Identity and Access Management: Collaborative Approaches to Novel Use Cases

Nate Lesser, Deputy Director, National Cybersecurity Center of Excellence

Cloud Identity Summit 2014, July 20, 2014


Page 1: CIS14: NSTIC - Identity and Access Management Collaborative Approaches to Novel Use Cases

Page 2

ENERGY SECTOR USE CASE: IDENTITY AND ACCESS MANAGEMENT

Page 3

OVERVIEW

Goals

‣ Authenticate individuals and systems

‣ Enforce authorization control policies

‣ Unify IdAM services

‣ Protect generation, transmission and distribution

Business value

‣ Reduce costs

‣ Increase efficiency

Page 4

SILOS

‣ IT network

‣ OT network

‣ Physical system

Page 5

THE IT-OT DIVIDE

Page 6

HIGH-LEVEL ARCHITECTURE

Page 7

COLLABORATORS

Page 8

ABOUT THE NCCOE

Page 9

STRATEGY

Vision

‣ A secure cyber infrastructure that inspires technological innovation and fosters economic growth

Mission

‣ Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs

Page 10

TENETS

Standards-based

Modular

Usable

Repeatable

Open and transparent

Commercially available

Page 11

REALIZED SECURITY

Realized security = security controls + security gains from ease of use  

Page 12

APPROACH

We seek problems that are:

‣ Broadly relevant

‣ Technology-based

‣ Addressable with multiple commercially available technologies

Page 13

REFERENCE DESIGNS

Use cases

‣ Sector-specific challenges

‣ Identified through industry engagement

Building blocks

‣ Technology-specific challenges

‣ Identified through public engagement

Page 14

MODEL

Engage

‣ Work with community of interest to define problem

Explore

‣ Map security characteristics to standards, controls and best practices

‣ Circulate drafts and incorporate feedback

Partner

‣ Invite technology vendors to collaborate in our labs

Build

‣ Collaborate on design components

‣ Incorporate feedback from experts in technology community

Show

‣ Demonstrate reference designs

Page 15

MODEL

[Process diagram: activities grouped by participant]

Community of interest

‣ Form small community of interest

‣ Provide input and feedback to NCCoE

‣ Expand community of interest

‣ Submit feedback on use cases to NCCoE

‣ Offer insights on use cases

Technology partners

‣ Submit letters of interest

‣ Collaborate to develop reference designs

‣ Deploy, test and provide feedback on the reference design

‣ Provide regular feedback on use case builds

‣ Support deployment, revision and maintenance of products as part of the practice guide

‣ Evangelize on behalf of reference design and practice guide

NCCoE

‣ Speak at sector-specific events

‣ Work with COI to identify cybersecurity challenges

‣ Host sector-specific workshop

‣ Review & circulate pre-release use cases

‣ Revise & publish draft use cases

‣ Revise use cases & invite participation from technology partners

‣ Receive technology partners' letters of interest

‣ Form build teams

‣ Sign CRADAs

‣ Host partner day

‣ Develop composed reference design

‣ Demonstrate reference designs

‣ Discuss improvements & modifications

‣ Publish reference design and practice guide

Page 16

CORE PARTNERS

Page 17

BUILDING BLOCK: ATTRIBUTE BASED ACCESS CONTROL

Page 18

OVERVIEW

Goals

‣ Enterprise to enterprise identity federation

‣ Enable access control decisions for previously unknown users

‣ Demonstrate security capabilities that support a wide range of enterprise risk postures

Business value

‣ Simplified identity management

‣ Shared IT resources across multiple enterprises

‣ Reduced risk through granular access control
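The access control decision these goals describe, written out as an added example (it is not code from the NCCoE building block or from the slides): a small policy decision point in Python that decides on a user the relying party has never seen, using only the attributes a partner IdP in the federation asserts about them. The IdP URLs, attribute names, resources, assurance levels and rules are assumptions constructed for the example; a deployment would take the trust list from federation metadata and the rules from its own policy.

```python
"""Attribute-based access control (ABAC) decision over federated attributes.

Added example, not the NCCoE building block's code. IdP names, attribute names,
resources and rules are constructed for illustration.
"""
from dataclasses import dataclass

# Federation trust list: each partner IdP and the attributes it is authoritative
# for (assumed values). Attributes a partner is not authoritative for are dropped,
# so a partner cannot elevate a user by asserting another party's attribute.
TRUSTED_IDPS = {
    "https://idp.partner-a.example": {"organization", "role", "clearance", "assurance_level"},
    "https://idp.partner-b.example": {"organization", "role", "assurance_level"},
}


@dataclass(frozen=True)
class Rule:
    """One policy rule: the effect applies when every subject condition matches."""
    effect: str             # "permit" or "deny"
    resource: str
    action: str
    subject: dict           # attribute name -> set of acceptable values
    min_assurance: int = 1  # minimum authentication assurance level for a permit


# The policy is written purely in terms of attributes; no user identifier
# appears, so a user this enterprise has never provisioned can still be decided on.
POLICY = [
    Rule("permit", "grid-ops-dashboard", "read",
         {"role": {"operator", "engineer"}, "organization": {"partner-a", "partner-b"}},
         min_assurance=2),
    Rule("permit", "relay-settings", "write",
         {"role": {"engineer"}, "clearance": {"ot-admin"}}, min_assurance=3),
    # A stricter risk posture for one partner: no writes to OT settings at all.
    Rule("deny", "relay-settings", "write", {"organization": {"partner-b"}}),
]


def filter_attributes(issuer, claims):
    """Keep only the attributes the issuing IdP is trusted to assert.

    An issuer outside the federation yields no attributes at all.
    """
    authoritative = TRUSTED_IDPS.get(issuer)
    if authoritative is None:
        return {}
    return {name: value for name, value in claims.items() if name in authoritative}


def decide(issuer, claims, resource, action):
    """Policy decision point: returns "permit" or "deny" (deny by default).

    Combining algorithm is deny-overrides: a matching deny rule wins over any
    matching permit, and a permit also requires the asserted assurance level
    to meet the rule's minimum.
    """
    attrs = filter_attributes(issuer, claims)
    if not attrs:
        return "deny"
    assurance = int(attrs.get("assurance_level", 0))
    permitted = False
    for rule in POLICY:
        if rule.resource != resource or rule.action != action:
            continue
        # A missing attribute makes attrs.get() return None, so the condition fails.
        if not all(attrs.get(name) in values for name, values in rule.subject.items()):
            continue
        if rule.effect == "deny":
            return "deny"
        if assurance >= rule.min_assurance:
            permitted = True
    return "permit" if permitted else "deny"


if __name__ == "__main__":
    # Constructed sample assertions, as a relying party would receive them from a partner IdP.
    engineer_a = {"sub": "eng-042", "organization": "partner-a", "role": "engineer",
                  "clearance": "ot-admin", "assurance_level": 3}
    engineer_b = {"sub": "eng-007", "organization": "partner-b", "role": "engineer",
                  "clearance": "ot-admin", "assurance_level": 3}
    print(decide("https://idp.partner-a.example", engineer_a, "relay-settings", "write"))
    print(decide("https://idp.partner-b.example", engineer_b, "relay-settings", "write"))
```

Two details carry the security value. The trust-list filter runs before policy evaluation, so the second engineer's self-asserted `clearance` is discarded because partner B is not authoritative for it, and an assertion from an IdP outside the federation produces no attributes and therefore a deny. The deny-overrides combining rule and the per-rule assurance minimum are what let one policy express different risk postures for different partners and resources.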

Page 19

HIGH-LEVEL WORKFLOW

Page 20

HIGH-LEVEL WORKFLOW

Page 21

DEFINITIONS

Sources

‣ Authorization and Attribute Services Committee Glossary

‣ FICAM

‣ FIPS 201

‣ NCCoE

‣ NIST SP 800-37 Rev. 1

‣ NIST SP 800-63-2

‣ OMB M-04-04

‣ RFC 4949

Page 22

HIGH-LEVEL ARCHITECTURE

Page 23

Next

[email protected] 240-314-6800

9600 Gudelsky Drive, Rockville, MD 20850

http://nccoe.nist.gov