The E-Authentication Federation: The enabler of Electronic Government!
Presented to AIPC by Stephen A. Timchak, June 12, 2005
The Goal of E-Government
Empower and enable citizens and businesses to manage their relationships with government on their terms in a secure online environment.

The Role of the E-Authentication Program
Develop and implement an enterprise-wide E-Authentication strategy and solution that enables E-Government. E-Authentication is a key component of the President's Management Agenda.
President's E-Gov Agenda

Government to Citizen (Lead agencies: GSA, Treasury, DoED, DOI, Labor)
1. USA Service
2. EZ Tax Filing
3. Online Access for Loans
4. Recreation One Stop
5. Eligibility Assistance Online

Government to Business (Lead agencies: GSA, EPA, Treasury, HHS, SBA, DOC)
1. Federal Asset Sales
2. Online Rulemaking Management
3. Simplified and Unified Tax and Wage Reporting
4. Consolidated Health Informatics (business case)
5. Business Gateway
6. Int'l Trade Process Streamlining

Government to Government (Lead agencies: SSA, HHS, FEMA, DOI)
1. e-Vital (business case)
2. Grants.gov
3. Disaster Assistance and Crisis Response
4. Geospatial Information One Stop
5. Wireless Networks

Internal Effectiveness and Efficiency (Lead agencies: OPM, GSA, NARA)
1. e-Training
2. Recruitment One Stop
3. Enterprise HR Integration
4. e-Travel
5. e-Clearance
6. e-Payroll
7. Integrated Acquisition
8. e-Records Management

Cross-cutting Infrastructure: E-Authentication (GSA)
The E-Authentication Initiative Strategy: Build the E-Authentication Federation
Government agencies rely on electronic identity credentials, such as PINs, user IDs, passwords and PKI certificates, issued and managed by other organizations within and outside the federal government.

How do we do it? Develop a federated identity authentication framework that is:
- Supporting secure online transactions
- Reliant on existing trust relationships
- COTS and standards-based, with interoperable products supporting multiple protocols
Why Adopt a Federated Approach?
- Migration of applications to the web has precipitated an increasing need for secure authentication
- Identity management is now perceived as one of the major enterprise IT challenges
- Industry best practices are moving toward enterprise identity management solutions (portals) and federated identity

Use of Federated Identity Is Growing
According to Burton Group, more than 300 businesses are deploying SAML-based federations this year:
- General Motors: 500,000 employees, customers and trading partners
- SAFE-BioPharma: major pharmaceutical research firms and regulators
- Fidelity Investments: employees and plan administrators from over 11,000 companies
- Boeing: airline mechanics and ground service personnel
An Example of Federation (slide shows a screenshot of a maintenance website)
Building the E-Authentication Federation (layered roadmap)
- Policy: complete
- Technical Standards: complete, FY 2004
- Business & Operating Rules
- Operational Infrastructure
- Agency Applications / Identity Credential Issuers: scheduled for Federation membership Q4 FY '05 and beyond
Approved E-Authentication Technology Providers (vendor logo slide; Novell is among those shown)
E-Authentication Federation
- Agency Applications: the Federal Government agency application owners that have agreed to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains
- Trusted Credential Service Providers: the private and public sector credential service providers that agree to abide by that same set of technical, policy, and business interoperability standards and agreements
- Federation Management (E-Authentication PMO): manages the technical, policy, and business rules that serve to make identity portable across domains

Speaker note: Federation is a new term and this slide puts the three components of the Federation in perspective. Three parts: Agency Applications, Trusted Credential Service Providers, and Federation Management (GSA).
Key Policy Considerations

For Governmentwide deployment:
- No National ID
- No National unique identifier
- No central registry of personal information, attributes, or authorization privileges
- Different authentication assurance levels are needed for different types of transactions
- Authentication, not authorization

For the E-Authentication technical approach:
- No single proprietary solution
- Deploy multiple COTS products: user's choice
- Products must interoperate together
- Controls must protect privacy of personal information
The Policy Foundation Is In Place
- Policy infrastructure enables real business and trust, because it can be universally leveraged and accepted
- Policy framework is key to E-Authentication Federation context and cohesiveness
- Policy framework necessary for:
  - Technical architecture and interoperability
  - Evaluation of identity credential issuers
  - Determination of assurance level requirements
  - Ease of contracting
  - Efficient, reusable business processes

Key policy/guidance documents & tools:
- OMB M-04-04
- E-Authentication Risk and Requirements Assessment (E-RA)
- NIST SP 800-63
- Credential Assessment Framework (CAF)
Matching the right level of authentication to business risk.
The Technical/Architectural Framework Is In Place
- Based on industry best practices
- Open standards-based, federated identity management
- Supported by interoperable products, providing choice and market-driven pricing
- Supports the coexistence of multiple federated identity schemes
- Provides for the management of transitive trust
- Accommodates both low and high level credentials using SAML and PKI
- Supports the introduction of other authentication techniques over time
Interoperability among trusted identity credential issuers.
Federation Operations (architecture diagram)
Components shown: EAuth Portal, EAuth Validation Service, EAuth Step-down Translator, protocol (scheme) translator, ICI web site, agency application web site, FirstGov portal and FirstGov EAuth apps. The user's starting point can be the ICI web site, the agency application web site, or the FirstGov portal.
Standing Up Federation Operations
Implementing a world-class operations capability, available 24x7x365:
- Federation Contact Center (Help Desk)
- Operations and maintenance of the portal, step-down translator(s), validation service and scheme translators
- Client and production services
Agency customers agreed that a well-run operations capability was critical to the Federation's success.
Governance: E-Authentication Oversight, Moving From Initiative to Federation
Current: E-Authentication Initiative, overseen by the Executive Steering Committee (24 Cabinet-level Federal agency CIOs, plus a venture capitalist perspective)
Proposed "Uber" Structure: E-Authentication Federation, governed by a Federation Board of Directors, User Groups, and a Vendor Council
Federation Membership Requirements: How we bind the trust that drives interoperability
For Identity Credential Issuers and Relying Parties (Agencies): Business & Operating Rules, with technology standards integrated with common business rules. Developing business agreements that govern membership in the E-Authentication Federation.

Business Rules:
- Eligibility
- Participation requirements
- Roles and obligations
- Dispute resolution and recourse
- Liability issues and management
- Potential risks and risk management

Operating Rules, with processes and procedures for:
- Updates in metadata
- Software versions
- Customer service center escalation
- Customer service center hours of operation
- Revocation rules & procedures
- Agency and PMO points of contact
Identity Credential Issuers
- The Federal Government does not want to be in the credential management business
- Various commercial entities, such as insurers and other financial institutions, are natural trusted credential service issuers (CSIs)

Who provides authentication today? Look in your wallet: what credentials are you most likely to find?
- A bank card
- A health insurance card
- School ID
- A State Government-issued driver's license or photo ID
Citizen/business convenience and trust are key to selecting identity credential issuers.
Targeting Financial Institutions First
- Authentication lies at the core of existing financial services products
- Know-your-customer (KYC) is required by law
- Financial institutions own 3 powerful assets:
  - Trust
  - 90+% of the US population has a banking relationship, and 53M have bank-issued credentials (Pew)
  - Strongly authenticated identities
- Law requires more than KYC: it requires that customers' identities be protected
Financial Institutions as Authenticators (chart courtesy of Glenbrook Partners, "Trusted Identity: Hidden Value From Customer Appreciation")
The chart rates each authenticator as Strong, Mixed or Weak on attributes of the consumer relationship (broad customer base, long-term relationship, frequent use of credential) and of the authenticator itself (trusted entity? strong registration process?).
- Current authenticators, with large bases of authenticated customer relationships: Financial Institutions; ISPs and Telcos; Employers; Schools; Merchants & Service Providers
- Future authenticators that could have large bases of authenticated customer relationships: Governments; Private ID Providers
Status:
- Partnered with Financial Services Technology Consortium (FSTC)
- 7 of the top 10 U.S. financial organizations engaged
- Limited deployments expected 9/05: agency applications processing commercial credentials
The Credential Assessment Framework
Potential ICIs must participate in a credential assessment using the methodology defined in the Credential Assessment Framework:
- On-site inspection
- Credentialing procedures
- Network and systems security
- Overall risk management profile
Upon successful assessment, ICIs can be added to E-Authentication's Trusted Identity Credential Issuer List and to the E-Auth architecture (enabling acceptance of the credential by the Portal).
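To make the technical framework concrete (assurance levels matched to risk, the step-down translator, and the Trusted ICI List that gates which credentials the Portal accepts), here is an added toy model of the Portal's acceptance decision. It is not code from the E-Authentication program; it assumes the four OMB M-04-04 assurance levels (1 through 4), that an issuer's level is the one it was assessed at under the CAF, and that an application accepts any trusted credential at or above its own required level while being told only that level. Issuer names and the list are constructed.

```python
"""Toy model of the Federation Portal's credential-acceptance decision.

Added example, not code from the E-Authentication program. Assumes the four
OMB M-04-04 assurance levels (1 = little confidence in the asserted identity
... 4 = very high confidence), that an issuer's level is the one assessed
under the Credential Assessment Framework, and that an application accepts a
trusted credential at or above its required level and is shown only that
level (the "step-down"). Issuer names and the list itself are constructed.
"""
from dataclasses import dataclass

# Constructed Trusted Identity Credential Issuer list: issuer -> assessed level
TRUSTED_ICI_LIST = {
    "bank.example.test": 2,     # PIN/password credential assessed at level 2
    "pki-ca.example.test": 4,   # PKI certificate credential assessed at level 4
}


@dataclass(frozen=True)
class Credential:
    issuer: str
    claimed_level: int   # level the issuer asserts for this authentication


@dataclass(frozen=True)
class Application:
    name: str
    required_level: int  # level the agency chose via its E-RA risk assessment


def effective_level(cred: Credential) -> int:
    """Cap the claimed level at the issuer's assessed level; 0 if untrusted."""
    return min(cred.claimed_level, TRUSTED_ICI_LIST.get(cred.issuer, 0))


def decide(cred: Credential, app: Application) -> tuple[bool, int, str]:
    """Return (accepted, level presented to the application, reason)."""
    if cred.issuer not in TRUSTED_ICI_LIST:
        return False, 0, "issuer not on the trusted ICI list"
    level = effective_level(cred)
    if level < app.required_level:
        return False, level, f"level {level} below required {app.required_level}"
    if level > app.required_level:
        # Step-down: the application sees exactly the level it asked for
        return True, app.required_level, f"accepted, stepped down from {level}"
    return True, level, "accepted"


if __name__ == "__main__":
    pki = Credential("pki-ca.example.test", 4)
    print(decide(pki, Application("park-research-permits", 2)))
```

The cap in effective_level is the point of the assessment: an issuer cannot raise its own level by asserting a higher one, and an issuer not on the list is rejected regardless of what it claims.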
Agencies Are Committed: Moving E-Gov't Services Online For Business
Type of Transaction / Sample Application / Potential Users:
- Licensing/Permits/Accreditation: Nat'l Park Service Research Permits; 3,500 researchers, 10,000 permits requested each year
- Compliance: EPA Central Data Exchange; 15,000 businesses and laboratories
- Grants/Loans/Subsidies: FHA Connection; 90,000 mortgage lenders, 1.4M loans approved in FY04
- Gov't Contracting: E-Offer; 8,000 primary business contracts, 100,000 projected business users
- Business Support: NASA Integrated Information; 50,000 contractors and industry participants (350M transactions per year)
- Int'l Trade: Export.gov; 3 million businesses

Federation Levers:
- OMB hammer
- Provide financial incentives for early adopter pilot projects

Engagements underway:
- SSA: change of address, direct deposit
- VA: Veterans Online Applications (VONAPPS)
- Treasury: BSA Direct eFiling; FMS Debt Check, among others

E-Gov and related initiatives:
- GSA eOffer (GSA FSS): vendors create and modify offers
- Grants.gov (HHS, USDA, NSF): find and apply for federal grants
- eTravel (all federal agencies): agency employee and contractor travel
Agencies Are Committed: Moving E-Gov't Services Online For Citizens
Type of Transaction / Sample Application / Potential Users:
- Social Security: Direct Deposit, Annual Benefit Statement; 47M citizens receiving benefits
- Assistance: USA Jobs; over 15,000 job postings
- Recreation: Recreation One Stop; 5.7M campers in 2003
- Loans: Dept. of Education's National Student Loan; 35M student users
- Public Safety: Dept. of Justice's Victim Internet System; 13M victims and their attorneys
- Benefits: 1010-Eligibility for Benefits; 70M veterans
Federation Acquisition Marketplace
- Providing a "one-stop shop" for E-Authentication Federation products and services
- Creating an "E-Authentication Federation Suite of Contracts" on Federal Supply Service (FSS) IT Schedule 70
- Available to states as well as Federal agencies
- Will include:
  - Technology products
  - Architectural components
  - Credential services
  - Accredited providers of Smartcard/HSPD-12/FICC-mandated credentials and tokens
E-Authentication Validated by Independent Report
Burton Group, a respected IT research and advisory services firm, reports that E-Authentication:
- Aligns with industry best practices
- Provides a flexible and pragmatic common approach to authentication
- Efforts should continue and expand, with fine tuning

"The E-Authentication Initiative's goals are achievable. The anticipated benefits are real and far-reaching, and extend to end-users, governmental organizations, and commercial businesses alike. The E-Authentication Initiative is well-defined, flexible, technically sound, and employs industry best practices."
Burton Group Report on the Federal E-Authentication Initiative, 8/30/04
Lessons Learned IT’S HARD!
SUCCESS IS IN SIGHT!
For More Information
Stephen A. Timchak, Project Executive, E-Authentication Federation
U.S. General Services Administration
2011 Crystal Drive, Suite 911, Crystal Park One, Arlington, Virginia 22202
Office phone: 703-872-8604
E-mail: stephen.timchak@gsa.gov
Website: http://cio.gov/eauthentication