Federated Access: Identity & Privacy Protection
Presented at: Information Systems Security Association-Northern Virginia (ISSA-NOVA) Chapter Meeting
Presented by: Daniel E. Turissini, Board Member, Federation for Identity and Cross-Credentialing Systems (FiXs)
http://www.FiXs.org
January 20, 2011
The Federation for Identity & Cross-Credentialing Systems (FiXs)
•  A 501(c)6 not-for-profit trade association formed in 2004 in collaboration with the DoD to provide secure and inter-operable use of identity credentials between and among government entities & industry
•  A coalition of diverse companies/organizations supporting development & implementation of inter-operable identity cross-credentialing standards and systems
•  Members include: government contractors, technology companies, major financial firms, not-for-profit organizations, DoD, GSA, state governments, etc.
Federated Identity Solution
•  Federated identity provides a strong, biometrically enabled electronic identity credential that can be readily validated electronically by any Federal logical/physical access point, allowing the decision maker or databases to make a local, specific privilege and/or authorized ACCESS decision confident in:
–  the identity of the person attempting access;
–  the identity of the device attempting access;
–  the identity of the vetted organization that they represent;
–  that the organization and the individual have a legal relationship to do business with the federal government; and
–  that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
The credential assures you are who you say you are; commanders confirm what the holder is permitted to access!
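The split the slide ends on, identity established by the federation and privilege decided locally, as an added example (not code from the briefing or from FiXs): every issuer name, vetting level, device ID and access rule below is constructed, and the issuer lookup stands in for a query to the issuer's domain server.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed: issuers this relying party treats as trusted third parties (ECA / PIV-I style).
TRUSTED_ISSUERS = {"ECA-EXAMPLE", "PIVI-EXAMPLE"}

# Constructed vetting levels, lowest to highest assurance.
VETTING_RANK = {"none": 0, "basic": 1, "standard": 2, "high": 3}


@dataclass(frozen=True)
class Credential:
    """Data a FiXs-style credential carries (issuer, sponsor and employee IDs, device, vetting)."""
    issuer_id: str
    sponsor_id: str        # vetted organization the holder represents
    employee_id: str
    holder_name: str
    device_id: str         # device presenting the credential
    vetting_level: str
    in_person_proofed: bool
    not_after: datetime


@dataclass(frozen=True)
class IssuerRecord:
    """What the issuer's federation record (its domain server, reached via the trust broker) confirms."""
    active: bool
    sponsor_has_contract: bool   # legal relationship to do business with the government


@dataclass(frozen=True)
class IdentityAssertion:
    """Outcome of credential validation: who, on what device, for whom, at what vetting level."""
    person: str
    device: str
    organization: str
    vetting_level: str


def validate_credential(cred, issuer_lookup, now):
    """Establish identity only. Returns (IdentityAssertion or None, list of failure reasons)."""
    if cred.issuer_id not in TRUSTED_ISSUERS:
        # Never query, let alone trust, an issuer outside the federation's trusted third parties.
        return None, ["issuer is not a trusted third party"]
    reasons = []
    if cred.not_after <= now:
        reasons.append("credential expired")
    if not cred.in_person_proofed:
        reasons.append("holder was not vetted in person")
    record = issuer_lookup(cred.issuer_id, cred.employee_id)
    if record is None or not record.active:
        reasons.append("issuer does not confirm an active holder")
    elif not record.sponsor_has_contract:
        reasons.append("sponsor has no legal relationship with the government")
    if reasons:
        return None, reasons
    return IdentityAssertion(cred.holder_name, cred.device_id, cred.sponsor_id, cred.vetting_level), []


def local_access_decision(assertion, resource, rules):
    """The relying party's own rule decides privilege; a valid identity alone grants nothing."""
    rule = rules.get(resource)
    if rule is None:
        return False, "no local rule for this resource (fail closed)"
    if assertion.organization not in rule["organizations"]:
        return False, "organization not permitted"
    if assertion.device not in rule["devices"]:
        return False, "device not permitted"
    if VETTING_RANK[assertion.vetting_level] < VETTING_RANK[rule["min_vetting"]]:
        return False, "vetting level below requirement"
    return True, "permitted by local rule"


def decide(cred, resource, rules, issuer_lookup, now):
    """Full relying-party flow: federated identity check first, then the local access decision."""
    assertion, reasons = validate_credential(cred, issuer_lookup, now)
    if assertion is None:
        return {"access": False, "stage": "identity", "reasons": reasons}
    granted, why = local_access_decision(assertion, resource, rules)
    return {"access": granted, "stage": "access", "reasons": [why]}


# Constructed sample data: one issuer record, one local rule, one credential holder.
NOW = datetime(2011, 1, 20, tzinfo=timezone.utc)
ISSUER_RECORDS = {("ECA-EXAMPLE", "E-1001"): IssuerRecord(active=True, sponsor_has_contract=True)}
LOCAL_RULES = {
    "gate-7": {"organizations": {"COMPANY-A"}, "devices": {"HANDHELD-3"}, "min_vetting": "standard"},
}
ALICE = Credential("ECA-EXAMPLE", "COMPANY-A", "E-1001", "A. Example", "HANDHELD-3",
                   "standard", True, datetime(2012, 1, 1, tzinfo=timezone.utc))


def sample_lookup(issuer_id, employee_id):
    """Stand-in for the issuer domain server query."""
    return ISSUER_RECORDS.get((issuer_id, employee_id))


if __name__ == "__main__":
    print(decide(ALICE, "gate-7", LOCAL_RULES, sample_lookup, NOW))
    print(decide(ALICE, "vault", LOCAL_RULES, sample_lookup, NOW))   # valid identity, no local rule
```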
The Foundation
•  In January 2006 (updated February 2009) FiXs entered into a formal Memorandum of Understanding (MOU) with the DoD that established the terms & conditions under which FiXs & DoD will use their respective systems as part of an identity suite of systems:
–  https://www.dmdc.osd.mil/dmdcomn/owa/DMDC.FEDPIIPS
•  The terms and conditions include:
–  Operational framework for inter-operability between DoD & FiXs
–  Specific operational responsibilities
–  Governance structure
•  Authority To Operate granted by DMDC
•  Strong Certification & Accreditation processes
Documentation available online at: http://www.fixs.org/library
Federated Access DoD Application
(Diagram) Elements: Subscribers (Credential Holders); Trusted Third Parties [External Certificate Authorities (ECA)/PIV-I]; Relying Parties (Access Rules); Strong Identity; Strong Access Control; Local Access Decisions.
Strong credentials with biometrics consistent with federal standards are essential to successful access control.
TESTED, SPOT – FiXs Inter-operability Pilot
•  Successful assessment of the feasibility of using commercially issued credentials that adhere to FiXs-certified standards in "feeding" the SPOT database
•  Issue FiXs-certified credentials to 3,000 contractor personnel
•  Credentials authenticated across a secure network against federated data stores
•  Included "cleared" personnel, non-cleared personnel, first responders, and other entities that interact with Army Materiel Command
•  Monitor utilization, increases in productivity, & security profile
•  Provided strategic assessment for future activities
FiXs – Chain of Trust
FiXs - Certified Credentials
(Diagram of CAC and FiXs cards) Card features: 2D barcode, 1D barcode & mag-stripe on back; 2 RFID antennas; clear Contractor markings.
RFID, barcodes, PIV applet and certificate provide Issuer ID, Sponsor ID, Employee ID, & other data processed via network.
Robust Validation Infrastructure
(Diagram) Elements: Application Servers on the Local Area Network; Clients/Workstations inside and/or outside the LAN, connecting over https; FiXs Validation Service (Site 1) through FiXs Validation Service (Site N); Alternative Validation Paths (OCSP) and an OCSP Repeater; 20+ FiXs-compliant PKI directories and 50+ FiXs-compliant CRLs reached over the CRL update path (ldap/ldaps, http/https).
Device Credential Issuance Process
STEP 1 (Apply): Device Administrator goes to any-CA.ORC.com & completes the online certificate registration application.
STEP 2 (Submit): The device's key pair is generated in a cryptographic module and associated to the device; the device's public key is submitted to the CA along with the application.
STEP 3 (Print): Administrator prints or PDFs the application form.
STEP 4 (ID Proofing): Administrator digitally signs the form & sends or takes the form with two valid forms of ID either to an LRA or other Trusted Agent.
STEP 5 (Confirmation): RA confirms that ID proofing is complete & correct.
STEP 6 (Issuance): A CA issues the certificate & provides out-of-band download instructions to the applicant.
STEP 7 (Download): Administrator returns to any-CA.ORC.com, performs a proof of possession, & downloads the certificate.
STEP 8 (Install): Administrator installs the SD into the device & applies tamper-evident tape.
Device Secure Access
(Diagram) Elements: Video Application Servers on the Local Area Network; Client/WS inside and/or outside the LAN; Credential Validation Service with Validation Paths (OCSP/SCVP), backed by 20+ federally compliant PKI directories and 50+ federally compliant CRLs over the CRL update path (ldap/ldaps, http/https); optional Client/WS Validation Repeater. Flows: 1. Authenticated https; 2/4. OCSP/SCVP; 3. Authenticated SSL VPN.
1.  Mutual Certificate Authentication between Client & Video Server
2.  Mutual Validation of Credentials; https session established
3.  Mutual Certificate Authentication between Video Server & Camera
4.  Validation of Credential; SSL VPN session established
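The validation step in the two slides above (Robust Validation Infrastructure and Device Secure Access) relies on several validation-service sites, OCSP as the primary path and CRLs as the alternative. This added example, not code from the briefing or from any FiXs validation service, shows the fail-closed logic a relying party needs: try each OCSP site in turn, fall back to a cached CRL only while it is within its validity window, and deny on anything short of an affirmative "good". The responders, CRL contents, issuer name and serial numbers are constructed.

```python
from datetime import datetime, timedelta, timezone


class ResponderUnavailable(Exception):
    """A validation site could not be reached or returned an unusable answer."""


def make_ocsp_responder(revoked, available=True):
    """Constructed stand-in for the OCSP responder at one validation-service site.
    A real responder returns a signed response whose signature and freshness must be verified."""
    def respond(issuer_id, serial):
        if not available:
            raise ResponderUnavailable("site unreachable")
        return "revoked" if (issuer_id, serial) in revoked else "good"
    return respond


class CrlCache:
    """Constructed cache of CRLs fetched over the CRL update path, keyed by issuer."""

    def __init__(self):
        self._crls = {}

    def update(self, issuer_id, this_update, next_update, serials):
        self._crls[issuer_id] = (this_update, next_update, frozenset(serials))

    def status(self, issuer_id, serial, now):
        """'good'/'revoked' from a currently valid CRL, else None (no usable evidence)."""
        entry = self._crls.get(issuer_id)
        if entry is None:
            return None
        this_update, next_update, serials = entry
        if not this_update <= now < next_update:
            return None   # a stale (or not-yet-valid) CRL must not count as evidence
        return "revoked" if serial in serials else "good"


def check_revocation(issuer_id, serial, ocsp_sites, crl_cache, now):
    """Try OCSP at each site in order; fall back to a fresh cached CRL; otherwise 'unknown'.
    Returns (status, path) where status is 'good', 'revoked' or 'unknown'."""
    for site_name, respond in ocsp_sites:
        try:
            return respond(issuer_id, serial), "ocsp:" + site_name
        except ResponderUnavailable:
            continue
    status = crl_cache.status(issuer_id, serial, now)
    if status is not None:
        return status, "crl"
    return "unknown", "none"


def accept_credential(issuer_id, serial, ocsp_sites, crl_cache, now):
    """Fail closed: only an affirmative 'good' from some validation path permits the session."""
    status, path = check_revocation(issuer_id, serial, ocsp_sites, crl_cache, now)
    return status == "good", status, path


# Constructed sample: two validation sites, one issuer, one revoked certificate serial (0x1F).
ISSUER = "FIXS-COMPLIANT-CA-1"
REVOKED = {(ISSUER, 0x1F)}
NOW = datetime(2011, 1, 20, 12, 0, tzinfo=timezone.utc)
SITES_ALL_UP = [("site1", make_ocsp_responder(REVOKED)), ("site2", make_ocsp_responder(REVOKED))]
SITES_ONE_DOWN = [("site1", make_ocsp_responder(REVOKED, available=False)),
                  ("site2", make_ocsp_responder(REVOKED))]
SITES_ALL_DOWN = [("site1", make_ocsp_responder(REVOKED, available=False)),
                  ("site2", make_ocsp_responder(REVOKED, available=False))]
FRESH_CRL = CrlCache()
FRESH_CRL.update(ISSUER, NOW - timedelta(hours=1), NOW + timedelta(days=1), [0x1F])
STALE_CRL = CrlCache()
STALE_CRL.update(ISSUER, NOW - timedelta(days=10), NOW - timedelta(days=3), [0x1F])

if __name__ == "__main__":
    for label, sites, crl in [("all sites up", SITES_ALL_UP, FRESH_CRL),
                              ("site1 down", SITES_ONE_DOWN, FRESH_CRL),
                              ("all sites down, fresh CRL", SITES_ALL_DOWN, FRESH_CRL),
                              ("all sites down, stale CRL", SITES_ALL_DOWN, STALE_CRL)]:
        print(label, accept_credential(ISSUER, 0x2A, sites, crl, NOW))
```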
FiXs Certified Credential Authenticated at DoD Location
(Diagram) Nodes: Company A FiXs Domain Server (FDS); Company B FDS; Issuer FDS (Companies C, D, E); Company F FiXs Authentication Node; FiXs Trust Broker (FTB); DMDC Trusted Gateway Broker (TGB); DMDC Domain Server (DDS); Authentication Node: Defense National Visitor Center (DNVC) and Defense Biometric Identification System (DBIDS); FiXs Authentication Stations/Handhelds.
Legend: Secure Connection; Transaction Path – no Fee; Transaction Path – w/ Fee.
FiXs Certified Credential Authenticated at FiXs Location
(Diagram) Nodes: Company A FDS; Company B FDS; Issuer FDS (Companies C, D, E); Company F FiXs Authentication Node; Hosted FTB; DMDC TGB; DMDC DDS; DNVC/DBIDS; FiXs Authentication Stations/Handhelds.
Legend: Secure Connection; Transaction Path – no Fee; Transaction Path – w/ Fee.
CAC Authentication at FiXs Location
(Diagram) Nodes: Company A FDS; Company B FDS; Issuer FDS (Companies C, D, E); Company F FiXs Authentication Node; Hosted FTB; DMDC TGB; DMDC DDS; DNVC/DBIDS; FiXs Authentication Stations/Handhelds.
Legend: Secure Connection; Transaction Path – no Fee; Transaction Path – w/ Fee.
FiXs Certified Credential Enhanced Logical Access Control
(Diagram) Elements: Remote Client/WS; Border Servers reached over SSL VPN/https; Application Servers; Validation Data; FDS.
1.  Initial Enterprise Logon
2.  Validate Device Certificate
3.  Authenticated SSL VPN Established
4.  Initiate Application Logon
5.  Validate ID Certificate
6.  Access Attributes
Contact Information
Dan Turissini - CTO, WidePoint Corporation, FiXs Board
turissd@orc.com
703 246 8550
Dr. Michael Mestrovich, FiXs President
Michael.Mestrovich@fixs.org
703 928 3157