Identity and Access Management Enterprise Security Office Forum November 9, 2010


Page 1: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity and Access Management

Enterprise Security Office Forum

November 9, 2010

Page 2: Identity and Access Management Enterprise Security Office Forum November 9, 2010

IAM Forum

Welcome

Housekeeping

Review Agenda

Page 3: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Agenda

Current State of Oregon Activities: Judicial Department – Scott Smith

Employment Department – Troy Rutten

State of California – Lee Mosbrucker

State of Colorado – Micheline Casey

National-States Efforts – Micheline & Lee

Panel Discussion – Q&A – all presenters

Wrap-up - ESO

Page 4: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Background

Enterprise IAM project initiated during state data center consolidation

ESO would manage the IAM project to the program phase, then transition the program to the enterprise infrastructure

In 2008 the IAM project was terminated

Page 5: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Termination Factors

Higher than expected operation costs

Lack of business participation/understanding

Lack of agreement on fundamental issues

Page 6: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Termination Factors

No Program Staff

No authoritative identity data source

No acceptable funding model going forward

No Governance Structure

Page 7: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Assumptions for Future

Citizens & Business Partners want secure access to their confidential information

To work within and across state boundaries and with the Federal government will require a Federated model

Goal of IAM is to provide authorized access in a secure and efficient manner

Page 8: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Requirement for the Future

Establish Governance Board comprised of participating agency leadership

Develop architecture standards that support federated model

Develop Business Case authored and approved by the Governance Board to determine best path forward

Page 9: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Next Steps

Agencies are welcome to join one or more of the following work groups:

Lexicon Development

Governance Model

Architecture Development

Page 10: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Oregon eCourt

Oregon eCourt will give courts and judges the tools they need to provide just, prompt and safe resolution of civil disputes; improve public safety and the quality of life in our communities; and improve lives of children and families in crisis.

Page 11: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Background: Outdated Technology

Technology systems over 25 years old, difficult to use and maintain

Case-based rather than person-based

Limited access to information; documents are not available electronically

Difficult to determine if an offender has other cases in existence

No online services

Page 12: Identity and Access Management Enterprise Security Office Forum November 9, 2010

The Oregon eCourt Solution

Electronic Content Mgt. and eFiling

Web Portal

Decision Support System

Case Mgt. System

Financial Mgt. System

Partner Integration Backbone

Oregon eCourt

Page 13: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Current Authentication Stacks

Page 14: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Current Access Privileges

Page 15: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Anticipated Growth in Identities

The graph below shows a medium growth assumption in user accounts requiring support as we move to make available more online offerings in the coming years.

Page 16: Identity and Access Management Enterprise Security Office Forum November 9, 2010

I&AM Cost Avoidance

This graph shows the biennial cost avoidance benefit from implementing tools for all I&AM functions. The escalating benefit from biennium to biennium is directly related to the cost avoidance benefits garnered from automated provisioning and web access management systems, given anticipated annual user account growth rates. Chart assumes full implementation by 2011.

Page 17: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Proposed Solution – Enterprise I&AM

Page 18: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Future Access Authorities

Page 19: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Decision Point - WAM

Page 20: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Next Steps

RFP for comprehensive I&AM solution

Emphasis on:

Identity management

Role based access control

Web access management

Single sign-on

Privileged account management

Provisioning

Page 21: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Questions?

Scott E. Smith

eCourt Program Director

Oregon Judicial Department

[email protected]

Page 22: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity and Access Management

November 2010

Page 23: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Public-facing web applications

• Citizens
  • Unemployed
  • Job seekers
  • Workforce development
  • Child care consumers and workers

• Employers
  • Owner/Officer
  • Recruiter
  • Payroll employee/agent

• Child care providers

• Partners and vendors

Online Claims

WOMIS

Jobs List

Page 24: Identity and Access Management Enterprise Security Office Forum November 9, 2010

WOMIS

Child Care

OTTER

IdMEAA

Online Claims

Biggest Bang for the Buck

Page 25: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Approach

Three Phases

1. Simple authentication and authorization
• External focus on Child Care Partners and Employers

2. Strong authentication and high availability
• Load balancing, failover, fraud detection
• External focus adding citizens

3. Internal (Privileged) users
• Integration with Active Directory
• Internal focus

Page 26: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Timeline

Page 27: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Status

• IAM Project in motion July 2010

Page 28: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Next Steps

• Enterprise Design
• Complete Build
• Branding
• Application Integration
  • Analysis
  • Design
  • Development
  • Testing
  • Implementation

Page 29: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Lessons

• From others
  • Full analysis but don’t fret the details
  • Build in increments
  • Active Directory: not a piece of cake

• Learned so far
  • Define terms
  • Clear scope
  • The level of analysis will be larger than you estimate

Page 30: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Troy Rutten

[email protected]

WP: (503) 947-1560

Questions?

Page 31: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Federated Trust Identity Concepts, Business Models and Use Cases for State of California Departments

State of California

Deputy Director of Enterprise Architecture

Lee Mosbrucker

[email protected]

Page 32: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Foundation
– Enterprise Architecture Segment Identification
– FICAM Road Map v1.0

Goals and Objectives
– Comply with Regulatory Statutes, Laws, and Standards
– Improve Security Posture
– Enable Interoperability
– Reduce Costs and Increase Efficiency

Design Principles
– Open Standards Based
– Separate Authentication from Authorization, both in function and administration

Page 33: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Approach
– Identify existing IdAM Systems (EDD, DMV, CDCR, AOC)
– Establish Executive and Vendor Sponsorship (IBM, Oracle, Microsoft)
– Identify Pilot Programs based on Business Use Case (Unemployment Insurance Continued Claims; Health Information Exchange)
– Develop a Pilot CA-ICAM Segment Architecture*
– Develop CA-ICAM Documentation
– Develop a Transition Roadmap
– Develop Implementation Guidelines

Page 34: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Introduction

Identity Federation is the exchange of identity information between two separate entities (domains).

An Identity Domain is a self-contained system that manages a repository of identity information about its users.

Page 35: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Federation Partnership

• Identity Provider (IDP) is an entity that provides identity information to other services.

• Service Provider (SP) relies on the identity information sent by the identity provider to grant access to services within the SP domain.

Page 36: Identity and Access Management Enterprise Security Office Forum November 9, 2010

What impacts Identity Federation?

Identity Federation requires Trust

Trust always has a direction, and it is a business concept that cannot be solved through technology: the receiving Domain needs to trust the sending Domain

Business operating model is critical, since federation is driven by the underlying business processes

State Government technology cycles: CA implementations are longer than the technology lifecycle (today’s vs. tomorrow’s standards)

Business benefits mapped to implementation approach

Each State Department could be considered an Enterprise that requires federation within itself

Page 37: Identity and Access Management Enterprise Security Office Forum November 9, 2010

How does IT work?

1. Operating Model

2. Enterprise Architecture

3. IT Engagement

Source: MIT Sloan Center for Information Systems Research

Page 38: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Operating Models

Coordination
• Single face to customers
• No specific business process standards
• Example – Toyota Europe

Unification
• Centralized organization
• Standard business processes
• Sharing data
• Example – Delta

Diversification
• Decentralized organization
• Autonomy
• Example – Carlson

Replication
• Process standardization
• Operating units use the same systems
• Example – Marriott

(Chart axes: Standardization, Low to High; Integration, Low to High)

Source: MIT Sloan Center for Information Systems Research

Page 39: Identity and Access Management Enterprise Security Office Forum November 9, 2010

CA State – Operating Model

Coordination Operating Model characteristics:

Shared customers, services or suppliers

Each department can impact other units’ transactions

Operationally unique business units and functions

Autonomous business management

Business unit control over business process design

Shared customer, service, supplier data

Consensus processes for designing IT infrastructure services

IT application decisions made in business units

OCIO Federated Procurement Model influences this model

Page 40: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Implementation Strategies

Project Based
• Business skeptical
• Investment “bundled” with other project deliverables

Enterprise
• Business and IT Management 100% behind investment

Infrastructure
• IT able to drive reuse across departments

Page 41: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Technology and Process Gaps

Stage I

Technology and process are immature; not fully deployed, not aligned with the business, provide limited automation, not providing the original perceived value to the organization.

Stage II

Technology and process are implemented and fairly mature. Some limited flexibility in terms of supporting ongoing demands. Some automation, average performance.

Stage III

Aligned with industry standards for technology and process. Significant automation, cost savings, and efficiencies are realized. Highly flexible in support of business demands.

Stage IV

Technology and process improvements have transformed the business, enabling and facilitating significant growth. Identified as a thought leader in the industry.

(Chart labels: Marginal, Stable, Transformational, Best Practice, with Today and Future State markers)

Page 42: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identities Classification

Citizens: Claimants, Drivers, Individual Tax Payers…

Partners and Businesses: Doctors, Lawyers, Law Enforcement Officers…

Employees: 157 Departments / 243,973 employees

Page 43: Identity and Access Management Enterprise Security Office Forum November 9, 2010

External Identities Today

State departments maintain a separate user store for each business transaction type

Various storage technologies/products are in use: mainframe, databases, directories…

The business logic/process to maintain these repositories is typically integrated and embedded into the business applications each department operates

Page 44: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Employees Identities Today

A typical department maintains an enterprise directory (such as MS Active Directory) with various levels of consolidation

Provisioning / (de)provisioning processes are at various levels of maturity, mostly manual and fragmented

Inconsistent directory schemas and mixed entries (employees and contractors) are common

Page 45: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity as a Service

Implementation of identity, access and compliance management functionality predominantly as services in a service-oriented architecture, within the cloud or the enterprise

Various lines of business applications, policy management applications, devices, and other services then leverage these services either autonomously or in a choreographed manner

Page 46: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Design Considerations

Identity Services Platform

Identity Hub

Identity Assurance

Identity Authorization

Identity Administration

Identity Audit

Page 47: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity Service Platform

Identity Hub: Accounts for Identity Storage and Repository Administration, Synchronization and Virtualization

Identity Assurance: Accounts for Authentication (including MFA), Fraud Prevention, Identity Proofing and Single Sign-On

Identity Authorization: Accounts for policy definition, enforcement and management

Page 48: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity Service Platform

Identity Administration: Accounts for user and role lifecycle management, provisioning, and credential management

Identity Audit: Accounts for identity auditing, compliance reporting and analytics

Page 49: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity Services Network

Page 50: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Typical Identity Business Drivers

Page 51: Identity and Access Management Enterprise Security Office Forum November 9, 2010

CA State Federation Drivers

Short term

• Improved citizen experience – State Portal + SSO across domains

• Identity Providers will lower transaction costs for service providers – i.e. DOJ Cures

• Domain specific exchanges AOC/CDCR/DOJ, secure State’s Data Warehouse…

Long term

• Innovation and new categories of applications

Page 52: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Possible Phased Approach

Phase 1 – “Federated User Stores”

• Expose identity repositories based on the existing single source of truth systems – via Virtual Directory – owned and maintained by each department

• Implement Federated Single Sign On and Access Management services

Phase 2 – “Federated Provisioning”

• Enable Federated Provisioning

Page 53: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Phase 1 – Use Cases

Transient Federation – “blind trust” by receiving domain

Attribute Based – group, role or specific attribute

Account Mapping – via common user attributes

Page 54: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Use Case 1: Federation with account linking

Steve exists in both directories, DMV and EDD; mapping is based on common attributes

Page 55: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Use Case 2: Transient Federation

SAML token is forwarded to a 3rd party “Career Coaching Service”
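The three Phase 1 federation modes from the slides (account mapping via common attributes as in Use Case 1, attribute-based access, and transient federation as in Use Case 2), written out as an added example that is not part of the California presentation or of any Oracle product. It models a SAML assertion as a plain dataclass; the EDD account store, the issuer name, the attribute names and the set of "common" linking attributes are all constructed placeholders, since the slides only say "common user attributes":

```python
from dataclasses import dataclass
from typing import Optional

# Constructed EDD (receiving-domain) account store; attribute names are
# assumptions, not the schema of any real department.
EDD_ACCOUNTS = [
    {"uid": "edd-1001", "last_name": "Ramirez", "dob": "1975-03-02",
     "dl_number": "D1234567", "roles": ["claimant"]},
    {"uid": "edd-1002", "last_name": "Chen", "dob": "1982-11-19",
     "dl_number": "D7654321", "roles": ["claimant"]},
    {"uid": "edd-1003", "last_name": "Chen", "dob": "1982-11-19",
     "dl_number": "D0000001", "roles": ["employer"]},
]

# Trust has a direction: the receiving domain decides which sending domains
# it trusts. The issuer name is a placeholder.
TRUSTED_ISSUERS = {"idp.dmv.example"}

# Attributes both domains agree to treat as "common" for account mapping
# (an assumed set).
LINK_ATTRIBUTES = ("last_name", "dob", "dl_number")


@dataclass
class Assertion:
    """Simplified stand-in for a SAML assertion: issuer, subject, attributes."""
    issuer: str
    subject: str
    attributes: dict


@dataclass
class Decision:
    allowed: bool
    mode: str
    reason: str
    local_uid: Optional[str] = None


def issuer_trusted(assertion: Assertion) -> bool:
    """The receiving domain must trust the sending domain; every mode checks this first."""
    return assertion.issuer in TRUSTED_ISSUERS


def account_mapping(assertion, accounts=EDD_ACCOUNTS, link_attributes=LINK_ATTRIBUTES):
    """Use Case 1: link the asserted identity to an existing local account.

    The link is made only when the common attributes select exactly one
    account. Zero matches means nothing to link; more than one means the
    attribute set is too weak to identify the person, and linking anyway
    could hand Steve somebody else's account.
    """
    if not issuer_trusted(assertion):
        return Decision(False, "account_mapping", "untrusted issuer")
    missing = [a for a in link_attributes if a not in assertion.attributes]
    if missing:
        return Decision(False, "account_mapping", "missing attributes: " + ", ".join(missing))
    matches = [acct for acct in accounts
               if all(acct.get(a) == assertion.attributes[a] for a in link_attributes)]
    if len(matches) != 1:
        return Decision(False, "account_mapping", f"{len(matches)} candidate accounts")
    return Decision(True, "account_mapping", "linked", local_uid=matches[0]["uid"])


def attribute_based(assertion, required_role):
    """Attribute-based use case: grant on a group/role attribute carried in the assertion."""
    if not issuer_trusted(assertion):
        return Decision(False, "attribute_based", "untrusted issuer")
    if required_role in assertion.attributes.get("roles", []):
        return Decision(True, "attribute_based", f"role {required_role} asserted")
    return Decision(False, "attribute_based", f"role {required_role} not asserted")


def transient(assertion):
    """Use Case 2: transient federation. No local account is looked up or
    created; the session lives only as long as the forwarded assertion, so
    the receiving domain's trust in the issuer is the entire basis for access."""
    if not issuer_trusted(assertion):
        return Decision(False, "transient", "untrusted issuer")
    return Decision(True, "transient", "session only, nothing persisted")


if __name__ == "__main__":
    steve = Assertion("idp.dmv.example", "steve",
                      {"last_name": "Ramirez", "dob": "1975-03-02", "dl_number": "D1234567"})
    print(account_mapping(steve))
```

The account-mapping rule is the part worth attention: a link is made only when the common attributes select exactly one local account, and an ambiguous match is refused rather than resolved by guessing, because linking the wrong account gives one person another person's access through an apparently legitimate path. The transient mode shows why the "blind trust" of the slides has to be limited to issuers the receiving domain has explicitly decided to trust.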

Page 56: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Use Case 3: Workflow with account provisioning

Maria’s account is provisioned into EDD directory after successful verification of SSN & tax info via web services

Page 57: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Phase 1 – Standards

Oracle Identity Federation* supports:

1. SAML 1.0 / 1.1 / 2.0

2. Liberty Alliance ID-FF 1.1 / 1.2

3. WS-Federation

4. MS CardSpace

Standards do not guarantee interoperability: setup and testing required with other vendors

* Liberty Alliance certification for Liberty ID-FF and SAML 2.0

Page 58: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Phase 1 – Key Success Factors

• No change in identities governance model – business processes and ownership for each identity repository remain intact

• No need to develop a master enterprise schema – provide a basic view of identity information based on existing stores

• Leverage existing investments in authoritative data stores – Virtual Directory will enable them to be the Federated User Store

• Gradual deployment – Identity Providers can be established in stages, benefits starting from day one

Page 59: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Summary

• Identity Federation matches the State’s operating model – creating Identity Providers via Federated User Stores will enable execution of today’s key use cases

• Identity Federation Standards are important but do not guarantee interoperability – additional testing/configuration is required

• Licensing models exist to provide a cost-effective investment path to match technical requirements for federation via project, infrastructure or enterprise driven implementations

Page 60: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Possible Next Steps

1. Technical in-depth discussion including product demos

2. Facilitated discovery session to develop detailed Use Cases

3. Interoperability POC with other vendors using #2

4. Contact – [email protected]

Page 61: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Micheline Casey State Chief Data Officer

November 11, 2010

State of Colorado Identity Management

Page 62: Identity and Access Management Enterprise Security Office Forum November 9, 2010

ICAM is a foundational technology for multiple business facets

First Responder Credentialing

Driver Licenses

Voter Registration

Business Permits

Hunting Licenses

Birth Certificates

Tax Collection

Child Welfare

Social Services (Food and Financial Assistance)

Medicaid

State Longitudinal Data System (SLDS)

Early Childhood Learning Commission

Health IT

State Employee Services (payroll, benefits, email access, on/off boarding)

Professional Licenses

Health Insurance Exchange

Page 63: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Critical Service Capabilities

IAM is a foundational technology for multiple business facets

Enabling Services and Workflow
• Improve trust in the digital identity
• Streamline and re-engineer business processes
• Enables C2G, B2G, and G2G applications
• Improve fraud detection

Enterprise Data Sharing and Management
• Support data sharing and interoperability
• Permits cross-departmental data analysis and forecasting
• Promotes evidence-based policy making

Protecting Critical Assets
• Supports multiple risk and access levels
• Access auditing
• Security, privacy, compliance
• Secure authentication

Operational Efficiencies
• Standards-based approach
• Single sign-on
• Automatic provisioning
• Password resets

(Diagram labels: Internal, External)

Page 64: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Goals and Objectives

Page 65: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Identity as Service: Shift in how we view Identities

Page 66: Identity and Access Management Enterprise Security Office Forum November 9, 2010


• Separate identity from attributes and privileges (e.g., driver, voter, receiver of benefits, employee, first responder, patient)

• Identity verification and fraud management

• Attributes assigned by agencies/programs

• Federated model

• Basis for providing services and sharing data across agencies

• Master data management

Colorado Unique Personal Identifier (CUPID)

Page 67: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity As A Service Architecture

(Diagram labels: Web Services; Federal Agencies; Other States; Local Govts; Citizens and Business; Other Stakeholders; Business Partners; Security; IAM; Enterprise Search; Data Access; Service Bus – SOA)

Page 68: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Statewide Identity Services

Page 69: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Statewide Identity Trust Federation

Page 70: Identity and Access Management Enterprise Security Office Forum November 9, 2010


State Agency Identity Infrastructure

Page 71: Identity and Access Management Enterprise Security Office Forum November 9, 2010


CUPID Infrastructure

Page 72: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Example: Education Longitudinal Data System Architecture

(Diagram label: Colorado Unique Identifier (Unique ID))

Page 73: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Key Integration Areas

• Directory Services
  • Establish statewide directory service

• Strong Authentication
  • Multi-factor
  • Risk-based
  • PKI and other token types

• Access Management
  • Web single sign-on to portal and web applications
  • Policy engine

• Federation
  • Statewide identity provider and department service provider
  • Trusted identity attribute exchange
  • Relying party and consumer of external digital identities

• User Administration

• Master Data Management

Page 74: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Governance across Diverse Areas

Authority guiding trust decisions, definitions and processes within an organization.

ICAM includes both technology and business processes.

Page 75: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Big Vision, Incremental Steps

Early Targeted Service Domains:

• Education (State Longitudinal Data System)

• Juvenile Justice (Colorado Children & Youth Information Sharing)

• Healthcare (CORHIO, All-Payer Claims Database)

• Early Childhood and Social Services (Early Childhood Leadership Commission and HB 10-1028)

Page 76: Identity and Access Management Enterprise Security Office Forum November 9, 2010


QUESTIONS?

Thank You!

[email protected]

Page 77: Identity and Access Management Enterprise Security Office Forum November 9, 2010

NASCIO State Digital Identity Briefing

September 26, 2010

State Perspective on Identity, Credentialing, and Access Management: Draft SICAM Roadmap

Page 78: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Panel of Speakers

Presenters:

• Micheline Casey, Chief Data Officer, State of Colorado

• Lee Mosbrucker, California Deputy Director of Enterprise Architecture, State of California

• Stephan Papadopulos, DC One Card Program Manager, District of Columbia

Page 79: Identity and Access Management Enterprise Security Office Forum November 9, 2010

SICAM Document Background

Who participated
• NASCIO Digital Identity Working Group participants from across the country

Purpose
• Provide a standard, unified framework for all states to utilize and adopt
• Provide definition, architectural guidance, and processes
• Develop a baseline for further discussion and improvement by NASCIO community

Scope
• Remote authentication of human users of State IT systems
• Help identify and analyze risks during authentication process

Out of scope:
• Authentication of system-to-system requests
• Authorization to access resources
• Electronic signature issues

Page 80: Identity and Access Management Enterprise Security Office Forum November 9, 2010

ICAM Business Drivers

Critical Service Capabilities

Enabling Services and Workflow
• Improve trust in the digital identity
• Streamline and re-engineer business processes
• Enables C2G, B2G, and G2G applications
• Improve fraud detection

Enterprise Data Sharing and Management
• Support data sharing and interoperability
• Permits cross-departmental data analysis and forecasting
• Promotes evidence-based policy making

Protecting Critical Assets
• Supports multiple risk and access levels
• Access auditing
• Security, privacy, compliance
• Secure authentication

Operational Efficiencies
• Standards-based approach
• Single sign-on
• Automatic provisioning
• Password resets

Page 81: Identity and Access Management Enterprise Security Office Forum November 9, 2010

SICAM Document Sections

• Introduction
• Goals and Objectives
• Maturity Model
• Architecture Framework
• Implementation Strategy
• Risk Assessment
• Assurance Levels
• Identity Proofing Requirements
• Authentication Technology Selection
• Attribute Management
• Governance
• Roles and Responsibilities
  • Relying Parties
  • Issuing Parties
• Use Cases

Page 82: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Goals and Objectives

Page 83: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Maturity Model

Page 84: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Architecture Framework

• Federation
• Centralization
• Identity Assurance vs. Authentication vs. Authorization
• Standards-based
• Interfaces, communications, exchanges
• SOA infrastructure and Web services
• Concepts of ‘issuing party’ and ‘relying party’

Page 85: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Risk Assessment

Business enablement via ICAM services requires a fundamental assessment of the degree of risk involved in the transaction.

Steps for the risk assessment include:
• Data security classification analysis
• Impact assessment
• Likelihood assessment
• Calculated risk rating (formula driven)
• Overall security level determination

Results of the risk assessment drive:
• Assurance level
• Identity proofing requirements
• Authentication technologies required for the transaction

Page 86: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Assurance Levels

• Based on eAuthentication Guidelines of OMB Circular M-04-04

• Level 1 – Little or no confidence in the asserted identity’s validity

• Level 2 – Confidence exists that the asserted identity is accurate

• Level 3 – High confidence in the asserted identity’s validity

• Level 4 – Very high confidence in the asserted identity’s validity

Page 87: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Identity Proofing Requirements

Level 1
In-Person: Not applicable
Remote: Not applicable

Level 2
In-Person: Possession of a valid current primary Government Picture ID that contains applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport). Confirmation of information provided required.
Remote: Possession of a valid Government ID (e.g. a driver’s license or passport) number and a financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number.

Level 3
In-Person: Possession of a verified current primary government photo ID that contains applicant’s picture, and either address of record or nationality (e.g., driver’s license or passport). Confirmation of information provided required.
Remote: Possession of a valid government ID (e.g., a driver’s license or passport) number and a financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number. Confirmation of information provided required.

Level 4
In-Person: In-person appearance and verification of two independent ID documents or accounts, meeting the requirements of Level 3 (in-person), one of which must be a current primary Government Picture ID that contains applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport), and a new recording of a biometric of the applicant at the time of application.
Remote: Not applicable

Page 88: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Authentication Technology Selection

• Risk-Value proposition

• Multi-factor concepts
  • Something you know
  • Something you have
  • Something you are
  • Some place you are

• National standards

Page 89: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Attribute Management

• Critical for authorization control decisions in a federated process

• Typically decentralized across various agency systems

• Example: First Responder attributes scattered across multiple agencies in Colorado

• Enhance enterprise trust model and security

• Attribute classifications

Page 90: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Governance

Authority guiding trust decisions, definitions and processes within an organization.

ICAM includes both technology and business processes.

Page 91: Identity and Access Management Enterprise Security Office Forum November 9, 2010

Roles and Responsibilities

Relying Party: “A system entity that decides to take an action based on information from another system entity.”

Issuing Party: “Issues a valid digital identity token or credential based on the rules and processes in the trust framework that will be consumed by relying parties.”

Page 92: Identity and Access Management Enterprise Security Office Forum November 9, 2010

SICAM Use Cases

NASCIO seeks State involvement for submission of Use Cases:

• Create and Maintain Digital Identity Record for Internal Users and External Users

• Create, Issue, and Maintain PIV Card, PKI Credential and Password Token

• Granting Physical and/or Logical Access

• Provision and Deprovision User Account for an Application

State examples could be illustrated through initiatives in healthcare, education, travel documents, government employee identification, etc.

Page 93: Identity and Access Management Enterprise Security Office Forum November 9, 2010

SICAM Document Next Steps

• Privacy component to be addressed

• Timelines
  • For Working Group review
  • For final publication (possible June 30, 2011)

• Resource Support
  • Add, review and finalize document
  • Contribute use cases
  • Other ???????

Page 94: Identity and Access Management Enterprise Security Office Forum November 9, 2010


Questions?