Presentation is loading. Please wait.

Presentation is loading. Please wait.

DoD Identity & Access Management (IdAM) Portfolio Overview

Published byGodfrey Harvey Modified over 6 years ago

Similar presentations

Presentation on theme: "DoD Identity & Access Management (IdAM) Portfolio Overview"— Presentation transcript:

1 DoD Identity & Access Management (IdAM) Portfolio Overview
DISA Enterprise Services Directorate (ESD) 7 May 2013 UNCLASSIFIED

2 IdAM Concepts & IdAM Portfolio
Overview IdAM Concepts & IdAM Portfolio 5/7/13 UNCLASSIFIED

3 IdAM Overview Identity and Access Management (IdAM) is the combination of technical systems, policies and processes that create, define, and govern the utilization and safeguarding of identity information, as well as managing the relationship between an entity and the resources to which access is needed. IdAM can be divided into three fundamental capabilities: Manage Digital Identities, Authenticate Users, and Authorize Access to Resources. IdAM supports the warfighter by creating assured identity and access management services for the DoD Enterprise. 5/7/13 UNCLASSIFIED

4 Give access to resource?
IdAM in a Nutshell IdAM Authentication Decision Is the identity valid / authenticated? 2 Resources Give access to resource? I am John. Here is my identity credential. Can I access the resource? 1 4 Resource Access 5 Is John authorized to access the resource? 3 Web Page, File, etc Authorization Decision 5/7/13 UNCLASSIFIED

5 IdAM Terms Digital Identity: the electronic representation of an individual’s identity Authentication: process of verifying that a claimed identity is genuine and based on valid credentials Authorization and Access: processes of granting or denying specific requests for obtaining and using information processing services or data Source: Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance, version 1.0, 10 Nov 2009 5/7/13 UNCLASSIFIED

6 IdAM Portfolio Joint Defense Information Systems Agency (DISA) /Defense Manpower Data Center (DMDC)/National Security Agency (NSA) organizational construct for managing an array of core material solutions to enable DoD enterprise-wide digital identity, authentication, and authorization capabilities Creates a foundation for building a secure and trusted computing environment Provides the capabilities for secure enterprise information sharing Utilizes account and attribute management services, assured digital identity capabilities, automated account provisioning, and attribute based access control 5/7/13 UNCLASSIFIED

7 IdAM Portfolio High-Level Capability Model
Provide Enterprise IdAM Services (CONOPS, Governance ,Target State & Vision, Architecture, Data Quality) Manage Digital Identities Authenticate Users Authorize Access to Resources Enterprise Identity Attribute Services (EIAS) Enterprise Directory Services (EDS) Batch Broker Service (BBS) DoD Enterprise White Pages Identity Synchronization Services (IdSS) Enterprise Directory Query Service (EDQS) IdSS Machine Interface (IdMI) milConnect Real-Time Broker Service (RBS) Authentication Gateway Service (AGS) DoD Visitor Global Directory Service (GDS) Public Key Enablement (PKE) Public Key Infrastructure (PKI) Attribute Based Access Control (ABAC) Legend Service provided by DISA Service provided by DISA in partnership with NSA Service provided by DMDC Suite of services- not an independent service 5/7/13 UNCLASSIFIED

8 IdAM Portfolio Activities
Overview IdAM Portfolio Activities 5/7/13 UNCLASSIFIED

9 IdAM CONOPS & Governance
IdAM Policy and Guidance Developed by DoD CIO in coordination with DISA and DMDC Combatant Commands, Services, and Agencies (CC/S/As) included in review and adjudication Ensures alignment to existing DoD policy and guidance Mandates usage of enterprise IdAM services and defines relevant processes and procedures IdAM Services Developed, deployed, and maintained by DISA and DMDC Other entities such as NSA may be included in the fielding process where appropriate Coordination with CC/S/As for requirements development and pilots Services primarily deployed at enterprise level within Defense Enterprise Computing Centers (DECCs) Specific services deployed locally at CC/S/A level (DoD Visitor, AGS) DISA and DMDC coordinate with CC/S/As to integrate IdAM services into local CC/S/A infrastructures 5/7/13 UNCLASSIFIED

10 IdAM Target State & Vision
IdAM Goals Mission-enabling capabilities: Enterprise User capability “I can go anywhere in the DoD, login, and be productive” – automatic and data driven Security: IT resources protected from inappropriate modification or disclosure and users are able to be held accountable for their actions – automatic and data driven Efficiency: reduce required resources – automatic and data driven IdAM Target State Capabilities – used by all DoD IT devices, systems, applications & services on NIPRNET, SIPRNET, and commercial enclaves Same user identifiers, attributes, and credentials used everywhere, managed automatically from accountable data source to consumer Persona-based from DMDC’s Person Data Repository (PDR) and DISA’s Global Directory Service (GDS) for users with DoD PKI credentials Accountable source-based for other users (other federal, coalition, state & local, etc.) Dynamic authentication, authorization and access control Automatic and user data driven (all use cases) Directly or through gateway services DoD-wide people and organization discovery services 5/7/13 UNCLASSIFIED

11 IdAM Portfolio Architecture
Persona Contact Information Certificates & CRLs Persona Contact Information PKI Authentication Brokered Authentication PKI Authentication PKE milConnect White Pages Enterprise Applications / Services Local Applications / Services AGS DoD Visitor PEP PKI Validation EASF ABAC PKI EDQS PDP IdSS PKI Validation RCVS Policy Store GDS IdMI CC/S/A Directories CA Certificates Attribute Broker BBS PAP PDR RBS EIAS Legend Identity Information Flow ABAC: Attribute Based Access Control IdMI: IdSS Machine Interface AGS: Authentication Gateway Service IdSS: Identity Synchronization Service BBS: Batch Broker Service PAP: Policy Administration Point CA: Certificate Authority PDP: Policy Decision Point CC/S/A: Combatant Commands/Services/Agencies PDR: Person Data Repository CRL: Certificate Revocation List PEP: Policy Enforcement Point EASF: Enterprise Applications Services Forest PKE: Public Key Enablement EDQS: Enterprise Directory Query Service PKI: Public Key Infrastructure EIAS: Enterprise Identity Attribute Service RBS: Real-time Broker Service GDS: Global Directory Service RCVS: Robust Certificate Validation Service Authentication Information Flow Authorization Information Flow Identity Service Authentication Service Authorization Service Service External to IdAM IdAM Services Consumer 5/7/13 UNCLASSIFIED

12 Data Quality Initiative
The Data Quality Initiative is an initiative to improve and maintain the accuracy of enterprise identity and organizational contact information Leverages milConnect to provide users with a self-service portal to manage their contact data in DMDC for access via RBS, BBS, and IdSS Currently coordinating with CC/S/As to provide DMDC with initial authoritative data Currently developing enterprise data specifications, including DoD EDS Data Dictionary 5/7/13 UNCLASSIFIED

13 Manage Digital Identities
Overview Manage Digital Identities 5/7/13 UNCLASSIFIED

14 Enterprise Identity Attribute Service (EIAS)
The Enterprise Identity Attribute Service (EIAS) distributes DoD person, persona, and personnel attributes to applications and services in a controlled, consistent, and secure manner for making authorization decisions Provides ability for relying party to confirm an individual’s identity and affiliation to the DoD for the purpose of enabling Attribute Based Access Control (ABAC) Provides the capability to cross-reference, share, and distribute the DoD Electronic Data Interchange Person Identifier (EDI-PI) and the DoD Enterprise Username Leverages real-time, signed SAML Request/Response Available on NIPRNet and SIPRNet 5/7/13 UNCLASSIFIED

15 Enterprise Directory Services (EDS)
Suite of services providing authoritative DoD Enterprise organizational and contact attributes Consists of: Real-Time Broker Service (RBS) Batch Broker Service (BBS) Identity Synchronization Services (IdSS) Enterprise Directory Query Service (EDQS) Enterprise White Pages milConnect Local directories must leverage the provisioning and sync services Applications requiring people discovery functions must use EDS as the source for their enterprise directory information 5/7/13 UNCLASSIFIED

16 Real-time Broker Service (RBS)
The Real-time Broker Service (RBS) is a synchronous web service that provides DoD identity and contact data to CC/S/As Delivers one record per transaction, customized to the requester Useful for integration into applications in lieu of local datastore / directory server Target response < 2 seconds Recommended persona population under 1 million records 5/7/13 UNCLASSIFIED

17 Batch Broker Service (BBS)
The Batch Broker Service (BBS) is an asynchronous web service that provides DoD identity and contact data to CC/S/As Can deliver tens of thousands of records per transaction, customized to the requester, for populations in the millions Supports local directory provisioning and updating Useful for periodically updating large populations Provides the largest set of authentication attributes of any EDS service Provides DoD dependent and retiree data Feeds the Identity Synchronization Service (IdSS) 5/7/13 UNCLASSIFIED

18 Identity Synchronization Service (IdSS)
The Identity Synchronization Service (IdSS) is a DoD Enterprise directory service forest synchronization service Connects to accountable identity sources to collect and groom identity information for all CAC holders DMDC Person Data Repository (PDR) for identity data DISA Global Directory Service (GDS) for encryption certificates Controls all account creation, deletion, and updates into DISA’s Enterprise Application Services Forest (EASF) which is used for DISA-hosted DoD enterprise services (DEE, DEPS, etc) Data available for consumption via the IdSS Machine Interface (IdMI) and the Enterprise Directory Query Service (EDQS) 5/7/13 UNCLASSIFIED

19 IdSS Machine Interface (IdMI)
The IdSS Machine Interface (IdMI) provides DoD identity and contact data to CC/S/As from IdSS Supports local directory provisioning and updating Supports populating Global Address List (GAL) Active Directory, LDAP v3, CSV, other formats available Available on both NIPRNet and SIPRNet No cost for initial connection (both NIPR and SIPR) 5/7/13 UNCLASSIFIED

20 Enterprise Directory Query Service (EDQS)
The Enterprise Directory Query Service (EDQS) provides an LDAP interface to query IdSS data Provides flexible integration for applications for identity/authentication in lieu of local directory store Currently utilized as data service for DoD Enterprise White Pages Fee for service (cost model TBD) 5/7/13 UNCLASSIFIED

21 DoD Enterprise White Pages
DoD Enterprise White Pages is a website to search for identity and organizational contact information for members of the DoD Enterprise Leverages persona-based authoritative data provided by IdSS Enables search by an individual’s full name, rank, addresses, and other relevant information NIPRNet deployment occurred in April 2013 – SIPRNet deployment planned FY13; Legacy capability provided by JEDS No cost enterprise service 5/7/13 UNCLASSIFIED

22 milConnect For the purposes of EDS, milConnect is a website that allows members of the DoD to access and update their persona contact data Designated interface for maintaining DoD person and persona information such as Duty Organization, Job Title, Installation, Address, and Phone Number milConnect populates DMDC systems, and, in turn, supports all EDS capabilities Keeping persona contact data updated is integral to ensuring local directories, Global Address Lists (GALs), and enterprise applications such as DoD Enterprise White Pages have up-to-date information DoD personnel, including DoD contractors, may access milConnect at No cost enterprise service 5/7/13 UNCLASSIFIED

23 Overview Authenticate Users 5/7/13 UNCLASSIFIED

24 Public Key Infrastructure (PKI)
DoD Public Key Infrastructure (PKI) is a framework established to issue, maintain, and revoke public key certificates, including systems, processes, and people Provides certificates for NIPRNet (DoD Root CA) and SIPRNet (NSS PKI CA) as software certificates or on hardware (e.g., Common Access Card PKI certificates) Interoperates with DoD External Certificate Authorities (ECA), federal PIV certificate issuers, selected approved commercial PKI CAs, and selected approved Combined Communications Electronics Board (CCEB) PKI CAs No cost enterprise service 5/7/13 UNCLASSIFIED

25 Public Key Enablement (PKE)
DoD Public Key Enablement (PKE) is the process of ensuring that applications can use certificates issued by the DoD PKI, NSS PKI, or DoD-approved external PKIs to support identification and authentication, data integrity, confidentiality, and/or technical non-repudiation Common uses include enabling: Smart card logon to DoD networks and certificate-based authentication to systems Secure connections (SSL/TLS) to DoD servers Digital signature and encryption of s from desktop, web, and mobile clients Digital signature of forms No cost enterprise service 5/7/13 UNCLASSIFIED

26 Global Directory Service (GDS)
The Global Directory Service (GDS) is a DISA-provided enterprise-wide directory service that supports the DOD PKI Program GDS is the DoD PKI distribution point for its Certificate Revocation Lists (CRLs) and individual public key encipherment certificates Currently provides a DoD-wide search capability for information (names, addresses, and public key encipherment certificates) regarding DoD personnel with a DoD PKI certificate on the NIPRNet and SIPRNet No cost enterprise service 5/7/13 UNCLASSIFIED

27 DoD Visitor DoD Visitor is GOTS software deployed to CC/S/A user-facing MS domain controllers allowing CAC-holding employees temporary access to basic productivity tools while on travel Provisions temporary access accounts allowing access to a web browser, Microsoft Office, and local print services at a non-home location Files are stored temporarily on the workstation and automatically removed when the user logs off the system NIPRNet: CTO was released Dec/FY12 directing local components to upgrade to latest version of DoD Visitor (Deadline June/FY13) SIPRNet : CTO expected to be released in Q2 FY13 mandating initial installation of DoD Visitor on SIPRNet No cost GOTS software 5/7/13 UNCLASSIFIED

28 Authentication Gateway Service (AGS)
The Authentication Gateway Service (AGS) is an authentication middleware that PKI-enables applications and systems that cannot be directly PK-enabled Where possible, DoD components are directed to perform direct PKI authentication using approved PKI certificates; When not possible, AGS provides an alternative for CAC users only May be locally deployed or deployed at DECC; any instance must be placed in same logical network as the applications associated with it All DoD applications must either become compliant via direct PKI authentication or migrate to the DISA provided service until such time as they are able to become compliant Currently being piloted in US Army integration with Google Applications for Government Fee for service GOTS middleware (cost model TBD) 5/7/13 UNCLASSIFIED

29 Authorize Access to Resources
Overview Authorize Access to Resources 5/7/13 UNCLASSIFIED

30 Enterprise Attribute Based Access Control (ABAC)
Enterprise Attribute Based Access Control (ABAC) provides authorization decision support for web services, Enterprise Messaging, and internal applications Allows Programs of Record to develop custom code for application use Open source software available at Click on “Documents” at top of page Expand “Open Source Attribute Based Access Control (OS ABAC)” folder Identify most recent version and expand that folder (e.g. “ABAC V1.4”) Expand “UserGuide/Installation/Training” folder and download “OS ABAC Install Guide” CC/S/As may deploy locally or utilize DISA-managed service (currently deployed at Columbus and Oklahoma City DECCs) No cost GOTS software; Fee for service if utilizing DISA-managed service (cost model TBD) DISA also evaluating COTS software for enterprise service 5/7/13 UNCLASSIFIED

31 Questions? 5/7/13 UNCLASSIFIED

32 Backup Slides 5/7/13 UNCLASSIFIED

33 Attribute Service Consumers
EIAS Architecture PDR GDS Legend EIAS Identity Service Authentication Service Authorization Service Service External to IdAM Requests / Receives Attributes IdAM Services Consumer 1 2 Application or Service Attribute Broker Attribute Service Consumers 3 Makes Authentication or Access Decision 5/7/13 UNCLASSIFIED

34 EDS Architecture DoD White Pages 5/7/13 UNCLASSIFIED Legend milConnect
Identity Service Authentication Service milConnect GDS Persona Contact Info Authorization Service Service External to IdAM IdAM Services Consumer Credentials PKI Certificate EASF Enterprise Apps DEE DEPS UC RBS BBS IdMI EDQS PDR IdSS DoD Enterprise White Pages Search / Retrieve Persona Contact Info CC/S/A Directories User DoD White Pages 5/7/13 UNCLASSIFIED

35 Global Directory Service (GDS) Architecture
GDS NIPRNET GDS OUTPUTS Distribution point for DoD PKI Encryption Certificates to individual DoD and ECA Users DoD replication partners (AKO, AFDS, IdSS, SPAWAR) for delivery of DoD PKI Encryption Certificates Informally, a part of the local site account provisioning process. Distribution point worldwide for DoD PKI CA and ECA CRL(s) Distribution point for DoD PKI Root CRLs, Certificates, and cross certificates Servicing of AIA and CDP extensions for all DOD PKI issued certificates Servicing of AIA and CDP extensions for all DOD PKI Test certificates Distribution point for DoD PKI Test and preproduction Root CRLs, Certificates, and cross certificates Distribution to GCDS for NIPR users, directly for Internet users and to PKI RCVS servers. Distribution point for Encryption Certificates for individual DoD users DoD replication partners ( IdSS) for delivery of DoD PKI Encryption Certificates Distribution point for DoD PKI CA CRL(s) Distribution point for DoD PKI Root CRLs Servicing of AIA and CDP extensions for all CNSS DOD PKI issued certificates Servicing of AIA and CDP extensions for all CNSS DOD PKI Test certificates Distribution point for CNSS DoD PKI Root CRLs, Certificates, and cross certificates Distribution point for CNSS DoD PKI Test and preproduction Root CRLs, Certificates, and cross certificates DoD PKI Root CA’s (certs &CRL’s) https queries HTTPS webpage DoD PKI CA’s 15-30 ( certs) ldaps queries DoD PKI CA’s 15-30 ( and ID CRL’s) LDAPS ldaps queries ECA Vendor CRL’s (Verisign, ORC, IdenTrust) Legacy Systems IdSS AKO USAF SPAWAR Customized Data Consumer Connections GDS SIPRNET DoD PKI CA’s 17,18,21,23 ( certs) https queries HTTPS webpage DoD PKI CA’s 17,18,21,23 ( and ID CRL’s) ldaps queries ldaps queries CNSS CA ( certs) LDAPS Legacy Systems CNSS CA (CRL’s) IdSS Customized Data Consumer Connection 5/7/13 UNCLASSIFIED

36 DoD Visitor Architecture
Visiting User Present Credentials for Authentication Provision Guest Account 1 4 Local Network Resources DoD Visitor Credentials 2 Request / Retrieve Credential Status Legend 3 Identity Service Authentication Service Authorization Service Service External to IdAM PKI / PKE Services IdAM Services Consumer 5/7/13 UNCLASSIFIED

37 DoD Enterprise/COI Credential Services
AGS Architecture User Present Credentials for Authentication Provide Brokered Authentication 1 4 AGS Legacy Apps Credentials 2 Request / Retrieve Credential Status 3 Legend DoD Enterprise/COI Credential Services Identity Service Authentication Service Authorization Service Service External to IdAM Local User Directory IdAM Services Consumer PKI / PKE Services 5/7/13 UNCLASSIFIED

38 Enterprise ABAC Architecture
User Legend Resources Request Access 1 Identity Service Authentication Service Authorization Service 10 Grant / Deny Access PEP Service External to IdAM IdAM Services Consumer Credentials 2 Request / Retrieve Decision 4 9 PDP 5 Request / Retrieve Digital Policy Request / Retrieve Credential Status PDP 6 Policy Store PKI Services 3 PAP Request / Retrieve Attributes 7 8 Non-DoD Identity Mgmt. DoD Enterprise/COI Attribute Services Deployed Attribute Services Cache Enterprise/COI Attributes Cache Resource Attributes Cache DMDC GFM DI Resource Attributes Attribute Broker 5/7/13 UNCLASSIFIED

39 DMDC Identity Web Services (IWS)
Identity Web Services (IWS) are capabilities developed by DMDC to provide identity verification services to government agencies for DoD military personnel, their dependents, retirees, DoD civilians, and contractors Data is fed from DMDC Person Data Repository (PDR) Includes: Enterprise Identity Attribute Service (EIAS) Real-Time Broker Service (RBS) Batch Broker Service (BBS) 5/7/13 UNCLASSIFIED

Download ppt "DoD Identity & Access Management (IdAM) Portfolio Overview"

Similar presentations

Mobile Devices in the DoD

Mobile Devices in the DoD
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
The Federation for Identity and Cross-Credentialing Systems (FiXs) www.FiXs.org FiXs ® - Federated and Secure Identity Management in Operation Implementing.

The Federation for Identity and Cross-Credentialing Systems (FiXs) FiXs ® - Federated and Secure Identity Management in Operation Implementing.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
United States DoD Public Key Infrastructure: Deploying the PKI Token

United States DoD Public Key Infrastructure: Deploying the PKI Token
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Spring 2013 ICAM Day Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential &

Spring 2013 ICAM Day Value of ICAM Breakout Session Paul D. Grant Director of Cybersecurity Policy, DoD CIO Co-Chair, Federal Identity, Credential &
1 UNCLASSIFIED Army Enterprise Email Migration to DISA LTC Peter Barclay, CIO/G6 Mr. Kevin Mott, NETCOM Mr. Jose Ortega, PEO EIS Mr. Donald Greenlee, PEO.

1 UNCLASSIFIED Army Enterprise Migration to DISA LTC Peter Barclay, CIO/G6 Mr. Kevin Mott, NETCOM Mr. Jose Ortega, PEO EIS Mr. Donald Greenlee, PEO.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Understanding Active Directory

Understanding Active Directory
UNCLASS DoD Public Key Infrastructure LCDR Tom Winnenberg DISA API1 Chief Engineer 25 April 2002.

UNCLASS DoD Public Key Infrastructure LCDR Tom Winnenberg DISA API1 Chief Engineer 25 April 2002.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Understanding Active Directory

Understanding Active Directory
Enterprise SharePoint Service (ESPS) 17 August 2011 A Combat Support Agency Defense Information Systems Agency.

Enterprise SharePoint Service (ESPS) 17 August 2011 A Combat Support Agency Defense Information Systems Agency.
Managing Client Access

Managing Client Access

Similar presentations

Ads by Google