Identity Management for FirstNet

Identity Management, May 16, 2013

MOTOROLA SOLUTIONS

Adam Lewis, Laura Lozano, Gino Scribano, Steve Upp

FirstNet ICAM




Agenda

• What is Identity Management and why does it matter?

• How does it apply to Public Safety and FirstNet?

• What IdM standards exist in the government today?

• Recommended next steps …


Introduction

• Background
  – Broadband is ushering in a new era of applications for the first responder
    • At 4:54 pm ET on Wednesday May 15th, someone downloaded the 50 billionth app from Apple's online App Store
  – Each application will want to authenticate the responder
  – Each application will want to provision the responder
  – There is risk associated with each solution solving this independently
  – A coordinated and cohesive approach to identifying users is needed

• Identity Management solved independently =
  – overall solution complexity +
  – inconvenience to both the administrator and the end-user +
  – weakened security +
  – an obstacle to interoperability

There is a fundamental need for an Identity Layer in FirstNet


The Need for Identity

Identity 1.0 is broken: the siloed approach is an obstruction to usability & interoperability
- Responder must enter (often different) credentials for every application (again, again, and again)
- Credentials are required on every resource server the first responder needs to access (not scalable, not dynamic)

Passwords have failed to protect us
- 5 of 6 attacks on the Internet caused by password breaches

Identity 2.0 is needed: deperimeterization driven by mobile and cloud has caused disruption
- Access to data can no longer depend on traditional (network-perimeter) security controls
- The user must be able to access data and resources from any place, stored any place, from any device
- Identity is the new perimeter

Separation of the Identity Provider (the one that issues your credentials and authenticates you) from the Service Provider (the one that provides you with service) enables:
- SSO
- Strong authentication
- Interoperable identity
- Scalable trust
- Centralized authentication, distributed authorization

*** Alignment with government initiatives and deployments: FICAM, GFIPM, NSTIC ***


Terminology

• Roles
  – Resource Owner
    • The one that owns the resource or service being requested
  – Resource Requestor
    • The person (or machine) that is requesting access to the resource or service

• Authentication
  – The act of the requestor proving their identity to the resource owner at some Level of Assurance (LOA)

• Authorization
  – The resource owner – after having some level of assurance that the requestor is who they claim to be – determining what resources the requestor is able to access


Real-Life Identity (1)

[Figure: Bob presents a birth certificate and a utility bill with name + address to the State DMV, which issues him an identity token.]

1. Identify: “Hi, I’m Bob.” Authenticate: “Prove it.” (presentation of credentials: birth certificate, utility bill with name + address)
2. State DMV: “I have authenticated you, Bob. Here is a token asserting my authentication of you … as well as some attributes of you.”


Real-Life Identity (2)


Token = Authenticated Attribute Assertions


Obvious Advantages of Real-Life Identity

• Relying parties (airport security, insurance agent, library, other states) do not need a complex authentication process
  – They consume identity as asserted by the DMV and make authorization decisions

• Our identity federates to other states (issued by the State of Illinois, trusted by the State of Texas)

• Our identity can be used to obtain a higher identity (e.g. passport)

• Our identity carries attributes that can help the service provider / relying party make authorization decisions
  – Old enough to buy alcohol?
  – Registered in this state?
  – Certified to drive an 18-wheeler?
  – No-fly list?

• The DMV can move to strong authentication in the future (biometric) without requiring changes to the relying parties


Public Safety Identity (1)

[Figure: the agency IdM function, backed by Active Directory, authenticates Officer Bob with a biometric, a password, or a public-private key pair, and returns a signed token.]

1. Identify: “Hi, I’m Officer Bob.” Authenticate: “Prove it.” (presentation of credentials: biometric, password, or public-private key pair)
2. IdM function: “I have authenticated you, Bob. Here is a token asserting my authentication of you … as well as some attributes of you.”

Token:
  Name: Officer Bob
  Agency: Schaumburg Police Department
  Role: Sergeant
  Languages: English, Spanish, Russian
  Qualifications: Firearms, CPR
  Contact-mobile: 847-555-1234
  Contact-email: [email protected]
  User Authentication: RSA 2-factor
  Signed by: Village of Schaumburg IdM
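The exchange on the Terminology, “Token = Authenticated Attribute Assertions” and Public Safety Identity slides, as an added example that is not part of the original deck: an agency IdM function issues a signed attribute assertion, and a relying party (a hypothetical CJIS query service) checks the issuer, signature, audience and lifetime before making its own authorization decision from the asserted LOA and role. The issuer name, key, attributes and the `cjis-query` audience are constructed for the example. The assertion is a compact JWS-style token with an HMAC signature so the example needs nothing beyond the standard library; a real deployment uses an asymmetric signature (SAML XML-DSig, JWS RS256/ES256) so relying parties can verify assertions but never mint them.

```python
# Added example, not code from the original deck. Names, keys and attributes are constructed.
import base64
import hashlib
import hmac
import json
import time


class InvalidAssertion(Exception):
    """Raised by the relying party when an assertion fails any trust check."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


# Assumed trust-framework registry: issuers this relying party trusts, and the key used
# to check their assertions. HMAC is a simplification (see lead-in); with it the relying
# party could also forge tokens, which an asymmetric signature prevents.
TRUSTED_ISSUERS = {
    "village-of-schaumburg-idm": hashlib.sha256(b"constructed demo key").digest(),
}


def issue_assertion(issuer, key, subject, audience, loa, attributes, now=None, lifetime=300):
    """IdP side: after authenticating `subject` at level of assurance `loa`,
    sign a compact header.payload.signature token carrying identity attributes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": issuer}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now,
              "exp": now + lifetime, "loa": loa, **attributes}
    signing_input = encode_json(header) + "." + encode_json(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_assertion(token, audience, trusted=TRUSTED_ISSUERS, now=None):
    """Relying-party side: authenticate the assertion before trusting anything in it."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise InvalidAssertion("malformed token") from exc
    # Pin the algorithm: the token must never choose how it is verified ("alg": "none").
    if header.get("alg") != "HS256":
        raise InvalidAssertion("unexpected alg")
    key = trusted.get(claims.get("iss"))
    if key is None or header.get("kid") != claims.get("iss"):
        raise InvalidAssertion("untrusted issuer")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidAssertion("bad signature")
    if claims.get("aud") != audience:  # a token for CAD must not be replayed to CJIS
        raise InvalidAssertion("wrong audience")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise InvalidAssertion("expired or not yet valid")
    return claims


def authorize(claims, min_loa, required_roles=()):
    """Distributed authorization: the relying party, not the IdP, decides access
    from the asserted LOA and attributes."""
    if claims.get("loa", 0) < min_loa:
        return False
    return not required_roles or claims.get("role") in required_roles


def tamper(token, header_overrides=None, **claim_overrides):
    """Attacker helper: rewrite header/claims while keeping the original signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = {**json.loads(b64url_decode(h_b64)), **(header_overrides or {})}
    claims = {**json.loads(b64url_decode(p_b64)), **claim_overrides}
    return ".".join([encode_json(header), encode_json(claims), s_b64])


def demo():
    """Run the exchange from the slide and return what each check decided."""
    issuer = "village-of-schaumburg-idm"
    attributes = {"name": "Officer Bob", "agency": "Schaumburg Police Department",
                  "role": "Sergeant", "qualifications": ["Firearms", "CPR"]}
    token = issue_assertion(issuer, TRUSTED_ISSUERS[issuer], "officer-bob",
                            "cjis-query", loa=3, attributes=attributes, now=1_000)
    claims = verify_assertion(token, "cjis-query", now=1_100)
    results = {
        "role": claims["role"],
        "cjis_allowed": authorize(claims, min_loa=3, required_roles=("Sergeant", "Lieutenant")),
        "loa4_allowed": authorize(claims, min_loa=4),
    }
    attempts = {  # each should be rejected by a different check
        "tampered_role": (tamper(token, role="Chief"), "cjis-query", 1_100),
        "alg_none": (tamper(token, header_overrides={"alg": "none"}), "cjis-query", 1_100),
        "wrong_audience": (token, "cad", 1_100),
        "expired": (token, "cjis-query", 2_000),
    }
    for name, (bad_token, aud, now) in attempts.items():
        try:
            verify_assertion(bad_token, aud, now=now)
            results[name] = "accepted"
        except InvalidAssertion as exc:
            results[name] = str(exc)
    return results
```

`demo()` is the whole slide in one call: the IdM function asserts who Bob is and at what LOA; the CJIS service verifies that assertion and then applies its own rule (LOA 3 and a supervisory role), which is the “centralized authentication, distributed authorization” split. The four rejected attempts are the checks a naive consumer skips: algorithm pinning, signature over the exact bytes received, audience, and lifetime.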


Public Safety Identity (2)

[Figure: the responder’s agency token is presented to applications at the agency and at the state/region/federal level: status-info homepage, CJIS, web-based App 2, CAD, Records, App 3.]


Identity Landscape – Government & Industry

SDOs
• IETF
• OASIS
• 3GPP
• ATIS
• TIA
• OIX
• Kantara

Standards
• SAML
• WS-Trust
• OpenID
• OAuth
• OpenID Connect
• UMA
• PersonaID
• TR 33.980
• TR 33.924
• TR 33.804
• TR 22.895

Government Agencies
• White House
• GSA
• DOJ
• USPS
• NIST
• OMB
• DHS
• FEMA
• FBI

Government Initiatives
• E-Gov Act 2002
• FICAM
• GFIPM
• NIEF
• NSTIC
• Federal PKI
• FCCX
• FedRAMP
• SICAM
• BAE
• PIV/PIV-I
• FRAC
• NIMS
• NIEM
• CJIS
• PIV-I/FRAC

Technology Transition Working Group

Government Publications
• NIST SP800-78
• NIST SP800-63
• NIST SP800-76
• NIST FIPS 201
• OMB M-04-04
• HSPD-12

** This is just a sample to illustrate the amount of work. It is not an exhaustive list.


Guiding Principles for FirstNet

• An identity ecosystem should enable single sign-on
• An identity ecosystem should enable interoperability
• An identity ecosystem shall be usable
• An identity ecosystem shall be standards-based
• An identity ecosystem shall be secure
• An identity ecosystem shall be flexible


Guiding Principles (cont.)

• First Responders are typically identity proofed and credentialed by their respective agency
  – The FirstNet system must enable agencies to reuse their existing agency-issued identity & credentials
  – This might include FRAC credentials or passwords
  – The FirstNet system MUST NOT make first responders remember yet another user ID and password
    • (or make their IT admin manage yet another set)

• The FirstNet system must enable a scalable identity solution for smaller public safety agencies that don’t have sufficient funds to manage their own Identity Management infrastructure
  – E.g. must enable support of Identity Management as a Service (IdMaaS)
  – Enables smaller agencies to “shop around” for an identity using an open-marketplace type model
  – FirstNet may optionally offer their own IdMaaS for smaller agencies (so long as it does not prohibit those agencies from free choice)


Many Challenges

• First there are the technical hurdles:
  – A plethora of standards to choose from
  – The standard that is ultimately chosen must be profiled
  – The solution must account for diverse credential types (passwords, PIV-I / FRAC, biometric), and for the diversity in size of the various public safety agencies
  – (and this is the easy part)

• And there is so much to do beyond the technology:
  – Legal (e.g. what are the contractual obligations of the parties?)
  – Policy (e.g. Levels of Assurance, dispute resolution, privacy requirements, etc.)
  – Accreditation (e.g. ensure that parties meet the policy)
  – Continued auditing (e.g. ensure that parties keep meeting the policy over time)


To Meet the Challenges

A Trust Framework for First Responders is required

• What is a Trust Framework?
  – An agreement between stakeholders consisting of:
    • Selection of standards and profiles of those standards
    • Identity proofing
    • Acceptable credential types
    • Levels of Assurance
    • Levels of Protection
    • Auditing expectations
    • Legal obligation and liability clauses
    • Dispute resolution process
    • Governance structure

• Possible venues for defining a Trust Framework for First Responders:
  – Kantara Initiative
  – GLOBAL Security WG


Take Away

Identity will be the plumbing of interoperable application-layer communications between public safety agencies and FirstNet

• A scalable Identity Trust Framework for FirstNet is imperative

• We must either plan for it now – or it will be a disaster later

Recommendation:
• Engage public safety stakeholders to develop use cases that reflect real-world identity requirements, resulting in a scalable and interoperable Identity Trust Framework between public safety agencies and the FirstNet national system.


And in Closing …

• Questions?
• Comments?
• Scrutiny?

• Thank you! :-)