E-Authentication Federation: The enabler of Electronic Government!
presented to AIPC by Stephen A. Timchak
June 12, 2005
The E-Authentication Federation
The Goal of E-Government
Empower and enable citizens and businesses to manage their relationships with government on their terms in a secure online environment
E-Authentication is a key component of the President’s Management Agenda
Develop and implement an enterprise-wide E-Authentication strategy and solution that enables E-Government
The Role of the E-Authentication Program
President’s E-Gov Agenda (initiative, with lead agency)

Government to Government: 1. e-Vital (business case), lead SSA; 2. Grants.gov, lead HHS; 3. Disaster Assistance and Crisis Response, lead FEMA; 4. Geospatial Information One Stop, lead DOI; 5. Wireless Networks, lead FEMA

Internal Effectiveness and Efficiency: 1. e-Training, lead OPM; 2. Recruitment One Stop, lead OPM; 3. Enterprise HR Integration, lead OPM; 4. e-Travel, lead GSA; 5. e-Clearance, lead OPM; 6. e-Payroll, lead OPM; 7. Integrated Acquisition, lead GSA; 8. e-Records Management, lead NARA

Government to Business: 1. Federal Asset Sales, lead GSA; 2. Online Rulemaking Management, lead EPA; 3. Simplified and Unified Tax and Wage Reporting, lead Treasury; 4. Consolidated Health Informatics (business case), lead HHS; 5. Business Gateway, lead SBA; 6. Int’l Trade Process Streamlining, lead DOC

Government to Citizen: 1. USA Service, lead GSA; 2. EZ Tax Filing, lead Treasury; 3. Online Access for Loans, lead DoED; 4. Recreation One Stop, lead DOI; 5. Eligibility Assistance Online, lead Labor

Cross-cutting Infrastructure: E-Authentication, lead GSA
The E-Authentication Initiative Strategy
Build the E-Authentication Federation: Government agencies rely on electronic identity credentials – such as PINs/user IDs/passwords/PKI certificates – issued and managed by other organizations within and outside the federal government
How do we do it? Develop a federated identity authentication framework:
• Supporting secure online transactions
• Reliant on existing trust relationships
• COTS and standards-based with interoperable products, supporting multiple protocols
Why Adopt a Federated Approach?
Migration of applications to the web has precipitated increasing need for secure authentication
Identity management now perceived as one of the major enterprise IT challenges
Industry best practices moving toward enterprise identity management solution (portal) and federated identity
Use of Federated Identity is Growing: according to Burton Group, more than 300 businesses are deploying SAML-based federations this year
An Example of Federation
[Diagram: a maintenance website example; only the labels survived extraction]
Building the E-Authentication Federation
[Diagram of the Federation’s building blocks: Policy; Technical Standards; Business & Operating Rules; Operational Infrastructure; Agency Applications/Identity Credential Issuers. Status labels on the diagram: Complete FY 2004; Complete; Scheduled for Federation membership Q4 FY ’05 and beyond]
Approved E-Authentication Technology Providers
Novell
E-Authentication Federation
• The Federal Government agency application owners that have agreed to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains
• The private and public sector trusted Credential Service Providers that agree to abide by a set of technical, policy, and business interoperability standards and agreements that serve to make identity portable across multiple domains
• Federation Management (E-Authentication PMO) that manages the technical, policy, and business rules that serve to make identity portable across domains
Key Policy Considerations
For Governmentwide deployment:
• No National ID
• No National unique identifier
• No central registry of personal information, attributes, or authorization privileges
• Different authentication assurance levels are needed for different types of transactions
• Authentication – not authorization
For E-Authentication technical approach:
• No single proprietary solution
• Deploy multiple COTS products – user’s choice
• Products must interoperate together
• Controls must protect privacy of personal information
The Policy Foundation Is In Place
Policy infrastructure enables real business and trust – because it can be universally leveraged and accepted
Policy framework key to E-Authentication Federation context and cohesiveness
Policy framework necessary for:
• Technical architecture and interoperability
• Evaluation of identity credential issuers
• Determination of assurance level requirements
• Ease of contracting
• Efficient, reusable business processes
Key policy/guidance documents & tools:
• OMB M-04-04 – E-Authentication Risk and Requirements Assessment (E-RA)
• NIST SP 800-63 – Credential Assessment Framework (CAF)
Matching the right level of authentication to business risk
The Technical/Architectural Framework Is In Place
• Based on industry best practices
• Open standards-based, federated identity management
• Supported by interoperable products, providing choice and market-driven pricing
• Supports the coexistence of multiple federated identity schemes
• Provides for the management of transitive trust
• Accommodates both low and high level credentials using SAML and PKI
• Supports the introduction of other authentication techniques over time
• Interoperability among trusted identity credential issuers
Federation Operations
[Diagram: starting points are the FirstGov Portal, FirstGov EAuth Apps, an ICI web site, and an Agency Application web site; Federation components shown are the EAuth Portal, the EAuth Validation Service, the EAuth Step-down Translator and the EAuth Protocol Translator]
Standing Up Federation Operations
Implementing a world-class operations capability, available 24x7x365:
• Federation Contact Center (Help Desk)
• Operations and maintenance of the portal, step-down translator(s), validation service and scheme translators
• Client and production services
Agency customers agreed that a well-run operations capability was critical to the Federation’s success
Governance: E-Authentication Oversight – Moving From Initiative to Federation
Executive Steering Committee: 24 Cabinet-level Federal agency CIOs
Venture capitalist perspective
Proposed Uber Structure: Federation Board of Directors; User Groups; Vendor Council
[Diagram: E-Authentication Initiative moving to E-Authentication Federation]
Federation Membership Requirements for Identity Credential Issuers and Relying Parties (Agencies)
Business & Operating Rules:
• Technology standards integrated with common business rules
• Developing business agreements that govern membership in the E-Authentication Federation
• How we bind the trust that drives interoperability
Identity Credential Issuers
The Federal Government does not want to be in the credential management business
Various commercial entities – insurers and other financial institutions – are natural trusted credential service issuers (CSIs)
WHO PROVIDES AUTHENTICATION TODAY? Look in your wallet – what credentials are you most likely to find?
• A bank card
• A health insurance card
• School ID
• A State Government-issued driver’s license or photo ID
Citizen/business convenience and trust are key to selecting identity credential issuers
Targeting Financial Institutions First
• Authentication lies at the core of existing financial services products
• Know-your-customer (KYC) required by law
• Financial institutions own 3 powerful assets: Trust; 90+% of the US population has a banking relationship & 53M have bank-issued credentials (Pew); Strongly authenticated identities
• Law requires more than KYC – it requires that customers’ identities be protected
Financial Institutions as Authenticators
[Chart: candidate authenticators rated Strong / Mixed / Weak on each attribute; column headings Consumer, The Relationship, The Authenticator; attributes: Broad customer base, Long term relationship, Frequent use of credential, Trusted entity?, Strong registration process? The individual ratings did not survive extraction]
Current Authenticators – with large bases of authenticated customer relationships: Financial Institutions; ISPs and Telcos; Employers; Schools; Merchants & Service Providers
Future Authenticators – could have large bases of authenticated customer relationships: Governments; Private ID Providers
Chart courtesy of Glenbrook Partners, “Trusted Identity: Hidden Value From Customer Appreciation”
The Credential Assessment Framework
Potential ICIs must participate in a credential assessment using the methodology defined in the Credential Assessment Framework:
• On-site inspection
• Credentialing procedures
• Network and systems security
• Overall risk management profile
Upon successful assessment, ICIs can be added to E-Authentication’s Trusted Identity Credential Issuer List and to the E-Auth architecture (enabling acceptance of the credential by the Portal)
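The policy slides above say that each transaction type needs a matching assurance level (OMB M-04-04 defines four, with NIST SP 800-63 covering the technical requirements), that E-Authentication decides authentication and not authorization, and that only issuers that have passed the Credential Assessment Framework review reach the Trusted Identity Credential Issuer List. The following Python is an added illustration of how a relying party would combine those rules; it is not code from the E-Authentication program or GSA. The issuer identifiers, the application names, the required levels and the assessed levels are constructed for the example, and the assertion structure is a simplified stand-in rather than the Federation’s SAML profile.

```python
"""Relying-party acceptance check for a federated credential.

Added illustration only; not code from the E-Authentication Federation.
Constructed for the example: the assertion structure, issuer identifiers,
per-application required levels, and the trusted-issuer entries.
The four assurance levels (1 = lowest, 4 = highest) follow OMB M-04-04.
"""
from dataclasses import dataclass
from typing import Tuple

# Constructed trusted-issuer list: issuer identifier -> highest assurance
# level the issuer was assessed for. (The real list was populated from
# Credential Assessment Framework reviews; these entries are made up.)
TRUSTED_ICIS = {
    "https://idp.example-bank.test": 3,
    "https://idp.example-agency.test": 2,
}

# Constructed: the level each application requires, i.e. the outcome of the
# application owner's E-Authentication Risk and Requirements Assessment.
APP_REQUIRED_LEVEL = {
    "job-postings": 1,
    "research-permits": 2,
    "benefit-statement": 3,
}

MIN_LEVEL, MAX_LEVEL = 1, 4  # OMB M-04-04 defines four assurance levels


@dataclass(frozen=True)
class Assertion:
    """Simplified stand-in for the assertion an ICI returns after login."""
    issuer: str           # who vouched for the user
    subject: str          # user identifier as known to the issuer
    assurance_level: int  # level the issuer claims for this login
    not_on_or_after: int  # expiry as a Unix timestamp


def evaluate(assertion: Assertion, app: str, now: int) -> Tuple[bool, str]:
    """Decide whether `assertion` may be used to reach `app` at time `now`.

    Returns (accepted, reason). This is authentication only: a True result
    says who the user is and at what assurance level; what the user may do
    remains the application's own authorization decision.
    """
    required = APP_REQUIRED_LEVEL.get(app)
    if required is None:
        return False, f"unknown application {app!r}"

    # 1. Only issuers that passed the credential assessment are trusted.
    issuer_max = TRUSTED_ICIS.get(assertion.issuer)
    if issuer_max is None:
        return False, "issuer is not on the trusted ICI list"

    # 2. Stale assertions are rejected regardless of level.
    if now >= assertion.not_on_or_after:
        return False, "assertion has expired"

    # 3. Malformed levels are rejected rather than clamped.
    if not MIN_LEVEL <= assertion.assurance_level <= MAX_LEVEL:
        return False, f"assurance level {assertion.assurance_level} is out of range"

    # 4. An issuer's claim is capped at the level it was assessed for, so a
    #    level-2 issuer cannot satisfy a level-3 application by asserting 3.
    effective = min(assertion.assurance_level, issuer_max)
    if effective < required:
        return False, f"effective level {effective} is below required level {required}"

    return True, f"accepted {assertion.subject} at level {effective}"


if __name__ == "__main__":
    now = 1_700_000_000
    bank = Assertion("https://idp.example-bank.test", "alice", 3, now + 300)
    print(evaluate(bank, "benefit-statement", now))   # accepted at level 3
    agency = Assertion("https://idp.example-agency.test", "bob", 3, now + 300)
    print(evaluate(agency, "benefit-statement", now))  # rejected: capped at 2
```

The cap in step 4 is the point worth keeping from the Credential Assessment Framework: the assessed level on the trusted-issuer list, not the level an assertion claims, bounds what the relying party will honour, so the list has to be maintained as carefully as the applications’ own risk assessments.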
Agencies Are Committed – Moving E-Gov’t Services Online For Business
Type of Transaction | Sample Application | Potential Users
Licensing/Permits/Accreditation | Nat’l Park Service Research Permits | 3500 researchers, 10,000 permits requested each year
Compliance | EPA Central Data Exchange | 15,000 businesses and laboratories
Grants/Loans/Subsidies | FHA Connection | 90,000 mortgage lenders – 1.4M loans approved in FY04
Gov’t Contracting | E-Offer | 8,000 primary business contracts; 100,000 projected business users
Business Support | NASA Integrated Information | 50,000 contractors, industry participants (350M transactions per year)
Int’l Trade | Export.gov | 3 million businesses
Agencies Are Committed – Moving E-Gov’t Services Online For Citizens
Type of Transaction | Sample Application | Potential Users
Social Security | Direct Deposit, Annual Benefit Statement | 47M citizens receiving benefits
Assistance | USA Jobs | Over 15,000 job postings
Recreation | Recreation One Stop | 5.7M campers in 2003
Loans | Dept. of Education’s National Student Loan | 35M student users
Public Safety | Dept. of Justice’s Victim Internet System | 13M victims and their attorneys
Benefits | 1010-Eligibility for Benefits | 70M veterans
Federation Acquisition Marketplace
Providing a “one-stop shop” for E-Authentication Federation products and services
Creating an “E-Authentication Federation Suite of Contracts” on Federal Supply Service (FSS) IT Schedule 70
Available to states as well as Federal agencies
Will include:
• Technology products
• Architectural components
• Credential services
• Accredited providers of Smartcard/HSPD-12/FICC-mandated credentials and tokens
E-Authentication Validated by Independent Report
Burton Group, a respected IT research and advisory services firm, reports that E-Authentication:
• Aligns with industry best practices
• Provides a flexible and pragmatic common approach to authentication
• Efforts should continue and expand, with fine tuning
“The E-Authentication Initiative’s goals are achievable. The anticipated benefits are real and far-reaching, and extend to end-users, governmental organizations, and commercial businesses alike. The E-Authentication Initiative is well-defined, flexible, technically sound, and employs industry best practices.”
Burton Group Report on the Federal E-Authentication Initiative, 8/30/04
Lessons Learned
IT’S HARD!
SUCCESS IS IN SIGHT!
For More Information
Stephen A. Timchak, Executive, E-Authentication Federation
U.S. General Services Administration
2011 Crystal Drive, Suite 911, Crystal Park One, Arlington, Virginia 22202
Office phone: 703-872-8604
E-mail: [email protected]
Website: http://cio.gov/eauthentication