Continuous Knowing: Know who is in your Network
11921 Freedom Drive, Suite 710, Reston, VA 20190 | Phone: (703) 793-7870 | Web: www.certipath.com
Microsoft and Office are trademarks of Microsoft Corporation in the United States and/or other countries.
Slide 2
CertiPath: Who We Are
Identity-focused products and services
- PKI-based offerings that make identities safer and more efficient to use
- An identity policy hub, the CertiPath Bridge: certified once, trusted by many; secure and efficient information exchange; utilized by LACS and PACS
- Crafters of standards and specifications: authored or co-authored many US credential standards and drafted ICAM's PIV in EPACS specification; once a standard or specification is published, we work with vendors and customers to implement it
- Privately held: private U.S. investors and employee owned
Slide 3
PKI is Center Stage Right Now
According to Verizon's 2013 Data Breach Investigations Report, 76 percent of network intrusions exploited weak or stolen credentials.
"We need to make this the year we eliminate passwords." - Mark Orndorff
http://www.federalnewsradio.com/885/3788055/Next-step-for-DoD-cybersecurity-Ditch-passwords-once-and-for-all
The new OS will feature enhancements in areas like identity protection, data security, and malware resistance.
http://www.infoworld.com/article/2838016/operating-systems/windows-10-to-get-twofactor-authentication-builtin.html
Slide 4
Smartcard Issuance Progress by Agency
Slide 5
We've Only Just Begun
- Credentials issued to our community of interest
- Ability to detect an outage in the trust network
- Ability to detect suspicious credential usage at one application
- Ability to detect suspicious credential usage across multiple applications
- Relying party reporting rules to the issuer for suspicious activity
- Ability to update trust lists at relying parties based on suspicion of an issuer
Slide 6
Who Has That Sort of Capability? Credit Cards
- Network Operations: extreme fault tolerance and world-class network uptime SLAs
- Credit Card Security: multiple providers of fraud detection systems based on card usage (e.g. RSA, Falcon, etc.)
  - Suspicious usage at one merchant
  - Suspicious usage across multiple merchants
  - Strong reporting requirements for merchants that backstop auto-detection
Slide 7
PKI Monitoring
Increased reliance on PKI: criticality of PKI's information
Major consumers: email users, websites, enterprise gateways, physical access systems, airplanes
Trust fabric sourced information is increasingly the digital trust currency of the internet
Slide 8
Usage Profile: Building & Application Owners
Monitor the status of the credential and identity infrastructure your applications rely on, even when it's hosted externally. Take action to continuously monitor against access control requirements.
Slide 9
Usage Profile: Certificate Issuers
Monitor the service within the SLA you are providing your customers.
Slide 10
Usage Profile: Trust Framework Providers
Continuous monitoring of the health and well-being of the members of your community, including peer bridges.
Slide 11
Usage Profile: Internal & External Auditors
Traditional auditing relies on management assertions, statistical process sampling, and tedious log review. Continuous monitoring tracks the compliance of everything all the time.
Slide 12
High Assurance Transactions: JPAS (Joint Personnel Adjudication System)
Slide 13
High Assurance Transactions: JPAS
User logs in (PKI-Authentication)
Slide 14
High Assurance Transactions: JPAS
User logs in (PKI-Authentication *failed*). When they can't connect, they contact the helpdesk or call center.
Slide 15
High Assurance Transactions: JPAS. A lot can go wrong.
User logs in (PKI-Authentication *failed*). When they can't connect, they contact the helpdesk or call center.
Slide 16
High Assurance Transactions: A lot can go wrong
Server SSL cert:
- has expired
- has been revoked
- was tampered with
- has been re-keyed
- its CRL is offline, has expired, or was tampered with
Issuing CA:
- has expired
- its cert has been revoked
- was tampered with
- has been re-keyed
- its CRL is offline, has expired, or was tampered with
OCSP responder:
- is offline
- its cert has expired or was tampered with
Cross-certificate:
- has a new Name Constraint
- has a new Policy Constraint
- has expired
- was tampered with
- its CRL was tampered with
Path building:
- unable to build path
- AIA location offline
- SCA re-key has occurred
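Several conditions on this list can be reproduced offline and checked from the relying party's own vantage point, which is what a monitoring service would do on a schedule. The Go program below is an added example, not CertiPath's code or anything the deck ships: it builds a constructed Root CA -> Issuing CA -> server certificate chain in memory with the standard library's crypto/x509, then replays five failures from the list (an expired server cert, a cross-certificate carrying a new name constraint, an Issuing CA re-key with no cross-certificate for the old key, a path that cannot be built because the intermediate is unavailable, and a stale Issuing CA CRL) and records whether the check raised an alarm. The CA and host names ("Constructed Root CA", "Constructed Issuing CA", "app.constructed.test", ".partner.test") and the five-year and one-year validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Fixture is a constructed in-memory trust path (Root CA -> Issuing CA -> server cert). None of it is
// CertiPath's code; the CA and host names are made up for the example.
type Fixture struct {
	Root, Issuing, Leaf *x509.Certificate
	RootKey, IssuingKey *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// ca describes a five-year CA certificate; any permitted DNS domains become a critical name constraint.
func ca(cn string, now time.Time, permitted ...string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0}
}

// sign issues a certificate for pub from tmpl under parent; a nil parent makes it self-signed.
func sign(serial int64, tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewFixture builds the chain as of now; the server cert is valid for one year.
func NewFixture(now time.Time) *Fixture {
	f := &Fixture{RootKey: newKey(), IssuingKey: newKey()}
	f.Root = sign(1, ca("Constructed Root CA", now), nil, &f.RootKey.PublicKey, f.RootKey)
	f.Issuing = sign(2, ca("Constructed Issuing CA", now), f.Root, &f.IssuingKey.PublicKey, f.RootKey)
	f.Leaf = sign(3, &x509.Certificate{Subject: pkix.Name{CommonName: "app.constructed.test"},
		DNSNames: []string{"app.constructed.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, f.Issuing, &newKey().PublicKey, f.IssuingKey)
	return f
}

// VerifyPath is the relying party's check: build and validate Root -> intermediates -> Leaf as of at.
// A nil error means the path is good; anything else is what the helpdesk call in the slides looks like.
func (f *Fixture) VerifyPath(at time.Time, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(f.Root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := f.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}

// HealthReport exercises the failures this fixture can reproduce offline; true means the monitor
// raised an alarm for that scenario (or, for the baseline, that the path was valid).
func HealthReport(f *Fixture, now time.Time) map[string]bool {
	// A new cross-certificate for the Issuing CA's key whose name constraint excludes the server's domain.
	constrained := sign(4, ca("Constructed Issuing CA", now, ".partner.test"), f.Root, &f.IssuingKey.PublicKey, f.RootKey)
	// The Issuing CA re-keyed: same name, new key, and the old key was never cross-certified.
	rekeyed := sign(5, ca("Constructed Issuing CA", now), f.Root, &newKey().PublicKey, f.RootKey)
	// The Issuing CA's CRL as the relying party fetches it: properly signed, but its NextUpdate has passed.
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-48 * time.Hour), NextUpdate: now.Add(-24 * time.Hour)}, f.Issuing, f.IssuingKey)
	must(err)
	rl, err := x509.ParseRevocationList(crl)
	must(err)
	return map[string]bool{
		"baseline: path valid":                 f.VerifyPath(now, f.Issuing) == nil,
		"server cert expired":                  f.VerifyPath(f.Leaf.NotAfter.Add(time.Hour), f.Issuing) != nil,
		"cross-cert has a new name constraint": f.VerifyPath(now, constrained) != nil,
		"issuing CA has been re-keyed":         f.VerifyPath(now, rekeyed) != nil,
		"unable to build path (AIA offline)":   f.VerifyPath(now) != nil,
		"issuing CA CRL expired":               rl.CheckSignatureFrom(f.Issuing) == nil && now.After(rl.NextUpdate),
	}
}
```

`VerifyPath` exercises exactly the chain building and constraint processing the application performs, so a scheduled run of it from the application's network position catches the name-constraint and re-key cases before a user does. The CRL check compares `NextUpdate` against the clock rather than only testing that the fetch succeeded, because a CRL that downloads fine but has lapsed fails the user just as surely as one that is offline.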
Slide 17
High Assurance Transactions take many forms
A lot can go wrong: the same failure list as on Slide 16 applies, with two further entries:
- Root CA has been re-keyed
- Issuing CA re-key has occurred
As it relates to High Assurance Credentials, all applications are the same.
Slide 18
High Assurance Transactions take many forms
As it relates to High Assurance Credentials, all applications are the same.
User digitally signs or encrypts an email (PKI-Digital Signature).
Slide 19
High Assurance Transactions take many forms
User digitally signs or attempts to encrypt an email (PKI-Digital Signature, PKI-Authentication).
Slide 20
High Assurance Transactions take many forms: PKI-Authentication
A lot can go wrong: the same failure list as on Slide 16 applies.
Slide 21
The Next Level: Continuous Credential Vetting
Today: Access is granted to recognized users while security controls focus on traffic for content & behavior.
Risk: Identity is a missing component; networks have a blind spot regarding credential status and use.
Opportunity: Include identity as a component of the security model to detect insider and external threats.
[Diagram labels: any legitimate credential (password, access card); threats (infiltration attempts, denial of service, spoofed credentials); controls (endpoint security; protocol, source address, destination address, destination port, source port, header analysis, payload analysis, pattern detection; web-based malware, email attachments; SSO systems, Active Directory); outcome: allowed user, safe credential]
Slide 22
Identity Provisioning vs. Vetting
Today: Once issued, credentials are never seen by the issuer.
Enterprise Risk: Yet credentials are trusted because the issuer says they are still good.
Issuer Risk: The issuer is the last to know if a credential has gone bad.
Opportunity: TFPs/IdPs/RPs work together to create one or more global clearinghouse(s) for use and reputation based on the observed behavior of credentials.
[Diagram labels: Provisioning vs. Vetting; issue date, expiration date, revocation, misuse, continued use; missing feedback loop]
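Slide 5 lists detecting suspicious credential usage at one application and across several, and this slide proposes a clearinghouse fed by relying-party reports. As an added illustration of the correlation such a clearinghouse could perform (example code, not CertiPath's, and not something the deck describes in detail), the Go program below ingests a constructed set of usage reports and applies three rules: a credential still accepted after its issuer revoked it, one credential accepted at two sites within a window too short for a single card to travel, and repeated rejections of one credential at one application. The report fields, the credential identifier format ("ExampleCA:0x1A2B"), the relying-party and site names, the one-hour window and the three-failure threshold are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// UsageReport is one relying party's report to the clearinghouse: which credential was presented,
// where, when, and whether the RP accepted it. The field set is an assumption for this example; the
// slides only say that RPs would report observed use and that the issuer is "last to know".
type UsageReport struct {
	Credential   string // issuer plus serial, as the RP read it from the certificate
	RelyingParty string // application that saw the credential
	Site         string // where that application's authentication point is
	At           time.Time
	Accepted     bool
}

// Alert is a finding the clearinghouse would feed back to the issuer and to the relying parties.
type Alert struct {
	Credential, Rule, Detail string
}

// Correlate replays the reports in time order and applies three rules:
//  1. use-after-revocation: an RP accepted a credential after the issuer revoked it, so the RP's
//     trust data is stale and the credential is still in use;
//  2. concurrent-use: one credential was accepted at two different sites within window, which a
//     single smart card cannot do;
//  3. repeated-rejection: one RP rejected the same credential failThreshold times within window.
func Correlate(reports []UsageReport, revokedAt map[string]time.Time, window time.Duration, failThreshold int) []Alert {
	sorted := append([]UsageReport(nil), reports...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	var alerts []Alert
	lastAccepted := map[string]UsageReport{} // credential -> most recent accepted use
	rejections := map[string][]time.Time{}  // credential|RP -> rejection times still inside window
	for _, r := range sorted {
		if rt, ok := revokedAt[r.Credential]; ok && r.Accepted && r.At.After(rt) {
			alerts = append(alerts, Alert{r.Credential, "use-after-revocation",
				fmt.Sprintf("%s accepted it %s after revocation", r.RelyingParty, r.At.Sub(rt))})
		}
		if r.Accepted {
			if prev, ok := lastAccepted[r.Credential]; ok && prev.Site != r.Site && r.At.Sub(prev.At) < window {
				alerts = append(alerts, Alert{r.Credential, "concurrent-use",
					fmt.Sprintf("%s at %s, then %s at %s %s later", prev.RelyingParty, prev.Site, r.RelyingParty, r.Site, r.At.Sub(prev.At))})
			}
			lastAccepted[r.Credential] = r
			continue
		}
		key := r.Credential + "|" + r.RelyingParty
		recent := rejections[key][:0] // drop rejections that have aged out of the window
		for _, t := range rejections[key] {
			if r.At.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		recent = append(recent, r.At)
		rejections[key] = recent
		if len(recent) == failThreshold {
			alerts = append(alerts, Alert{r.Credential, "repeated-rejection",
				fmt.Sprintf("%s rejected it %d times within %s", r.RelyingParty, failThreshold, window)})
		}
	}
	return alerts
}

// SampleReports is constructed data for the example: one card used in two cities twenty minutes
// apart, one revoked card still accepted by a gateway, and one card failing repeatedly at a portal.
func SampleReports() ([]UsageReport, map[string]time.Time) {
	day := time.Date(2014, 11, 4, 0, 0, 0, 0, time.UTC)
	at := func(h, m int) time.Time { return day.Add(time.Duration(h)*time.Hour + time.Duration(m)*time.Minute) }
	reports := []UsageReport{
		{"ExampleCA:0x1A2B", "JPAS", "Reston", at(9, 0), true},
		{"ExampleCA:0x1A2B", "EPACS door 7", "Denver", at(9, 20), true},
		{"ExampleCA:0x3C4D", "Email gateway", "Reston", at(10, 0), true},
		{"ExampleCA:0x0099", "Portal", "Reston", at(11, 0), false},
		{"ExampleCA:0x0099", "Portal", "Reston", at(11, 2), false},
		{"ExampleCA:0x0099", "Portal", "Reston", at(11, 5), false},
		{"ExampleCA:0x1A2B", "Portal", "Reston", at(13, 0), true}, // 3h40m after Denver: no alert
	}
	revokedAt := map[string]time.Time{"ExampleCA:0x3C4D": at(8, 0)}
	return reports, revokedAt
}

func main() {
	reports, revokedAt := SampleReports()
	for _, a := range Correlate(reports, revokedAt, time.Hour, 3) {
		fmt.Printf("%-18s %-22s %s\n", a.Credential, a.Rule, a.Detail)
	}
}
```

Rule 1 is the feedback loop the slide says is missing: the issuer only learns that a revoked credential is still being accepted if relying parties report what they accepted, and the same report tells the relying party that its trust data is stale. The window and threshold are policy knobs; the sorting step matters because reports from different relying parties arrive out of order.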