Published by Hope Briggs. Modified over 9 years ago.
Slide 1: Continuous Knowing: Know who is in your Network
11921 Freedom Drive, Suite 710, Reston, VA 20190. Phone: (703) 793-7870 | Web: www.certipath.com
Microsoft and Office are trademarks of Microsoft Corporation in the United States and/or other countries.
Slide 2: CertiPath: Who We Are
- Identity-focused products and services: PKI-based offerings that make identities safer and more efficient to use
- An identity policy hub, the CertiPath Bridge: certified once, trusted by many; secure and efficient information exchange; utilized by LACS and PACS
- Crafters of standards and specifications: authored or co-authored many US credential standards and drafted ICAM's PIV in EPACS specification; once a standard or specification is published, we work with vendors and customers to implement it
- Privately held: private U.S. investors and employee owned
Slide 3: PKI is Center Stage Right Now
- According to Verizon's 2013 Data Breach Investigations Report, 76 percent of network intrusions exploited weak or stolen credentials.
- "We need to make this the year we eliminate passwords." - Mark Orndorff, http://www.federalnewsradio.com/885/3788055/Next-step-for-DoD-cybersecurity-Ditch-passwords-once-and-for-all
- "The new OS will feature enhancements in areas like identity protection, data security, and malware resistance." http://www.infoworld.com/article/2838016/operating-systems/windows-10-to-get-twofactor-authentication-builtin.html
Slide 4: Smartcard Issuance Progress by Agency
Slide 5: We've Only Just Begun
- Credentials issued to our community of interest
- Ability to detect an outage in the trust network
- Ability to detect suspicious credential usage at one application
- Ability to detect suspicious credential usage across multiple applications
- Relying party reporting rules to the issuer for suspicious activity
- Ability to update trust lists at relying parties based on suspicion of an issuer
Slide 6: Who Has That Sort of Capability? Credit Cards
- Network operations: extreme fault tolerance and world-class network uptime SLAs
- Credit card security: multiple providers of fraud detection systems based on card usage (e.g. RSA, Falcon)
- Suspicious usage at one merchant
- Suspicious usage across multiple merchants
- Strong reporting requirements for merchants that backstop auto-detection
Slide 7: PKI Monitoring
Increased reliance on PKI means the information PKI provides is critical. Major consumers: email users, websites, enterprise gateways, physical access systems, airplanes.
Trust-fabric-sourced information is increasingly the digital trust currency of the internet.
Slide 8: Usage Profile: Building & Application Owners
- Monitor the status of the credential and identity infrastructure your applications rely on, even when it is hosted externally
- Take action: continuously monitor against access control requirements
Slide 9: Usage Profile: Certificate Issuers
- Monitor the service within the SLA you are providing to your customers
Slide 10: Usage Profile: Trust Framework Providers
- Continuous monitoring of the health and well-being of the members of your community, including peer bridges
Slide 11: Usage Profile: Internal & External Auditors
- Traditional auditing relies on management assertions, statistical process sampling, and tedious log review.
- Continuous monitoring tracks the compliance of everything, all the time.
Slide 12: High Assurance Transactions – JPAS
Joint Personnel Adjudication System (JPAS)
Slide 13: High Assurance Transactions – JPAS
User logs in → PKI authentication
Slide 14: High Assurance Transactions – JPAS
User logs in → PKI authentication *failed*. When they can't connect, they contact the help desk or call center.
Slide 15: High Assurance Transactions – A lot can go wrong
Same flow as slide 14: PKI authentication *failed*, and when they can't connect, they contact the help desk or call center.
Slide 16: High Assurance Transactions – A lot can go wrong
Server SSL certificate:
- Server SSL Cert has expired
- Server SSL Cert has been revoked
- Server SSL Cert was tampered with
- SSL Cert has been re-keyed
- Server SSL Cert's CRL is offline
- Server SSL Cert's CRL was tampered with
- Server SSL Cert's CRL has expired
Issuing CA:
- Issuing CA has expired
- Issuing CA's Cert has been revoked
- Issuing CA was tampered with
- Issuing CA has been re-keyed
- SCA Re-key has occurred
- Issuing CA's CRL is offline
- Issuing CA's CRL was tampered with
- Issuing CA's CRL has expired
OCSP:
- An OCSP Responder is offline
- OCSP Responder Cert has expired
- OCSP Responder Cert was tampered with
Cross-certificate:
- Cross-certificate has a new Name Constraint
- Cross-certificate has a new Policy Constraint
- Cross-certificate has expired
- Cross-certificate was tampered with
- Cross-certificate's CRL was tampered with
Path building:
- Unable to build path – AIA (Authority Information Access) location offline
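The list above is what a help desk has to work through when a PKI log-in fails. As an added example (not code from the presentation or from CertiPath), the Go program below builds a constructed two-tier hierarchy in memory and runs the checks a relying party performs at log-in, mapping each failure to the slide's wording: server cert expired, issuing CA expired, server cert revoked via CRL, CRL expired, CRL or certificate tampered with, and a name constraint on the issuing CA that excludes the server name (the effect of a cross-certificate gaining a new name constraint). Everything in it is an assumption made for the demonstration: the CA name "Constructed Issuing CA", the host names jpas.example.com, jpas.example.org and old.example.com, the validity periods, and the `Finding` strings. It uses only Go's standard crypto/x509, which does path building, validity-time and name-constraint checking but does not fetch or evaluate CRLs, so those checks are written out. OCSP, AIA fetching and policy constraints from the slide are not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Finding string // the relying party's verdict, worded like the slide's list
const (
	OK             Finding = "ok: path built, CRL signed and fresh, not revoked"
	LeafExpired    Finding = "Server SSL Cert has expired"
	CAExpired      Finding = "Issuing CA has expired"
	NameConstraint Finding = "Name Constraint on the issuing CA excludes the server name"
	PathFailed     Finding = "Unable to build path: no signature in the chain verifies"
	CRLTampered    Finding = "Issuing CA's CRL was tampered with"
	CRLExpired     Finding = "Issuing CA's CRL has expired"
	LeafRevoked    Finding = "Server SSL Cert has been revoked"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewFixture builds a constructed hierarchy in memory with fresh P-256 keys (no real PKI):
// a name-constrained issuing CA, server certs inside and outside the constraint, a revoked
// one, and the CA's CRL. The server certs deliberately outlive the CA so that case can be shown.
func NewFixture(t0 time.Time) (ca, inside, outside, revoked *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore: t0, NotAfter: t0.AddDate(2, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // it signs its own CRL
		// The "Name Constraint": only example.com names may chain through this CA.
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.com"},
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, dns string) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: dns}, DNSNames: []string{dns},
			NotBefore: t0, NotAfter: t0.AddDate(3, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &k.PublicKey, caKey))))
	}
	inside, outside, revoked = issue(2, "jpas.example.com"), issue(3, "jpas.example.org"), issue(4, "old.example.com")
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: t0, NextUpdate: t0.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: t0}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return
}

// Check runs the path-building, validity-time and revocation checks a relying party
// performs at log-in. Go's Verify does not consult CRLs, so those checks are explicit.
func Check(ca, leaf *x509.Certificate, crl *x509.RevocationList, now time.Time) Finding {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0], CurrentTime: now})
	var inv x509.CertificateInvalidError // stays zero unless err is a CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName {
		return NameConstraint
	} else if inv.Reason == x509.Expired && inv.Cert.Equal(ca) {
		return CAExpired
	} else if inv.Reason == x509.Expired {
		return LeafExpired
	} else if err != nil { // e.g. x509.UnknownAuthorityError: no candidate issuer's signature verified
		return PathFailed
	}
	if crl.CheckSignatureFrom(ca) != nil {
		return CRLTampered
	}
	if now.After(crl.NextUpdate) {
		return CRLExpired
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return LeafRevoked
		}
	}
	return OK
}

// Tampered flips one bit of a signed body; assign it to a copy's RawTBSCertificate or
// RawTBSRevocationList to reproduce the slide's "was tampered with" cases.
func Tampered(signed []byte) []byte { return append([]byte{signed[0] ^ 1}, signed[1:]...) }

func main() {
	ca, inside, outside, revoked, crl := NewFixture(time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC))
	day1, later := ca.NotBefore.AddDate(0, 0, 1), ca.NotBefore.AddDate(2, 6, 0)
	fmt.Println(Check(ca, inside, crl, day1), "|", Check(ca, inside, crl, later), "|", Check(ca, revoked, crl, day1), "|", Check(ca, outside, crl, day1))
}
```

Running it prints the healthy verdict, then the "Issuing CA has expired", "Server SSL Cert has been revoked" and name-constraint verdicts. The order of checks is the one that matters in practice: the CRL's own signature is checked before its freshness or contents, because a stale or tampered CRL says nothing trustworthy about revocation, and a path that cannot be built is reported before revocation is consulted at all.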
Slide 17: High Assurance Transactions – take many forms
As it relates to high assurance credentials, all applications are the same: the failure list from slide 16 applies to every one of them, with one further item:
- Root CA has been re-keyed
Slide 18: High Assurance Transactions – take many forms
As it relates to high assurance credentials, all applications are the same.
User digitally signs or encrypts an email → PKI digital signature
Slide 19: High Assurance Transactions – take many forms
User digitally signs or attempts to encrypt an email → PKI digital signature, PKI authentication
Slide 20: High Assurance Transactions – take many forms
PKI authentication: the same failure list as on slide 16 applies.
Slide 21: The Next Level: Continuous Credential Vetting
Today: Access is granted to "recognized" users while security controls focus on traffic for content and behavior.
Risk: Identity is a missing component; networks have a blind spot regarding credential status and use.
Opportunity: Include identity as a component of the security model to detect insider and external threats.
Diagram labels: Any legit credential (password, access card) · Infiltration attempts, denial of service, spoofed credentials · Endpoint security (protocol, source address, destination address, destination port, source port, header analysis, payload analysis, pattern detection, web-based malware, email attachments) · SSO systems, Active Directory · "allowed user ≠ safe credential"
Slide 22: Identity Provisioning vs. Vetting
Today: Once issued, credentials are never seen again by the issuer.
Enterprise Risk: Yet credentials are trusted because the issuer says they are "still" good.
Issuer Risk: The issuer is the last to know if a credential has "gone bad."
Opportunity: Trust framework providers (TFPs), identity providers (IdPs) and relying parties (RPs) work together to create one or more global clearinghouse(s) for use and reputation based on the observed behavior of credentials.
Diagram labels: Provisioning (issue date, expiration date, revocation) vs. Vetting (misuse, continued use) · missing feedback loop
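Slide 5 asks for the ability to detect suspicious credential usage across multiple applications and for relying party reporting rules back to the issuer; this slide names the missing feedback loop (revocation on the issuer's side, misuse and continued use on the relying party's side). As an added example (not code from the presentation or from CertiPath), the Go program below is a minimal clearinghouse: relying parties report every authentication attempt as a usage record, the issuer contributes its revocations, and two correlation rules produce alerts. The record layout, the rules and their thresholds, the constructed log lines (issuer name, serials, addresses, RP names) and the revocation feed are all assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// UsageEvent is one authentication attempt a relying party (RP) reports to the
// clearinghouse; the record layout is an assumption made for this example.
type UsageEvent struct {
	At       time.Time
	RP       string // application, gateway or door that saw the credential
	Issuer   string // issuing CA as named in the presented certificate
	Serial   string // certificate serial number, hex
	SourceIP string
	Accepted bool
}

// Revocation is the issuer's side of the loop: when the credential "went bad".
type Revocation struct {
	Issuer, Serial string
	At             time.Time
}

type Alert struct{ Issuer, Serial, Rule, Detail string }

// ParseEvents reads one record per line: RFC3339-time|RP|issuer|serial|source-ip|accepted-or-failed.
func ParseEvents(text string) ([]UsageEvent, error) {
	var out []UsageEvent
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), "|")
		if len(f) != 6 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		out = append(out, UsageEvent{at, f[1], f[2], f[3], f[4], f[5] == "accepted"})
	}
	return out, nil
}

// Vet correlates what every RP saw for each credential with what its issuer knows.
// Rule "continued-use": any attempt, accepted or not, after the issuer revoked it.
// Rule "split-use": accepted at two different RPs from two different source
// addresses within `window`. Both thresholds are illustrative, not a standard.
func Vet(events []UsageEvent, revs []Revocation, window time.Duration) []Alert {
	revokedAt := map[string]time.Time{}
	for _, r := range revs {
		revokedAt[r.Issuer+"|"+r.Serial] = r.At
	}
	byCred := map[string][]UsageEvent{}
	for _, e := range events {
		byCred[e.Issuer+"|"+e.Serial] = append(byCred[e.Issuer+"|"+e.Serial], e)
	}
	var alerts []Alert
	for k, evs := range byCred {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		issuer, serial := evs[0].Issuer, evs[0].Serial
		for _, e := range evs {
			if t, ok := revokedAt[k]; ok && e.At.After(t) {
				alerts = append(alerts, Alert{issuer, serial, "continued-use", fmt.Sprintf("%s at %s from %s, %s after revocation", e.At.Format(time.RFC3339), e.RP, e.SourceIP, e.At.Sub(t))})
				break
			}
		}
	pairs:
		for i, a := range evs {
			for _, b := range evs[i+1:] {
				if b.At.Sub(a.At) > window {
					break // events are time-ordered, so nothing later can pair with a
				}
				if a.Accepted && b.Accepted && a.RP != b.RP && a.SourceIP != b.SourceIP {
					alerts = append(alerts, Alert{issuer, serial, "split-use", fmt.Sprintf("%s from %s, then %s from %s %s later", a.RP, a.SourceIP, b.RP, b.SourceIP, b.At.Sub(a.At))})
					break pairs
				}
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Serial+alerts[i].Rule < alerts[j].Serial+alerts[j].Rule })
	return alerts
}

// SampleLog and SampleRevocations are constructed data: issuer, serials, RPs and addresses are invented.
const SampleLog = `
2015-01-06T09:00:00Z|JPAS|CN=Constructed Issuing CA|0a1b|10.1.1.5|accepted
2015-01-06T09:10:00Z|Email Gateway|CN=Constructed Issuing CA|0a1b|10.1.1.5|accepted
2015-01-06T09:20:00Z|PACS Building 7|CN=Constructed Issuing CA|0a1b|198.51.100.9|accepted
2015-01-06T10:00:00Z|JPAS|CN=Constructed Issuing CA|0c3d|10.1.1.7|failed
2015-01-06T11:00:00Z|JPAS|CN=Constructed Issuing CA|0e5f|10.1.1.8|accepted`

var SampleRevocations = []Revocation{{"CN=Constructed Issuing CA", "0c3d", time.Date(2015, 1, 5, 12, 0, 0, 0, time.UTC)}}

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Vet(events, SampleRevocations, 30*time.Minute) {
		fmt.Printf("%s serial %s: %s (%s)\n", a.Issuer, a.Serial, a.Rule, a.Detail)
	}
}
```

On the sample data, serial 0a1b trips "split-use" (accepted at JPAS and then at a building's PACS from a different address 20 minutes later; the e-mail gateway use from the same address is not enough on its own) and serial 0c3d trips "continued-use" (an attempt the day after the issuer revoked it, even though the RP rejected it). The failed attempt is the interesting case for the feedback loop: the RP already knew the credential was bad, but without reporting it the issuer never learns that someone is still trying to use it.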