Global Federated Identity & Privilege Management (GFIPM)
John Ruegg, Director, LA County ISAB
United States Department of Justice
What is Federated Identity Management?
• You trust another organization to identify its users and authenticate them before they can connect to your system: a trusted Identity Provider (IDP).
• Your system relies on the identity information provided by the IDP to make access and authorization decisions: a relying Service Provider (SP).
• IDPs and SPs have mutual technical and policy obligations to meet for participation in the Federation.
FBI CJIS Systems – A Federated Identity Management Model
• FBI trusts your organization to identify your users and authenticate them before they can connect to the CJIS Systems. The trusted Identity Provider (IDP) is the {CJIS Control Terminal Officer, CTO}.
• FBI {CJIS Systems} relies on the identity information provided from your {CTO} IDP to make access and authorization decisions: the relying Service Provider (SP).
• IDPs and SPs have mutual technical and policy obligations in the Federation: {CJIS Policy}.
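The trust relationship described on the two slides above, as an added worked example that is not GFIPM's or CJIS's own code: the relying SP accepts an identity credential only when its issuer is on the federation trust list, its signature verifies under that issuer's key, and it is inside its validity window; only then are the IDP's attributes handed to authorization. The credential layout, the issuer identifiers, the attribute names and the shared-key HMAC "signature" (a stand-in for the signed assertion a real federation credential carries) are all assumptions made for this illustration.

```python
"""Relying-party (SP) acceptance of a federation identity credential.
Added illustration, not GFIPM's or CJIS's own code: the credential layout,
the issuer names and the HMAC "signature" (a stand-in for the signed
assertion a real federation credential carries) are constructed here."""
import hashlib
import hmac
import json
import time

# Constructed federation trust list: issuer id -> verification key.
# A real SP would hold each trusted IDP's public key / metadata instead.
TRUSTED_IDPS = {
    "urn:example:idp:county-cto": b"county-cto-verification-key",
}


class CredentialRejected(Exception):
    """Raised when the SP must not rely on the presented credential."""


def issue_credential(issuer, key, attributes, lifetime_s=300, now=None):
    """IDP side: sign a credential carrying the user's identity attributes."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "iat": now, "exp": now + lifetime_s, "attrs": attributes}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def accept_credential(cred, now=None):
    """SP side: return the identity attributes only from a trustworthy credential.

    Checks, in order: the issuer is a federation member we trust, the signature
    verifies under that issuer's key, and the credential is inside its validity
    window. Anything else is rejected rather than partially trusted.
    """
    now = time.time() if now is None else now
    body = json.loads(cred["payload"])
    key = TRUSTED_IDPS.get(body.get("iss"))
    if key is None:
        raise CredentialRejected("issuer is not a trusted IDP in this federation")
    expected = hmac.new(key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise CredentialRejected("signature does not verify")
    if not body["iat"] <= now < body["exp"]:
        raise CredentialRejected("credential is outside its validity window")
    # Only now does the SP rely on the IDP's assertions for authorization.
    return body["attrs"]


if __name__ == "__main__":
    cred = issue_credential("urn:example:idp:county-cto",
                            TRUSTED_IDPS["urn:example:idp:county-cto"],
                            {"uid": "jdoe", "sworn": True, "role": "detective"})
    print(accept_credential(cred))
```

The order of the checks matters: the issuer named in the credential is used only to select which key to verify with, and nothing in the body is trusted until the signature over the whole payload has verified under that key.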
[Slide graphic: Justice, NIEM Inside and XML Inside logos.]
Benefits of Federated Identity Management
• The local organization provides its Identity Management System (IDP) using local authentication methods.
• Many commercial products have adopted the Federated Identity open standards that GFIPM utilizes.
• Identity information is communicated over the network via a standard GFIPM justice identity credential.
Benefits of Federated Identity Management
• Eliminate multiple userids/passwords and security tokens.
• Only grant access to your system to users who first authenticate to a trusted Identity Provider (IDP).
• GFIPM-enabled systems always get current identity information via the GFIPM justice identity credential; there is no requirement to manually register/maintain users.
• Changes in user status (job role, retirement, etc.) only need to be updated once, at the local IDP system.
GFIPM Federation (Single Sign-on, SSO)
[Slide diagram: federation participants OneDOJ, HSIN, RISS and Fusion Center A connected over the Internet.]
Security & Privacy Policy Enforcement
[Slide diagram; labels: request message carrying GFIPM credentials into the PEP (Policy Enforcement Point), response message out; PEP inputs: content metadata, environmental conditions; PEP consults the PDP (Policy Decision Point), which returns obligations; the PDP evaluates electronic policy statements (dynamic, federated) derived from written policy; PEP actions: release, modify, access, delete, …; the PEP writes the audit trail.]
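The PEP/PDP exchange sketched on the slide above, as an added worked example that is not GFIPM's or XACML's own code: the Policy Enforcement Point assembles a request from the identity attributes in the GFIPM credential, the requested action, the content metadata and the environmental conditions; the Policy Decision Point evaluates electronic policy statements and returns a decision together with obligations; the PEP honours the obligations, writes the audit trail and releases content only on Permit. The rule set, the attribute names and the obligation names are constructed for this illustration, and one deliberately covered edge case is an obligation the PEP cannot fulfil, which turns a Permit into a Deny.

```python
"""PEP/PDP policy enforcement pattern. Added illustration only; the policy
rules, attribute names and obligation names are constructed, not GFIPM's
or XACML's own."""
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: dict      # identity attributes carried in the GFIPM credential
    action: str        # release, modify, access, delete, ...
    resource: dict     # content metadata of the record being touched
    environment: dict  # environmental conditions (network, local hour, ...)


@dataclass
class Decision:
    permit: bool
    reason: str
    obligations: list = field(default_factory=list)


# Constructed electronic policy statements: every rule must hold for a Permit.
POLICY = [
    ("criminal history only for sworn officers",
     lambda r: r.resource.get("type") != "criminal-history"
     or r.subject.get("sworn") is True),
    ("delete restricted to records administrators",
     lambda r: r.action != "delete" or r.subject.get("role") == "records-admin"),
    ("after-hours access only from an agency network",
     lambda r: 6 <= r.environment.get("hour", 0) < 20
     or r.environment.get("network") == "agency"),
]


def pdp_evaluate(req: Request) -> Decision:
    """Policy Decision Point: the first rule that fails denies the request."""
    for description, holds in POLICY:
        if not holds(req):
            return Decision(False, f"denied: {description}")
    obligations = ["record-audit-event"]
    if req.resource.get("sensitivity") == "high":
        obligations.append("notify-record-owner")  # constructed obligation name
    return Decision(True, "all policy rules satisfied", obligations)


AUDIT_TRAIL: list = []    # the slide's audit trail, kept in memory here
NOTIFICATIONS: list = []  # stand-in for delivering owner notifications


def fulfil_obligation(name: str, req: Request) -> bool:
    """Carry out one obligation; False means the PEP could not honour it."""
    if name == "record-audit-event":
        return True  # pep_enforce writes the audit entry for every decision
    if name == "notify-record-owner":
        NOTIFICATIONS.append((req.resource.get("id"), req.subject.get("uid")))
        return True
    return False     # unknown obligation: the PEP must not release the content


def pep_enforce(req: Request, content):
    """Policy Enforcement Point: returns the content on Permit, else None."""
    decision = pdp_evaluate(req)
    if decision.permit and not all(fulfil_obligation(o, req)
                                   for o in decision.obligations):
        decision = Decision(False, "denied: an obligation could not be fulfilled")
    AUDIT_TRAIL.append({
        "uid": req.subject.get("uid"), "action": req.action,
        "resource": req.resource.get("id"), "permit": decision.permit,
        "reason": decision.reason, "obligations": list(decision.obligations),
    })
    return content if decision.permit else None


if __name__ == "__main__":
    officer = {"uid": "jdoe", "role": "detective", "sworn": True}
    record = {"id": "CH-1001", "type": "criminal-history", "sensitivity": "high"}
    env = {"hour": 10, "network": "agency"}
    print(pep_enforce(Request(officer, "access", record, env), "record body"))
    print(AUDIT_TRAIL[-1])
```

The audit entry is written for every decision, denials included, which is what makes the trail useful for review: it records who asked, for what, under which environmental conditions the decision was taken, and which obligations were attached.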
Early Adopters of GFIPM
Live in Production
• RISSnet – Intelligence
• Pennsylvania JNET – criminal justice information
• CISAnet – Southwestern States Intelligence
Under Development
• LA County – local Criminal History
• San Diego County – ARJIS criminal justice information
• Southern Shield – 14 States Fusion Centers
• Connect Project – 8 States portals and federated query services
• OneDOJ – Access to Federal Information Resources
• OneDHS – Access to DHS resources
Benefit of Open Standards Adoption
• RSA Conference, April 6, 2008 – 7 vendors' products interoperability demonstration
• "We're pleased to work with OASIS on addressing the very sensitive issues related to the access of patient information," said John (Mike) Davis, standards architect with the VHA Office of Information in the Department of Veterans Affairs, and a member of the HITSP Security, Privacy and Infrastructure Technical Committee. "XACML helps ensure that patients, physicians, hospitals, public health agencies and other authorized users share critical information appropriately and securely."