FirstNet ICAM
Transcript of FirstNet ICAM
Identity Management for FirstNet
Identity Management
May 16, 2013
MOTOROLA SOLUTIONS
Adam Lewis, Laura Lozano, Gino Scribano, Steve Upp
Agenda
• What is Identity Management and why does it matter?
• How does it apply to Public Safety and FirstNet?
• What IdM standards exist in the government today?
• Recommended next steps …
Introduction
• Background
– Broadband is ushering in a new era of applications for first responders
• At 4:54 pm ET on Wednesday May 15th, someone downloaded the 50 billionth app from Apple's online App Store
– Each application will want to authenticate the responder
– Each application will want to provision the responder
– Risk associated with each solution solving this independently
– A coordinated and cohesive approach to identifying users is needed
• Identity Management solved independently =
– overall solution complexity +
– inconvenience to both the administrator and the end-user +
– weakened security +
– obstacle to interoperability
There is a fundamental need for an Identity Layer in FirstNet
The Need for Identity
Identity 1.0 is broken: a siloed approach is an obstruction to usability & interoperability
- Responder must enter (often different) credentials for every application (again, again, and again)
- Credentials required on every resource server the first responder needs to access (not scalable, not dynamic)
Passwords have failed to protect us
- 5 of 6 attacks on the Internet caused by password breaches
Identity 2.0 is needed: deperimeterization driven by mobile and cloud has caused disruption
- Access to data can no longer depend on traditional security controls
- User must be able to access data and resources from anyplace – stored anyplace – from any device
- Identity is the new perimeter
Separation of Identity Provider (the one that provides your credentials and authenticates you) and Service Provider (the one that provides you with service) enables:
- SSO
- Strong authentication
- Interoperable Identity
- Scalable trust
- Centralized authentication, distributed authorization
*** Alignment with government initiatives and deployments: FICAM, GFIPM, NSTIC ***
Terminology
• Roles
– Resource Owner
• The one that owns the resource or service being requested
– Resource Requestor
• The person (or machine) that is requesting access to the resource or service
• Authentication
– The act of the requestor proving their identity to the resource owner at some Level of Assurance (LOA)
• Authorization
– The resource owner – after having some level of assurance that the requestor is who they claim to be – determining what resources the requestor is able to access
Real-Life Identity (1)
(Diagram: Bob presents credentials to the State DMV and receives a token)
Step 1 – Identify: “Hi, I’m Bob.” Authenticate: “Prove it.” (presentation of credentials: birth certificate, utility bill with name + address)
Step 2 – State DMV: “I have authenticated you, Bob. Here is a token asserting my authentication of you … as well as some attributes of you.”
Obvious Advantages of Real-Life Identity
• Relying parties (airport security, insurance agent, library, other states) do not need a complex authentication process
– They consume identity as asserted by the DMV and make authorization decisions
• Our identity federates to other states (issued by State of Illinois, trusted by State of Texas)
• Our identity can be used to obtain higher identity (e.g. passport)
• Our identity carries attributes that can help the service provider / relying party make authorization decisions
– Old enough to buy alcohol?
– Registered in this state?
– Certified to drive an 18-wheeler?
– No-fly list?
• DMV can move to strong authentication in the future (biometric) without requiring changes to the relying parties
Public Safety Identity (1)
(Diagram: Officer Bob authenticates to the agency IdM function, backed by Active Directory, and receives a signed token)
Step 1 – Identify: “Hi, I’m Officer Bob.” Authenticate: “Prove it.” (presentation of credentials: biometric, password, public-private key pair)
Step 2 – IdM: “I have authenticated you, Bob. Here is a token asserting my authentication of you … as well as some attributes of you.”
Token contents:
Name: Officer Bob
Agency: Schaumburg Police Department
Role: Sergeant
Languages: English, Spanish, Russian
Qualifications: Firearms, CPR
Contact-mobile: 847-555-1234
Contact-email: [email protected]
User Authentication: RSA 2-factor
Signed by: Village of Schaumburg IdM
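The two-step exchange on this slide, worked through in code as an added example (it is not part of the original deck and not code from Motorola, FirstNet or any agency): the agency IdM authenticates the responder and issues a token carrying a Level of Assurance and attributes; a FirstNet application, as the relying party, verifies that the token comes from an issuer it trusts, was meant for it and has not expired, and only then applies its own authorization policy to the asserted attributes (centralized authentication, distributed authorization). The token format, the function names, the keys, the issuer name and the role/LOA policy are all assumptions constructed for the example; HMAC-SHA256 with a shared key stands in for the IdM's public/private key signature so the block runs with the standard library only.

```python
"""Toy identity-provider / relying-party exchange (added example, not from the deck)."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised by the relying party when an assertion cannot be trusted."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, attributes, loa, audience, ttl=300, now=None):
    """IdP side (step 2 on the slide): after authenticating the user, the agency IdM
    asserts who they are, at what Level of Assurance, and with which attributes."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,         # who is vouching for the user
        "sub": subject,        # the authenticated responder
        "aud": audience,       # which relying party may consume this token
        "loa": loa,            # Level of Assurance of the authentication performed
        "iat": now,
        "exp": now + ttl,      # short lifetime limits replay
        "attrs": attributes,   # agency, role, qualifications, ...
    }
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    # Simplification: HMAC with a shared key stands in for the IdM's private-key signature.
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, audience, trust_store, now=None):
    """Relying-party side. trust_store maps issuer name -> verification key;
    issuers missing from it are rejected before anything else is believed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise TokenError("malformed token")
    try:
        payload, sig = _unb64(parts[0]), _unb64(parts[1])
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError) as exc:   # binascii.Error is a ValueError
        raise TokenError("undecodable token") from exc
    if not isinstance(claims, dict):
        raise TokenError("malformed claims")
    issuer = claims.get("iss")
    if issuer not in trust_store:
        raise TokenError(f"untrusted issuer {issuer!r}")
    expected = hmac.new(trust_store[issuer], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("aud") != audience:
        raise TokenError("token not issued for this relying party")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def authorize_records_query(claims, min_loa=3, permitted_roles=("Sergeant", "Detective")):
    """Distributed authorization: the application, not the IdM, decides what the
    asserted identity may do. The LOA floor and role list are constructed policy."""
    if claims.get("loa", 0) < min_loa:
        return False, "insufficient level of assurance"
    if claims.get("attrs", {}).get("role") not in permitted_roles:
        return False, "role not permitted"
    return True, "ok"


def relying_party_decision(token, audience, trust_store, now=None):
    """Full relying-party path: verify the assertion, then apply local policy."""
    try:
        claims = verify_token(token, audience, trust_store, now=now)
    except TokenError as exc:
        return False, str(exc)
    return authorize_records_query(claims)


# Constructed sample data mirroring the slide (not real keys, systems or people).
AGENCY_IDM = "Village of Schaumburg IdM"
AGENCY_KEY = b"constructed-demo-key-do-not-reuse"
FIRSTNET_TRUST_STORE = {AGENCY_IDM: AGENCY_KEY}   # issuers this FirstNet app accepts
BOB_ATTRS = {
    "name": "Officer Bob",
    "agency": "Schaumburg Police Department",
    "role": "Sergeant",
    "qualifications": ["Firearms", "CPR"],
}

if __name__ == "__main__":
    tok = issue_token(AGENCY_IDM, AGENCY_KEY, "bob@schaumburg", BOB_ATTRS, loa=3,
                      audience="records-app", now=1000)
    print(relying_party_decision(tok, "records-app", FIRSTNET_TRUST_STORE, now=1100))
```

The relying party never sees a password: it checks the issuer against its trust store first, then the signature, audience and expiry, and only afterwards reads the attributes. Swapping the agency's authentication method (password to biometric or RSA two-factor) changes the `loa` value the IdM asserts, not the application's code, which is the property the DMV analogy on the earlier slide points at.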
Public Safety Identity (1)
(Diagram: the agency-issued identity is consumed by applications at the agency, state/region and federal levels: status-info homepage, CJIS, web-based app 2, CAD, records, app 3)
Identity Landscape – Government & Industry
SDOs
• IETF
• OASIS
• 3GPP
• ATIS
• TIA
• OIX
• Kantara
Standards
• SAML
• WS-Trust
• OpenID
• OAuth
• OpenID Connect
• UMA
• PersonaID
• TR 33.980
• TR 33.924
• TR 33.804
• TR 22.895
Government Agencies
• White House
• GSA
• DOJ
• USPS
• NIST
• OMB
• DHS
• FEMA
• FBI
Government Initiatives
• E-Gov Act 2002
• FICAM
• GFIPM
• NIEF
• NSTIC
• Federal PKI
• FCCX
• FedRAMP
• SICAM
• BAE
• PIV/PIV-I
• FRAC
• NIMS
• NIEM
• CJIS
• PIV-I/FRAC
Technology Transition Working Group
Government Publications
• NIST SP800-78
• NIST SP800-63
• NIST SP800-76
• NIST FIPS 201
• OMB M-04-04
• HSPD-12
** This is just a sample to illustrate the amount of work. It is not an exhaustive list.
Guiding Principles for FirstNet
• An identity ecosystem should enable single sign-on
• An identity ecosystem should enable interoperability
• An identity ecosystem shall be usable
• An identity ecosystem shall be standards-based
• An identity ecosystem shall be secure
• An identity ecosystem shall be flexible
Guiding Principles (cont.)
• First Responders are typically Identity Proofed and credentialed by their respective agency
– The FirstNet system must enable agencies to reuse their existing agency-issued identity & credentials
– This might include FRAC credentials or passwords
– The FirstNet system MUST NOT make first responders remember yet another user ID and password
• (or make their IT admin manage yet another set)
• The FirstNet system must enable a scalable identity solution for smaller public safety agencies that don’t have sufficient funds to manage their own Identity Management infrastructure
– E.g. must enable support of Identity Management as a Service (IdMaaS)
– Enables smaller agencies to “shop around” for an identity using an open-marketplace type model
– FirstNet may optionally offer their own IdMaaS for smaller agencies (so long as it does not prohibit those agencies from free choice)
Many Challenges
• First there are the technical hurdles:
– A plethora of standards to choose from
– The standard that is ultimately chosen must be profiled
– Solution must account for diverse credential types (passwords, PIV-I / FRAC, biometric), and diversity in size of various public safety agencies
– (and this is the easy part)
• And there is so much to do beyond the technology:
– Legal (e.g. what are the contractual obligations of the parties?)
– Policy (e.g. Levels of Assurance, dispute resolution, privacy requirements, etc.)
– Accreditation (e.g. ensure that parties meet the policy)
– Continued auditing (e.g. ensure that parties meet the policy – over time)
To Meet the Challenges
A Trust Framework for First Responders is required
• What is a Trust Framework?
– An agreement between stakeholders consisting of:
• Selection of standards and profiles of those standards
• Identity Proofing
• Acceptable credential types
• Levels of Assurance
• Levels of Protection
• Auditing expectations
• Legal obligation and liability clauses
• Dispute resolution process
• Governance structure
• Possible venues for defining a Trust Framework for First Responders:
– Kantara Initiative
– GLOBAL Security WG
Take Away
Identity will be the plumbing of Interoperable application-layer communications between public safety agencies and FirstNet
• A scalable Identity Trust Framework for FirstNet is imperative
• We must either plan for it now – or it will be a disaster later
Recommendation:
• Engage public safety stakeholders to develop use cases that reflect real-world identity requirements, resulting in a scalable and interoperable Identity Trust Framework between public safety agencies and the FirstNet national system.