CIS14: Physical and Logical Access Control Convergence

Posted on 22-Apr-2015

Category: Technology

DESCRIPTION

Karyn Higa-Smith, DHS Science and Technology Directorate. Presentation including a brief demonstration of what is currently going live in a building in Washington, DC: logical access for hundreds of users with smart cards, using XACML, an OASIS standard, for communication between PACS (physical access control systems) and LACS (logical access control systems).

TRANSCRIPT

Cloud Identity Summit 2014, "Getting Physical: Holistic Identity Management"

22 July 2014

Karyn Higa-Smith, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency, Science and Technology Directorate

Physical and Logical Access Control Convergence

• Presenter’s Name June 17, 2003

CSD Mission & Strategy

CSD Mission
§ Develop and deliver new technologies, tools and techniques to defend and secure current and future systems and networks
§ Conduct and support technology transition efforts
§ Provide R&D leadership and coordination within the government, academia, private sector and international cybersecurity community

CSD Strategy (thrust areas)
§ Trustworthy Cyber Infrastructure
§ Cybersecurity Research Infrastructure
§ Network & System Security and Investigations
§ Cyber Physical Systems
§ Transition and Outreach: Government, Venture Capital, IT Security Companies, Open Source, International

Background


S&T Identity Management Testbed

Components shown in the testbed diagram: Attribute Repository, Attribute Aggregator, Policy Decision Point, WS-Security

Identity & Access Management Research & Development


Technology Transition Working Group

§ PIV-I/FRAC Technology Transition Working Group (TTWG)
§ Public Safety/Emergency Response
§ Security
§ Federated Identity for First Responders
§ National standard, interoperable, and trusted ID credential
§ One voice from the TTWG to policy makers
§ Sharing lessons learned
§ Provide innovative, cost-efficient solutions

Enrollment Elements

• PIN
• Authorization Information: Certifications, Clearance, Job Function, Citizenship…

Authentication

• Something you have (the card)
• Something you know (the PIN, ****)
• Something you are (biometric)

Federated Attribute Exchange

End-to-End Standard-Based Attribute Exchange (diagram)

Authoritative Sources: F/ERO Repository (Attributes); ERO Entitlements Authoritative Source
Services: SPML Service; SPML Gateway; SAML Service
Protocol legs: SPML Profile (Create, Read, Update, Delete); SPML Read-Only Profile; SPML Read-Only Request/Response; SAML Request/Response (BAE SAML Profile); Lightweight Protocol (JSON over REST)
Clients: Handheld, Smartphone, Tablet, Local Workstation

Acronyms: OASIS: Organization for the Advancement of Structured Information Standards; F/ERO: Federal/Emergency Response Official; SPML: Service Provisioning Markup Language; SAML: Security Assertion Markup Language
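The SAML leg of the diagram above, as an added example that is not part of the deck or of the DHS testbed code: a relying party (for instance the PACS side) sends a SAML 2.0 AttributeQuery to an attribute authority standing in for the F/ERO repository, and the authority answers with an assertion carrying only the attributes that were requested and are held, or with an UnknownPrincipal status for a subject it does not know. This is plain SAML 2.0 protocol, not the BAE profile specifically; the repository contents, the urn:example attribute names and the issuer URLs are constructed for the example, and signature verification is deliberately left out.

```python
# Added example: SAML 2.0 AttributeQuery round trip between a relying party
# and an attribute authority. Repository records, urn:example attribute names
# and issuer URLs are constructed sample data, not taken from the deck.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def _p(tag): return f"{{{SAMLP}}}{tag}"
def _a(tag): return f"{{{SAML}}}{tag}"
def _now(): return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
def _new_id(): return "_" + uuid.uuid4().hex

# Constructed stand-in for the F/ERO repository (assumed attribute names).
FERO_REPOSITORY = {
    "piv-i:1234567890": {
        "urn:example:fero:certification": ["EMT-Paramedic"],
        "urn:example:fero:jurisdiction": ["DC"],
        "urn:example:fero:clearance": ["Public Trust"],
    },
}

def build_attribute_query(issuer, name_id, attribute_names):
    """Relying side: ask the authority for named attributes of one subject."""
    qid = _new_id()
    q = ET.Element(_p("AttributeQuery"), {"ID": qid, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(q, _a("Issuer")).text = issuer
    subject = ET.SubElement(q, _a("Subject"))
    ET.SubElement(subject, _a("NameID"),
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}).text = name_id
    for name in attribute_names:
        ET.SubElement(q, _a("Attribute"),
                      {"Name": name, "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    return qid, ET.tostring(q, encoding="unicode")

def answer_attribute_query(query_xml, issuer, repository=FERO_REPOSITORY):
    """Authority side: release only attributes that were asked for and are held;
    answer an unknown subject with an UnknownPrincipal status, not an empty assertion."""
    q = ET.fromstring(query_xml)
    name_id = q.findtext(f"{_a('Subject')}/{_a('NameID')}")
    requested = [a.get("Name") for a in q.findall(_a("Attribute"))]
    resp = ET.Element(_p("Response"), {"ID": _new_id(), "Version": "2.0",
                                       "IssueInstant": _now(), "InResponseTo": q.get("ID")})
    ET.SubElement(resp, _a("Issuer")).text = issuer
    status = ET.SubElement(resp, _p("Status"))
    record = repository.get(name_id)
    if record is None:
        top = ET.SubElement(status, _p("StatusCode"), {"Value": STATUS_RESPONDER})
        ET.SubElement(top, _p("StatusCode"), {"Value": STATUS_UNKNOWN_PRINCIPAL})
        return ET.tostring(resp, encoding="unicode")
    ET.SubElement(status, _p("StatusCode"), {"Value": STATUS_SUCCESS})
    assertion = ET.SubElement(resp, _a("Assertion"),
                              {"ID": _new_id(), "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(assertion, _a("Issuer")).text = issuer
    statement = ET.SubElement(assertion, _a("AttributeStatement"))
    for name in requested:
        if name in record:
            attr = ET.SubElement(statement, _a("Attribute"), {"Name": name})
            for value in record[name]:
                ET.SubElement(attr, _a("AttributeValue")).text = value
    return ET.tostring(resp, encoding="unicode")

def parse_attribute_response(response_xml, expected_query_id):
    """Relying side: reject a response that does not answer our query (replay or
    mix-up), then read status and attributes. Real deployments also verify the XML
    signature (the testbed lists WS-Security); that step is omitted here."""
    r = ET.fromstring(response_xml)
    if r.get("InResponseTo") != expected_query_id:
        raise ValueError("response does not answer the outstanding query")
    code = r.find(f"{_p('Status')}/{_p('StatusCode')}")
    if code.get("Value") != STATUS_SUCCESS:
        detail = code.find(_p("StatusCode"))
        return None, (detail.get("Value") if detail is not None else code.get("Value"))
    attrs = {a.get("Name"): [v.text for v in a.findall(_a("AttributeValue"))]
             for a in r.iter(_a("Attribute"))}
    return attrs, STATUS_SUCCESS

def lookup(name_id, attribute_names, relying_party="https://pacs.example.gov",
           authority="https://fero.example.gov"):
    """Whole exchange in one call: query, answer, verify, return (attributes, status)."""
    qid, query = build_attribute_query(relying_party, name_id, attribute_names)
    return parse_attribute_response(answer_attribute_query(query, authority), qid)

if __name__ == "__main__":
    print(lookup("piv-i:1234567890", ["urn:example:fero:certification", "urn:example:fero:clearance"]))
    print(lookup("piv-i:0000000000", ["urn:example:fero:certification"]))
```

Two behaviours matter for a PACS consumer: the authority never releases attributes that were not asked for (jurisdiction stays home when only certification and clearance are queried), and the relying side binds the response to its own query ID before trusting anything in it.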

Logical and Physical Access Control Systems Convergence

(video shown)

Execution Model

Capability Need: Centralized access control management; utilize PIV/PIV-I credentials
Technology: Develop a standard interface between physical and logical access control systems
Impact: Security; remote and central access management; granular access control; smaller footprint; usability; reduced cost
Transition: Proof-of-concept pilot, transition to industry
Customer: Fusion Center, FEMA, CSO/CIO

Cyber-Physical Access Control System Convergence

§ Requirement for access control management using PIV and PIV-I
§ Interoperability testing at the S&T IdM Testbed
§ Test the Physical Access Control System against the "logical" Policy Decision Point
§ PACS vendors integrate software based on the standard interfaces
§ XACML (eXtensible Access Control Markup Language): open standard access control policy language

Diagram: Requestor, Policy Enforcement Point, Policy Decision Point (steps 1 to 5 in the original diagram)
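The Requestor / PEP / PDP exchange on this slide, as an added example that is not the deck's or the DHS pilot's code: a door reader acting as Policy Enforcement Point encodes the card holder's attributes as an XACML 3.0 Request, a central "logical" Policy Decision Point evaluates it and returns an XACML Response, and the reader fails closed on anything other than an explicit Permit. The category and AttributeId URNs for subject, resource and action are the standard XACML ones; the urn:example attribute identifiers, the door names, the policy contents and the sample card holders are assumptions constructed for the example, and the policy is a Python dict standing in for an XACML Policy document.

```python
# Added example: toy XACML 3.0 PEP/PDP round trip for a door reader (PACS)
# asking a central "logical" PDP. Policy contents, door names and the
# urn:example attribute identifiers are assumptions, not taken from the deck.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Assumed attribute identifiers carried over from PIV enrollment.
PIV_AUTH = "urn:example:piv:card-authenticated"   # reader verified certificate and PIN
CLEARANCE = "urn:example:piv:clearance"
JOB_FUNCTION = "urn:example:piv:job-function"
ET.register_namespace("xacml3", XACML)

def _q(tag):
    return f"{{{XACML}}}{tag}"

def build_request(subject_attrs, resource_id, action_id="enter"):
    """PEP side: encode one door request as an XACML 3.0 <Request>."""
    req = ET.Element(_q("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for category, attrs in ((SUBJECT_CAT, subject_attrs),
                            (RESOURCE_CAT, {RESOURCE_ID: resource_id}),
                            (ACTION_CAT, {ACTION_ID: action_id})):
        holder = ET.SubElement(req, _q("Attributes"), {"Category": category})
        for attr_id, value in attrs.items():
            attr = ET.SubElement(holder, _q("Attribute"), {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(attr, _q("AttributeValue"), {"DataType": XSD_STRING}).text = str(value)
    return ET.tostring(req, encoding="unicode")

def parse_request(xml_text):
    """PDP side: flatten the <Request> into {category: {attribute_id: value}}."""
    flat = {}
    for holder in ET.fromstring(xml_text).findall(_q("Attributes")):
        bucket = flat.setdefault(holder.get("Category"), {})
        for attr in holder.findall(_q("Attribute")):
            bucket[attr.get("AttributeId")] = attr.findtext(_q("AttributeValue"))
    return flat

# Assumed policy, a dict stand-in for an XACML <Policy>: every listed subject
# attribute must hold one of the allowed values, otherwise the rule denies.
POLICY = {
    "door:lobby": {PIV_AUTH: {"true"}},
    "door:fusion-center-ops": {
        PIV_AUTH: {"true"},
        CLEARANCE: {"SECRET", "TOP SECRET"},
        JOB_FUNCTION: {"analyst", "watch-officer"},
    },
}

def decide(xml_request):
    """PDP: Permit only when every rule attribute matches; unknown door -> NotApplicable."""
    flat = parse_request(xml_request)
    subject = flat.get(SUBJECT_CAT, {})
    rule = POLICY.get(flat.get(RESOURCE_CAT, {}).get(RESOURCE_ID))
    if rule is None:
        return "NotApplicable"
    if all(subject.get(attr_id) in allowed for attr_id, allowed in rule.items()):
        return "Permit"
    return "Deny"

def build_response(decision):
    """PDP side: wrap the decision in an XACML 3.0 <Response>."""
    resp = ET.Element(_q("Response"))
    result = ET.SubElement(resp, _q("Result"))
    ET.SubElement(result, _q("Decision")).text = decision
    status = ET.SubElement(result, _q("Status"))
    ET.SubElement(status, _q("StatusCode"), {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"})
    return ET.tostring(resp, encoding="unicode")

def pep_unlock(xml_response):
    """PEP side: fail closed. Only an explicit Permit opens the door; Deny,
    NotApplicable, Indeterminate or an unparseable response all keep it shut."""
    try:
        decision = ET.fromstring(xml_response).findtext(f"{_q('Result')}/{_q('Decision')}")
    except ET.ParseError:
        return False
    return decision == "Permit"

def request_entry(subject_attrs, door):
    """Whole exchange: reader (PEP) -> PDP -> reader; True means the door unlocks."""
    return pep_unlock(build_response(decide(build_request(subject_attrs, door))))

# Constructed sample card holders (not real credentials).
ANALYST = {SUBJECT_ID: "piv:0000000001", PIV_AUTH: "true", CLEARANCE: "SECRET", JOB_FUNCTION: "analyst"}
CONTRACTOR = {SUBJECT_ID: "piv-i:0000000002", PIV_AUTH: "true", CLEARANCE: "PUBLIC TRUST", JOB_FUNCTION: "facilities"}
NO_PIN = {SUBJECT_ID: "piv:0000000003", PIV_AUTH: "false", CLEARANCE: "SECRET", JOB_FUNCTION: "analyst"}

if __name__ == "__main__":
    for who, door in ((ANALYST, "door:fusion-center-ops"), (CONTRACTOR, "door:fusion-center-ops"), (NO_PIN, "door:lobby")):
        print(who[SUBJECT_ID], door, "unlock" if request_entry(who, door) else "denied")
```

The point for a converged deployment is in pep_unlock: the reader treats the PDP's NotApplicable and Indeterminate results, and any response it cannot parse, exactly like Deny, so a misconfigured policy or a failing PDP link leaves doors locked rather than open.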


Pilot at DC Government


Visit Authorization Process


Visitor Enrollment Kiosk


Lessons Learned

Take Away / Benefits
• Security, interoperability, efficiency, enhanced access control

Innovation-to-Operations
• Team dynamics, dedication, education
• Convergence required constant communication and coordination with many different groups that normally operate independently

Usability
• Kiosk interface
• Speed

Future

Resources

Websites:
http://www.ahcusa.org/PIV-I%20TTWG.htm
http://www.dhs.gov/csd-idm
http://www.dhs.gov/cyber-research
Follow us on Twitter at @dhsscitech

Karyn Higa-Smith DHS Science and Technology Directorate Homeland Security Advanced Research Projects Agency Cyber Security Division Identity, Access, Privacy Research Program Karyn.Higa-Smith@st.dhs.gov

Questions

Additional Resources:
§ Location-based Access Control: https://www.youtube.com/watch?v=j3LXxqW160k
§ Data Privacy Research: http://go.usa.gov/8JZ9
