Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-Authentication: The Need for Public and Private Sector Trust David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Published byLuke Armstrong Modified over 9 years ago

Similar presentations

Presentation on theme: "E-Authentication: The Need for Public and Private Sector Trust David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy."— Presentation transcript:

1 E-Authentication: The Need for Public and Private Sector Trust David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy The E-Authentication Initiative 3 rd Annual Conference on Technology & Standards May 3, 2006

2 2 Prioritize E-Government President’s Management Agenda: 1. Strategic Management of Human Capital 2. Competitive Sourcing 3. Improved Financial performance 4. Expanded Electronic Government 5. Budget and Performance Integration E-Government Act of 2002 OMB Office of E-Government and Technology

3 3 Government to Govt.Internal Effectiveness and Efficiency Lead 1. e-Vital (business case) 2. Grants.gov 3. Disaster Assistance and Crisis Response 4. Geospatial Information One Stop 5. Wireless Networks 1. e-Training 2. Recruitment One Stop 3. Enterprise HR Integration 4. e-Travel 5. e-Clearance 6. e-Payroll 7. Integrated Acquisition 8. e-Records Management President’s E-Gov Agenda OPM GSA OPM GSA NARA Lead SSA HHS FEMA DOI FEMA Lead GSA Treasury DoED DOI Labor Government to Business 1. Federal Asset Sales 2. Online Rulemaking Management 3. Simplified and Unified Tax and Wage Reporting 4. Consolidated Health Informatics 5.Business Gateway 6.Int’l Trade Process Streamlining Lead GSA EPA Treasury HHS SBA DOC Cross-cutting Infrastructure: E-Authentication GSA Government to Citizen 1. USA Service 2. EZ Tax Filing 3. Online Access for Loans 4. Recreation One Stop 5. Eligibility Assistance Online

4 4 E-Authentication Key Policy Considerations  For Government-wide deployment : No National ID No National unique identifier No central registry of personal information, attributes, or authorization privileges Different authentication assurance levels are needed for different types of transactions Authentication – not authorization  For E-Authentication technical approach : No single proprietary solution Deploy multiple COTS products – user’s choice Products must interoperate together Controls must protect privacy of personal information

5 5 Factor Token Very High Medium Low Employee Screening for a High Risk Job Obtaining Govt. Benefits Applying for a Loan Online Access to Protected Website PIN/User ID - Knowledge Strong Password -Based PKI/ Digital Signature Multi- Increased $ Cost Increased Need for Identity Assurance Four Authentication Assurance Levels to meet multiple risk levels -

6 6 FBCA PKI Trust List FBCA PKI Trust List Levels 1 & 2 CSPs Levels 3 & 4 CSPs FBCA X-Certification Levels 1 & 2 Online Apps & Services Levels 3 & 4 Online Apps & Services SDT A VERY Simplified View of the Federal EAI Architecture EAI SAML Trust List EAI SAML Trust List Banks Financial Inst. Universities Agency Apps Commercial CSPs CAF Digital Certificates SAML Assertions Federal Agency PKIs Other Gov PKIs Commercial PKIs PKI Bridges (HSPD-12) One-Time Passwords Multi-Factor Authentication PIN, Passwords User ID

7 7 Governments Federal States/Local International Higher Education Universities Higher Education PKI Bridge Healthcare RHIOs NHIN Healthcare providers Travel Industry Airlines Hotels Car Rental Trusted Traveler Programs Central Issue with Federated Identity – Who do you Trust? E-Commerce Industry ISPs Internet Accounts Credit Bureaus eBay Trust Network Financial Services Industry Home Banking Credit/Debit Cards Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels. 280 Million Americans Millions of Businesses State/local/global Govts

8 8 Federation Infrastructure Interoperable Technology (Communications) Determine intra-Federation communication architecture Administer common interface specifications, use cases, profiles Conduct interoperability testing ( as needed) according to the specifications Provide a common portal service (I.e., discovery and interaction services) Trust Establish common trust model Administer common identity management/authentication policies for Federation members Business Relationships Establish and administer common business rules Manage relations among relying parties and CSPs Manage compliance/dispute resolution

9 9 Government Adoption of Federated IDM  Necessary in order to meet President’s E-Gov mandates GSA is directed to provide common authentication infrastructure for all Federal E-Gov business applications and E-access control.  In 2004 GSA established the EAI Federation EAI Federation allows identity federation between multiple industry and government entities and the Federal Government Technical architecture supports multiple authentication technologies, protocols, and IDM software products and components  In 2004 GSA partnered with industry to establish the Electronic Authentication Partnership Incorporated non-profit public/private sector forum to advance and accelerate IDM federation Focuses on interoperability and trust EAP Trust Framework issued 12/04

10 10 Industry and EAI ID Federation/Authentication Alignment The Federal Government is seeking to align with industry in the following ways in order to meet the mandates for government- wide e-Authentication services:  Common trust framework for reciprocal trust  Common business & operating rules for business interoperability  Common technical infrastructure (i.e., architecture, protocols, data models, testing) for technical interoperability  Common business models for ID federation adoption/interoperability.

11 11 EAI/EAP Common Trust Framework 1. Establish & define authentication risk and assurance levels EAI: OMB M-04-04 - Established and defined 4 authentication assurance levels as Governmentwide policy EAP: Adopted OMB M-04-04 authentication assurance levels 2. Establish technical standards & requirements for e-Authentication systems at each assurance level EAI: NIST Special Pub 800-63 Authentication Technical Guidance – Established authentication technical standards at 4 established assurance levels EAP: Adopted NIST SP 800-63 standards 3. Establish methodology for evaluating authentication systems at each assurance level EAI: Credential Assessment Framework – Standard methodology for assessing authentication systems of credential service providers EAP: Service Assessment Criteria – Standard methodology for assessing authentication systems of credential service providers 5. Perform assessments and maintain trust list of trusted CSPs EAP: Trusted CSP List EAI: Trusted CSP List (pending) 6. Establish common business rules for approved CSPs EAI: EAI Federation Business Rules and Service Agreements EAP: EAP Business Rules and Agreements

12 12 Key Architecture Design Considerations  No central registry of personal information, attributes, or authorization privileges – decentralized approach means federation.  Different authentication assurance levels are needed for different types of transactions.  Architecture must support multiple authentication technologies.  Architecture must support multiple protocols.  Federal Government will not mandate a single proprietary solution, therefore, Architecture must support multiple COTS products.  Federal Government will adopt prevailing industry standards that best meet the Government’s needs.  All architecture components must interoperate with ALL other components.  Controls must protect privacy of personal information.

13 13 Standards Convergence  SAML 1.X - Framework for exchanging security information about a principal: authentication, attributes, authorization information  Liberty ID-FF 1.X – Extend SAML 1.0, 1.1 for federation, SSO, web services Shibboleth Specification Liberty Specifications OASIS SAML 1.0, 1.1 OASIS Standard SAML 2.0

14 14 Federal Interoperability Lab  Tests interoperability of products for participation in e- Authentication architecture. Conformance testing to Fed e-Authentication Interface Specification Interoperability testing among all approved products  Currently 11 SAML 1.0 products on Approved Product List. See URL: http://cio.gov/eauthentication  Multiple protocol interoperability testing will be very complex  4 Products approved for PKI certificate path discovery & validation  GSA intends to continue to test architecture components for interoperability and capability to meet governmentwide use requirements

15 15 The Approach to a U.S. Federal PKI  Allow Agencies to implement their own PKIs  Create a Federal Bridge CA using COTS products to bind Agency PKIs together  Establish a Federal PKI Policy Authority to oversee policy and operation of the Federal Bridge CA  Ensure directory compatibility  Use ACES for transactions with the public  Use PKI Shared Service Providers for internal Federal Government provisioning  Approve commercial products for certificate validation (local, hosted)

16 16 University PKI A Snapshot of the U.S. Federal PKI Treas.PKI Higher Education Bridge CA NASA PKI WF PKI Illinois PKI CANADA PKI Federal Bridge CA ACES PKI DOD PKI DOE PKI DOS PKI University PKI University PKI GPO PKI PTO PKI USDA PKI

17 17 IDP SP/RP EAP Vision: Multiple, Interoperable Federations Federation 1 Federation 2 EAP Common Governance Common Trust Framework & Rules Common Architecture & Interoperable Products

18 18 EAI/EAP Alignment EAI EAP Common Assurance Levels Common Authentication Standards Reciprocal CSP Trust Certifications Common Designated Assessors Common Business Rules Common Architecture Common Protocols Common Data Models 2004 2005 2006 2007 Joint Pilots And Projects CSP Assessments CSP Trust Lists 2008 Common Business Model EAI Projects EAP Projects

19 19 Cross-Federation Trust Certifications  FiXs trust certifications will be made at assurance level 4+, as FiXs will be certifying against FIPS 201/HSPD-12 standards/requirements.  EAP may determine to accept FiXs certifications as meeting EAP SAC level 4 authentication assurance  Federal EAI may determine to accept FiXs and/or EAP certifications as meeting EAI CAF level 4 authentication assurance FiXs Trust Certifications EAP Trust Certifications EAI Trust Certifications

20 20 And then there’s HSPD-12 … Homeland Security Presidential Directive 12 (HSPD-12): “Policy for a Common Identification Standard for Federal Employees and Contractors” Dated: August 27, 2004

21 21 For More Information ● Visit our Websites: http://www.cio.gov/eauthenticationwww.cio.gov/eauthentication http://www.cio.gov/ficcwww.cio.gov/ficc http://www.cio.gov/fbcawww.cio.gov/fbca http://www.cio.gov/fpkipawww.cio.gov/fpkipa http://csrc.nist.gov/piv-project/ http://csrc.nist.gov/piv-project/ http://www.cio.gov/fpkisc http://www.eapartnership.org http://www.smart.gov/www.smart.gov/ ● Or contact: David Temoshok Director, Identity Policy and Management 202-208-7655 david.temoshok@gsa.gov

Download ppt "E-Authentication: The Need for Public and Private Sector Trust David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy."

Similar presentations

1 U.S. General Services Administration E-Government Procurement: Standard Transactions and Interoperability David Temoshok Director, Federal Identity Management.

1 U.S. General Services Administration E-Government Procurement: Standard Transactions and Interoperability David Temoshok Director, Federal Identity Management.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.

Levels of Assurance: An Overview Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority.
The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.

The Need for Trusted Credentials Information Assurance in Cyberspace Mary Mitchell Deputy Associate Administrator Office of Electronic Government & Technology.
1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration.

1 HSPD-12 Compliance: The Role of Federal PKI Judith Spencer Chair, Federal Identity Credentialing Office of Governmentwide Policy General Services Administration.
Institutional Transformation of Government in the Network Society Jane E. Fountain Director, National Center for Digital Government Harvard University.

Institutional Transformation of Government in the Network Society Jane E. Fountain Director, National Center for Digital Government Harvard University.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Ongoing Efforts to Build The US Federal PKI Bridge

Ongoing Efforts to Build The US Federal PKI Bridge
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
Public Key Infrastructure (PKI) Hosting Services.

Public Key Infrastructure (PKI) Hosting Services.
1 Federal Identity Management and Homeland Security Presidential Directive 12 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide.

1 Federal Identity Management and Homeland Security Presidential Directive 12 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
HIMSS/GSA E-Authentication Initiative A Pilot Project of the HIMSS RHIO Federation HIMSS Public Policy Forum September 28, 2006 Mary Grizkewicz, HIMSS.

HIMSS/GSA E-Authentication Initiative A Pilot Project of the HIMSS RHIO Federation HIMSS Public Policy Forum September 28, 2006 Mary Grizkewicz, HIMSS.
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
Federal Approach to Electronic Credentials For services to citizens, businesses, other governments, and employees Mary J. Mitchell Office of Electronic.

Federal Approach to Electronic Credentials For services to citizens, businesses, other governments, and employees Mary J. Mitchell Office of Electronic.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
The U.S. Federal PKI and the Federal Bridge Certification Authority

The U.S. Federal PKI and the Federal Bridge Certification Authority
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.

Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
EDUCAUSE Fed/Higher ED PKI Coordination Meeting

EDUCAUSE Fed/Higher ED PKI Coordination Meeting
Emergence of Identity Management: A Federal Perspective Dr. Peter Alterman Chair, Federal PKI Policy Authority.

Emergence of Identity Management: A Federal Perspective Dr. Peter Alterman Chair, Federal PKI Policy Authority.

Similar presentations

Ads by Google