limited
PKI-AUTH+BIO    3              Exclusion

Performing signature checks and private key challenges at enrollment is not sufficient to achieve these levels of assurance. They must be done at the time of access.
Revocation checking for FASC-N and CHUID modes must be done using the PIV authentication certificate.
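The FASC-N row in the table above is an identifier-only mode: the reader pulls the 200-bit value out of the CHUID and looks it up in the PACS database. The parser below is an added example written for this page, not CertiPath's or any vendor's code. It decodes that wire format (forty 5-bit BCD characters with odd parity, start and end sentinels, field separators and a trailing LRC, in the field order the SCEPACS TIG lays out) and reports structural faults. The sample card value and the EncodeFASCN helper that builds it are constructed for the example, as are all field values. What the parser cannot do is the slide's point: a well-formed FASC-N gives no authentication factor, so authenticity and revocation status still have to come from the PIV authentication certificate.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// FASCN holds the nine data fields of a 200-bit FASC-N, in wire order.
type FASCN struct {
	AgencyCode, SystemCode, CredentialNumber, CredentialSeries, IndividualCredentialIssue string
	PersonIdentifier, OrgCategory, OrgIdentifier, PersonAssociation                       string
}

// seg is one element of the wire layout: a control character (sep) or a run of BCD digits.
type seg struct{ sep, digits int }

// Wire layout: SS AC FS SC FS CN FS CS FS ICI FS PI OC OI POA ES, then the LRC (40 characters).
// Control values are the four data bits of SS=11010, FS=10110 and ES=11111 read LSB first.
var layout = []seg{{0xB, 0}, {0, 4}, {0xD, 0}, {0, 4}, {0xD, 0}, {0, 6}, {0xD, 0}, {0, 1},
	{0xD, 0}, {0, 1}, {0xD, 0}, {0, 10}, {0, 1}, {0, 4}, {0, 1}, {0xF, 0}}

// lrc is the longitudinal redundancy check: XOR of the data bits of every preceding character.
func lrc(vals []int) int {
	x := 0
	for _, v := range vals {
		x ^= v
	}
	return x
}

// unpackChars splits 25 bytes into 40 five-bit characters (b1 b2 b4 b8 P), verifying
// odd parity on each character and the LRC over the whole string.
func unpackChars(raw []byte) ([]int, error) {
	if len(raw) != 25 {
		return nil, fmt.Errorf("FASC-N must be 25 bytes, got %d", len(raw))
	}
	vals := make([]int, 40)
	for i := range vals {
		v, ones := 0, 0
		for b := 0; b < 5; b++ {
			pos := i*5 + b
			bit := int(raw[pos/8]>>(7-pos%8)) & 1
			if b < 4 {
				v |= bit << b // b1 is the least significant data bit
			}
			ones += bit
		}
		if ones%2 == 0 {
			return nil, fmt.Errorf("parity error in character %d", i)
		}
		vals[i] = v
	}
	if lrc(vals[:39]) != vals[39] {
		return nil, errors.New("LRC mismatch")
	}
	return vals, nil
}

// ParseFASCN decodes the 25 bytes a reader pulls out of the CHUID. A clean parse means the
// bytes are well formed; it says nothing about whether the card is genuine or still valid.
func ParseFASCN(raw []byte) (*FASCN, error) {
	vals, err := unpackChars(raw)
	if err != nil {
		return nil, err
	}
	var f []string
	i := 0
	for _, s := range layout {
		if s.digits == 0 {
			if vals[i] != s.sep {
				return nil, fmt.Errorf("expected control character %X at %d, got %X", s.sep, i, vals[i])
			}
			i++
			continue
		}
		d := make([]byte, 0, s.digits)
		for k := 0; k < s.digits; k++ {
			if vals[i] > 9 {
				return nil, fmt.Errorf("non-digit value %X at %d", vals[i], i)
			}
			d = append(d, byte('0'+vals[i]))
			i++
		}
		f = append(f, string(d))
	}
	return &FASCN{f[0], f[1], f[2], f[3], f[4], f[5], f[6], f[7], f[8]}, nil
}

// EncodeFASCN is the inverse of ParseFASCN. It exists here only to construct sample input
// and assumes every field already has the digit count the layout requires.
func EncodeFASCN(f *FASCN) []byte {
	fields := []string{f.AgencyCode, f.SystemCode, f.CredentialNumber, f.CredentialSeries,
		f.IndividualCredentialIssue, f.PersonIdentifier, f.OrgCategory, f.OrgIdentifier, f.PersonAssociation}
	var vals []int
	for _, s := range layout {
		if s.digits == 0 {
			vals = append(vals, s.sep)
			continue
		}
		for _, c := range fields[0] {
			vals = append(vals, int(c-'0'))
		}
		fields = fields[1:]
	}
	vals = append(vals, lrc(vals))
	out := make([]byte, 25)
	for i, v := range vals {
		ch := v | (1-bits.OnesCount8(uint8(v))%2)<<4 // odd parity goes in the fifth bit
		for b := 0; b < 5; b++ {
			if ch>>b&1 == 1 {
				out[(i*5+b)/8] |= 0x80 >> ((i*5 + b) % 8)
			}
		}
	}
	return out
}

func main() {
	sample := &FASCN{"9999", "0001", "000123", "0", "1", "1234567890", "1", "0001", "1"} // constructed values
	raw := EncodeFASCN(sample)
	got, err := ParseFASCN(raw)
	fmt.Printf("%x\n%+v %v\n", raw, got, err)
	raw[3] ^= 0x08 // one flipped bit, as a marginal read would produce
	_, err = ParseFASCN(raw)
	fmt.Println("after bit flip:", err)
}
```

Any single flipped bit changes one character's parity, so a marginal read is rejected before the PACS does a database lookup on a wrong identifier. The same decoder output is what a PACS compares against its provisioned records; the design point is to key the record on the full FASC-N rather than a truncated credential number, since the slide's "no guarantee of uniqueness" problem reappears as soon as fields are dropped.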
Mapping Authentication Method to Controlled Areas
NOTE: Circled numbers are references to explanatory text in SP 800-116, not the number of authentication factors.
SO... When Someone Shows Up at My Door
- PKI-Authentication: the user digitally signs for access
- PKI-Digital Signature: for email or PC login
How LONG is the PKI cloud dog's tail?
(Diagram of the PKI trust fabric. Legend: Sponsored Other Federal Agency; Sponsored International Government; Commercial Shared Service Provider.) CAs shown: VeriSign SSP CA - G2, VeriSign Class 1 SSP, VeriSign Class 2 SSP, VeriSign Class 3 SSP, State of Illinois, DOJ, Veterans Affairs, ORC ECA, VeriSign ECA, IdenTrust ECA, Subordinate CAs, VeriSign SSP G3, ORC SSP 3, ORC SSP 2, Entrust, Verizon Business, ECA Root CA 2, Root 1, Federal Common Policy CA, Root 2, iroot, Federal Bridge (FBCA), UK CCEB Root, UK MOD CCEB Root, DOS, GPO, USPTO, Treasury, CertiPath Root CA, DST ACES CA, CertiPath Bridge (CBCA), Verizon Business, ORC Root 2, ORC NFI CA 2, Entrust NFI Root, Exostar, EADS Cassidian, Carillon, Lockheed Martin, Raytheon, Northrop Grumman, The Boeing Company, SITA, Exostar, NL MoD, UK MoD
SHA1 Infrastructure (diagram: the same CAs as the trust-fabric slide above, shown for the SHA-1 infrastructure)
SHA2 Infrastructure (diagram: the same CAs, shown for the SHA-2 infrastructure)
PIV Issuers (diagram: the same CAs, with the PIV issuers identified)
PIV-I Issuers (diagram: the same CAs, with the PIV-I issuers identified)
High Assurance Transactions have many opportunities to fail
(Diagram centred on a server PKI-Authentication transaction; the failure points shown:)
- Server SSL Cert: has expired; was tampered with; has been revoked
- Server SSL Cert's CRL: was tampered with; is offline
- Issuing CA's Cert: has expired; has been revoked; was tampered with
- Issuing CA: has been re-keyed
- Issuing CA's CRL: was tampered with; is offline
- Cross-certificate: has expired; was tampered with; has a new Policy Constraint; has a new Name Constraint
- Cross-certificate's CRL: was tampered with
- SCA re-key has occurred
- Unable to build path
- AIA location offline
- OCSP Responder: is offline; its cert has expired; its cert was tampered with
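Several of the failure points on this slide (an expired certificate, a path that cannot be built, a CA with a new name constraint, a revoked subscriber, a CRL that is tampered with or stale) are exactly what the earlier SP 800-116 slide says must be tested at the time of access rather than at enrollment. The program below is an added example written for this page, not CertiPath code. It builds a constructed two-tier fabric with Go's standard crypto/x509 package (one root, one name-constrained issuing CA, all names hypothetical), presents three constructed cards as a door reader would, and shows which check rejects each one. Go's chain verifier does not consult CRLs or OCSP, so revocation is checked separately against the issuing CA's CRL, including the CRL's own signature and freshness.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed "time of access": the day of the talk. Every validity window is relative to it.
var now = time.Date(2014, 9, 17, 12, 0, 0, 0, time.UTC)

var serial int64 // constructed serial numbers, one per certificate

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// newTemplate builds a CA template (ca == true) or a PIV-style authentication certificate
// template with a hypothetical e-mail SAN; only the latter carries the client-auth EKU.
func newTemplate(cn, email string, years int, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-24 * time.Hour),
		NotAfter: now.AddDate(years, 0, 0), IsCA: ca, BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage, t.EmailAddresses = x509.KeyUsageDigitalSignature, []string{email}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl for a fresh key with parentKey; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	key := newKey()
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Fabric is the relying party's view: its trust anchor, the issuing CA it chains
// through, and that CA's most recently fetched CRL.
type Fabric struct {
	Root, Issuer *x509.Certificate
	CRL          *x509.RevocationList
}

// VerifyAtAccess does, at the door rather than at enrollment, what the deck asks for:
// build the path to the trust anchor as of the access time, then check revocation.
func VerifyAtAccess(f *Fabric, card *x509.Certificate, at time.Time, haveIssuer bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(f.Root)
	if haveIssuer {
		inters.AddCert(f.Issuer)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := card.Verify(opts); err != nil {
		return err
	}
	if err := f.CRL.CheckSignatureFrom(f.Issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err) // a tampered CRL is not evidence of anything
	}
	if at.After(f.CRL.NextUpdate) {
		return errors.New("CRL is stale; refresh it before deciding")
	}
	for _, rc := range f.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(card.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}

// RunScenarios builds the constructed fabric, issues three cards and presents each under
// one of the slide's failure conditions; the map holds the outcome per scenario.
func RunScenarios() map[string]error {
	root, rootKey := issue(newTemplate("Example Root CA", "", 10, true), nil, nil)
	issTmpl := newTemplate("Example Agency Issuing CA", "", 6, true)
	issTmpl.PermittedEmailAddresses = []string{"agency.example"} // name constraint on the issuing CA
	issuer, issKey := issue(issTmpl, root, rootKey)
	good, _ := issue(newTemplate("Alice Employee", "alice@agency.example", 3, false), issuer, issKey)
	gone, _ := issue(newTemplate("Bob Separated", "bob@agency.example", 3, false), issuer, issKey)
	wrong, _ := issue(newTemplate("Eve Elsewhere", "eve@other.example", 3, false), issuer, issKey)

	// Bob has separated, so the issuing CA's CRL lists his serial number.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: gone.SerialNumber, RevocationTime: now.Add(-time.Hour)}},
	}, issuer, issKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	f := &Fabric{Root: root, Issuer: issuer, CRL: crl}
	return map[string]error{
		"valid card":               VerifyAtAccess(f, good, now, true),
		"revoked card":             VerifyAtAccess(f, gone, now, true),
		"expired card":             VerifyAtAccess(f, good, now.AddDate(4, 0, 0), true),
		"name constraint violated": VerifyAtAccess(f, wrong, now, true),
		"unable to build path":     VerifyAtAccess(f, good, now, false),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-25s %v\n", name, err)
	}
}
```

Running it prints one line per scenario; only the valid card yields a nil error. Note that Go reports an intermediate's name-constraint violation wrapped inside its "certificate signed by unknown authority" error, while the card's own expiry surfaces directly as a CertificateInvalidError, so a PACS should log the full error text: the operator needs to tell a stale CRL or an offline AIA from a lost card, because the response differs.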
Oh By the Way: My E-PACS is NOT an island bounded by the Executive Branch
- Regular access: individuals having a trusted credential; normal daily access to the facility
- Visitors (industry, legislative, judicial and state & local): individuals having a trusted credential (PIV or PIV-I); individuals without a trusted credential, for whom a facility access card must be issued
- "Enterprise" just took on a whole new meaning in scale
- Prior to PIV and PIV-I, not feasible
Ultimately: Continuous Monitoring is Required
Relying Parties need to know now what will happen in the next few days across a large portion of the trust fabric.
Summary
- ICAM is a good thing: saves a lot of money by avoiding redundant, silo'd processes
- One credential, one human, one identity. And is it still valid!
- Nothing is perfect: trust but verify. Use the PKI! Challenge the card!
- And be prepared for issues with cards from various issuers
- I wonder how mobile and derived credentials will change all this?