Global Federated Identity & Privilege Management GFIPM John Ruegg, Director LA County ISAB United States Department of Justice

Dec 25, 2015

Transcript
Page 1

Global Federated Identity & Privilege Management (GFIPM)

John Ruegg, Director, LA County ISAB

United States Department of Justice

Page 2

What is Federated Identity Management?

• You trust another organization to identify its users and authenticate them before they can connect to your system: a trusted Identity Provider (IDP).

• Your system relies on the identity information provided by the IDP to make access and authorization decisions: the relying Service Provider (SP).

• IDPs and SPs have mutual technical and policy obligations to meet for participation in the Federation.

Page 3

FBI CJIS Systems - A Federated Identity Management Model

• FBI trusts your organization to identify your users and authenticate them before they can connect to the CJIS Systems. The trusted Identity Provider (IDP) is {the CJIS Control Terminal Officer (CTO)}.

• FBI {CJIS Systems} relies on the identity information provided from your {CTO} IDP to make access and authorization decisions: the relying Service Provider (SP).

• IDPs and SPs have mutual technical and policy obligations in the Federation {CJIS Policy}.

Page 4

Justice XML Inside

NIEM Inside

Page 5

Benefits of Federated Identity Management

• The local organization provides the Identity Management System (IDP) using local authentication methods

• Many commercial products have adopted the federated identity open standards that GFIPM utilizes

• Identity information is communicated over the network via a standard GFIPM justice identity credential

Page 6

Benefits of Federated Identity Management

• Eliminate multiple userids/passwords and security tokens

• Only grant access to your system to users who first authenticate to a trusted Identity Provider (IDP)

• GFIPM-enabled systems always get current identity information via the GFIPM justice identity credential – no requirement to manually register/maintain users

• Changes in user status (job role, retirement, etc.) need to be updated only once, at the local IDP system

Page 7

[Diagram: GFIPM Federation (Single Sign-on, SSO) over the Internet. Participants shown: One DOJ, Fusion Center A, HSIN, RISS, each with an AuthID label]

Page 8

Security & Privacy Policy Enforcement

[Diagram: Request message (carrying GFIPM credentials) → PEP → PDP → Response message. Inputs to the decision labelled on the slide: Electronic policy statements (dynamic, federated), Written policy, Content metadata, Environmental conditions, Actions (release, modify, access, delete, …), Obligations; an Audit trail is recorded. PEP: Policy Enforcement Point; PDP: Policy Decision Point]
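As an added illustration of the PEP/PDP flow on this slide (not code from the presentation or from GFIPM): the relying SP accepts a credential only from an IDP on its federation trust list, the PDP evaluates subject attributes, action, content metadata and environmental conditions against policy and returns a decision with obligations, and the PEP writes an audit record. The IDP URLs, attribute names, obligation names and policy rules are constructed for the example and are not GFIPM's actual metadata vocabulary.

```python
from dataclasses import dataclass, field

# Constructed federation trust list: the IDPs this Service Provider relies on.
TRUSTED_IDPS = {"https://idp.example-county.gov", "https://idp.example-state.gov"}

@dataclass
class Credential:
    """Stand-in for a GFIPM justice identity credential (assumed already signature-checked)."""
    issuer: str      # IDP that authenticated the user
    user: str
    attrs: dict      # constructed attribute names, not GFIPM's real vocabulary

@dataclass
class Decision:
    effect: str                                        # "Permit" or "Deny"
    obligations: list = field(default_factory=list)    # duties the PEP must carry out

def pdp(attrs, action, resource, env):
    """Policy Decision Point: electronic policy statements evaluated over subject
    attributes, the requested action, content metadata and environmental conditions."""
    if resource.get("sensitivity") != "criminal_history":
        return Decision("Permit")
    if not attrs.get("sworn_officer"):                      # subject attribute
        return Decision("Deny")
    if action in ("modify", "delete") and attrs.get("agency") != resource.get("owner"):
        return Decision("Deny")                             # only the owning agency may change it
    if env.get("network") != "trusted":                     # environmental condition
        return Decision("Deny")
    # Permit, but with obligations the PEP must honour before releasing content.
    return Decision("Permit", ["mark_cjis_restricted", "log_release"])

def pep(cred, action, resource, env, audit):
    """Policy Enforcement Point: trust check, PDP query, audit trail.
    Returns True only when the request may proceed."""
    if cred.issuer not in TRUSTED_IDPS:
        audit.append((cred.user, action, resource["id"], "Deny", "untrusted IDP"))
        return False
    d = pdp(cred.attrs, action, resource, env)
    audit.append((cred.user, action, resource["id"], d.effect, ",".join(d.obligations)))
    return d.effect == "Permit"
```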

Page 9

Early Adopters of GFIPM

Live in Production

• RISSnet – Intelligence

• Pennsylvania JNET – criminal justice information

• CisaNet – Southwestern States Intelligence

Under Development

• LA County – local Criminal History

• San Diego County – ARJIS criminal justice information

• Southern Shield – 14 States Fusion Centers

• Connect Project – 8 States portals and federated query services

• OneDOJ – Access to Federal Information Resources

• OneDHS – Access to DHS resources

Page 10

Benefit of Open Standards Adoption

• RSA Conference, April 6, 2008 – 7 Vendors' Products Interoperability Demonstration

• "We're pleased to work with OASIS on addressing the very sensitive issues related to the access of patient information," said John (Mike) Davis, standards architect with the VHA Office of Information in the Department of Veterans Affairs, and a member of the HITSP Security, Privacy and Infrastructure Technical Committee. "XACML helps ensure that patients, physicians, hospitals, public health agencies and other authorized users share critical information appropriately and securely."