
Identity Management in a Federated Environment US-NATO TEM 6 1-3 December 2009






Presentation Transcript


  1. Identity Management in a Federated Environment
     US-NATO TEM 6, 1-3 December 2009
     Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne
     CAT-2 Interoperability | NATO C3 Agency - The Hague
     Tel.: +31 (0)70 374 3562 | E-mail: sven.kuehne@nc3a.nato.int

  2. NATO IdM Initiatives
     • SC/4-SC/5 NATO IdM Workshop (2008/09)
       • output: NATO IdM Strawman Paper
       • directory services oriented view
       • focused on the alliance aspect of NATO IdM
       • identifies IdM use cases in NATO
     • SC/4 Service Management Infrastructure AHWG (2008/09)
       • output: SMI Technical Services Definitions working paper
       • Security Management architecture view
       • requirements/standards/technology agnostic approach
       • identifies interfaces with other security management services
     NATO UNCLASSIFIED

  3. Terminology
     • Identity Management is ambiguous!
     • Identity Management includes:
       • Identity Assurance
       • Identity Employment or Utilization
       • Identity Services
     • What is an “Identity”?
       • … a PKI certificate?
       • … a set of attributes?
       • … the same for every entity in the enterprise?

  4. Different views on IdM
     • NATO has a two-dimensional challenge:
       • IdM in the NATO Alliance
         • 28 NATO nations
         • and partners
         • constitute a federation
       • IdM in the NATO Organization
         • NATO HQs
         • and NATO agencies
         • constitute an enterprise (?)

  5. Challenges
     • The concept of NATO IdM is at a very early stage of formalization
     • Requirements for NATO IdM need to be defined
     • The two dimensions of NATO IdM have the potential to cause conflicts for IdM
     • Emerging technologies (Identity 2.0) are reflected neither in the NATO IdM Strawman Paper nor in the SMI working paper
     • Policy document for NATO IdM
     • Interoperability at all levels

  6. Way forward
     • What can we accomplish today?
       • Listen
       • Inform
       • Plan for the future
     NC3A Identity Management Test Campaign

  7. IdM Concept Validation
     • Purpose:
       • Identify NATO IdM requirements based on IdM use cases
       • Verify architectures and solutions for identified IdM use cases
     • Scope
       • Validation focused on federated scenarios within the NATO Alliance
     • Test Facility
       • Classification: NATO Unclassified
       • NNEC CES Testbed as an investigation platform on the NATO side
       • National Testbeds
     • Procedure
       • VPN Joining Instruction
       • IdM Joining Instructions (based on ACP145 and ARH forms)
       • agreed test scope (use cases) and schedule

  8. NNEC CES Testbed Layout

  9. IdM Use Cases
     • IdM use cases defined in the NIdM Strawman Paper
       • Access to C2 Data/Services in the NATO SECRET Domain
       • Single Sign On in a Cross-Domain Federation Scenario
       • Use of certificates bound to the identity
       • NATO Pass System
       • Use of national military ID-Card
     • Technology/Solution specific IdM use cases for testing
       • Cross-domain group management
       • Security token based authentication for Web Services
       • Portal access (based on SharePoint Server)
       • Collaboration tools (based on JChat application)
       • Access to legacy applications
       • Others …

  10. IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping

  11. IdM Use Case Validation Environment

  12. Service Components
     • Information Exchange Gateway scenario B (IEGB)
     • NATO Enterprise Directory Service (NEDS)
     • Allied Replication Hub (ARH)
     • Border Directory Services
     • NATO Public Key Infrastructure (NPKI) Certificate Authority
     • Security Token Service (STS)
     • Policy Enforcement Point (PEP)
     • Policy Decision Point (PDP)
     • Web servers/portals and clients
     • Web Proxy
     • Web Concentrator
     • Collaboration tool servers and clients
     • Identity Data Sources

  13. Use Cases
     • Cross-domain group management
     • Security token based authentication for Web Services
     • Portal access (based on SharePoint Server)
     • Collaboration tools (based on JChat application)
     • Access to legacy applications

  14. Group Management Use Case
     • Foundation for other use cases
     • Foundation for a formal access control mechanism implementation. Access control models being considered:
       • role based access control (RBAC), currently used in many C2 systems
       • attribute based access control (ABAC), anticipated to be more widely exploited in future service-oriented systems
     • Potential areas of usage (examples)
       • cross-domain group management delegation
       • cross-domain group mapping
     • Status
       • directory components installed
       • meta-tools installed, configured, jobs implemented
       • initial testing completed

  15. IdM in Group Management

  16. NNEC Hints
     • “Network of networks” is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
     • Community of Interest (CoI) is a driver for access control in NNEC
     • Sharing of identity information between these different networks is crucial for providing access control
     • Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients

  17. Security Token Based Access Use Case
     • Simple services can be combined into more complex ones (“orchestration”)
     • Typically users interact with web services using different kinds of GUIs (web and form based ones)
     • Service provider/consumer interoperability
       • standard protocols like SOAP, HTTP
       • Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
     • Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated
     • Status:
       • all components installed
       • not all configured yet
       • not all tested yet
       • not integrated with directory yet
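The flow that slides 14 and 17 describe (a national STS issuing a security token with group claims, the NATO-side PEP validating it and mapping national groups to NATO groups, and the PDP taking an RBAC decision) as an added, simplified example; this is not code from the presentation or from the NC3A testbed. It assumes an HMAC-signed JSON token in place of a WS-Security signed XML token, and the group mapping, policy and key are constructed sample values.

```python
import hmac, hashlib, json, time

# Constructed sample key shared by the national STS and the NATO PEP.
# Assumption: HMAC stands in for the WS-Security XML signature a real STS uses.
NATIONAL_STS_KEY = b"constructed-demo-key-not-real"

# Cross-domain group mapping (constructed): national group -> NATO group.
GROUP_MAP = {"nation-x-j2-analysts": "nato-int-readers",
             "nation-x-j3-planners": "nato-ops-editors"}

# RBAC policy (constructed): resource -> NATO group -> permitted actions.
POLICY = {"portal/ops-reports": {"nato-int-readers": {"read"},
                                 "nato-ops-editors": {"read", "write"}}}

def sts_issue(subject, groups, key=NATIONAL_STS_KEY, ttl=300, now=None):
    """National STS: issue a signed, time-limited token carrying group claims."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "groups": sorted(groups),
              "iss": "nation-x-sts", "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def pep_validate(token, key=NATIONAL_STS_KEY, now=None):
    """PEP: check signature and expiry, then map national groups to NATO groups."""
    expected = hmac.new(key, token["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                       # forged or tampered token
    claims = json.loads(token["body"])
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None                       # stale token
    # Unknown national groups are dropped rather than passed through.
    claims["nato_groups"] = sorted({GROUP_MAP[g] for g in claims["groups"]
                                    if g in GROUP_MAP})
    return claims

def pdp_decide(claims, resource, action, policy=POLICY):
    """PDP: RBAC decision on the mapped NATO groups, deny by default."""
    if claims is None:
        return False
    rules = policy.get(resource, {})
    return any(action in rules.get(g, set()) for g in claims["nato_groups"])

def authorize(token, resource, action, now=None):
    """Full flow: PEP validation followed by the PDP decision."""
    return pdp_decide(pep_validate(token, now=now), resource, action)
```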

  18. Secure Token Based Access

  19. … Integrated with Directory Services

  20. Access to Portal
     • Web portal access handling is one of the most common and basic information sharing requirements
     • Access granularity is a desired feature that needs to be implemented in future NATO portals
     • Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's Identity Architecture, and so will be able to act as a relying party for XML security tokens.
     • Initially, access from a national domain to NATO portals is the most expected operational scenario
     • Status:
       • all components installed
       • meta-tools installed, configured, jobs implemented
       • initial testing completed
       • implemented different authentication mechanisms for internal/external users
       • hashed passwords for external users populated through ARH

  21. IdM in Access to Portal

  22. Collaboration Tools Use Case
     • XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:
       • instant messaging
       • presence
       • multi-party chat
       • voice and video calls
       • collaboration
       • lightweight middleware
       • content syndication
       • generalized routing of XML data
     • XMPP is a mandatory collaboration standard for military usage in many NATO nations
     • JChat application, a standard NATO collaboration tool, to be used on the NATO side
     • Status: not implemented yet
       • all components installed
       • meta-tools installed, configured, jobs implemented
       • hashed passwords for external users populated through ARH

  23. IdM in Collaboration Tools

  24. Access to Legacy Applications
     • There are still applications in NATO CIS which are not PKI and/or Web services enabled
     • Authentication/Authorization mechanisms:
       • implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application specific solutions, or
       • are not implemented at all
     • For completeness of the IdM use case validation picture, legacy systems should be included
     • Status: not implemented yet

  25. IdM in Legacy Systems

  26. Summary
     • The concept of IdM in a federated NATO environment (NATO plus NATO nations) is at an early stage of formalization
     • The list of use cases for IdM is open
     • The NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners

  27. Why Identity Management matters …

  28. CONTACTING NC3A
     NC3A Brussels
       Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
       Telephone +32 (0)2 7074111, Fax +32 (0)2 7078770
       Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels - Belgium
     NC3A The Hague
       Visiting address: Oude Waalsdorperweg 61, 2597 AK The Hague
       Telephone +31 (0)70 3743000, Fax +31 (0)70 3743239
       Postal address: NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands
