Smart cards in Government Conference Oct 23, 2008Ronald Reagan International Center, Washington DC
Managing PIV Life-cycle&ConvergingPhysical & Logical Access Control
Ramesh NagappanSun [email protected]
2
Setting ExpectationsWhat you can take away !
Explore the Personal Identity Verification (PIV)Life-cycle and its pre- and post-issuancedeployment challenges.
Architectural characteristics of managing PIVLife-cycle and converging Physical and LogicalAccess Control Systems.
Role and relevance of adopting to an IdentityManagement Solution (IDMS) for delivering andmanaging an end-to-end PIV lifecycle.
3
Personal Identity Verification (PIV)• Personal Identity Verification has become a
Fiduciary Responsibility of many NationalGovernments.> Adopting to common credentials with verified identity
enables secure and reliable form of personalidentification.
• Host of PIV standards initiatives and regulatorymandates currently being adopted on anational/global basis.> US Homeland Security Presidential Directive (HSPD-12
2004) > UK Identity Cards Act (2006) > French INES (Identité Nationale Electronique Sécurisée) > ICAO 9303 ePassport / eId> EU Citizen Card, EU EAC (EC 2252/2004) > Belgian eID, Finesse eID, Taiwan eID, India ePassport and
several others (in progress).
4
5
PIV Card Issuance and Management
Source: FIPS 201-1
FIPS-201 defined PIV Card Issuance and Management
6
The PIV Life-cycle PIV Identity Management Activities (From registration to till its retirement)
IdentityRegistration
IdentityEnrolment &Adjudication
PIVPhysical &
Logical AccessControl
PIVCredentialIssuance
PIVCredential
Termination
PIVCredential
Maintenance
7
The PIV Ecosystem Core technology components of a PIV Lifecycle
IdentityManagement
Solution
DemographicData/
Documents
Biometricsamples
IdentityProofing &
Adjudication
Public-Key Infrastructure
CredentialsIssuance
( Smartcard/PKI/Biometrics)
Physical/LogicalAccessControl Systems
Security Event
MonitoringEnroll
Change
Terminate
8
PIV Card CredentialsFIPS-201 Mandatory and Optional On-Card Credentials
Mandatory CredentialsPIN (Personal Identification Number)Cardholder Unique Identifier (CHUID)PIV Authentication Data (asymmetric key pair andcorresponding PKI certificate)Two biometric fingerprints (CBEFF)
Optional CredentialsAn asymmetric key pair and corresponding certificatefor digital signaturesAn asymmetric key pair and corresponding certificatefor key managementAsymmetric or symmetric card authentication keys forsupporting additional physical access applicationsSymmetric key(s) associated with the cardmanagement system
Source: GSA USAccess
9
PIV Lifecycle: Known Challenges
• Defining an authoritative source for managing andmaintaining PIV information life-cycle. Silos of point solutions and repositories - Biometric/Enroll
middleware, CMS, PACS, LACS, SIEM, IAM and more ! No single administration console for management. Too many PIV life-cycle events and operations - right from
identity registration and till its retirement !
• Establishing administrative controls, authorizationworkflows and authority approvals/denials for lifecycleoperations. Managing and maintaining authorization workflow,
approval/denial actions and notification. Enforcing segregation of duties (separation of powers). Enforcement of access control policies, Role based Access
control (RBAC) and procedures (ex. Emergency access/exit).
Understanding Real-world Pain Points
10
PIV Lifecycle: Known Challenges …continued
• Provisioning and De-Provisioning complexities withdisparate PIV/FIPS-201 solutions and downstreamapplications. Initiating instantaneous Provisioning and De-provisioning of PIV
enrollment data and its changes to support Identity lifecycleevents - Identity registration to till its termination.
Detecting and thwarting dormant/back-door user accountcreation/modification and circumventing controls.
• Managing changes and re-verification/re-enrollmentissues related to profiles, roles, privileges and policies. Identity attribute changes and propagation to heterogeneous
PIV based applications ? Supporting re-verification and re-enrollment requirements
related to lifecycle events and attribute changes. Certify and attest role and access privileges changes.
Understanding Real-world Pain points
11
Converging Physical/Logical Access:Known Challenges• Enabling PIV credentials to authenticate disparate
Physical Access Control Systems (PACS) and LogicalAccess Control Systems (LACS). Using PIV credentials such as CHUID, PIN, PKI certificates and
Biometrics for authentication. Use PIV credentials based digitally-signed approvals or denials
for authorization workflow and maintaining tamper-prooflogs/records of authorization information.
Enabling PIV credentials based Single Sign-on (SSO) to ITapplications and Desktops and furthering SSO to participate inFederation (eAuthentication Scenarios).
Integration, extensibility limitations and maintenance issues arecommon due to proprietary nature of interfaces related toPACS.
12
Converging Physical/Logical Access:Known Challenges …. continued• Initiating and managing the authentication process using
PIV Credentials. PKI certificate validation via OCSP or CRL DPs of the PKI SSP. Enabling PACS authentication using CHUID/PKI/PIN credentials
(Based on Contact/Contact-less/Hybrid readers). On/Off-the-card Biometric authentication using Biometric
authentication middleware.
• Managing requests and reporting the status of scenariossuch as Forgotten PIN, Temporary card requests and LostPIV card scenarios ? Managing and reporting the status of Lost/Forgotten card-
requests/approvals, certificate revocation, key escrow andrecovery operations.
13
Logical PIV Architecture SolutionPutting it all together
PIV Request w/Sponsor approval
DocumentCredentials
Biometricsamples
Identity Life-cycle Management Services
Physical and Logical Access Control Services
Demographicdata
IdentityProofing/
Adjudication
Identity Enrollment and Adjudication Services
PKI / BiometricAuthentication
Physical AccessControl Systems
IT ApplicationseAuthentication
Single Sign-on / Federation
PublicKey
Infrastructure
SmartcardIssuance/
ManagementServices
IdentityRegistration/Enrollment
ProvisioningDe-provisioning
AuditingLogging
Compliance
AuthorizationWorkflow
Signed Approvals
CredentialChange
Management
User/RoleManagement
14
PIV Authorization Workflow
ApplicantRegistration
BiometricsBreeder Documents
Enrollment
IdentityProofing &
Adjudication
Card Issuance &Activation
Retirement /Termination
Physical &Logical Access
CredentialMaintenance
Hiring Manager
Approval/Denial
EnrollmentOfficer
Approval/Denial
HROfficer
Approval/Denial
HR Manager
Approval/Denial
EnrollmentOfficer
Approval/Denial
Hiring Manager
Approval/Denial
• IDMS manages the authorization workflow and authority approval and denials.> Digitally signed approvals using PIV card credentials verified against a PKI provider.
• IDMS facilitates Work-flow driven provisioning and de-provisioning of PIVinformation and credentials to PIV/FIPS-201 mandated resources.
15
Choosing an IDMS IDMS Requirements for managing PIV lifecycle
• Automated Provisioning & De-Provisioning andSynchronization Services Automated operations for Creation, Maintenance and Termination of
Identity profile (s) and its access privileges . Integration and interoperability with FIPS-201 compliant Biometric
middleware, Document verification, CMS, PACS, IAM and othersupporting IT applications.
Instantaneous provisioning/de-provisioning and synchronization ofUser profile attributes, PIV credentials (PIN/PKI/Biometrics), roles,status/attribute changes, access privileges, rules and policies to/fromtarget resources.
• Automated Authorization and Approval/Denial workflows andnotifications. Workflow-driven provisioning/de-provisioning/change requests,
approvals/denials, notifications and escalations. PIV credentials based digitally-signed approvals and denials.
16
Choosing an IDMS …. continuedCore IDMS Requirements for managing PIV lifecycle• Role Engineering and Management• Establish internal controls for enforcing “Segregation of Duties” and
“Least privilege”. (Ex. FISMA compliance)
• Auditing, Access Certification and Compliance reporting• Who has access ? Who accessed it ?• What went wrong ? Who authorized it ? When it happened ?• Periodic access review (Attestation and Recertification)• Detect and report potential violations• Integration with Security Information and Event monitoring (SIEM).
• Single administration console and dashboard for all PIV userprofile information and status of requests/operations for all targetresources.
• Self-service user administration and delegated administration.• Message and Transport-level Security (FIPS-140 mode)
17
Industry StandardsContributing standards for Managing PIV and Convergence of P/LACS• OASIS SPML 2.0 - Service Provisioning Markup Language.
XML Protocol for Identity Provisioning and De-Provisioning.• OASIS SAML 2.0 - Security Assertions Markup Language.
XML Protocol for representing Authentication and Authorizationassertions.
• OASIS XACML 2.0 - eXtensible Access Control MarkupLanguage. XML Protocol for representing Access Control Policies.
• Liberty Alliance Standards (ID-*) Open Standards for representing Identity Federation across
networks.
• OASIS WS-Security and WS-* Standards for SecuringXML Web Services.
• Finally….FIPS-201 and its related special publications.
18
PIV Solution from Sun and ISV PartnersPre-Integrated, Pre-Verified and Pre-Tested for PIV Deployment
Verisign PKI
Aware BioSP
SunIdentity
ManagementSuite
IdentityEnrollment &Adjudication
SmartcardIssuance andManagement
Public-keyInfrastructure SSP
Physical & LogicalAccess control
Security Information& Event Monitoring(SIEM)
• Aware BioSP• CrossMatch• Secugen
• Quantum Secure SAFE• Aware BioSP• BioBex• ActivIdentity ESSO
• Entrust• Cybertrust• Verisign• Exostar
• ActivIdentity CMS• Bell-ID ANDiS
• ArcSight• LogLogic
19
Smart cards in Government Conference Oct 23, 2008Ronald Reagan International Center, Washington DC
Thank You
Ramesh NagappanSun [email protected]
Top Related