The E-Authentication Initiative
E-Authentication: Creating an Environment of Trust
David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy
Session Objectives
- Identity federation basics
- Why the Federal Government is federating
- Key infrastructure needed for identity federation
- Interoperability and identity federation
- E-Authentication trust framework
- The Electronic Authentication Partnership and how it facilitates identity federation
The Identity Problem
Individuals have multiple disconnected identities across the internet and other networks, leading to repeated, stand-alone authentications: costly, insecure, inconvenient. For example, one user might hold:
- www.401k.com: User ID 123-45-6789, Password my401k
- My.employer.org: User ID jsmith@work.org, Password myjob
- www.mytravel.com: User ID frequentflyer, Password etravel
Background
Federated identity definition: rules, agreements, standards and technologies that make identity and entitlements portable across autonomous domains. Federation is critical for a rich web services environment.
Federated identity technologies and standards:
- PKI: ISO X.509v3
- Security Assertion Markup Language: OASIS SAML 1.0, 1.1, 2.0
Lacking standards:
- Biometrics
- User ID/PIN/Password
- Knowledge-based authentication
- One-time passwords
- Token-based authentication
Federated identity specifications (SAML-based):
- Liberty Alliance
- Shibboleth
Standards Convergence
- SAML 1.X: framework for exchanging security information about a principal (authentication, attributes, authorization information)
- Liberty ID-FF 1.X: extends SAML 1.0 and 1.1 for federation, SSO and web services
- OASIS SAML 1.0, 1.1, the Liberty specifications and the Shibboleth specification converge in the OASIS Standard SAML 2.0
Four Authentication Assurance Levels to meet multiple risk levels
As the need for identity assurance rises, so does the cost of the credential:
- Low: PIN/User ID (example: access to a protected website)
- Medium: knowledge-based authentication / very strong password (example: applying for a loan online)
- High: multi-factor token (example: obtaining government benefits)
- Very High: PKI / digital signature (example: employee screening for a high-risk job)
President's Management Agenda
1st priority: make Government citizen-centered.
5 key Government-wide initiatives:
- Strategic Management of Human Capital
- Competitive Sourcing
- Improved Financial Performance
- Expanded Electronic Government
- Budget and Performance Integration
PMC E-Gov Agenda (cross-cutting infrastructure: eAuthentication, led by GSA)
Government to Citizen (leads: GSA, Treasury, DoED, DOI, Labor):
1. USA Service
2. EZ Tax Filing
3. Online Access for Loans
4. Recreation One Stop
5. Eligibility Assistance Online
Government to Business (leads: GSA, EPA, Treasury, HHS, SBA, DOC):
1. Federal Asset Sales
2. Online Rulemaking Management
3. Simplified and Unified Tax and Wage Reporting
4. Consolidated Health Informatics (business case)
5. Business Gateway
6. Int'l Trade Process Streamlining
Government to Government (leads: SSA, HHS, FEMA, DOI):
1. e-Vital (business case)
2. Grants.gov
3. Disaster Assistance and Crisis Response
4. Geospatial Information One Stop
5. Wireless Networks
Internal Effectiveness and Efficiency (leads: OPM, GSA, NARA):
1. e-Training
2. Recruitment One Stop
3. Enterprise HR Integration
4. e-Travel
5. e-Clearance
6. e-Payroll
7. Integrated Acquisition
8. e-Records Management
Key Policy Points
For Governmentwide deployment:
- No National ID.
- No National unique identifier.
- No central registry of personal information, attributes, or authorization privileges.
- Different authentication assurance levels are needed for different types of transactions.
And for the e-Authentication technical approach:
- No single proprietary solution.
- Deploy multiple COTS products: the user's choice.
- Products must interoperate together.
- Controls must protect the privacy of personal information.
Central Issue with Federated Identity: Who Do You Trust?
The trust network spans 280 million Americans, millions of businesses and state/local/global governments:
- Governments: Federal, States/Local, International
- Travel industry: airlines, hotels, car rental, trusted traveler programs
- Higher education: universities, PKI bridge
- E-commerce industry: ISPs, internet accounts, credit bureaus, eBay
- Healthcare: American Medical Association, Patient Safety Institute
- Financial services industry: home banking, credit/debit cards
Absent a National ID and a unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.
Identity Federation: Key Interoperability Needs
Identity federations extend beyond current peer-to-peer, bilateral agreements to build common infrastructure shared among multiple parties:
- Federation trust (policy interoperability)
- Federation communications (technical interoperability)
- Federation business relationships (business interoperability)
Federation Infrastructure
Interoperable technology (communications):
- Determine the intra-federation communication architecture and protocols
- Administer common interface specifications, use cases and profiles
- Ensure interoperability (as needed) according to the specifications
- Provide a common portal service (i.e., discovery and interaction services)
Trust:
- Establish a common trust model
- Administer common identity management/authentication policies for federation members
Business relationships:
- Establish and administer common business rules
- Manage relations among relying parties and CSPs
- Manage compliance/dispute resolution
The Need for Federated Identity Trust and Business Models
Technical issues for sharing identities are being solved, but slowly:
- Federal Interoperability Lab
- OASIS and Liberty conformance test programs
Trust is the critical issue for deployment of federated identity. Federated ID networks have a strong need for trust assurance standards:
- How robust are the identity verification procedures?
- How strong is this shared identity?
- How secure is the infrastructure?
Common business rules are needed for federated identity to scale: N² bilateral trust relationships are not a scalable business process. Common business rules are needed to define:
- Trust assurance and credential strength
- Roles and responsibilities of IDPs and relying parties
- Liabilities associated with use of 3rd-party credentials
- Business relationship costs
- Privacy requirements for handling Personally Identifiable Information (PII)
E-Authentication Trust Model for Federated Identity
1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, adopted by EAP)
2. Establish a standard methodology for e-Authentication risk assessment (ERA) (2/04)
3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish a methodology for evaluating credentials/providers on assurance criteria (EAP SAC and Federal CAF)
5. Assess CSPs and maintain a trust list of trusted CSPs for govt-wide (and private sector) use (2/04)
6. Establish common business rules for use of trusted 3rd-party credentials
7. Test products and implementations for interoperability
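The trust model above (a trust list of accredited CSPs, assurance levels tied to transaction risk) and the four-level assurance slide earlier describe what a relying party must check before accepting a federated credential. The following is an added example, not code from the presentation or from the e-Authentication initiative: a relying-party check over a SAML 2.0 assertion that verifies issuer membership on a trust list, the validity window and audience, and that the asserted assurance level meets the level the transaction requires. The trust-list entries, the AuthnContextClassRef URIs and the sample assertion are all constructed for illustration, and XML signature verification is assumed to happen before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical trust list (step 5 above): issuer entityID -> highest assurance
# level the federation has accredited that CSP to assert. Values are constructed.
TRUST_LIST = {"https://idp.example.gov/csp": 3}
# Hypothetical mapping of AuthnContextClassRef URIs to assurance levels 1-4.
CONTEXT_LEVELS = {"urn:example:eauth:level1": 1, "urn:example:eauth:level2": 2,
                  "urn:example:eauth:level3": 3, "urn:example:eauth:level4": 4}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2004-02-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def accept_assertion(xml_text, audience, required_level, now_utc):
    """Return (assurance_level, 'ok') or (None, reason). Assumes the XML
    signature was already verified against the issuer's trusted key."""
    now = _ts(now_utc)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUST_LIST:
        return None, "issuer not on trust list"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "no Conditions element"
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None, "assertion outside validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return None, "assertion not addressed to this relying party"
    ref = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    level = CONTEXT_LEVELS.get(ref)
    if level is None:
        return None, "unknown authentication context"
    # A CSP may not assert more than it is accredited for; cap at the trust-list value.
    level = min(level, TRUST_LIST[issuer])
    if level < required_level:
        return None, f"assurance level {level} below required level {required_level}"
    return level, "ok"

# Constructed, unsigned, reduced sample assertion from the trusted CSP above.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1"
  Version="2.0" IssueInstant="2004-02-01T12:00:00Z">
  <saml:Issuer>https://idp.example.gov/csp</saml:Issuer>
  <saml:Conditions NotBefore="2004-02-01T12:00:00Z" NotOnOrAfter="2004-02-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://loans.example.gov</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2004-02-01T12:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:example:eauth:level2</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""
```

A loan application (Medium on the assurance slide) accepts the sample, while a transaction requiring level 3 rejects it with a reason the relying party can log.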
The Need for an Identity Federation Business Case
"Federated identity is economically inevitable..." (Burton Group)
However, there must be a clear business case that others can understand:
- The business opportunity must be meaningful yet realistic
- Business partners need to understand the business case
- The solution must be replicable: start simple, use standard templates, avoid complexity for complexity's sake
- Leverage open standards
There should be a clear business case for identity federation for:
- Financial services industry
- Health care industry
- Higher education
Identity Federation Models
- Bilateral (peer-to-peer)
- Hub and spoke (unilateral)
- Circle of trust (many-to-many)
[Figure: each model drawn as a set of federated ID relationships]
The Need for the Electronic Authentication Partnership
Policy, technical and business interoperability for: Federal Government, State/Local Governments, Industry, Commercial Trust Assurance Services (across IDPs and RPs)
- Policy: authentication assurance levels, credential profiles, accreditation, business rules, privacy principles
- Technology: adopted schemes, common specs, user interfaces, APIs, interoperable COTS products, authz support
- Business: common business and operating rules
http://www.eapartnership.org/
What is the EAP
- Multi-industry partnership creating a framework for interoperable, trustworthy authentication
- Incorporated non-profit association with 60 members
- Product and technology agnostic
Goals:
- Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
- Eliminate or at least reduce the need for organizations to establish bilateral agreements
- Facilitate the creation of federations through replicable rules
- Enable federation-to-federation trust
In practice this means a federated approach.
What the EAP is doing now for ID Federation
Current state of industry (bilateral IDP/SP-RP pairs):
- Bilateral agreements
- Pair-wise trust model
- Pair-wise interface spec and products
EAP objective (multi-party, interoperable federation of IDPs and SP/RPs):
- Common business rules/agreements
- Common trust model
- Common interface specification
- Interoperable products
What the EAP envisions for ID Federation: Multiple, Interoperable Federations
EAP provides, across Federation 1, Federation 2 and Federation 3 (each made up of IDPs and SP/RPs):
- Common business rules/agreements
- Common trust models
- Common basic interface specifications
- Interoperable products
For More Information
David Temoshok
Phone: 202-208-7655
E-mail: david.temoshok@gsa.gov
Websites:
- http://cio.gov/eauthentication
- http://www.eapartnership.org/
- http://cio.gov/fpkipa
- http://cio.gov/ficc