Privileged User Access for Non-US Citizens LA-UR 09-03378


  1. Privileged User Access for Non-US Citizens LA-UR 09-03378 Randall (Randy) Cardon rec@lanl.gov Los Alamos National Laboratory, an affirmative action/equal opportunity employer, is operated by the Los Alamos National Security, LLC for the National Nuclear Security Administration of the U.S. Department of Energy under contract DE-AC52-06NA25396. By acceptance of this article, the publisher recognizes that the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or to allow others to do so, for U.S. Government purposes. Los Alamos National Laboratory requests that the publisher identify this article as work performed under the auspices of the U.S. Department of Energy. Los Alamos National Laboratory strongly supports academic freedom and a researcher’s right to publish; as an institution, however, the Laboratory does not endorse the viewpoint of a publication or guarantee its technical correctness.

  2. Things I’m Glad I Didn’t Say • “Everything that can be invented has been invented.” • “I think there is a world market for maybe five computers.” • “Get your feet off my desk, get out of here, you stink, and we're not going to buy your product.” • “There is no reason for any individual to have a computer in his home” • “640K ought to be enough for anybody.”

  3. Things I Wish I’d Said • "However beautiful the strategy, you should occasionally look at the results." • “Great leaders tell people what to do, not how to do their jobs. They allocate resources, and give them authority.”

  4. Contact Information • Randy Cardon • rec@lanl.gov • (505) 665-1853

  5. Multiple Tools • Database for International Visits and Assignments (DIVA) • Open Collaborator Enclave (OCE) • Privileged User Access Request (PUAR)

  6. DIVA • The requirements were provided by Foreign Visits and Assignments. • The implementation was done by LDRD

  7. How Does DIVA Work DIVA does the following: • Captures visitor and visit or assignment information as a request • Routes the request for reviews and approvals • Authorizes Badging

  8. User Roles and Actions

  9. Review and Approval (flowchart; layout lost in extraction). Steps shown: Host Organization Request, Host Sign-Off, GL/DL Approval, FV&A Review, SME Review, SPL Review, AD Approval, FV&A Approval, Sent To Badging. Decision outcomes at each step: Yes, No, Return, Denied, Cancel.

  10. OCE • The initial concept and design were done by ACS-PO • The implementation was done by NIE

  11. Open Collaboration Enclave (diagram): the OCE Enclave and its access to the Yellow Network.

  12. Goals • Create a network that is segmented from the Yellow for FN (foreign national) systems to meet HQ expectations. • Meet the NAP requirements through engineered controls. • Demonstrate a new model architecture for the LANL unclassified environment that provides greater data protection, access flexibility and control, and monitoring for various use profiles of LANL unclassified computing. • Provide near real-time access management updates for inter-enclave access with enforced business rules. • Develop enhanced surveillance to detect unauthorized access.

  13. OCE Design (diagram; layout lost in extraction). Components shown: DIVA; Enclave Membership and Access Management; Remote Access (SSL VPN); Net Devices; OCE Control with Business Rules; OCE Host; Authentication Logs; OCE Gateway; Yellow Network Resource; Cyber Monitoring.

  14. Access Control Features
  • User-based authenticated access to specific Yellow assets.
  • OCE Control manages access control.
    • User role-based access.
    • Role = Yellow assets & who can access them.
  • Yellow monitoring
    • Key indicators are monitored for unauthorized OCE access. OCE members can only access the OCE resources and those Yellow resources that a member is authorized for through roles.
    • Jumping from authorized Yellow resources to non-authorized resources will be detected.
    • Bypassing the OCE Gateway will also be detected using this system.
  • Remote access
    • Remote OCE users see the same access control policies as local users.
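The role model and the two monitoring bullets above can be made concrete with a small policy-plus-detector. The following is an added example, not code from the presentation or from LANL: the role table, network ranges, gateway address and flow records are all constructed for illustration, and the three finding labels are invented names. It shows a role as "Yellow assets and who holds the role", the allow/deny decision OCE Control would make for a member request (the same decision regardless of whether the member is local or remote), and a monitor over constructed flow records that flags a member reaching a Yellow asset outside their roles, a jump from an authorized Yellow asset to a non-authorized one, and Yellow traffic from an OCE host that did not traverse the OCE Gateway.

```python
"""Constructed example of role-based enclave access control and monitoring.
Addresses, roles, users and flows are invented; nothing here is LANL's real
configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network layout (assumption for the example).
OCE_NET = ip_network("10.20.0.0/16")      # OCE enclave hosts
YELLOW_NET = ip_network("10.30.0.0/16")   # Yellow (unclassified) network

# Role = the Yellow assets it grants and who holds the role (slide 14).
ROLES = {
    "materials-sim": {"assets": {"10.30.1.10", "10.30.1.11"},
                      "members": {"alice", "bob"}},
    "data-archive":  {"assets": {"10.30.2.20"},
                      "members": {"bob"}},
}


def authorized_assets(user):
    """Union of Yellow assets granted to `user` through all of their roles."""
    return {asset
            for role in ROLES.values() if user in role["members"]
            for asset in role["assets"]}


def gateway_decision(user, dst):
    """Decision OCE Control makes for a member request to reach `dst`.
    Location (on-site or remote) is deliberately not an input: remote users
    get the same policy as local ones."""
    if ip_address(dst) not in YELLOW_NET:
        return "deny"            # only Yellow assets are reachable via the gateway
    return "allow" if dst in authorized_assets(user) else "deny"


@dataclass
class Flow:
    user: str          # identity bound to the source host (from auth logs)
    src: str
    dst: str
    via_gateway: bool  # did the flow traverse the OCE Gateway?


def monitor(flows):
    """Return (index, finding) for flows that violate the enclave model."""
    findings = []
    for i, f in enumerate(flows):
        src, dst = ip_address(f.src), ip_address(f.dst)
        allowed = authorized_assets(f.user)
        oce_to_yellow = src in OCE_NET and dst in YELLOW_NET
        if oce_to_yellow and not f.via_gateway:
            # Reached Yellow without going through the gateway: bypass,
            # flagged even if the destination itself would have been allowed.
            findings.append((i, "gateway-bypass"))
        elif oce_to_yellow and f.dst not in allowed:
            findings.append((i, "unauthorized-asset"))
        elif (src in YELLOW_NET and dst in YELLOW_NET
              and f.src in allowed and f.dst not in allowed):
            # Session on an authorized Yellow asset reaching onward to one
            # the member is not authorized for.
            findings.append((i, "jump-from-authorized-asset"))
    return findings


# Constructed flow records, each attributed to a member by the auth logs.
SAMPLE_FLOWS = [
    Flow("alice", "10.20.5.7",   "10.30.1.10", True),   # allowed via role
    Flow("alice", "10.20.5.7",   "10.30.2.20", True),   # no data-archive role
    Flow("alice", "10.20.5.7",   "10.30.1.11", False),  # skipped the gateway
    Flow("alice", "10.30.1.10",  "10.30.2.20", False),  # lateral jump
    Flow("bob",   "10.30.1.10",  "10.30.2.20", False),  # bob holds both roles
]

if __name__ == "__main__":
    for i, finding in monitor(SAMPLE_FLOWS):
        f = SAMPLE_FLOWS[i]
        print(f"flow {i}: {f.user} {f.src} -> {f.dst}: {finding}")
```

The bypass check runs before the role check on purpose: a flow that skipped the gateway is a control failure whether or not its destination was in the member's roles, which is the point of the "bypassing the OCE Gateway will also be detected" bullet. The jump check relies on the session on the Yellow asset being attributed to the member; in practice that attribution comes from the authentication logs shown in the design diagram.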

  15. Use Cases (table; layout lost in extraction). Recoverable rows and controls:
  • On-site, from OCE to Yellow/Internet: user authentication; user-based "roles" define access. OCE "out" traffic: IP-based access rules (non-authenticated). Yellow web proxy: unauthenticated access, governed by Yellow controls.
  • Off-site, to OCE or Yellow: user authentication; user-based "roles" define access. Non-authenticated: none.
  • On-site, outside OCE: any access "source"; central authentication "on"; access list; user-based access controls to data.
  • OCE member as "source" with central authentication "off": access list; treated as unauthorized access.
  • Non-OCE member outside OCE to an OCE resource: OCE firewall access list; any access.

  16. PUAR • Requirements were developed by OCIO • Implementation was done by SAE

  17. PUAR Workflow

  18. Questions? “Nothing in the world can take the place of persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.” Calvin Coolidge
