E Authentication Federation The enabler of Electronic Government! presented to AIPC by Stephen A....


E-Authentication Federation: The enabler of Electronic Government!

presented to AIPC by Stephen A. Timchak

June 12, 2005

The E-Authentication Federation


The Role of the E-Authentication Program

The Goal of E-Government

• Empower and enable citizens and businesses to manage their relationships with government on their terms in a secure online environment

E-Authentication is a key component of the President’s Management Agenda

• Develop and implement an enterprise-wide E-Authentication strategy and solution that enables E-Government


President’s E-Gov Agenda

Government to Citizen
1. USA Service (Lead: GSA)
2. EZ Tax Filing (Lead: Treasury)
3. Online Access for Loans (Lead: DoED)
4. Recreation One Stop (Lead: DOI)
5. Eligibility Assistance Online (Lead: Labor)

Government to Business
1. Federal Asset Sales (Lead: GSA)
2. Online Rulemaking Management (Lead: EPA)
3. Simplified and Unified Tax and Wage Reporting (Lead: Treasury)
4. Consolidated Health Informatics (business case) (Lead: HHS)
5. Business Gateway (Lead: SBA)
6. Int’l Trade Process Streamlining (Lead: DOC)

Government to Govt.
1. e-Vital (business case) (Lead: SSA)
2. Grants.gov (Lead: HHS)
3. Disaster Assistance and Crisis Response (Lead: FEMA)
4. Geospatial Information One Stop (Lead: DOI)
5. Wireless Networks (Lead: FEMA)

Internal Effectiveness and Efficiency
1. e-Training (Lead: OPM)
2. Recruitment One Stop (Lead: OPM)
3. Enterprise HR Integration (Lead: OPM)
4. e-Travel (Lead: GSA)
5. e-Clearance (Lead: OPM)
6. e-Payroll (Lead: OPM)
7. Integrated Acquisition (Lead: GSA)
8. e-Records Management (Lead: NARA)

Cross-cutting Infrastructure: E-Authentication (Lead: GSA)


The E-Authentication Initiative Strategy

Build the E-Authentication Federation

• Government agencies rely on electronic identity credentials – such as PINs/user IDs/passwords/PKI certificates – issued and managed by other organizations within and outside the federal government

How do we do it? Develop a federated identity authentication framework

• Supporting secure online transactions

• Reliant on existing trust relationships

• COTS and standards-based with interoperable products, supporting multiple protocols


Why Adopt a Federated Approach?

Migration of applications to the web has precipitated increasing need for secure authentication

Identity management now perceived as one of the major enterprise IT challenges

Industry best practices moving toward enterprise identity management solution (portal) and federated identity

Use of Federated Identity is Growing

• According to Burton Group, more than 300 businesses deploying SAML-based federations this year


An Example of Federation

[Figure: diagram labelled "Maintenance Website"]


Building the E-Authentication Federation

[Diagram] Components: Policy; Technical Standards; Business & Operating Rules; Operational Infrastructure; Agency Applications/Identity Credential Issuers

Status labels: Complete FY 2004; Complete; Scheduled for Federation membership Q4 FY ’05 and beyond


Approved E-Authentication Technology Providers

Novell


E-Authentication Federation

The Federal Government agency application owners that have agreed to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains

The private and public sector trusted Credential Service Providers that agree to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains

Federation Management (E-Authentication PMO) that manages the technical, policy, and business rules that serve to make identity portable across domains


Key Policy Considerations

For Governmentwide deployment:

• No National ID
• No National unique identifier
• No central registry of personal information, attributes, or authorization privileges
• Different authentication assurance levels are needed for different types of transactions
• Authentication – not authorization

For E-Authentication technical approach:

• No single proprietary solution
• Deploy multiple COTS products – user’s choice
• Products must interoperate together
• Controls must protect privacy of personal information


The Policy Foundation Is In Place

Policy infrastructure enables real business and trust – because it can be universally leveraged and accepted

Policy framework key to E-Authentication Federation context and cohesiveness

Policy framework necessary for:

• Technical architecture and interoperability
• Evaluation of identity credential issuers
• Determination of assurance level requirements
• Ease of contracting
• Efficient, reusable business processes

Key policy/guidance documents & tools:

OMB M-04-04

• E-Authentication Risk and Requirements Assessment (E-RA)

NIST SP 800-63

• Credential Assessment Framework (CAF)

Matching the right level of authentication to business risk


The Technical/Architectural Framework Is In Place

• Based on industry best practices
• Open standards-based, federated identity management
• Supported by interoperable products, providing choice and market-driven pricing
• Supports the coexistence of multiple federated identity schemes
• Provides for the management of transitive trust
• Accommodates both low and high level credentials using SAML and PKI
• Supports the introduction of other authentication techniques over time

Interoperability among trusted identity credential issuers


Federation Operations

[Diagram labels: FirstGov Portal; FirstGov EAuth Apps; ICI Web Site; Agency Application Web Site; Starting Point (three places); EAuth Validation Service; EAuth Portal; EAuth Step-down Translator; EAuth Protocol Translator]


Standing Up Federation Operations

Implementing a world-class operations capability, available 24x7x365

• Federation Contact Center (Help Desk)
• Operations and maintenance of the portal, step-down translator(s), validation service and scheme translators
• Client and production services

Agency customers agreed that a well run operations capability was critical to the Federation’s success


Governance: E-Authentication Oversight

Moving From Initiative to Federation

Executive Steering Committee

• 24 Cabinet Level Federal agency CIOs
• Venture capitalist perspective

Proposed Uber Structure

• Federation Board of Directors
• User Groups
• Vendor Council

E-Authentication Initiative

E-Authentication Federation


Federation Membership Requirements

For Identity Credential Issuers and Relying Parties (Agencies)

Business & Operating Rules

Technology standards integrated with common business rules

Developing business agreements that govern membership in the E-Authentication Federation

How we bind the trust that drives interoperability


Identity Credential Issuers

• The Federal Government does not want to be in the credential management business
• Various commercial entities – insurers and other financial institutions – are natural trusted credential service issuers (CSIs)

WHO PROVIDES AUTHENTICATION TODAY? Look in your wallet – what credentials are you most likely to find?

• A bank card
• A health insurance card
• School ID
• A State Government-issued driver’s license or photo ID

Citizen/business convenience and trust are key to selecting identity credential issuers


Targeting Financial Institutions First

Authentication lies at the core of existing financial services products

• Know-your-customer (KYC) required by law

Financial institutions own 3 powerful assets:

• Trust
• 90+% of the US population has banking relationship & 53M have bank-issued credentials (Pew)
• Strongly authenticated identities

Law requires more than KYC – it requires that customers’ identities be protected


Financial Institutions as Authenticators

[Chart: authenticators rated Strong, Mixed or Weak on each attribute]

Attribute groups: Consumer; The Relationship; The Authenticator

Attributes: Broad customer base; Long term relationship; Frequent use of credential; Trusted entity?; Strong registration process?

Current Authenticators – with large bases of authenticated customer relationships: Financial Institutions; ISPs and Telcos; Employers; Schools; Merchants & Service Providers

Future Authenticators – could have large bases of authenticated customer relationships: Governments; Private ID Providers

Chart Courtesy of Glenbrook Partners Trusted Identity: Hidden Value From Customer Appreciation


The Credential Assessment Framework

Potential ICIs must participate in a credential assessment using the methodology defined in the Credential Assessment Framework

• On site inspection
• Credentialing procedures
• Network and systems security
• Overall risk management profile

Upon successful assessment, ICIs can be added to E-Authentication’s Trusted Identity Credential Issuer List and to the E-Auth architecture (enabling acceptance of the credential by the Portal)


Agencies Are Committed

Moving E-Gov’t Services Online For Business

Type of Transaction | Sample Application | Potential Users
Licensing/Permits/Accreditation | Nat’l Park Service Research Permits | 3500 researchers, 10,000 permits requested each year
Compliance | EPA Central Data Exchange | 15,000 businesses and laboratories
Grants/Loans/Subsidies | FHA Connection | 90,000 mortgage lenders – 1.4M loans approved in FY04
Gov’t Contracting | E-Offer | 8,000 primary business contracts; 100,000 projected business users
Business Support | NASA Integrated Information | 50,000 contractors, industry participants (350M transactions per year)
Int’l Trade | Export.gov | 3 million businesses


Agencies Are Committed

Moving E-Gov’t Services Online For Citizens

Type of Transaction | Sample Application | Potential Users
Social Security | Direct Deposit; Annual Benefit Statement | 47M citizens receiving benefits
Assistance | USA Jobs | Over 15,000 job postings
Recreation | Recreation One Stop | 5.7M campers in 2003
Loans | Dept. of Education’s National Student Loan | 35M student users
Public Safety | Dept. of Justice’s Victim Internet System | 13M victims and their attorneys
Benefits | 1010-Eligibility for Benefits | 70M veterans


Federation Acquisition Marketplace

Providing a “one-stop shop” for E-Authentication Federation products and services

Creating an “E-Authentication Federation Suite of Contracts” on Federal Supply Service (FSS) IT Schedule 70

Available to states as well as Federal agencies

Will include:

• Technology products
• Architectural components
• Credential services
• Accredited providers of Smartcard/HSPD-12/FICC-mandated credentials and tokens


E-Authentication Validated by Independent Report

Burton Group, a respected IT research and advisory services firm, reports that E-Authentication:

Aligns with industry best practices

Provides flexible and pragmatic common approach to authentication

Efforts should continue and expand, with fine tuning

“The E-Authentication Initiative’s goals are achievable. The anticipated benefits are real and far-reaching, and extend to end-users, governmental organizations, and commercial businesses alike. The E-Authentication Initiative is well-defined, flexible, technically sound, and employs industry best practices.”

Burton Group Report on the Federal E-Authentication Initiative, 8/30/04


Lessons Learned

IT’S HARD!


SUCCESS

IS IN SIGHT!


For More Information

Phone E-mail

Stephen A. Timchak Office: 703-872-8604 [email protected] Executive

E-Authentication Federation

U.S. General Services Administration

2011 Crystal Drive, Suite 911

Crystal Park One

Arlington, Virginia 22202

Website: http://cio.gov/eauthentication