
Privileged User Access for Non-US Citizens
Randall (Randy) Cardon, Los Alamos National Laboratory
LA-UR
Operated by Los Alamos National Security, LLC for NNSA. UNCLASSIFIED. LANS Company Sensitive: unauthorized release or dissemination prohibited.
Los Alamos National Laboratory, an affirmative action/equal opportunity employer, is operated by Los Alamos National Security, LLC for the National Nuclear Security Administration of the U.S. Department of Energy under contract DE-AC52-06NA. By acceptance of this article, the publisher recognizes that the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or to allow others to do so, for U.S. Government purposes. Los Alamos National Laboratory requests that the publisher identify this article as work performed under the auspices of the U.S. Department of Energy. Los Alamos National Laboratory strongly supports academic freedom and a researcher's right to publish; as an institution, however, the Laboratory does not endorse the viewpoint of a publication or guarantee its technical correctness.


Things I'm Glad I Didn't Say
- "Everything that can be invented has been invented."
- "I think there is a world market for maybe five computers."
- "Get your feet off my desk, get out of here, you stink, and we're not going to buy your product."
- "There is no reason for any individual to have a computer in his home."
- "640K ought to be enough for anybody."

Things I Wish I'd Said
- "However beautiful the strategy, you should occasionally look at the results."
- "Great leaders tell people what to do, not how to do their jobs. They allocate resources and give them authority."

Contact Information
Randy Cardon, (505)

Multiple Tools
- Database for International Visits and Assignments (DIVA)
- Open Collaborator Enclave (OCE)
- Privileged User Access Request (PUAR)

DIVA
The requirements were provided by Foreign Visits and Assignments. The implementation was done by LDRD.

How Does DIVA Work
DIVA does the following:
- Captures visitor and visit or assignment information as a request
- Routes the request for reviews and approvals
- Authorizes badging
(Diagram: Visit Requests -> Reviews and Approvals -> Badge)

User Roles and Actions
(Diagram only; no text survives extraction.)

Review and Approval
(Flowchart of the DIVA review and approval routing; only the decision branch labels Yes, No and Return survive extraction.)

OCE
The initial concept and design were done by ACS-PO. The implementation was done by NIE.

OCE Enclave Access
(Diagram only; no text survives extraction.)

Goals
- Create a network for FN (foreign national) systems that is segmented from the Yellow network, to meet HQ expectations.
- Meet the NAP requirements through engineered controls.
- Demonstrate a new model architecture for the LANL unclassified environment that provides greater data protection, access flexibility and control, and monitoring for the various use profiles of LANL unclassified computing.
- Provide near real-time access management updates for inter-enclave access, with enforced business rules.
- Develop enhanced surveillance to detect unauthorized access.

OCE Design
(Architecture diagram; components as labelled:)
- OCE Control: Enclave Membership and Access Management, fed by DIVA, Business Rules, Authentication Logs and Cyber Monitoring
- OCE Gateway, pushing access control to Net Devices
- OCE Host (on-site) and Remote Access via SSL VPN
- Yellow Network Resource reached through the gateway

Access Control Features
- User-based: authenticated access to specific Yellow assets. OCE Control manages the access control.
- User-role-based access. Role = Yellow assets and who can access them.
- Yellow monitoring: key indicators are monitored for unauthorized OCE access. OCE members can only access the OCE resources and those Yellow resources that a member is authorized for through roles. Jumping from authorized Yellow resources to non-authorized resources will be detected. Bypassing the OCE Gateway will also be detected using this system.
- Remote access: remote OCE users see the same access control policies as local users.
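The slides describe the flow end to end but show no mechanism: DIVA captures the visit and authorizes the badge, OCE Control derives enclave membership and role-based access from it under business rules, the gateway enforces it, and monitoring catches members reaching Yellow assets outside their role, pivoting from an authorized Yellow asset to an unauthorized one, or bypassing the gateway. The script below is an added example written for this page, not LANL's DIVA, OCE Control or monitoring code. It assumes the address ranges, gateway address, role-to-asset mapping, record fields (in particular that a visit record carries roles and an assigned OCE host) and the pivot heuristic; the visit records and flow records are constructed.

```python
"""Added example, not code from the LANL presentation: derive OCE enclave
membership from DIVA-style visit records under a few business rules, build
the per-member Yellow allow-list that OCE Control would push to the gateway,
and run a monitor over constructed flow records that flags the conditions
the slides say must be detected. Every address, role, host and record below
is invented for illustration."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

OCE_NET = ip_network("10.20.0.0/16")     # assumed OCE enclave range
YELLOW_NET = ip_network("10.30.0.0/16")  # assumed Yellow network range
GATEWAY = ip_address("10.20.0.1")        # assumed OCE Gateway address

# Role = Yellow assets and who can access them (values assumed).
ROLE_ASSETS = {
    "collab-physics": {"10.30.1.10", "10.30.1.11"},
    "collab-hpc": {"10.30.2.20"},
}


@dataclass(frozen=True)
class VisitRecord:
    """What DIVA captures per visit: visitor, dates, approval, badge, and
    (assumed here) the roles granted and the OCE host assigned."""
    visitor: str
    start: date
    end: date
    approved: bool
    badge_active: bool
    roles: frozenset
    host: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    via: str  # device that forwarded the flow (assumed field)


def active_members(records, today):
    """Business rules: a visitor is an OCE member only while the visit is
    approved, the badge is active and today falls within the visit dates."""
    return {r.host: r for r in records
            if r.approved and r.badge_active and r.start <= today <= r.end}


def allowed_assets(rec):
    return set().union(*(ROLE_ASSETS.get(role, set()) for role in rec.roles))


def gateway_acl(members):
    """Flat (source host, Yellow asset) allow-list for the OCE Gateway."""
    return {(host, asset) for host, rec in members.items()
            for asset in allowed_assets(rec)}


def monitor(flows, members):
    """Returns (kind, src, dst) alerts for: OCE->Yellow from a non-member
    host, OCE->Yellow outside the member's roles, OCE->Yellow not forwarded
    by the gateway, and a pivot from a reached Yellow asset to one that no
    member who reached it is allowed (a heuristic assumed here)."""
    alerts = []
    reached = {}  # Yellow asset -> OCE hosts that legitimately reached it
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src in OCE_NET and dst in YELLOW_NET:
            rec = members.get(f.src)
            if rec is None:
                alerts.append(("non-member-source", f.src, f.dst))
            elif f.dst not in allowed_assets(rec):
                alerts.append(("outside-role", f.src, f.dst))
            else:
                reached.setdefault(f.dst, set()).add(f.src)
            if ip_address(f.via) != GATEWAY:
                alerts.append(("gateway-bypass", f.src, f.dst))
        elif src in YELLOW_NET and dst in YELLOW_NET and f.src in reached:
            permitted = set().union(
                *(allowed_assets(members[h]) for h in reached[f.src]))
            if f.dst not in permitted:
                alerts.append(("pivot", f.src, f.dst))
    return alerts


# Constructed sample data: one current visitor, one whose visit has ended.
TODAY = date(2024, 6, 15)
RECORDS = [
    VisitRecord("alice", date(2024, 3, 1), date(2024, 12, 31), True, True,
                frozenset({"collab-physics"}), "10.20.5.7"),
    VisitRecord("bob", date(2024, 1, 1), date(2024, 2, 28), True, True,
                frozenset({"collab-hpc"}), "10.20.5.9"),
]
FLOWS = [
    Flow("10.20.5.7", "10.30.1.10", "10.20.0.1"),   # alice, in role, via gateway
    Flow("10.20.5.7", "10.30.2.20", "10.20.0.1"),   # alice, outside her role
    Flow("10.20.5.7", "10.30.1.11", "10.20.0.2"),   # in role, but bypassed gateway
    Flow("10.20.5.9", "10.30.2.20", "10.20.0.1"),   # bob's visit has expired
    Flow("10.30.1.10", "10.30.9.99", "10.30.0.1"),  # pivot from a reached asset
    Flow("10.30.1.10", "10.30.1.11", "10.30.0.1"),  # onward hop still within role
]


def demo():
    members = active_members(RECORDS, TODAY)
    return gateway_acl(members), monitor(FLOWS, members)


if __name__ == "__main__":
    acl, alerts = demo()
    print(sorted(acl))
    for alert in alerts:
        print(*alert)
```

Membership is recomputed from the DIVA records each time rather than stored, which is what makes the "near real-time" update in the goals cheap: an expired visit or a revoked badge drops the host from the allow-list on the next run, and the same record set drives both enforcement (the ACL) and detection (the monitor), so the two cannot drift apart.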

Use Cases
(Table; cell text as extracted, column order as on the slide.)
Columns: OCE Member, On-Site from OCE to Yellow/Internet; Off-Site to OCE or Yellow; On-Site outside OCE (User Authentication / Non-Auth); Non-OCE Member outside OCE (User Authentication / Any Access)
Cell text:
- "Source" Central Authentication "on", Access List
- Non-Auth
- User-based "roles" define access
- Yellow Web Proxy, Unauthenticated Access: Yellow Controls
- OCE "Out" IP-based Access Rules
- User-based "roles" define access
- None
- "Source" Central Authentication "off", Access List
- Unauthorized Access
- User-based Access Controls to Data
- OCE Resource: Any Access, OCE Firewall Access List

PUAR
Requirements were developed by OCIO. Implementation was done by SAE.

PUAR Workflow
(Diagram only; no text survives extraction.)

Questions?
"Nothing in the world can take the place of persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent." Calvin Coolidge