Using FICAM as a Model for TSCP Best Practices in Physical Identity and Access Management
TSCP Symposium
November 2013
© 2013 Quantum Secure, Incorporated. All Rights Reserved. Confidential.
Quantum Secure's Focus on FICAM and Related Standards
§ Complete suite of Physical Identity and Access Management tools, which align with FICAM
§ Industry leadership and participation
─ SIA Identity Management Committee
─ SIA PIV Working Group
─ Smart Card Alliance
─ Open Security Exchange
─ Regular IAB meeting attendance
─ Public GSA EPTWG participation
San Francisco Airport
Pressure Points and Conformance Driving FICAM Alignment
─ HSPD-12
─ NIST SP 800-116
─ FICAM
─ OMB M-11-11
─ FIPS 201-2
What is FICAM?
§ Federal Identity, Credential and Access Management Roadmap and Guidance, Version 2
§ 400+ page document
§ Authored by the Federal CIO Council
§ Best practices in
─ Governance
─ Defining target (segment) architectures
─ Transitioning from the as-is to the target state
─ Proper credential issuance
─ Provisioning identities for logical and physical access
─ Lifecycle privilege management for continuously updated access authorizations
─ Compliance, audit, accountability
Goals and Expected Outcomes for FICAM Implementation
§ One identity: visitor, employee, contractor
§ Elimination of redundancy: policies & procedures
§ Improved PIV card interoperability: within and between agencies
§ Compliance: internal and external controls
§ Increased security: close security gaps
§ Enhanced customer service: user-friendly transactions
§ Increased protection of PII: secure data, secure access
FICAM Alignment: Both Logical and Physical Are Held to the Same Standard
[Architecture diagram. Authoritative Identity Management (HR, LDAP, IdM; PIV/CAC CMS, US Access, DEERS, etc.; card issuance) feeds both Logical Identity Access Management (LIAM or LACS) and Physical Identity Access Management (PIAM). Access Management layer: policy-driven privilege assignment, automated workflows, compliance and enforcement. PIAM fronts PACS Brand A, PACS Brand B and PACS Brand C. Resources covered: software applications, database access, door access, metal keys, asset access; HR, payroll and productivity tools; web sites.]
Primary Themes in FICAM to Achieve Goals: PACS Are Held to the Same Standard as LACS
§ Privilege Management for Physical Access
─ Policy Automation - automatic assignment of access based on a combination of business rules such as role/title, training, project or special work assignment, security clearance level, operative, etc.
─ Process Automation - automated workflows requiring human approvals
§ End-to-End Integration
─ Bi-directional integration with authoritative database(s) for real-time updates to PACS provisioning
─ Centralized/transparent support for all PACS (brands) within a given operational entity (department, agency, etc.)
§ Result
─ Reduce/eliminate human error
─ Apply uniform access policy across all users and processes
─ Save money
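The policy automation and bi-directional PACS provisioning described above, as an added illustration that is not Quantum Secure's SAFE code: a small rules engine derives a person's area entitlements purely from authoritative attributes (active status, role, clearance, training expiry, assignment end date) and reconciles them against what a PACS currently holds, so a termination or lapsed training becomes a revoke without human intervention. The area rules, attribute names and sample records are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Identity:
    # Attributes as an authoritative source (HR / contractor DB) would publish them.
    person_id: str
    role: str
    status: str                       # "active" or "terminated"
    clearance: int                    # 0 = none; higher = more trusted
    trainings: dict = field(default_factory=dict)   # course name -> expiry date
    end_date: Optional[date] = None   # contract / assignment end, if any

# One rule per area: who qualifies and which current training it needs.
# Constructed sample policy, not a real site's configuration.
AREA_RULES = {
    "lobby":       dict(roles={"employee", "contractor"}, clearance=0, training=None),
    "lab":         dict(roles={"employee", "contractor"}, clearance=1, training="lab_safety"),
    "server_room": dict(roles={"employee"},               clearance=2, training="datacenter"),
}

def entitled_areas(ident: Identity, today: date) -> set[str]:
    """Policy automation: derive access from authoritative attributes only."""
    if ident.status != "active":
        return set()                          # off-boarded: no access, whatever the role
    if ident.end_date is not None and today > ident.end_date:
        return set()                          # assignment expired: same result
    areas = set()
    for area, rule in AREA_RULES.items():
        if ident.role not in rule["roles"] or ident.clearance < rule["clearance"]:
            continue
        course = rule["training"]
        if course is not None:
            expiry = ident.trainings.get(course)
            if expiry is None or expiry < today:
                continue                      # training missing or lapsed
        areas.add(area)
    return areas

def reconcile(ident: Identity, pacs_areas: set[str], today: date) -> dict:
    """Bi-directional sync: the grant/revoke actions to push to each PACS brand."""
    target = entitled_areas(ident, today)
    return {"grant": sorted(target - pacs_areas), "revoke": sorted(pacs_areas - target)}
```

Running the reconcile on every authoritative change (or on a schedule) is what turns the "right access, right time, right reason" rule into enforced PACS state rather than a manual ticket queue.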
Privilege Management for Physical Access
Physical identity and access management (PIAM) technologies provide authentication, authorization and provisioning services in order to efficiently streamline the lifecycle of a physical identity within a global organization. PIAM ensures the right physical IDs (i.e. employees, visitors, contractors, vendors) are properly authenticated and have the right access to the right areas, for the right reasons, for a specified duration of time.
─ Right Physical IDs
─ Right Access
─ Right Times
─ Right Reasons
"Physical identity and access management (PIAM) deployments are increasing due to technology and product development, compliance mandates, a greater desire to manage alternative user populations such as on-premises visitors and contractors, and a sharp emphasis on timely and secure access" [1]
[1] Gartner Research; Physical Identity and Access Management; Feb 2012
The Current State of Physical Access Management (the As-is State)
[Diagram of disconnected systems: Contractor Database, LDAP, Corporate HR System, Clearance Management, Training Database, Inter-Agency or PKI Infrastructure, multiple disparate Physical Access Control Systems, standalone readers, locks, keys, tokens and dosimeters; requests arriving by phone and email.]
• Multiple disjointed systems – many still non-PIV compliant
• Limited use of the PIV card for physical & logical access
• Multiple (often manual) processes for identity vetting, on-/off-boarding, credentialing and enrollment, background checks, etc.
• Audit & compliance process – manual and costly
• Lack of interoperability
• Common framework for physical & logical security lacking
• Ability to put "internal controls" in place is manual
• Customer service is manual, slow, complicated, error prone
• Cost of security operation - high
Case Study for Mapping a COTS product to FICAM Model
Mapping SAFE to the FICAM Target State: Figure 108
[Diagram overlaying SAFE components on FICAM Figure 108: (1) SAFE Agents for Authoritative Datasources; (2) SAFE Agents for Physical Access Control Systems; (3) SAFE OCSP/SCVP/CRL Agent; (4) SAFE Application Modules for FICAM: Personnel Mgmt/Cardholder Database, Privilege/Access Mgmt, Visitor Mgmt, Reporting (pre-defined reports), Rules/Workflow Engine.]
Mapping SAFE to FICAM Privilege Management – Figure 34
[Diagram overlaying SAFE components on FICAM Figure 34: (1) SAFE Agent for Authoritative Source; (2) SAFE Applications – Process and Policy Automation, Privilege/Access Mgmt; (3) SAFE Application – Self-service; (4) SAFE Agent for Physical Access Control System; (5) SAFE Agent for email; (6) SAFE Application – Pre-defined reports.]
Policy Automation – No Human Intervention
Process Automation – Human Driven
• One end user interface for making all types of physical security requests
Privilege Management Application Suite
§ Integration Framework
§ Policy Server
§ Physical Identity & Access Management
─ Physical Identity and Access Manager
─ Web Badging
─ Self Service Portal
─ Asset Manager
─ Visitor Identity Manager
─ Contractor Registration Portal
─ Tenant Management Portal
§ Compliance & Risk Management
─ Compliance Regulator (NERC/FERC, SOX, FDA/DEA, Audit Management)
─ Document Management
─ Infraction Manager
─ Watch List Manager
─ Attestation Audit
§ Security Intelligence
─ Robust Reporting
─ Identity Analytics
─ Alarm Analytics
─ Identity & Event Correlation
─ SAFE Event Correlation Engine
Bringing it All Together: FICAM Security Management System
Source: CIO Council FICAM Roadmap Modernized PACS Brochure - 2011
Payoff for Adopting FICAM Best Practices
Source: CIO Council FICAM Roadmap Modernized PACS Brochure - 2011
Thank you!
Visit us in the Exposition for more discussion!