The Federation for Identity and Cross-Credentialing Systems (FiXs) FiXs ® - Federated and Secure...

The Federation for Identity and Cross-Credentialing Systems (FiXs) www.FiXs.org FiXs ® - Federated and Secure Identity Management in Operation Implementing federated identity management and assurance in operational scenarios



UNCLASSIFIED


Common Issues with Physical and Logical Security

How do we protect our facilities and systems, balanced with ease of use?

Easy, secure access for those who belong

Simple identification verification of visitors and users

Identity assurance for contractors & suppliers must:

Incorporate strong vetting for those that require access

Follow DoD and all Federal guidelines

Access decisions must be automated & reliable

The facility or system owner is ultimately responsible -- so how do we help?

Improve decisions through interoperable electronic authentication

Make it more secure, smarter & cost efficient per system

Develop applications that work with multiple level credentials


FiXs - The Federation for Identity & Cross-Credentialing Systems: What is it?

A 501(c)6 not-for-profit trade association initially formed in 2004 while working with the Department of Defense to provide secure and inter-operable use of identity credentials between and among government entities and industry

A coalition of diverse companies/organizations supporting development and implementation of inter-operable identity cross-credentialing standards, systems and end to end solutions for various applications

Members/Subscribers include: government contractors, technology companies, major firms, small businesses, sole-proprietors, not-for-profit organizations, Department of Defense, state governments, etc.


FiXs is a Standards, C & A and Network Access Organization

Complete Legal Governance structure for member firms

Certification and Accreditation program for issuing identity credentials and securing personal identifying information

A secure network switch through which transactions can be passed for PACS and LACS applications

Standards for interfacing with the network switch and interoperability of applications

Secure Network access to certified service providers and sponsors of individuals holding certified credentials

Clearinghouse for objective consideration of technologies, business processes, rules and requirements


Governance Structure

Defined Trust Model

Operating Rules

Security Guidelines

Policy Standards, including Privacy Act compliance

Technical Architecture Specifications and Standards

Implementation Guidelines

Formal, legal flow down agreements for members/subscribers


The Basic Principles

Individual personal identifying information, such as biometrics, ss#, and other unique personal identifying information, is captured once and accessed as required for authentication of one's identity

This information is maintained in a federated manner, whereby there is no single database of every individual’s identifying information.

The data is maintained in a distributed manner under the authority and control of the organization who “sponsors” the individual holding the certified identity credential

Structured to emulate the ATM and credit card network model of the banking industry


Identity Federation between DCCIS & FiXs

Users: Member company employees w/ their credentials or CAC holders


Meeting Policy Objectives

Certified Credentials that can be trusted with confidence

“FiXs network fully operational for worldwide use in support of identity authentication purposes & applications” -- DMDC July 16, 2007

“The DoD shall establish & maintain the ECA program to support the issuance of DoD-approved certificates to industry partners & other external entities & organizations.” -- DoDI 8520

“FiXs credentials that include PKI certificates issued from DoD ECA vendors are acceptable for use by DoD web based systems” -- ASD/NII July 11, 2008

Short term return on investment (ROI)

Existing highly available architectures for identity deployment & revocation information -- immediate cost avoidance of CAC issuance “outside of the fence”


FiXs Chain of Trust

The appropriate and necessary background verification is performed on both the sponsoring company and the individual

Sponsoring party (organization) asserts need for credentials and attests to the identity of the individual to receive credential

Individuals are “enrolled” and issued credentials

Credential holder may then use their credential for identity authentication purposes and have it validated across FiXs Network

The sponsoring party maintains an obligation to revoke credentials when necessary

A single credential can be “linked” to multiple entities, precluding the need for multiple credentials (badges)


Robust revocation processes

“A revocation process must exist such that an expired or invalidated credential is swiftly revoked.”

Certified Credentials issuers are required to maintain FiXs enrollment, privacy, administrative control, revocation, and audit information

Maintenance & updating of the revocation information is the joint responsibility of the sponsoring organization & the Certified Credential issuer

Card & Certificate Revocation Lists are issued immediately upon revocation


FiXs & Certified Credentials Value Proposition & ROI


Inter-operable with DoD systems—can be used by other Federal organizations

Under review to be accepted as PIV Inter-operable per Fed CIO Council guidance

Achieved enterprise-wide capability and best practices

Provides Security & Privacy of staff, systems, data and facilities in compliance with latest identity assurance and identity management processes

Comply with FAR contract requirements

Supports HSPD-12 and NIST PIV

Proven uniform approach is possible and realistic across government and industry


Kantara Initiative

IDDY Award (Identity Deployment of the Year)


Contact Information

Dr. Michael Mestrovich, President - FiXs [email protected] 703 928 3157

Robert Martin, Corporate Secretary - FiXs [email protected] 703 321 6951

Larry Mendenhall, Board Member- FiXs [email protected] 703 968 5280
