Widepoint orc thales webinar 111313d - nov 2013
Transcript of Widepoint orc thales webinar 111313d - nov 2013
11/14/13
1
Identity as a Service – Strong enough for government? Date: November 13, 2013 Time: 11:00 pm EST/ 8:00 am PST
Host: Richard Moulds, Thales e-Security VP of Strategy and Product Marketing
Guest: Daniel E. Turissini CEO, Operational Research Consultants
Defend Critical Infrastructure from Invasive Attack & Information Theft
Prevent Terrorism & Promote National Security
Prevent Cybercrime; Identity Theft; Promote Efficient Use of Technology
Cyber Security: “One of the most serious economic & national security threats our nation faces.” -- President Obama
Slide 2: Issues at hand
• Cost-effectively prevent cyber-terrorism and cyber-crime, & defend our nation’s critical infrastructure:
  • Reduce risk of unauthorized disclosure of proprietary & privacy information
  • Share timely information securely with remote workers, vendors, partners & customers
  • Ensure the accountability of all cyber-transactions
  • Avoid unnecessary costs arising from system “silos”
Slide 3: Cyber Approach
Standards-based Cyber IA Enabling Infrastructure (CIEI©)* for electronic authentication, validation & access control:
• Identity Management – Create & maintain an identity, including discrete attributes, centralized administration & user self-service
• E-Authentication – Provide repositories for identity, network and/or resource profiles; provide security services that enable identification, validation & support for authorization
• Access Management – Provide authorization, audit & session management functions to define individual access rights for business partners, suppliers, customers or employees
• Provisioning & Workflow – Business policies to support greater automation for devices such as identity tokens, credit cards, cell phones & PCs
* Driven by the Federal Government & Commercial Cloud-Based Initiatives
Slide 4: Expertise
• Information security solutions ensuring fully compliant & trusted exchange & assurance of information
• Certificate-based personal & non-personal identity credentialing
• Multi-level assurance managed ID services across various domains (i.e., First Responder, Healthcare, Government, Citizen, etc.)
• Layered security technologies addressing best-practice authentication, authorization, auditing & encryption methodologies
• Scalable, highly available VPN services & supporting appliances for secure communications management
• Markets leading-edge secure critical response management solutions designed to improve coordination within emergency services and critical infrastructure agencies
• Accountability solutions tailored to specific customer workflows, including: incident management, network device management, crime scene evidence control, mortgage processing, etc.
In Production – Not Theoretical
Slide 5: Assurance based on who, not where!
Most communities of interest concerned with privacy & security can no longer be defined by location. ORC’s IA solutions address access to multi-level secure resources & message traffic based on entity identity, roles & privileges: people, devices, servers, objects, code ...
Slide 6: Digital Identity
ORC’s cyber identity credentials allow you to SECURELY...
• Access email via the internet
• Establish a virtual private network with your base network from anywhere in the world
• Move from one application to another without having to key password information -- without losing security along the way
• Apply on-line for access rights and services -- and receive those services
• Digitally sign memos, contracts, delivery orders, etc.
• Digitally sign code for safe distribution
Privacy & critical infrastructure protection
Slide 7: Security Services
Each security service has a physical analogue (writing a check) and a digital mechanism:

Service                           Physical (e.g. writing a check)   Digital
Confidentiality                   Limited physical access           Data encryption
Data Integrity                    Inked text                        Hashing
Non-Repudiation                   Cancelled check                   Digital signature
Identification & Authentication   Driver’s license & signature      CA signature
Privilege & Authorization         Check for account validity        Access / privilege control lists

A digital solution for cyber security
Slide 8: What’s in a Digital Certificate
• Identity
• Cryptographic strength – SHA-256, AES
• Authoritative source – legitimate certificate authority, or unknown CA (untrusted)
• Level of assurance – basic / medium / high confidence in identity
• Validity – issued on mm/dd/yyyy, expires on mm/dd/yyyy, with a robust revocation / validation infrastructure
Slide 9: Alternative Tokens
Embedded / removable hardware crypto, FIPS 140 / Common Criteria:
• Trusted Platform Module (TPM)
• SD / MicroSD
• SIM
• USB
• Smart Card
ORC is a leader in advanced technology operations!
Slide 10: Federated Trust
The Trust Triangle:
• Subscribers (End-Entities)
• Trusted Third Parties (Certificate Authorities)
• Relying Parties
The right Assurance, Security, Biometrics & PKI Capabilities / Expertise
Slide 11: Infrastructure Based on Commercial Standards
Facilities to Provide Secure & Scalable IT Services
High Availability Data Centers: 365x7x24, 99.999% uptime, as required by Federal Policy
Secure Network Operations Centers (SNOC): five-tier physical protection
• Communications traffic is monitored & upgraded bandwidth is available as traffic requirements dictate, to maintain the customer services with 99.999% uptime
• Audited installation procedures to ensure that Government requirements are met & customer expectations exceeded
• SNOCs employ UPS coupled with a constant power generator & dedicated HVAC - at full load, power can be maintained for more than 5 days without public power
• Hardware, software & vendor service level agreements associated with maintaining appropriate firewall protection, redundant warehousing, power generation & Internet connectivity are leveraged for each customer.
The know-how & access to leverage existing deployments
Slide 12: Strong Certification & Accreditation Processes
FISMA Compliant (the four C&A phases, in order):
• Initiation -- Preparation; Notification & Resource Identification; System Security Baseline, Analysis, Update & Acceptance
• Security Certification -- Security Controls Assessment; Security Certification Documentation
• Security Accreditation -- Security Accreditation Decision; Security Accreditation Documentation
• Continuous Monitoring -- Configuration Management & Control; Security Controls Monitoring; Status Reporting & Documentation
Slide 13: Federated Solutions
• Federated solutions support a variety of strong electronic identity credentials that can be readily validated electronically by any logical or physical access point, so that the decision maker or database can make a local, specific privilege and/or access decision confident in:
  – the identity of the person attempting access;
  – the identity of the device attempting access;
  – the identity of the vetted organization that they represent;
  – that the organization and the individual have a legal relationship to do business with the federal government; and,
  – that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
Credential assures you are who you say you are; Relying Party confirms what the holder is permitted to access!
Slide 14: Federated Access for Enterprise Applications
[Trust-triangle diagram: Relying Party’s (Access Rules); Trusted Third Parties [External Certificate Authorities (ECA) / PIV-I]; Subscribers (Credential Holders); labels: Strong Access Control, Strong Identity, Local Access Decisions]
Strong credentials with biometrics consistent with federal standards are essential to successful access control
Slide 15: Certified Credential Enhanced Access Control
[Diagram components: Remote / Mobile Client / WS, SSL VPN (https), Border Server, Application Server, Validation Data, FDS]
1. Initial enterprise logon
2. Validate device certificate
3. Authenticated SSL VPN established
4. Initiate application logon
5. Validate ID certificate
6. Access attributes
More information to make better access decisions
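Slide 8 lists what a relying party reads out of a certificate (identity, issuing authority, validity window, signature strength) and slide 15 orders the checks performed on the device certificate and the ID certificate before attributes are consulted. The Go program below is an added example written for this transcript; it is not code from ORC, Thales or the webinar. It builds a constructed test PKI: a self-signed trusted CA, a second self-signed CA that the relying party does not trust (the slide’s “Unknown CA”), and leaf certificates for a device, a current user, an expired user and a holder whose certificate chains to the untrusted CA. The CA names, the subject names device-0001, jane.doe, john.roe and mallory, the attribute store and the fixed evaluation instant are all assumptions of the example; the FDS, the validation-data service and revocation checking shown on the slide are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // a constructed demo has no recovery path

// issue creates an ECDSA P-256 certificate for cn signed by parent/parentKey; a nil parent yields a self-signed CA (constructed test PKI).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // Identity
		NotBefore:             notBefore,                 // Issued on
		NotAfter:              notAfter,                  // Expires on
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		SignatureAlgorithm:    x509.ECDSAWithSHA256, // Cryptographic strength: SHA-256 signature
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Validate applies slide 8's "Authoritative source" and "Validity" checks: trusted chain, inside the validity window at now.
func Validate(cert *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil // the validated Identity
}

// Authorize follows slide 15: device certificate (step 2), ID certificate (step 5), attributes (step 6).
func Authorize(device, user *x509.Certificate, roots *x509.CertPool, now time.Time,
	attrs map[string][]string, needed string) error {
	if _, err := Validate(device, roots, now); err != nil {
		return fmt.Errorf("device certificate rejected: %w", err)
	}
	who, err := Validate(user, roots, now)
	if err != nil {
		return fmt.Errorf("ID certificate rejected: %w", err)
	}
	for _, role := range attrs[who] {
		if role == needed {
			return nil // local access decision: identity validated and attribute present
		}
	}
	return fmt.Errorf("%s holds no %q attribute", who, needed)
}

// Scenario is a constructed PKI: one trusted root, one unknown root and four leaf certificates.
type Scenario struct {
	Roots                        *x509.CertPool
	Device, User, Expired, Rogue *x509.Certificate
	Now                          time.Time
}

func BuildScenario() *Scenario {
	now := time.Date(2013, 11, 13, 16, 0, 0, 0, time.UTC) // fixed evaluation instant (constructed)
	year := 365 * 24 * time.Hour
	ca, caKey := issue("Constructed Trusted CA", true, nil, nil, now.Add(-year), now.Add(10*year))
	badCA, badKey := issue("Constructed Unknown CA", true, nil, nil, now.Add(-year), now.Add(10*year))
	device, _ := issue("device-0001", false, ca, caKey, now.Add(-time.Hour), now.Add(year))
	user, _ := issue("jane.doe", false, ca, caKey, now.Add(-time.Hour), now.Add(year))
	expired, _ := issue("john.roe", false, ca, caKey, now.Add(-2*year), now.Add(-year))
	rogue, _ := issue("mallory", false, badCA, badKey, now.Add(-time.Hour), now.Add(year))
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the legitimate CA is trusted; badCA plays the slide's "Unknown CA"
	return &Scenario{Roots: roots, Device: device, User: user, Expired: expired, Rogue: rogue, Now: now}
}

func main() {
	s, attrs := BuildScenario(), map[string][]string{"jane.doe": {"contract-signer"}} // constructed attribute store
	fmt.Println("trusted device, jane.doe:   ", Authorize(s.Device, s.User, s.Roots, s.Now, attrs, "contract-signer"))
	fmt.Println("unknown-CA device, jane.doe:", Authorize(s.Rogue, s.User, s.Roots, s.Now, attrs, "contract-signer"))
}
```

`Validate` pins the check to `x509.VerifyOptions.CurrentTime`, so the slide’s “issued on / expires on” window is evaluated against a fixed instant rather than the wall clock, which keeps the result repeatable. The same call fails for the leaf issued by the untrusted CA, which is exactly the “Legitimate CA or Unknown CA” distinction on slide 8; what it does not do is consult a CRL or OCSP responder, so the “robust revocation / validation infrastructure” the slide calls for would sit on top of this check.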
Slide 16: Leveraging a Common Infrastructure
Currently over 25 million people have compliant credentials: Federal Government; Trading Partners & Allies; First Responders; Veterans; Transportation Workers; Military; Retirees & Dependents.
As this number grows - opportunities for efficiencies skyrocket!
Slide 17: Reduce Cost of Goods Sold (COGS)
• Federated Digital Solution
  – Reduces high help desk costs
  – Mitigates risks associated with usernames & passwords
  – Enhances fraud protection
• Syndicated Investment / Syndicated Risk
• Federally Certified & Accredited Products / Services, Commercially Priced
Chain of Trust, Privacy, Interoperability
Slide 18: ORC’s Cyber Credentials
• Distinguished as 1 of only 4 Certified PKI Shared Service Providers, currently providing PIV services to six federal agencies, with full Authority to Operate (ATO)
• Distinguished as 1 of only 4 Approved PIV-Interoperable Providers, currently providing PIV-I services to three state governments
• Distinguished as the 1st designated DoD Interim External Certificate Authority (IECA-1) & the first US Government External Certificate Authority (ECA)
• Distinguished as 1 of 2 GSA Access Certificates for Electronic Services (ACES) Trusted Third Parties, a citizen-focused PKI
• Distinguished as the 1st commercial GSA E-Authentication Federation Credential Service Provider at Levels 1, 2 and 3
• Distinguished as the PKI provider for the Transportation Worker Identification Credential (TWIC)
• Distinguished as the 1st commercial Credential Issuer under The Federation for Identity and Cross-Credentialing Systems (FiXs) – http://www.FiXs.org
4M identities & more than 14M federal-compliant digital certificates
Slide 19: Customers
• 34 of Fortune 100 Companies
• 22 of Top 25 Federal Contractors
• 200+ Colleges & Universities
• 100+ Municipalities & Schools
• 100+ Private & Public Research Organizations
• 100+ Healthcare Organizations
• 40+ Banks & Financial Institutions
• 11 Airlines
• Numerous Federal Agencies
Slide 20: Current Markets Fueled by Government Mandate for Increased Assurance Levels
Government Security Standards will be Driven Across the Business Continuum:
• Millions of Users, Servers, Workstations and Handheld Devices
• Tens of Millions of Users, Servers, Workstations and Handheld Devices
• Global Interoperability & Unlimited Computer Resources
Ready for industry to leverage!
Slide 21: ORC Solutions Rely on for key protection
Key provisioning & certificate management; Trusted ops & performance; Key protection & attestation
Slide 22: Summary
• Enhanced Security - New Customer Motivator
• Reduced Infrastructural Support Costs
• Minimal Investment - Immediate ROI Payback
Slide 23: Thales e-Security
• Global provider of data protection and key management solutions
• Reduce the cost / complexity associated with use of cryptography
• Solutions for traditional, virtualized and cloud environments
• Strategic business value: secure cardholder data, payments and transactions; support data privacy obligations; protect intellectual property; secure identities and credentials
• 40-year security track record
• Strategic business unit of Thales Group
Slide 24: Hardware Security Modules
What are HSMs? Hardened cryptographic devices, isolated from the host OS and applications.
What do HSMs do? Secure cryptographic operations (encrypt, sign, etc.); generation and protection of critical cryptographic key material; enforce policy over use of keys and key management.
[Diagram: the business application passes data to be signed / decrypted to the HSM and receives the decrypted / signed data back; the key and the crypto processing engine stay inside the HSM security boundary, separate from the application and its data]
Slide 25: Dual Controls for Strong Authorization
• Smart cards deliver strong authentication
• Sets of smart cards deliver shared responsibility and mutual supervision; assigned to security personnel and known as Operator Card Sets (OCS)
• Authorization based on a “quorum” of cards & card owners: requires a minimum number of cards from a set, e.g. 3 of 5 cards, which creates natural redundancy and resiliency
[Diagram: OCS cards held by Authorized Operators]
Slide 26: The Thales nShield HSM Family
• nShield Connect – network appliances
• nShield Solo – embedded PCI card
• nShield Edge – portable USB device
Slide 27: Thank you!
Contact details:
Dan Turissini, +1 703-246-8550, [email protected], www.orc.com
Richard Moulds, +1 954-888-6258, richard.moulds@thalesesec.com, www.thales-esecurity.com