11/14/13

Identity as a Service – Strong enough for government?
Date: November 13, 2013 Time: 11:00 pm EST/ 8:00 am PST
Host: Richard Moulds, Thales e-Security VP of Strategy and Product Marketing
Guest: Daniel E. Turissini, CEO, Operational Research Consultants

Defend Critical Infrastructure from Invasive Attack & Information Theft
Prevent Terrorism & Promote National Security
Prevent Cybercrime; Identity Theft; Promote Efficient Use of Technology
Cyber Security: “One of the most serious economic & national security threats our nation faces.” -- President Obama

Issues at hand:
• Cost-effectively prevent cyberterrorism and cyber crime, & defend our nation’s critical infrastructure
• Reduce risk of unauthorized disclosure of proprietary & privacy information
• Share timely information securely with remote workers, vendors, partners & customers
• Ensure the accountability of all cyber transactions
• Avoid unnecessary costs arising from system “silos”
For many companies thinking about moving sensitive data to the cloud, security issues remain a significant concern. But one company, Operational Research Consultants Inc. (ORC), a WidePoint Company, is proving that the cloud really can be made as safe as, or even safer than, on-premise deployments, even for organizations as security-focused as the U.S. Federal Government.
– A pioneer in federal identity management: ORC has been a trusted partner of the U.S. government since the mid-‘90s, when the company launched the Navy Acquisition Public Key Infrastructure to support secure interactions with contractors and suppliers. As the government’s emphasis on information assurance expanded over the next two decades, ORC became a go-to partner for security solutions and one of the first companies authorized to provide government-compliant identity management solutions.
Today ORC manages more than three million identities and has issued more than 10 million federal-compliant digital certificates to a variety of employees, contractors, allies, veterans and citizens conducting business with the government.
– The need for secure and interoperable identification and authentication: In August 2004, the Bush administration issued a Homeland Security Presidential Directive (HSPD-12) to secure federal facilities and resources by establishing a government-wide standard for secure and reliable forms of identification. Going far beyond simply issuing ID badges to government employees, this initiative would focus on the processes needed to issue secure personal credentials, on methods to validate those issuance processes and credentials, and on managing risk and quality throughout the lifecycle of the credentials.
The Personal Identity Verification (PIV) program implements these processes, and FIPS (Federal Information Processing Standard) 201 specifies interface and data elements of the PIV smart card. Among the data elements on a PIV card are one or more asymmetric private cryptographic keys. Departments and agencies must use a compliant public key infrastructure (PKI) to issue digital certificates to users. The PIV initiative has also spawned other high assurance credentials that support specific Business-to-Government, Citizen-to-Government and Citizen-to-Business transactions while supporting federated interoperability between the issued credentials. These include various PIV-Interoperable (PIV-I) and PIV variants, such as: Transportation Worker Identification Credential (TWIC®), First Responder Authentication Credentials (FRAC), Commercial Identity Verification (CIV), and External Certificate Authority (ECA) PIV-I that address various regulatory requirements and are built to scale globally. The processes and policies for certificate issuance and the protections afforded to the critical root and issuing certificate authority keys in that PKI are critical factors in the overall assurance level of the system.
Transcript
• Identity Management – Create & maintain an identity, including discrete attributes, centralized administration & user self-service
• E-Authentication – Provide repositories for identity, network and/or resource profiles; provide security services that enable identification, validation & support for authorization
• Access Management – Provide authorization, audit & session management functions to define individual access rights for business partners, suppliers, customers or employees
• Provisioning & Workflow – Business policies to support greater automation for devices such as identity tokens, credit cards, cell phones & PCs
* Driven by the Federal Government & Commercial Cloud Based Initiatives

• Markets leading-edge secure critical response management solutions designed to improve coordination within emergency services and critical infrastructure agencies
• Accountability solutions tailored to specific customer workflows, including: incident management, network device management, crime scene evidence control, mortgage processing, etc.
In Production – Not Theoretical
Assurance based on who, not where! Most communities of interest concerned with Privacy & Security can no longer be defined by location. ORC’s IA solutions address access to multi-level secure resources & message traffic based on Entity Identity, Roles, & Privileges: people, devices, servers, objects, code ….

Digital Identity: ORC’s cyber identity credentials allow you to SECURELY…
• Access email via the internet
• Establish a virtual private network with your base network from anywhere in the world
• Move from one application to another without having to key password information -- without losing security along the way
• Apply on-line for access rights and services -- and receive those services
• Digitally sign memos, contracts, delivery orders, etc.
• Digitally sign code for safe distribution
Privacy & critical infrastructure protection
Security Services
Physical (e.g. writing a check) vs. Digital:
– Confidentiality
  • Physical: Limited physical access
  • Digital: Data Encryption
– Data Integrity
  • Physical: Inked text
  • Digital: Hashing
– Non-Repudiation
  • Physical: Cancelled check
  • Digital: Digital Signature
– Identification & Authentication
  • Physical: Driver’s license & signature
  • Digital: CA Signature
– Privilege & Authorization
  • Physical: Check for account validity
  • Digital: Access/Privilege Control Lists
A digital solution for cyber security
What’s in a Digital Certificate
– Identity
– Cryptographic Strength: SHA-256, AES
– Authoritative Source: Legitimate Certificate Authority or Unknown CA (Untrusted)
– Level of Assurance: Basic/Medium/High Confidence in Identity
– Validity: Issued on mmddyyyy, Expires on mmddyyyy
With a robust revocation/validation infrastructure
Alternative Tokens
Embedded/Removable HW Crypto, FIPS-140/Common Criteria:
• Trusted Platform Module (TPM)
• SD/MicroSD
• SIM
• USB
• Smart Card
ORC is a leader in advanced technology operations!
Federated Trust – The Trust Triangle
• Subscribers (End-Entities)
• Trusted Third Parties (Certificate Authorities)
• Relying Parties
The right Assurance, Security, Biometrics & PKI Capabilities/Expertise
Infrastructure Based on Commercial Standards
Facilities to Provide Secure & Scalable IT Services
High Availability Data Centers: 365x7x24, 99.999% uptime, as required by Federal Policy. Secure Network Operations Centers (SNOC): five-tier physical protection
• Communications traffic is monitored & upgraded bandwidth is made available as traffic requirements dictate, to maintain the customer services with 99.999% uptime
• Audited installation procedures to ensure that Government requirements are met & customer expectations exceeded
• SNOCs employ UPS coupled with a constant power generator & dedicated HVAC - at full load, power can be maintained for more than 5 days without public power
• Hardware, software, & vendor service level agreements associated with maintaining appropriate firewall protection, redundant warehousing, power generation & Internet connectivity are leveraged for each customer.
The know-how & access to leverage existing deployments
• Federated solutions support a variety of strong electronic identity credentials that can be readily validated electronically by any logical/physical access point, allowing the decision maker or database to make a local, specific privilege and/or authorized-access decision confident in:
– the identity of the person attempting access;
– the identity of the device attempting access;
– the identity of the vetted organization that they represent;
– that the organization and the individual have a legal relationship to do business with the federal government; and,
– that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
Credential assures you are who you say you are,
Relying Party confirms what holder is permitted to access!
Federated Access for Enterprise Applications
• Subscribers (Credential Holders) – Strong Identity
• Trusted Third Parties [External Certificate Authorities (ECA)/PIV-I] – Strong Access Control
• Relying Party’s (Access Rules) – Local Access Decisions
Strong credentials with biometrics consistent with federal standards are essential to successful Access control
Certified Credential Enhanced Access Control
Flow: Remote/Mobile Client/WS → SSL VPN (https) → Border Server → Application Server, with Validation Data and the FDS consulted along the way:
1. Initial Enterprise Logon
2. Validate Device Certificate
3. Authenticated SSL VPN Established
4. Initiate Application Logon
5. Validate ID Certificate
6. Access Attributes
More information to make better access decisions
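What the border server (step 2) and the application server (step 5) check before any attributes are released, as an added Go example written for this page rather than taken from ORC or Thales: the credential is chained to the trusted issuing CA, its validity window and client-authentication usage are enforced, and revocation data is consulted, covering the certificate fields listed on the "What's in a Digital Certificate" slide. The issuing CA, the subscriber certificate and the revoked-serial map are all constructed here; the map stands in for an OCSP/CRL lookup against the validation data store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Validate mirrors steps 2 and 5: chain to the trusted CA, validity window and client-auth usage, then revocation; only then are attributes released.
func Validate(leaf, ca *x509.Certificate, revoked map[string]bool, now time.Time) (map[string]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err // untrusted issuer, outside validity window, or wrong key usage
	}
	if revoked[leaf.SerialNumber.String()] { // stand-in for the OCSP/CRL lookup against validation data
		return nil, fmt.Errorf("certificate %s revoked", leaf.SerialNumber)
	}
	return map[string]string{"cn": leaf.Subject.CommonName, "ou": strings.Join(leaf.Subject.OrganizationalUnit, ";")}, nil
}

// Demo builds a constructed issuing CA and one subscriber certificate (not real ORC/ECA material).
func Demo() (ca, leaf *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // in practice generated on the PIV/PIV-I token
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Jane Doe",
		OrganizationalUnit: []string{"Example Contractor Inc"}}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

func main() {
	ca, leaf := Demo()
	fmt.Println(Validate(leaf, ca, map[string]bool{"1234": true}, time.Now())) // revoked list does not contain 4242
}
```

A relying party that skipped any one of these checks (chain, window, usage, revocation) would accept a credential the issuer no longer vouches for, which is why the slide's "Validation Data" store sits on the path.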
Leveraging A Common Infrastructure: currently over 25 million people have compliant credentials
• Federal Government
• Trading Partners & Allies
• First Responders
• Veterans
• Transportation Workers
• Military
• Retirees & Dependents
As this number grows - opportunities for efficiencies skyrocket!
Reduce Cost of Goods Sold (COGS)
• Federated Digital Solution – Reduces High Help Desk Costs; Mitigates Risks Associated with usernames & passwords
• Distinguished as 1 of only 4 Certified PKI Shared Service Providers, currently providing PIV services to six federal agencies, with full Authority to Operate (ATO)
• Distinguished as 1 of only 4 Approved PIV-Interoperable Providers and is currently providing PIV-I services to three state governments
• Distinguished as the 1st designated DoD Interim External Certificate Authority (IECA-1) & the first US Government External Certificate Authority (ECA)
• Distinguished as 1 of 2 GSA Access Certificates for Electronic Services (ACES) Trusted Third Parties, a citizen-focused PKI
• Distinguished as the 1st commercial GSA E-Authentication Federation Credential Service Provider at Level 1, 2, and 3
• Distinguished as the PKI provider for the Transportation Worker Identification Credential (TWIC)
• Distinguished as the 1st commercial Credential Issuer under The Federation for Identity and Cross-Credentialing Systems (FiXs) – http://www.FiXs.org
4M identities & more than 14M federal compliant digital certificates
Customers
• 34 of Fortune 100 Companies
• 22 of Top 25 Federal Contractors
• 200+ Colleges & Universities
• 100+ Municipalities & Schools
• 100+ Private & Public Research Organizations
• 100+ Healthcare Organizations
• 40+ Banks & Financial Institutions
• 11 Airlines
• Numerous Federal Agencies

Current Markets Fueled by Government Mandate for Increased Assurance Levels
Government Security Standards will be Driven Across the Business Continuum
Millions of Users, Servers, Workstations and Handheld Devices
• Global provider of data protection and key management solutions
• Reduce the cost/complexity associated with use of cryptography
• Solutions for traditional, virtualized and cloud environments
• Strategic business value: secure cardholder data, payments and transactions; support data privacy obligations; protect intellectual property; secure identities and credentials
• 40 year security track record
• Strategic business unit of Thales Group
Hardware Security Modules
What are HSMs? Hardened cryptographic devices, isolated from host OS and applications.
What do HSMs do? Secure cryptographic operations (encrypt, sign etc.); generation and protection of critical cryptographic key material; enforce policy over use of keys and key management.
Diagram: the Business Application sends application data (data to be signed/decrypted) across the HSM security boundary to the crypto processing engine and receives the decrypted/signed data back; the key stays inside the security boundary.
Dual Controls for Strong Authorization
• Smart cards deliver strong authentication
• Sets of smart cards deliver shared responsibility and mutual supervision
• Assigned to security personnel; known as Operator Card Sets (OCS)
• Authorization based on a “quorum” of cards & card owners
• Requires a minimum number of cards from a set, e.g. 3 of 5 cards; creates natural redundancy and resiliency
Diagram: Authorized Operators, each holding one card of the OCS.
The Thales nShield HSM Family
• nShield Connect – Network appliances
• nShield Solo – Embedded PCI card
• nShield Edge – Portable USB device
Thank you! Contact details: richard.moulds@thalesesec.com