Integration of Access Security with Cloud- Based Credentialing Services




Integration of Access Security with Cloud-Based Credentialing Services
Global Identity Summit, September 17, 2014

All text, graphics, the selection and arrangement thereof, unless otherwise cited as externally sourced, are Copyright 2014 by CertiPath, Inc. ALL RIGHTS RESERVED. Any use of these materials including reproduction, modification, distribution or republication, without the prior written consent of CertiPath, Inc., is strictly prohibited.

What the Heck Does That Mean?
"Integration of Access Security with Cloud-Based Credentialing Services"? Let's narrow this down a bit:
- Enterprise Physical Access Control Systems (E-PACS)
- Integration with the cloud
- NOT an isolated system anymore
- NOT an issuer of badges
- NOT solely Federal
- NOT authoritative for everything

The Way It Was

Traditional PACS: Site-centric
Traditional identity credentialing process (diagram)

Traditional PACS: The Silo Syndrome
(Diagram: each agency, CBP, AG, USCIS, FBI, DHS, GSA, TSA, CDC, running its own isolated PACS.)
- Proprietary PACS, card formats
- Duplication of operations: ID proofing, issuance, registration to PACS
- Low assurance! No guarantee of uniqueness
- Think of the expense and the "Lock Down" problem

The Transformation
Dependence on cloud-based:
- Enterprise Identity Management
- Credential Issuance
- PKI Services

FICAM Roadmap: Federal Enterprise Target Conceptual Diagram (diagram)

FICAM Roadmap: Overview of PACS within the Overall Infrastructure (diagram)

What is ICAM?
ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach.
Key ICAM service areas include:
- Digital Identity
- Credentialing
- Privilege Management
- Authentication
- Authorization & Access
- Cryptography
- Auditing and Reporting

ICAM Foundational Architecture (diagram)

E-IdM and My E-PACS
ICAM provides:
- E-IdM: trusted sources of identity for my agency/department
- PIV: interoperable credentials for these individuals
- PKI: identity binding and status of the employer/employee relationship
- Automated Provisioning: trusted identities and their credentials into my E-PACS database
- Trust: is that credential still valid? On separation, I will know to remove that person from my E-PACS within 24 hours

How Policies Govern Implementations
- Usage (buildings/facilities): NIST SP 800-116
- Lock: FICAM PIV in Enterprise PACS
- Key: PIV/PIV-I per FIPS 201 & FBCA CP

NIST SP 800-116
- Provides guidance on usage of a PIV technology card in PACS
- Defines threats/countermeasures when using PIV correctly and incorrectly!
- Defines migration of the federal enterprise through a maturity model

The Tools in My Arsenal

Auth Mode        Auth Factors   SP 800-116 Security Area
Chip Serial #    None           Uncontrolled
FASC-N/UUID      None           Uncontrolled
CHUID+VIS        1              Controlled
PKI-CAK          1              Controlled
PKI-AUTH         2              Limited
PKI-AUTH+BIO     3              Exclusion

(The slide's table also marks, per mode, which threats it secures against: cards that are revoked, counterfeit or altered, copied or cloned, lost or stolen, or shared. Those check marks did not survive transcription.)

Performing signature checks and private key challenges at enrollment is not sufficient to achieve these levels of assurance. They must be done at the time-of-access.
Revocation checking for FASC-N and CHUID modes must be done using the PIV authentication certificate.
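As an added example (written for this page; not CertiPath's or NIST's code), the following Go program turns the table above into a door-side decision. Only checks performed at time-of-access feed the achieved mode, and any area above Uncontrolled also requires a current revocation check, which is what the two notes on the slide demand. The factor counts and the mode-to-area mapping are the slide's; the type and field names are this example's own assumptions.

```go
package main

import "fmt"

// SecurityArea follows the SP 800-116 area types on the slide, least to most restrictive.
type SecurityArea int

const (
	Uncontrolled SecurityArea = iota
	Controlled
	Limited
	Exclusion
)

func (a SecurityArea) String() string {
	return [...]string{"Uncontrolled", "Controlled", "Limited", "Exclusion"}[a]
}

// Checks records what the reader verified at the door, at time-of-access. Enrollment-time
// results are deliberately absent: per the slide they do not count toward these levels.
// (Field names are this example's assumptions, not SP 800-116 terms.)
type Checks struct {
	ChuidSignatureValid bool // CHUID signature verified against the issuer's certificate
	VisualInspection    bool // guard compared the card face with the holder (VIS)
	CakChallenge        bool // card answered a challenge with the Card Authentication Key
	PivAuthChallenge    bool // card answered a challenge with the PIV Authentication key after PIN entry
	BioMatch            bool // on-card biometric matched a live sample
	RevocationChecked   bool // certificate status checked now (the PIV Auth cert for CHUID/FASC-N modes, per the slide)
	Revoked             bool // ...and that check reported the certificate revoked
}

// AuthMode is one row of the slide's table: mode, factor count, highest area it suffices for.
type AuthMode struct {
	Name    string
	Factors int
	MaxArea SecurityArea
}

// AchievedMode maps the checks actually performed to the strongest row of the table they satisfy.
func AchievedMode(c Checks) AuthMode {
	switch {
	case c.PivAuthChallenge && c.BioMatch:
		return AuthMode{"PKI-AUTH+BIO", 3, Exclusion}
	case c.PivAuthChallenge:
		return AuthMode{"PKI-AUTH", 2, Limited}
	case c.CakChallenge:
		return AuthMode{"PKI-CAK", 1, Controlled}
	case c.ChuidSignatureValid && c.VisualInspection:
		return AuthMode{"CHUID+VIS", 1, Controlled}
	default:
		// A chip serial number or a bare FASC-N/UUID read: no authentication factor at all.
		return AuthMode{"Chip Serial # / FASC-N / UUID only", 0, Uncontrolled}
	}
}

// Decide returns whether the door opens and why. Any area above Uncontrolled requires a
// revocation check at time-of-access; the achieved mode must then reach the area's level.
func Decide(c Checks, area SecurityArea) (bool, string) {
	mode := AchievedMode(c)
	if area > Uncontrolled {
		if !c.RevocationChecked {
			return false, fmt.Sprintf("deny: %s area requires a revocation check at time-of-access", area)
		}
		if c.Revoked {
			return false, "deny: credential has been revoked"
		}
	}
	if mode.MaxArea < area {
		return false, fmt.Sprintf("deny: %s (%d factor(s)) is only sufficient up to %s, not %s",
			mode.Name, mode.Factors, mode.MaxArea, area)
	}
	return true, fmt.Sprintf("allow: %s (%d factor(s)) satisfies %s", mode.Name, mode.Factors, area)
}

func main() {
	// A reader that validated the CHUID signature, had the guard inspect the card, and checked status.
	door := Checks{ChuidSignatureValid: true, VisualInspection: true, RevocationChecked: true}
	for _, area := range []SecurityArea{Controlled, Limited} {
		_, why := Decide(door, area)
		fmt.Println(why)
	}
}
```

Run with `go run`; the sample reader is admitted to the Controlled area and refused at the Limited one, because CHUID+VIS is a one-factor mode. The ordering of the `switch` matters: a reader that performed several checks is credited with the strongest mode it completed, never with a sum of weaker ones.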

Mapping Authentication Method to Controlled Areas (diagram)
NOTE: Circled numbers are references to explanatory text in SP 800-116, not the number of authentication factors.

So... When Someone Shows Up at My Door
- PKI-Authentication: the user digitally signs for access
- PKI-Digital Signature: for email or PC login
How LONG is the PKI cloud dog's tail?

The PKI Trust Fabric (diagram)
Legend: Sponsored Other Federal Agency; Sponsored International Government; Commercial Shared Service Provider.
Nodes labelled in the diagram: Federal Common Policy CA (Root 1, Root 2), Federal Bridge (FBCA), CertiPath Root CA, CertiPath Bridge (CBCA), VeriSign SSP CA - G2, VeriSign Class 1 SSP, VeriSign Class 2 SSP, VeriSign Class 3 SSP, VeriSign SSP G3, ORC SSP 2, ORC SSP 3, Entrust, Verizon Business, Subordinate CAs, State of Illinois, DOJ, Veterans Affairs, ORC ECA, VeriSign ECA, IdenTrust ECA, Verizon Business ECA, ECA Root CA 2, iroot, UK CCEB Root, UK MOD CCEB Root, DOS, GPO, USPTO, Treasury, DST ACES CA, ORC Root 2, ORC NFI CA 2, Entrust NFI, Exostar, EADS Cassidian, Carillon, Lockheed Martin, Raytheon, Northrop Grumman, The Boeing Company, SITA, NL MoD, UK MoD.

The same diagram is then repeated on four slides with different portions highlighted: SHA1 Infrastructure, SHA2 Infrastructure, PIV Issuers, and PIV-I Issuers. The highlighting is not recoverable from the transcription.

High Assurance Transactions Have Many Opportunities to Fail
(Diagram: the failure points surrounding a Server PKI-Authentication, each a condition that can break path building or status checking.)
- Server SSL certificate: has expired; was tampered with; has been revoked
- Server SSL certificate's CRL: was tampered with; is offline
- Issuing CA: its certificate has expired; was tampered with; has been revoked; the CA has been re-keyed
- Issuing CA's CRL: has expired; was tampered with; is offline
- SCA re-key has occurred
- Cross-certificate: has expired; was tampered with; has a new Policy Constraint; has a new Name Constraint
- Cross-certificate's CRL: was tampered with
- OCSP responder: is offline; its certificate has expired; its certificate was tampered with
- AIA location offline
- Unable to build path
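The failure points above, as an added Go example that is not part of the presentation: it builds a constructed root -> issuing CA -> server certificate path with placeholder names (none of them a real Federal PKI CA), runs the standard library's path validation and a CRL check against it, and reports which of the slide's conditions it hit. It models expiry, a tampered certificate, a missing issuing CA (unable to build path), and a CRL that is offline, tampered with, stale, or lists the certificate as revoked; the last two scenarios evaluate the same path at a future time, which is the "what will happen in the next few days" question the closing slides raise. OCSP, AIA fetching and cross-certificate policy or name constraints are not modelled. The `must` helper and all names are this example's own; it needs Go 1.19 or later for the `crypto/x509` RevocationList API.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn, valid from an hour ago until notAfter; parent == nil makes it a self-signed root.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{ // constructed serial: the clock is unique enough for a demo, not for a real CA
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// PathStatus runs a relying party's checks on leaf at time now and names the first failure point found, in the slide's wording.
func PathStatus(leaf, issuer, root *x509.Certificate, crlDER []byte, now time.Time) string {
	if now.After(leaf.NotAfter) {
		return "certificate has expired"
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if issuer != nil { // nil models an issuing CA certificate the relying party could not obtain (e.g. AIA offline)
		inters.AddCert(issuer)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil { // missing issuing CA, unknown root, or a signature that no longer verifies
		return "unable to build path"
	}
	if crlDER == nil {
		return "issuing CA's CRL is offline"
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil || rl.CheckSignatureFrom(chains[0][1]) != nil { // chains[0][1] is the issuing CA on the validated path
		return "issuing CA's CRL was tampered with"
	}
	if now.After(rl.NextUpdate) {
		return "issuing CA's CRL has expired"
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "certificate has been revoked"
		}
	}
	return "ok"
}

// Scenarios builds a constructed root -> issuing CA -> server path (placeholder names) and reports what PathStatus says for each modelled failure mode.
func Scenarios() map[string]string {
	now := time.Now()
	root, rootKey := newCert("Constructed Root CA", true, now.Add(96*time.Hour), nil, nil)
	issuer, issuerKey := newCert("Constructed Issuing CA", true, now.Add(72*time.Hour), root, rootKey)
	server, _ := newCert("pacs-server", false, now.Add(48*time.Hour), issuer, issuerKey)
	crl := func(revoked []pkix.RevokedCertificate) []byte { // CRL signed by the issuing CA, good for 24 hours
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
			ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: revoked}, issuer, issuerKey))
	}
	fresh := crl(nil)
	// Tampering: alter one byte of the subject inside the DER; it still parses, but the CA's signature no longer matches.
	tampered := must(x509.ParseCertificate(bytes.Replace(server.Raw, []byte("pacs-server"), []byte("Pacs-server"), 1)))
	badCRL := append(append([]byte(nil), fresh[:len(fresh)-1]...), fresh[len(fresh)-1]^0xff) // copy with the last signature byte corrupted
	return map[string]string{
		"valid path":                    PathStatus(server, issuer, root, fresh, now),
		"server cert tampered":          PathStatus(tampered, issuer, root, fresh, now),
		"issuing CA missing":            PathStatus(server, nil, root, fresh, now),
		"CRL offline":                   PathStatus(server, issuer, root, nil, now),
		"CRL tampered":                  PathStatus(server, issuer, root, badCRL, now),
		"server cert revoked":           PathStatus(server, issuer, root, crl([]pkix.RevokedCertificate{{SerialNumber: server.SerialNumber, RevocationTime: now}}), now),
		"CRL stale in 25 hours":         PathStatus(server, issuer, root, fresh, now.Add(25*time.Hour)),
		"server cert expired in 3 days": PathStatus(server, issuer, root, fresh, now.Add(72*time.Hour)),
	}
}

func main() {
	for name, status := range Scenarios() {
		fmt.Printf("%-30s -> %s\n", name, status)
	}
}
```

Run with `go run`. Note the order of the checks: path building comes before any status check, so a relying party that cannot reach the issuing CA never even gets to ask whether the certificate is revoked, and a CRL that is merely one hour past its NextUpdate blocks a perfectly valid certificate. Both are exactly the kind of time-bound condition that the continuous-monitoring slide below argues a relying party must see coming.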

Oh, By the Way... My E-PACS is NOT an island bounded by the Executive Branch
- Regular access: individuals having a trusted credential; normal daily access to the facility
- Visitors (industry, legislative, judicial and state & local):
  - individuals having a trusted credential (PIV or PIV-I)
  - individuals without a trusted credential: must issue a facility access card
- "Enterprise" just took on a whole new meaning in scale
- Prior to PIV and PIV-I, not feasible

Ultimately: Continuous Monitoring Is Required
Relying parties need to know now what will happen in the next few days across a large portion of the trust fabric.

Summary
- ICAM is a good thing
  - Saves a lot of money by avoiding redundant, silo'd processes
  - One credential, one human, one identity. And is it still valid!
- Nothing is perfect: trust but verify
  - Use the PKI! Challenge the card!
  - And be prepared for issues with cards from various issuers
- I wonder how mobile and derived credentials will change all this?