E-Authentication: Creating an Environment of Trust
David Temoshok Director, Identity Policy and Management
GSA Office of Governmentwide Policy
The E-Authentication Initiative
Slide 2
Session Objectives
Identity Federation Basics
Why the Federal Government is federating
Key infrastructure needed for ID Federation
Interoperability and ID Federation
E-Authentication Trust Framework
The Electronic Authentication Partnership and how it facilitates identity federation
Slide 3
The Identity Problem
Individuals have multiple disconnected identities across the internet and other networks, leading to repeated, stand-alone authentications
Costly, insecure, inconvenient
Illustration: one person's three separate accounts
• www.401k.com – User ID: 123-45-6789, Password: my401k
• My.employer.org – User ID: [email protected], Password: myjob
• www.mytravel.com – User ID: frequentflyer, Password: etravel
Slide 4
Background
Federated identity definition:
• Rules, agreements, standards, technologies that make identity and entitlements portable across autonomous domains
• Is critical for a rich web services environment
Federated identity technologies and standards:
• PKI – ISO X.509v3
• Security Assertion Markup Language – OASIS SAML 1.0, 1.1, 2.0
• Lacking standards: Biometrics, User ID/PIN/Password, Knowledge-based authentication, One-time passwords, Token-based authentication
Federated identity specifications (SAML):
• Liberty Alliance
• Shibboleth
Slide 5
Standards Convergence
SAML 1.X – Framework for exchanging security information about a principal: authentication, attributes, authorization information
Liberty ID-FF 1.X – Extends SAML 1.0, 1.1 for federation, SSO, web services
[Diagram: the Shibboleth specification and the Liberty specifications, built on OASIS SAML 1.0 and 1.1, converge into the OASIS Standard SAML 2.0]
Slide 6
Four Authentication Assurance Levels to meet multiple risk levels
[Chart: the need for identity assurance and the cost of the credential both increase from Low to Very High]
Assurance level – example transaction:
• Low – Access to protected website
• Medium – Applying for a loan online
• High – Obtaining Govt. benefits
• Very High – Employee screening for a high risk job
Credential types, in order of increasing strength and cost: PIN/User ID, Knowledge-based, Strong password, Multi-factor token, PKI/Digital signature
Slide 7
President’s Management Agenda
• 1st Priority: Make Government citizen-centered.
• 5 Key Government-wide Initiatives:
  Strategic Management of Human Capital
  Competitive Sourcing
  Improved Financial Performance
  Expanded Electronic Government
  Budget and Performance Integration
Slide 8
PMC E-Gov Agenda (lead agency for each initiative)
Government to Government
1. e-Vital (business case) – SSA
2. Grants.gov – HHS
3. Disaster Assistance and Crisis Response – FEMA
4. Geospatial Information One Stop – DOI
5. Wireless Networks – FEMA
Internal Effectiveness and Efficiency
1. e-Training – OPM
2. Recruitment One Stop – OPM
3. Enterprise HR Integration – OPM
4. e-Travel – GSA
5. e-Clearance – OPM
6. e-Payroll – OPM
7. Integrated Acquisition – GSA
8. e-Records Management – NARA
Government to Business
1. Federal Asset Sales – GSA
2. Online Rulemaking Management – EPA
3. Simplified and Unified Tax and Wage Reporting – Treasury
4. Consolidated Health Informatics (business case) – HHS
5. Business Gateway – SBA
6. Int’l Trade Process Streamlining – DOC
Government to Citizen
1. USA Service – GSA
2. EZ Tax Filing – Treasury
3. Online Access for Loans – DoED
4. Recreation One Stop – DOI
5. Eligibility Assistance Online – Labor
Cross-cutting Infrastructure: e-Authentication – GSA
Slide 9
Key Policy Points
For Governmentwide deployment:
No National ID.
No National unique identifier.
No central registry of personal information, attributes, or authorization privileges.
Different authentication assurance levels are needed for different types of transactions.
And for e-Authentication technical approach:
No single proprietary solution
Deploy multiple COTS products – users’ choice
Products must interoperate together
Controls must protect privacy of personal information.
Slide 10
Central Issue with Federated Identity – Who do you Trust?
[Diagram: a Trust Network linking 280 Million Americans, Millions of Businesses and State/local/global Govts with credential providers across sectors]
• Governments: Federal, States/Local, International
• Higher Education: Universities, Higher Education PKI Bridge
• Healthcare: American Medical Association, Patient Safety Institute
• Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
• E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay
• Financial Services Industry: Home Banking, Credit/Debit Cards
Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
Slide 11
Identity Federation – Key Interoperability Needs
• Federation Communications (Technical Interoperability)
• Federation Business Relationships (Business Interoperability)
• Federation Trust (Policy Interoperability)
Identity Federations extend beyond current peer-to-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.
Slide 12
Federation Infrastructure
• Interoperable Technology (Communications)
  Determine intra-Federation communication architecture – protocols
  Administer common interface specifications, use cases, profiles
  Ensure interoperability (as needed) according to the specifications
  Provide a common portal service (i.e., discovery and interaction services)
• Trust
  Establish common trust model
  Administer common identity management/authentication policies for Federation members
• Business Relationships
  Establish and administer common business rules
  Manage relations among relying parties and CSPs
  Manage compliance/dispute resolution
Slide 13
The Need for Federated Identity Trust and Business Models
Technical issues for sharing identities are being solved, but slowly
  Federal Interoperability Lab
  OASIS and Liberty conformance test programs
Trust is the critical issue for deployment of federated identity
  Federated ID networks have a strong need for trust assurance standards
  • How robust are the identity verification procedures?
  • How strong is this shared identity?
  • How secure is the infrastructure?
Common business rules are needed for federated identity to scale
  N² bi-lateral trust relationships are not a scalable business process
  Common business rules are needed to define:
  • Trust assurance and credential strength
  • Roles and responsibilities of IDPs and relying parties
  • Liabilities associated with use of 3rd party credentials
  • Business relationship costs
  • Privacy requirements for handling Personally Identifiable Information (PII)
Slide 14
E-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, adopted by EAP)
2. Establish standard methodology for e-Authentication risk assessment (ERA) 2/04
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (EAP SAC and Federal CAF)
5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use 2/04
6. Establish common business rules for use of trusted 3rd-party credentials
7. Test products and implementations for interoperability
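As a worked example added here (not from the presentation), the risk-assessment step feeding the assurance levels and the credential types on the earlier "Four Authentication Assurance Levels" slide: the six-category impact table is reproduced from memory of OMB M-04-04 and the credential-to-level mapping is an assumption made for this example, so both should be checked against the memo and NIST SP 800-63 before use.

```python
from enum import IntEnum

class Impact(IntEnum):
    """Assessed potential impact of an authentication error in one category."""
    NONE = 0       # "N/A" in the memo: the category does not apply
    LOW = 1
    MODERATE = 2
    HIGH = 3

# Maximum impact tolerated at assurance levels 1..4 (tuple index 0..3) for each
# of the six M-04-04 impact categories. Reproduced from memory of OMB M-04-04;
# verify against the memo before relying on it.
MAX_IMPACT = {
    "inconvenience_distress_reputation":   (Impact.LOW,  Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "financial_loss_liability":            (Impact.LOW,  Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "harm_to_programs_public_interest":    (Impact.NONE, Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "unauthorized_release_sensitive_info": (Impact.NONE, Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "personal_safety":                     (Impact.NONE, Impact.NONE,     Impact.LOW,      Impact.HIGH),
    "civil_or_criminal_violations":        (Impact.NONE, Impact.LOW,      Impact.MODERATE, Impact.HIGH),
}

# The slide's four assurance levels, indexed by numeric level 1..4.
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High", 4: "Very High"}

# Credential types from the slide and the highest level each is assumed to
# satisfy (an assumption made for this example, following the slide's ordering).
CREDENTIAL_MAX_LEVEL = {
    "PIN/User ID": 1, "Knowledge-based": 2, "Strong password": 2,
    "Multi-factor token": 3, "PKI/Digital signature": 4,
}

def required_level(assessed: dict) -> int:
    """ERA step: per category, the lowest level whose tolerated impact covers
    the assessed impact; the transaction needs the maximum over categories."""
    unknown = set(assessed) - set(MAX_IMPACT)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    level = 1
    for category, tolerated in MAX_IMPACT.items():
        impact = assessed.get(category, Impact.NONE)
        cat_level = next(i + 1 for i, cap in enumerate(tolerated) if cap >= impact)
        level = max(level, cat_level)
    return level

def credential_meets(credential: str, level: int) -> bool:
    """True if the credential type is strong enough for the required level."""
    return CREDENTIAL_MAX_LEVEL[credential] >= level
```

For a constructed loan application assessed at moderate financial loss and low release of sensitive information, required_level returns 2 (Medium), which a PIN/User ID alone does not meet.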
Slide 15
The Need for an Identity Federation Business Case
There must be a clear business case that others can understand
  Business opportunity must be meaningful yet realistic
  Business partners need to understand the business case
The solution must be replicable
  Start simple, use standard templates, avoid complexity for complexity’s sake
  Leverage open standards
There should be a clear business case for identity federation for:
  Financial services industry
  Health care industry
  Higher education
“Federated identity is economically inevitable…” – Burton Group
Slide 16
Identity Federation Models
• Bi-lateral (peer-to-peer)
• Hub & Spoke (unilateral)
• Circle of Trust (many-to-many)
[Diagram: three arrangements of identity (ID) nodes illustrating each model]
Slide 17
The Need for the Electronic Authentication Partnership
[Diagram: IDPs and RPs from State/Local Governments, Industry, the Federal Government and Commercial Trust Assurance Services joined through Common Business and Operating Rules]
Interoperability for:
Policy
• Authentication
• Assurance levels
• Credential Profiles
• Accreditation
• Business Rules
• Privacy Principles
Technology
• Adopted schemes
• Common specs
• User Interfaces
• APIs
• Interoperable COTS products
• Authz support
Policy, Technical, & Business Interoperability
Common Business and Operating Rules
http://www.eapartnership.org/
Slide 18
What is the EAP?
• Multi-industry partnership creating a framework for interoperable, trustworthy authentication
  Incorporated non-profit association with 60 members
  Product and technology agnostic
• Goals
  Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
  Eliminate or at least reduce the need for organizations to establish bilateral agreements
  Facilitate the creation of federations through replicable rules
  Enable federation-to-federation trust
• In practice this means a federated approach
Slide 19
What the EAP is doing now for ID Federation
Current State of Industry: Bi-Lateral Pairs
[Diagram: three IDP/SP-RP pairs, each joined by its own agreement]
• Bi-lateral Agreements
• Pair-wise Trust Model
• Pair-wise Interface Spec and Products
EAP Objective: Multi-Party, Interoperable Federation
[Diagram: four IDPs and three SP/RPs sharing one federation]
• Common Business Rules/Agreements
• Common Trust Model
• Common Interface Specification
• Interoperable Products
Slide 20
What the EAP envisions for ID Federation
EAP Vision: Multiple, Interoperable Federations
[Diagram: Federation 1, Federation 2 and Federation 3, each with its own IDPs and SP/RPs, interconnected through the EAP]
EAP:
• Common Business Rules/Agreements
• Common Trust Models
• Common Basic Interface Specifications
• Interoperable Products
Slide 21
For More Information
David Temoshok
Phone: 202-208-7655
E-mail: [email protected]
Websites:
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa
http://cio.gov/ficc