Widepoint orc thales webinar 111313d - nov 2013


Description

For many companies thinking about moving sensitive data to the cloud, security issues remain a significant concern. But one company, Operational Research Consultants Inc. (ORC), a WidePoint Company, is proving that the cloud really can be made as safe as or even safer than on-premise deployments, even for organizations as security-focused as the U.S. Federal Government.

A pioneer in federal identity management: ORC has been a trusted partner of the U.S. government since the mid-'90s, when the company launched the Navy Acquisition Public Key Infrastructure to support secure interactions with contractors and suppliers. As the government's emphasis on information assurance expanded over the next two decades, ORC became a go-to partner for security solutions and one of the first companies authorized to provide government-compliant identity management solutions. Today ORC manages more than three million identities and has issued more than 10 million federal-compliant digital certificates to a variety of employees, contractors, allies, veterans and citizens conducting business with the government.

The need for secure and interoperable identification and authentication: In August 2004, the Bush administration issued a Homeland Security Presidential Directive (HSPD-12) to secure federal facilities and resources by establishing a government-wide standard for secure and reliable forms of identification. Going far beyond simply issuing ID badges to government employees, this initiative would focus on the processes needed to issue secure personal credentials, on methods to validate those issuance processes and credentials, and on managing risk and quality throughout the lifecycle of the credentials. The Personal Identity Verification (PIV) program implements these processes, and FIPS (Federal Information Processing Standard) 201 specifies the interface and data elements of the PIV smart card.

Among the data elements on a PIV card are one or more asymmetric private cryptographic keys. Departments and agencies must use a compliant public key infrastructure (PKI) to issue digital certificates to users. The PIV initiative has also spawned other high assurance credentials that support specific Business-to-Government, Citizen-to-Government and Citizen-to-Business transactions while supporting federated interoperability between the issued credentials. These include various PIV-Interoperable (PIV-I) and PIV variants, such as: Transportation Worker Identification Credential (TWIC®), First Responder Authentication Credentials (FRAC), Commercial Identity Verification (CIV), and External Certificate Authority (ECA) PIV-I, that address various regulatory requirements and are built to scale globally. The processes and policies for certificate issuance, and the protections afforded to the critical root and issuing certificate authority keys in that PKI, are critical factors in the overall assurance level of the system.

Transcript of Widepoint orc thales webinar 111313d - nov 2013

Page 1: Widepoint orc thales webinar 111313d - nov 2013

11/14/13  

1  

Identity as a Service – Strong enough for government? Date: November 13, 2013 Time: 11:00 pm EST/ 8:00 am PST

Host: Richard Moulds, Thales e-Security VP of Strategy and Product Marketing

Guest: Daniel E. Turissini CEO, Operational Research Consultants

Defend Critical Infrastructure from Invasive Attack & Information Theft

Prevent Terrorism & Promote National Security

Prevent Cybercrime; Identity Theft; Promote Efficient Use of Technology

Cyber Security: "One of the most serious economic & national security threats our nation faces." -- President Obama

Issues at hand:

• Cost-effectively prevent cyber-terrorism, cyber-crime, & defend our nation's critical infrastructure:

• Reduce risk of unauthorized disclosure of proprietary & privacy information

• Share timely information securely with remote workers, vendors, partners & customers

• Ensure the accountability of all cyber-transactions

• Avoid unnecessary costs arising from system "silos"


Cyber Approach

Standards-based, Cyber IA Enabling Infrastructure (CIEI©)* for electronic authentication, validation & access control:

• iDentity Management – Create & maintain an identity, including discrete attributes, centralized administration & user self-service

• E-Authentication – Provide repositories for identity, network and/or resource profiles; provide security services that enable identification, validation & support for authorization

• Access Management – Provide authorization, audit & session management functions to define individual access rights for business partners, suppliers, customers or employees

• Provisioning & Workflow – Business policies to support greater automation for devices such as identity tokens, credit cards, cell phones & PCs

* Driven by the Federal Government & Commercial Cloud Based Initiatives

Expertise

• Information security solutions ensuring fully compliant & trusted exchange & assurance of information

• Certificate-based personal & non-personal identity credentialing

• Multi-level assurance managed ID services across various domains (i.e., First Responder, Healthcare, Government, Citizen, etc.)

• Layered security technologies addressing best practice authentication, authorization, auditing & encryption methodologies

• Scalable, highly available VPN services & supporting appliances for secure communications management

• Markets leading-edge secure critical response management solutions designed to improve coordination within emergency services and critical infrastructure agencies

• Accountability solutions tailored to specific customer workflows, including: incident management, network device management, crime scene evidence control, mortgage processing, etc.

In Production – Not Theoretical


Assurance based on who, not where!

Most communities of interest concerned with Privacy & Security can no longer be defined by location. ORC's IA solutions address access to multi-level secure resources & message traffic based on Entity Identity, Roles, & Privileges: people, devices, servers, objects, code ...

Digital Identity

ORC's cyber identity credentials allow you to SECURELY...

• Access email via the internet

• Establish a virtual private network with your base network from anywhere in the world

• Move from one application to another without having to key password information -- without losing security along the way

• Apply on-line for access rights and services -- and receive those services

• Digitally sign memos, contracts, delivery orders, etc.

• Digitally sign code for safe distribution

Privacy & critical infrastructure protection


Security Services

Physical (e.g. writing a check)

– Confidentiality: Limited physical access

– Data Integrity: Inked text

– Non-Repudiation: Cancelled check

– Identification & Authentication: Driver's license & signature

– Privilege & Authorization: Check for account validity

Digital

– Confidentiality: Data Encryption

– Data Integrity: Hashing

– Non-Repudiation: Digital Signature

– Identification & Authentication: CA Signature

– Privilege & Authorization: Access/Privilege Control Lists

A digital solution for cyber security

What's in a Digital Certificate

– Identity

– Authoritative Source: Legitimate Certificate Authority or Unknown CA (Untrusted)

– Level of Assurance: Basic/Medium/High Confidence in Identity

– Validity: Issued on mmddyyyy, Expires on mmddyyyy, with a robust revocation/validation infrastructure

– Cryptographic Strength: SHA-256, AES


Alternative Tokens

• Trusted Platform Module (TPM)

• SD/MicroSD

• SIM

• USB

• Smart Card

Embedded/Removable HW Crypto, FIPS-140/Common Criteria

ORC is a leader in advanced technology operations!

Federated Trust

The Trust Triangle:

• Subscribers (End-Entities)

• Trusted Third Parties (Certificate Authorities)

• Relying Parties

The right Assurance, Security, Biometrics & PKI Capabilities/Expertise


Infrastructure Based on Commercial Standards

Facilities to Provide Secure & Scalable IT Services

High Availability Data Centers: 365x7x24, 99.999 uptime, as required by Federal Policy

Secure Network Operations Centers (SNOC): Five tier physical protection

• Communications traffic is monitored & upgraded bandwidth is available as traffic requirements dictate to maintain the customer services with 99.999% up time

• Audited installation procedures to ensure that Government requirements are met & customer expectations exceeded

• SNOCs employ UPS coupled with a constant power generator & dedicated HVAC - at full load, power can be maintained for more than 5 days without public power

• Hardware, software, & vendor service level agreements associated with maintaining appropriate firewall protection, redundant warehousing, power generation & Internet connectivity are leveraged for each customer.

The know-how & access to leverage existing deployments

Strong Certification & Accreditation Processes

FISMA Compliant

• Initiation: Preparation; Notification & Resource Id; System Security Baseline, Analysis, Update, & Acceptance

• Security Certification: Security Controls Assessment; Security Certification Documentation

• Security Accreditation: Security Accreditation Decision; Security Accreditation Documentation

• Continuous Monitoring: Configuration Mgmt & Control; Security Controls Monitoring; Status Reporting & Documentation


Federated Solutions

• Federated solutions support various strong electronic identity credentials that can be readily electronically validated by any logical/physical access point, allowing the decision maker or databases to make a local, specific privilege and/or authorized access decision, confident in:

– the identity of the person attempting access;

– the identity of the device attempting access;

– the identity of the vetted organization that they represent;

– that the organization and the individual have a legal relationship to do business with the federal government; and,

– that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.

Credential assures you are who you say you are; Relying Party confirms what holder is permitted to access!

Federated Access for Enterprise Applications

Trust triangle diagram for enterprise applications, with the labels: Trusted Third Parties [External Certificate Authorities (ECA)/PIV-I]; Subscribers (Credential Holders); Relying Party's (Access Rules); Strong Identity; Strong Access Control; Local Access Decisions.

Strong credentials with biometrics consistent with federal standards are essential to successful access control


Certified Credential Enhanced Access Control

Flow diagram: Remote/Mobile Client/WS -> SSL VPN (https) -> Border Server -> Application Server, with the Border and Application Servers consulting Validation Data (FDS).

1. Initial Enterprise Logon

2. Validate Device Certificate

3. Authenticated SSL VPN Established

4. Initiate Application Logon

5. Validate ID Certificate

6. Access Attributes

More information to make better access decisions
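The two validation steps and the local access decision above, together with the certificate elements listed under "What's in a Digital Certificate" (authoritative source, level of assurance, validity window, revocation data), as an added worked example in Python. This is illustration code written for this page, not ORC or Thales software; the CA name, revocation entries, access rules, assurance ranking and sample credentials are all constructed assumptions.

```python
"""Relying-party checks modelled on the slides' certificate elements and access flow (assumed illustration)."""
from dataclasses import dataclass, field
from datetime import date

LOA_RANK = {"basic": 1, "medium": 2, "high": 3}   # Level of Assurance ranking, as on the certificate slide

@dataclass(frozen=True)
class Credential:
    subject: str          # Identity
    issuer: str           # Authoritative Source (the issuing CA)
    loa: str              # Level of Assurance
    not_before: date      # Validity window
    not_after: date
    serial: str           # looked up in the revocation data
    attributes: frozenset = field(default_factory=frozenset)   # e.g. vetted organisation, role

@dataclass
class RelyingParty:
    trusted_cas: frozenset   # CAs this relying party chooses to trust (the trust triangle)
    revoked: frozenset       # constructed stand-in for CRL/OCSP validation data: (issuer, serial) pairs
    access_rules: dict       # resource -> (minimum LoA, required attributes): the local access rules

    def validate(self, cred: Credential, today: date) -> list:
        """Steps 2 and 5: validate the certificate. Returns the failed checks (empty list == valid)."""
        failures = []
        if cred.issuer not in self.trusted_cas:
            failures.append("untrusted CA")
        if not cred.not_before <= today <= cred.not_after:
            failures.append("outside validity window")
        if (cred.issuer, cred.serial) in self.revoked:
            failures.append("revoked")
        return failures

    def decide(self, cred: Credential, resource: str, today: date) -> tuple:
        """Step 6: the local access decision, reached only by a credential that validated."""
        failures = self.validate(cred, today)
        if failures:
            return False, "credential rejected: " + ", ".join(failures)
        rule = self.access_rules.get(resource)
        if rule is None:
            return False, "no access rule for resource"
        min_loa, required = rule
        if LOA_RANK[cred.loa] < LOA_RANK[min_loa]:
            return False, f"assurance {cred.loa} below required {min_loa}"
        missing = required - cred.attributes
        if missing:
            return False, "missing attributes: " + ", ".join(sorted(missing))
        return True, "access granted"

# Constructed sample data: no real identities, CAs or serial numbers
RP = RelyingParty(trusted_cas=frozenset({"Example ECA"}), revoked=frozenset({("Example ECA", "0x1f")}),
                  access_rules={"payroll": ("medium", frozenset({"vetted-org"})), "portal": ("basic", frozenset())})
TODAY = date(2013, 11, 13)
WINDOW = (date(2013, 1, 1), date(2016, 1, 1))
GOOD = Credential("alice", "Example ECA", "medium", *WINDOW, "0x2a", frozenset({"vetted-org"}))
REVOKED = Credential("mallory", "Example ECA", "high", *WINDOW, "0x1f", frozenset({"vetted-org"}))
UNKNOWN_CA = Credential("bob", "Self-Signed Inc", "high", *WINDOW, "0x01", frozenset({"vetted-org"}))
# Evaluated at import so the three outcomes (granted, revoked, untrusted CA) are visible to the reader
DECISIONS = {c.subject: RP.decide(c, "payroll", TODAY) for c in (GOOD, REVOKED, UNKNOWN_CA)}
```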

Leveraging A Common Infrastructure

Currently over 25 million people have compliant credentials:

• Federal Government

• Trading Partners & Allies

• First Responders

• Veterans

• Transportation Workers

• Military

• Retirees & Dependents

As this number grows - opportunities for efficiencies skyrocket!


Reduce Cost of Goods Sold (COGS)

• Federated Digital Solution

– Reduces High Help Desk Costs

– Mitigates Risks Associated with usernames & passwords

– Enhances Fraud Protection

• Syndicated Investment/Syndicated Risk

• Federally Certified & Accredited Products/Services Commercially Priced

Chain of Trust; Privacy; Interoperability

ORC's Cyber Credentials

• Distinguished as 1 of only 4 Certified PKI Shared Service Providers, currently providing PIV services to six federal agencies, with full Authority to Operate (ATO)

• Distinguished as 1 of only 4 Approved PIV-Interoperable Providers and is currently providing PIV-I services to three state governments

• Distinguished as the 1st designated DoD Interim External Certificate Authority (IECA-1) & the first US Government External Certificate Authority (ECA)

• Distinguished as 1 of 2 GSA Access Certificates for Electronic Services (ACES) Trusted Third Parties, citizen focused PKI

• Distinguished as the 1st commercial GSA E-Authentication Federation Credential Service Provider at Level 1, 2, and 3.

• Distinguished as the PKI provider for the Transportation Worker Identification Credential (TWIC)

• Distinguished as the 1st commercial Credential Issuer under The Federation for Identity and Cross-Credentialing Systems (FiXs) – http://www.FiXs.org

4M identities & more than 14M federal compliant digital certificates


Customers

• 34 of Fortune 100 Companies

• 22 of Top 25 Federal Contractors

• 200+ Colleges & Universities

• 100+ Municipalities & Schools

• 100+ Private & Public Research Organizations

• 100+ Healthcare Organizations

• 40+ Banks & Financial Institutions

• 11 Airlines

• Numerous Federal Agencies

Current Markets Fueled by Government Mandate for Increased Assurance Levels

Government Security Standards will be Driven Across the Business Continuum:

• Millions of Users, Servers, Workstations and Handheld Devices

• Tens of Millions of Users, Servers, Workstations and Handheld Devices

• Global interoperability & Unlimited Computer Resources

Ready for industry to leverage!


ORC Solutions Rely on [vendor logo] for key protection

• Key provisioning & certificate management

• Trusted ops & performance

• Key protection & attestation

Summary

• Enhanced Security - New Customer Motivator

• Reduced Infrastructural Support Costs

• Minimal Investment - Immediate ROI Payback


Thales e-Security

Global provider of data protection and key management solutions

• Reduce the cost/complexity associated with use of cryptography

• Solutions for traditional, virtualized and cloud environments

Strategic business value

• Secure cardholder data, payments and transactions

• Support data privacy obligations

• Protect intellectual property

• Secure identities and credentials

40 year security track record

Strategic business unit of Thales Group

Hardware Security Modules

What are HSMs?

• Hardened cryptographic devices

• Isolated from host OS and applications

What do HSMs do?

• Secure cryptographic operations (encrypt, sign etc.)

• Generation and protection of critical cryptographic key material

• Enforce policy over use of keys and key management

Diagram: the business application sends data to be signed/decrypted across the HSM security boundary and receives the signed/decrypted data back; the application key stays inside the HSM security boundary with the crypto processing engine, while application data remains with the business application.


Dual Controls for Strong Authorization

Smart cards deliver strong authentication

Sets of smart cards deliver shared responsibility and mutual supervision

• Assigned to security personnel

• Known as Operator Card Sets (OCS)

Authorization based on a "quorum" of cards & card owners

• Requires a minimum number of cards from a set, e.g. 3 of 5 cards

• Creates natural redundancy and resiliency

Diagram: Authorized Operators, each holding one OCS card.
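The 3-of-5 card quorum described above, as an added worked example that is not Thales code: it uses Shamir secret sharing over a prime field as an assumed stand-in for nShield's own card-set mechanism, which the slide does not describe. The OperatorCardSet class, the share format and the sample secret are constructed for this illustration.

```python
"""K-of-N quorum in the style of an Operator Card Set: assumed illustration, not nShield code.
Shamir secret sharing over a prime field stands in for the HSM's own card-set scheme."""
import secrets

PRIME = 2**127 - 1   # field modulus; each card holds one point of a random polynomial mod PRIME

def split_secret(secret: int, k: int, n: int, rng=secrets.randbelow) -> list:
    """Split `secret` into n shares; any k shares reconstruct it, k-1 shares reveal nothing."""
    if not 1 <= k <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= k <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]   # degree k-1 polynomial, f(0) = secret

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]   # card i is issued the point (i, f(i))

def recover_secret(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the presented shares (x values must be distinct)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

class OperatorCardSet:
    """Quorum gate: the protected secret is recovered only when k distinct cards are presented."""

    def __init__(self, k: int, n: int, key_secret: int, rng=secrets.randbelow):
        self.k, self.n = k, n
        self.cards = split_secret(key_secret, k, n, rng)   # one share per operator's card

    def quorum_met(self, presented: list) -> bool:
        distinct = {x for x, _ in presented}               # the same card presented twice counts once
        return len(distinct) >= self.k

    def unlock(self, presented: list) -> int:
        """Inside a real HSM the recovered value would unwrap a key and never leave the boundary."""
        if not self.quorum_met(presented):
            raise PermissionError(f"quorum not met: {self.k} of {self.n} cards required")
        distinct = list({x: y for x, y in presented}.items())   # de-duplicate, then use k of them
        return recover_secret(distinct[: self.k])

if __name__ == "__main__":
    ocs = OperatorCardSet(3, 5, secrets.randbelow(PRIME))   # 3 of 5 cards, as on the slide
    print("any three cards agree:", ocs.unlock([ocs.cards[0], ocs.cards[2], ocs.cards[4]]) == ocs.unlock(ocs.cards[:3]))
    print("two cards meet quorum?", ocs.quorum_met(ocs.cards[:2]))
```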

The Thales nShield HSM Family

• nShield Connect – Network appliances

• nShield Solo – Embedded PCI card

• nShield Edge – Portable USB device


Thank you!

Contact details

Dan Turissini, +1 703-246-8550, [email protected], www.orc.com

Richard Moulds, +1 954-888-6258, richard.moulds@thalesesec.com, www.thales-esecurity.com