(1)

All text, graphics, the selection and arrangement thereof, unless otherwise cited as externally sourced are Copyright 2014 by CertiPath, Inc. ALL RIGHTS RESERVED. Any use of these materials including reproduction, modification, distribution or republication, without the prior written consent of CertiPath, Inc., is strictly prohibited.

Integration of Access Security with

Cloud-Based Credentialing Services

Global Identity Summit

September 17, 2014

(2)

What the Heck does That Mean?

• Integration of Access Security with Cloud-Based Credentialing Services?

• Let's narrow this down a bit

‒ Enterprise Physical Access Control Systems (E-PACS)

‒ Integration with the cloud…

• NOT an isolated system anymore

• NOT an issuer of badges

• NOT solely Federal

• NOT authoritative for everything

(3)
(4)

Traditional PACS: Site-centric

• Traditional identity credentialing process

(5)

Traditional PACS: The Silo Syndrome

• Proprietary PACS, card formats

• Duplication of operations

‒ ID proofing

• Low assurance!

‒ Issuance

‒ Registration to PACS

‒ No guarantee of uniqueness

…Think of the expense

…and the Lock Down problem

[Figure: each agency (DHS, CBP, USCIS, AG, CDC, TSA, DoD, GSA, FBI) running its own PACS silo]

(6)

The Transformation… Dependence on Cloud-Based

• Enterprise Identity Management

• Credential Issuance

• PKI Services

(7)

FICAM Roadmap Federal Enterprise Target Conceptual Diagram

(8)

FICAM Roadmap Overview of PACS within the Overall Infrastructure

(9)

What is ICAM?

• ICAM represents the intersection of digital identities, credentials, and access control into one comprehensive approach

• Key ICAM Service Areas Include:

‒ Digital Identity

‒ Credentialing

‒ Privilege Management

‒ Authentication

‒ Authorization & Access

‒ Cryptography

‒ Auditing and Reporting

(10)

ICAM Foundational Architecture

(11)

E-IdM and My E-PACS

• ICAM provides

‒ E-IdM: Trusted sources of identity for my agency/department

‒ PIV: Interoperable credentials for these individuals

‒ PKI: Identity binding and status of the employer/employee relationship

• Automated

‒ Provisioning: Trusted identities and their credentials into my E-PACS database

‒ Trust: Is that credential still valid?

• On separation, I will know to remove that person from my E-PACS within 24 hours

(12)

How Policies Govern Implementations

[Figure: three policy layers, drawn as a key opening a lock for a usage]

‒ Usage (Buildings/Facilities): NIST SP 800-116

‒ Key: PIV/PIV-I per FIPS 201 & FBCA CP

‒ Lock: FICAM PIV in Enterprise PACS

(13)

NIST SP 800-116

• Provides guidance on usage of a PIV technology card in PACS

• Defines threats/countermeasures when using PIV correctly

‒ and incorrectly!

• Defines migration of the federal enterprise through a maturity model

(14)

The Tools in my Arsenal…

• Performing signature checks and private key challenges at enrollment is not sufficient to achieve these levels of assurance. They must be done at the time-of-access.

• Revocation checking for FASC-N and CHUID modes must be done using the PIV authentication certificate.

Threats countered by each authentication mode (✓ = countered), with the number of authentication factors and the SP 800-116 security area each mode is suitable for:

Auth Modes      Revoked  Counterfeit or Altered  Copied or Cloned  Lost or Stolen  Shared  Auth Factors  SP 800-116 Security Area
Chip Serial #   -        -                       -                 -               -       None          Uncontrolled
FASC-N/UUID     ✓        -                       -                 -               -       None          Uncontrolled
CHUID+VIS       ✓        ✓                       -                 -               -       1             Controlled
PKI-CAK         ✓        ✓                       ✓                 -               -       1             Controlled
PKI-AUTH        ✓        ✓                       ✓                 ✓               -       2             Limited
PKI-AUTH+BIO    ✓        ✓                       ✓                 ✓               ✓       3             Exclusion

(15)

Mapping Authentication Method to Controlled Areas

NOTE: Circled numbers are references to explanatory

(16)

[Figure: PKI-Digital Signature (for email or PC login) alongside PKI-Authentication (user digitally signs for access)]

How LONG is the PKI Cloud Dog's tail?

SO… When Someone Shows Up at My Door…

(17)

[Figure: the PKI trust fabric a relying party inherits. Legend: DoD; DoD Sponsored; Other Federal Agency / Sponsored International Government; Commercial; Shared Service Provider. Nodes: Raytheon, The Boeing Company, Carillon, Northrop Grumman, Lockheed Martin, EADS, SITA, Exostar, NL MoD, Federal Common Policy CA, DOS, Treasury, Entrust, VeriSign Class 1 SSP, Cassidian, VeriSign SSP G3, ORC SSP 3, ORC SSP 2, Verizon Business, VeriSign Class 2 SSP, VeriSign Class 3 SSP, DOJ, ECA Root CA 2, ORC ECA, VeriSign ECA, IdenTrust ECA, State of Illinois, DoD iRoot, DoD Root 1, DoD Subordinate CAs, DoD Root 2, UK CCEB Root, UK MOD CCEB Root, UK MoD, VeriSign SSP CA - G2, DST ACES CA, Entrust NFI Root, ORC NFI CA 2, GPO, ORC Root 2, USPTO, Federal Bridge (FBCA), CertiPath Bridge (CBCA), CertiPath Root CA, Veterans Affairs]

(18)

SHA1 Infrastructure

[Figure: the same trust-fabric map, showing the SHA-1 infrastructure]

(19)

SHA2 Infrastructure

[Figure: the same trust-fabric map, showing the SHA-2 infrastructure]

(20)

PIV Issuers

[Figure: the same trust-fabric map, showing the PIV issuers]

(21)

PIV-I Issuers

[Figure: the same trust-fabric map, showing the PIV-I issuers]

(22)

PKI-Authentication: High Assurance Transactions

Conditions in the trust fabric that a relying party performing PKI authentication must be able to handle:

• An OCSP Responder is offline

• Server SSL Cert has expired

• Server SSL Cert has been revoked

• Server SSL Cert was tampered with

• Issuing CA has expired

• Server SSL Cert's CRL is offline

• Issuing CA's CRL is offline

• Issuing CA was tampered with

• OCSP Responder Cert was tampered with

• OCSP Responder Cert has expired

• Issuing CA's Cert has been revoked

• Cross-certificate has a new Name Constraint

• Cross-certificate has a new Policy Constraint

• Cross-certificate has expired

• Cross-certificate was tampered with

• Unable to build path – AIA location offline

• Issuing CA has been re-keyed

• Issuing CA's CRL was tampered with

• Server SSL Cert's CRL was tampered with

• Cross-certificate's CRL was tampered with

• Issuing CA's CRL has expired

• Server SSL Cert's CRL has expired

• SCA Re-key has occurred

• SSL Cert has been re-keyed
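The conditions above, together with the two notes on "The Tools in my Arsenal…" (signature checks and private-key challenges at time-of-access, revocation checked against the PIV authentication certificate), come down to one fail-closed decision at the reader. The Go program below is an added example written for this page; it is not CertiPath code and not any PACS vendor's. Using only Go's standard library it builds a constructed lab PKI (a root CA, one PIV authentication certificate with a 72-hour lifetime, and the CA's CRL; every name and serial number is made up), then runs the PKI-AUTH door check under the failure modes from the slide that a single-CA lab can reproduce: card certificate expired, issuer outside the trust fabric, CRL source offline, CRL past NextUpdate, CRL not signed by the expected CA, certificate revoked, and a copied certificate presented without its private key. Cross-certificate constraints and OCSP are not modelled.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkAccess runs the PKI-AUTH checks at time-of-access and fails closed: anything but "ok" denies.
// cert is the PIV authentication certificate read from the card and card is the card's private key,
// reachable only as a signer; roots, issuer and rl are what the E-PACS trusts and has fetched from
// the PKI, with rl == nil modelling a CRL or OCSP source that is offline.
func checkAccess(now time.Time, cert *x509.Certificate, card crypto.Signer,
	roots *x509.CertPool, issuer *x509.Certificate, rl *x509.RevocationList) string {
	// Path: chain to a trusted root, validity period, EKU (a PIV auth cert is a client-auth cert).
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "deny:path"
	}
	// Revocation: the CRL must be present, genuinely signed by the issuer, and not past NextUpdate.
	if rl == nil {
		return "deny:crl-missing"
	} else if rl.CheckSignatureFrom(issuer) != nil {
		return "deny:crl-signature"
	} else if now.After(rl.NextUpdate) {
		return "deny:crl-stale"
	}
	for _, r := range rl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "deny:revoked"
		}
	}
	// Challenge: a copied certificate (all that CHUID or FASC-N mode reads) without the private key fails here.
	nonce := make([]byte, 32)
	rand.Read(nonce)
	digest := sha256.Sum256(nonce)
	if sig, err := card.Sign(rand.Reader, digest[:], crypto.SHA256); err != nil ||
		cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) != nil {
		return "deny:challenge"
	}
	return "ok"
}

// mkCert issues one certificate of the constructed lab PKI; parent == nil makes a self-signed root.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newIssuer returns a constructed root CA and a 72-hour PIV authentication certificate it issued.
func newIssuer(now time.Time, name string) (root *x509.Certificate, rootKey *ecdsa.PrivateKey, card *x509.Certificate, cardKey *ecdsa.PrivateKey) {
	root, rootKey = mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	card, cardKey = mkCert(&x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Constructed Cardholder"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, root, rootKey)
	return
}

// crl signs a CRL from the given CA that lists the given serials as revoked.
func crl(ca *x509.Certificate, key *ecdsa.PrivateKey, now, next time.Time, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: next}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		panic(err)
	}
	rl, _ := x509.ParseRevocationList(der)
	return rl
}

// Scenarios replays the door check under the failure modes from the slide that this lab can reproduce.
func Scenarios() map[string]string {
	now := time.Now()
	root, rootKey, cert, cardKey := newIssuer(now, "Constructed Trusted Root CA")
	xRoot, xKey, xCert, xCardKey := newIssuer(now, "Constructed Unrelated CA") // not in our trust fabric
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fresh := crl(root, rootKey, now, now.Add(24*time.Hour))
	return map[string]string{
		"genuine card, fresh CRL":       checkAccess(now, cert, cardKey, roots, root, fresh),
		"card certificate expired":      checkAccess(now.Add(96*time.Hour), cert, cardKey, roots, root, fresh),
		"issuer not in trust fabric":    checkAccess(now, xCert, xCardKey, roots, root, fresh),
		"CRL source offline":            checkAccess(now, cert, cardKey, roots, root, nil),
		"CRL expired (past NextUpdate)": checkAccess(now.Add(48*time.Hour), cert, cardKey, roots, root, fresh),
		"CRL not signed by issuer":      checkAccess(now, cert, cardKey, roots, root, crl(xRoot, xKey, now, now.Add(24*time.Hour))),
		"certificate revoked":           checkAccess(now, cert, cardKey, roots, root, crl(root, rootKey, now, now.Add(24*time.Hour), cert.SerialNumber)),
		"cloned certificate, no key":    checkAccess(now, cert, xCardKey, roots, root, fresh), // our cert, someone else's key
	}
}

func main() {
	fmt.Println(Scenarios()) // fmt sorts map keys, so the verdicts print in a stable order
}
```

Run it with `go run`; every verdict other than `ok` is a denial, and the reasons are distinguished only so the audit log can say why the door stayed shut. Two design points follow the slides directly: the private-key challenge is answered at the door, never carried over from enrollment, and revocation is decided on the authentication certificate's serial number, which is also where the FASC-N and CHUID modes must look. An offline or stale CRL denies access rather than falling back to the last known answer, which is the "fail closed" the trust-fabric conditions above force on a relying party.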

(23)

Oh By the Way…

• My E-PACS is NOT an island bounded by the Executive Branch

‒ Regular access

• Individuals having a trusted credential

• Normal daily access to the facility

‒ Visitors (industry, legislative, judicial and state & local)

• Individuals having a trusted credential

‒ PIV or PIV-I

• Individuals without a trusted credential

‒ Must issue facility access card

• Enterprise just took on a whole new meaning in scale

‒ Prior to PIV and PIV-I, not feasible

(24)

Ultimately: Relying Parties need to know now what will happen in the next few days across a large portion of the trust fabric.

(25)

Summary

• ICAM is a good thing

‒ Saves a lot of money by avoiding redundant, siloed processes

‒ One credential, one human, one identity

• And is it still valid!

• Nothing is perfect

‒ Trust but verify…

‒ Use the PKI!

‒ Challenge the Card!

‒ And be prepared for “issues” with cards from various issuers

• I wonder how mobile and derived credentials will change all this?
