The E-Authentication Initiative


Presentation Transcript


  1. The E-Authentication Initiative. Federated Identity and Interoperability: Federal e-Authentication Initiative. David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy. Educause Net@EDU Annual Meeting, February 7, 2005

  2. Session Objectives
  • Provide status of ID Federation efforts in government and industry
  • Discuss key infrastructure needed for ID Federation
  • Discuss issues related to interoperability for ID Federation
  • Discuss Federal e-Authentication initiative infrastructure
  • Present the goals of the Electronic Authentication Partnership and how it facilitates identity federation

  3. Background
  • Industry snapshot: federated identity
    • Federated identity definition: agreements, standards, and technologies that make identity and entitlements portable across loosely coupled, autonomous domains
    • Standards and specifications: Security Assertion Markup Language (SAML) 1.0, 1.1, 2.0; Liberty Alliance, Shibboleth, and Web services security
    • Adoption: Burton Group cites over 200 organizations implementing SAML plus other specifications, in multiple industries
    • Vendors: multiple identity management and other vendors have implemented SAML and federated identity in COTS products
  • Interoperability, trust, and deployment are still challenging

  4. Identity Federation: Key Interoperability Needs. Identity Federations extend beyond current peer-to-peer, bi-lateral agreements to build common infrastructure shared among multiple parties. Three dimensions of interoperability:
  • Federation Trust (Policy Interoperability)
  • Federation Communications (Technical Interoperability)
  • Federation Business Relationships (Business Interoperability)

  5. Federation Infrastructure
  • Interoperable Technology (Communications)
    • Determine intra-Federation communication architecture
    • Administer common interface specifications, use cases, profiles
    • Conduct interoperability testing (as needed) according to the specifications
    • Provide a common portal service (i.e., discovery and interaction services)
  • Trust
    • Establish common trust model
    • Administer common identity management/authentication policies for Federation members
  • Business Relationships
    • Establish and administer common business rules
    • Manage relations among relying parties and CSPs
    • Manage compliance/dispute resolution

  6. President's Management Agenda
  • 1st Priority: Make Government citizen-centered.
  • 5 Key Government-wide Initiatives:
    • Strategic Management of Human Capital
    • Competitive Sourcing
    • Improved Financial Performance
    • Expanded Electronic Government
    • Budget and Performance Integration

  7. PMC E-Gov Agenda (initiative and lead agency)
  • Government to Citizen: 1. USA Service (GSA); 2. EZ Tax Filing (Treasury); 3. Online Access for Loans (DoED); 4. Recreation One Stop (DOI); 5. Eligibility Assistance Online (Labor)
  • Government to Business: 1. Federal Asset Sales (GSA); 2. Online Rulemaking Management (EPA); 3. Simplified and Unified Tax and Wage Reporting (Treasury); 4. Consolidated Health Informatics (business case) (HHS); 5. Business Gateway (SBA); 6. Int'l Trade Process Streamlining (DOC)
  • Government to Government: 1. e-Vital (business case) (SSA); 2. Grants.gov (HHS); 3. Disaster Assistance and Crisis Response (FEMA); 4. Geospatial Information One Stop (DOI); 5. Wireless Networks (FEMA)
  • Internal Effectiveness and Efficiency: 1. e-Training (OPM); 2. Recruitment One Stop (OPM); 3. Enterprise HR Integration (OPM); 4. e-Travel (GSA); 5. e-Clearance (OPM); 6. e-Payroll (OPM); 7. Integrated Acquisition (GSA); 8. e-Records Management (NARA)
  • Cross-cutting Infrastructure: eAuthentication (GSA)

  8. The Starting Place for e-Authentication: Key Policy Points
  For Governmentwide deployment:
  • No National ID.
  • No National unique identifier.
  • No central registry of personal information, attributes, or authorization privileges.
  • Different authentication assurance levels are needed for different types of transactions.
  And for the e-Authentication technical approach:
  • No single proprietary solution
  • Deploy multiple COTS products: user's choice
  • Products must interoperate together
  • Controls must protect privacy of personal information.

  9. The Federal E-Authentication Service (diagram: User, Access Point/Discovery Portal, Credential Service Provider, Agency Application)
  • Step 1: At an access point (portal, agency Web site, or credential service provider) the user selects the agency application and the credential provider (Discovery Portal).
  • Step 2: The user is redirected to the selected credential service provider. If the user already possesses a credential, the user authenticates; if not, the user acquires a credential and then authenticates.
  • Step 3: The credential service hands off the authenticated user to the agency application the user selected at the access point.

  10. Central Issue with Federated Identity: Who do you Trust? (diagram: a Trust Network spanning 280 Million Americans, Millions of Businesses, and State/local/global Govts, with communities including)
  • Governments: Federal, States/Local, International
  • Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
  • Higher Education: Universities, Higher Education PKI Bridge
  • E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay
  • Financial Services Industry: Home Banking, Credit/Debit Cards
  • Healthcare: American Medical Association, Patient Safety Institute
  Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

  11. The Need for Federated Identity Trust and Business Models
  • Technical issues for sharing identities are being solved, but slowly
  • Trust is the critical issue for deployment of federated identity
  • Federated ID networks have a strong need for trust assurance standards
    • How robust are the identity verification procedures?
    • How strong is this shared identity?
    • How secure is the infrastructure?
  • Common business rules are needed for federated identity to scale
    • N² bi-lateral trust relationships (one agreement per pair of parties) is not a scalable business process
  • Common business rules are needed to define:
    • Trust assurance and credential strength
    • Roles and responsibilities of IDPs and relying parties
    • Liabilities associated with use of 3rd-party credentials
    • Business relationship costs
    • Privacy requirements for handling Personally Identifiable Information (PII)
  • The Federal e-Authentication Initiative will provide a trust framework to integrate policy, technology, and business relationships across disparate and independent identity systems

  12. Multiple Authentication Assurance Levels to meet multiple risk levels (chart: increased need for identity assurance along the horizontal axis, increased $ cost along the vertical axis)
  • Assurance levels, lowest to highest: Low, Medium, High, Very High
  • Credential technologies, lowest to highest assurance: Click-wrap; PIN/Password; Knowledge-Based; PKI/Digital Signature; Multi-Factor Token
  • Example transactions, lowest to highest need for identity assurance: Surfing the Internet; Obtaining Govt. Benefits Online; Applying for a Loan Online; Access to Protected Website; Employee Screening for a High Risk Job

  13. e-Authentication Trust Model for Federated Identity
  1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, 12/16/03)
  2. Establish a standard methodology for e-Authentication risk assessment (ERA), 2/04
  3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance, 6/04)
  4. Establish a methodology for evaluating credentials/providers on assurance criteria (FBCA & Credential Assessment Framework, 11/03)
  5. Assess CSPs and maintain a trust list of trusted CSPs for govt-wide (and private sector) use, 2/04
  6. Establish common business rules for use of trusted 3rd-party credentials, 11/04
  7. Test products and implementations for interoperability, 2/04
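The slides above describe the hand-off (step 3 of slide 9), the assurance levels (slide 12), and the CSP trust list (step 5 of slide 13) but not what an agency application has to check when an assertion arrives. The following is an added example, not code from GSA or the e-Authentication program: a relying-party policy gate over a simplified, constructed SAML-style assertion. The element names, the trust list, the application URLs, and the numeric ordering of the four OMB M-04-04 levels are this example's own assumptions, and XML signature verification is assumed to have been done by the SAML library before these checks run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set
import xml.etree.ElementTree as ET

# OMB M-04-04 names four assurance levels; the numbers are this example's ordering.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

# Constructed trust list (stands in for the program's list of assessed CSPs):
# issuer -> highest assurance level the CSP has been assessed to provide.
TRUSTED_CSPS = {
    "https://csp.example.gov/": "High",
    "https://idp.example.edu/": "Medium",
}

CLOCK_SKEW = timedelta(minutes=2)  # tolerance between CSP and RP clocks

# Constructed, simplified assertion; real SAML 1.x carries these in namespaced elements.
SAMPLE_ASSERTION = """<Assertion ID="_9f1c" Issuer="https://csp.example.gov/" IssueInstant="2005-02-07T14:00:00Z">
  <Conditions NotBefore="2005-02-07T14:00:00Z" NotOnOrAfter="2005-02-07T14:05:00Z">
    <Audience>https://loans.agency.example.gov/</Audience>
  </Conditions>
  <Subject>alice@example.edu</Subject>
  <AssuranceLevel>High</AssuranceLevel>
</Assertion>"""


@dataclass
class Decision:
    ok: bool
    reason: str
    subject: Optional[str] = None
    level: Optional[str] = None


def parse_timestamp(value: str) -> datetime:
    # SAML timestamps are UTC ISO 8601 with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, required_level: str, my_audience: str,
                       now: datetime, seen_ids: Set[str]) -> Decision:
    """Policy checks a relying party runs after the CSP hands off the user.

    Assumes the XML signature was already verified against the CSP's key;
    nothing here re-checks it.  stdlib ElementTree does not expand external
    entities, so the parse itself is not an XXE vector.
    """
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer", "")
    assertion_id = root.get("ID", "")

    # 1. Only credentials from CSPs on the trust list are accepted at all.
    if issuer not in TRUSTED_CSPS:
        return Decision(False, f"issuer not on trust list: {issuer}")

    # 2. The assertion must claim at least the level the application's risk
    #    assessment requires, and a CSP may not assert more than it was assessed for.
    level_el = root.find("AssuranceLevel")
    level = level_el.text.strip() if level_el is not None and level_el.text else ""
    if level not in LEVELS:
        return Decision(False, f"unknown assurance level: {level!r}")
    if LEVELS[level] < LEVELS[required_level]:
        return Decision(False, f"assurance {level} below required {required_level}")
    if LEVELS[level] > LEVELS[TRUSTED_CSPS[issuer]]:
        return Decision(False, f"{issuer} not assessed for level {level}")

    # 3. Audience restriction: an assertion minted for another agency application
    #    must not be usable against this one.
    cond = root.find("Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return Decision(False, "missing or incomplete Conditions")
    audiences = [a.text.strip() for a in cond.findall("Audience") if a.text]
    if my_audience not in audiences:
        return Decision(False, f"audience mismatch: {audiences}")

    # 4. Validity window, with a small allowance for clock skew.
    not_before = parse_timestamp(cond.get("NotBefore"))
    not_on_or_after = parse_timestamp(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        return Decision(False, "assertion outside validity window")

    # 5. Replay: each assertion ID is accepted once per relying party.
    if not assertion_id or assertion_id in seen_ids:
        return Decision(False, "replayed or unidentified assertion")
    seen_ids.add(assertion_id)

    subject_el = root.find("Subject")
    subject = subject_el.text.strip() if subject_el is not None and subject_el.text else None
    if not subject:
        return Decision(False, "missing Subject")
    return Decision(True, "accepted", subject, level)


def demo():
    """Accept once, reject the replay, reject when the app needs a higher level."""
    now = parse_timestamp("2005-02-07T14:01:00Z")
    app = "https://loans.agency.example.gov/"
    seen: Set[str] = set()
    first = validate_assertion(SAMPLE_ASSERTION, "Medium", app, now, seen)
    replay = validate_assertion(SAMPLE_ASSERTION, "Medium", app, now, seen)
    too_weak = validate_assertion(SAMPLE_ASSERTION, "Very High", app, now, set())
    return first, replay, too_weak


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The two level comparisons are the point: the first enforces the application's own risk assessment (slide 13, steps 1 and 2), the second keeps a CSP assessed only for Medium from vouching for a High credential, which is why the trust list has to record the assessed level and not merely membership.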

  14. Federal Interoperability Lab
  • Tests interoperability of products for participation in the e-Authentication architecture:
    • Conformance testing to the Federal e-Authentication Interface Specification
    • Interoperability testing among all approved products
  • Currently 10 SAML 1.0 products on the Approved Product List; see http://cio.gov/eauthentication
  • The Federal e-Authentication Program will adopt additional schemes: SAML 2.0, Liberty Alliance, Shibboleth
    • A protocol translator is required for the technical architecture
    • Multiple-protocol interoperability testing will be very complex
  • The Federal Government will operate the Interoperability Lab until protocol/product convergence or an industry test lab is in place
  • The approved products list is publicly available.

  15. The Approach to a U.S. Federal PKI
  • Agencies implement their own PKIs
  • Create a Federal Bridge CA using COTS products to bind Agency PKIs together
  • Establish a Federal PKI Policy Authority to oversee operation of the Federal Bridge CA
  • Ensure directory compatibility
  • Use ACES for transactions with the public

  16. A Snapshot of the U.S. Federal PKI (diagram: the Federal Bridge CA shown linked to the DOL PKI, DOD PKI, ACES PKI, Illinois PKI, NASA PKI, Canada PKI, NFC PKI, Treasury PKI, State Dept PKI, Wells Fargo Bank, and the Higher Education Bridge CA, which in turn links several University PKIs)

  17. The Need for the Electronic Authentication Partnership (diagram: policy, technical, and business interoperability among IDPs and RPs across the Federal Government, State/Local Governments, Industry, and Commercial Trust Assurance Services, under Common Business and Operating Rules)
  • Policy: authentication assurance levels; credential profiles; accreditation; business rules; privacy principles
  • Technology: adopted schemes; common specs; user interfaces; APIs; interoperable COTS products; authorization support
  http://www.eapartnership.org/

  18. What is the EAP
  • Multi-industry partnership creating a framework for interoperable authentication
  • Plans to establish itself as a member-supported organization and complete the framework in early 2005
  • Goals
    • Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
    • Eliminate, or at least reduce, the need for organizations to establish bilateral agreements
    • Organizations would operate under a common EAP rule set, resulting in multilateral trust
  • In practice this means a federated approach

  19. What the EAP is doing now for ID Federation (diagram)
  • Current State of Industry: bi-lateral pairs. Each IDP and SP/RP pair has its own bi-lateral agreement, pair-wise trust model, and pair-wise interface spec and products.
  • EAP Objective: multi-party, interoperable federation. Many IDPs and SP/RPs share common business rules/agreements, a common trust model, a common interface specification, and interoperable products.

  20. What the EAP envisions for ID Federation (diagram)
  • EAP Vision: multiple, interoperable federations. Federation 1, Federation 2, and Federation 3, each made up of IDPs and SP/RPs, share the EAP's common business rules/agreements, common trust models, common basic interface specifications, and interoperable products.

  21. Homeland Security Presidential Directive/HSPD-12 (leading to FIPS 201, the Personal Identity Verification Standard). Subject: Policy for a Common Identification Standard for Federal Employees and Contractors. (1) Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). (2) To implement the policy set forth in paragraph (1), the Secretary of Commerce shall promulgate in accordance with applicable law a Federal standard for secure and reliable forms of identification (the "Standard") not later than 6 months after the date of this directive in consultation with the Secretary of State, the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, the Director of the Office of Management and Budget (OMB), and the Director of the Office of Science and Technology Policy. The Secretary of Commerce shall periodically review the Standard and update the Standard as appropriate in consultation with the affected agencies.

  22. Homeland Security Presidential Directive/HSPD-12 (3) "Secure and reliable forms of identification" for purposes of this directive means identification that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process. The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application. The Standard shall not apply to identification associated with national security systems as defined by 44 U.S.C. 3542(b)(2). (4) Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard. As promptly as possible, but in no case later than 8 months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.

  23. Federal Personal Identification Verification Standard

  24. For More Information
  • David Temoshok: phone 202-208-7655, e-mail david.temoshok@gsa.gov
  • Websites: http://cio.gov/eauthentication ; http://www.eapartnership.org/ ; http://cio.gov/fpkipa ; http://cio.gov/ficc
