cis14: physical and logical access control convergence
DESCRIPTION
Karyn Higa-Smith, DHS Science and Technology Directorate. Presentation including a brief demonstration of what is currently going live in a building in Washington, DC: logical access for hundreds of users with smart cards, using XACML, an OASIS standard, for communication between the physical access control system (PACS) and the logical access control system (LACS).
TRANSCRIPT
Cloud Identity Summit 2014 Getting Physical: Holistic Identity Management
22 July 2014
Karyn Higa-Smith Program Manager Cyber Security Division Homeland Security Advanced Research Projects Agency Science and Technology Directorate
Physical and Logical Access Control Convergence
• Presenter’s Name June 17, 2003
CSD Mission & Strategy
CSD MISSION
§ Develop and deliver new technologies, tools and techniques to defend and secure current and future systems and networks
§ Conduct and support technology transition efforts
§ Provide R&D leadership and coordination within the government, academia, private sector and international cybersecurity community
CSD STRATEGY (diagram labels): REQUIREMENTS; Trustworthy Cyber Infrastructure; Cybersecurity Research Infrastructure; Network & System Security and Investigations; Cyber Physical Systems; Transition and Outreach (Government, Venture Capital, IT Security Companies, Open Source, International)
Background
S&T Identity Management Testbed
Diagram components: Attribute Repository; Attribute Aggregator; Policy Decision Point; WS-Security
Identity & Access Management Research & Development
§ PIV-I/FRAC Technology Transition Working Group (TTWG)
§ Public Safety/Emergency Response
§ Security
§ Federated Identity for First Responders
§ National standard, interoperable, and trusted ID credential
§ One voice from the TTWG to policy makers
§ Sharing lessons learned
§ Provide innovative, cost-efficient solutions
Technology Transition Working Group
Diagram labels: PIN; Authorization Information: Certifications, Clearance, Job Function, Citizenship…
Enrollment Elements
• Something you have
• Something you know (PIN, shown as ****)
• Something you are (Bio)
Authentication
Federated Attribute Exchange
End-to-End Standard-Based Attribute Exchange
Diagram components: Authoritative Sources; ERO Entitlements Authoritative Source; F/ERO Repository (Attributes); SPML Service; SPML Gateway; SAML Service; client devices (Handheld, Local Workstation, Smartphone, Tablet)
Diagram protocols: SPML Profile (Create, Read, Update, Delete); SPML Read-Only Profile; SPML Read-Only Request/Response; SAML Request/Response; BAE SAML Profile; Lightweight Protocol (JSON over REST)
OASIS: Organization for the Advancement of Structured Information Standards
F/ERO: Federal/Emergency Response Official
SPML: Service Provisioning Markup Language
SAML: Security Assertion Markup Language
Logical and Physical Access Control Systems
Convergence
*show video*
Capability Need: Centralized access control management; utilize PIV/PIV-I credentials
Technology: Develop a standard interface between physical and logical access control systems
Impact: Security, remote and central access management, granular access control, less footprint, usability, and reduced cost
Transition: proof-of-concept pilot, transition to industry
Customer: Fusion Center, FEMA, CSO/CIO
Execution Model
§ Requirement for access control management using PIV and PIV-I
§ Interoperability testing at the S&T IdM Testbed
§ Test the Physical Access Control System against the “Logical” Policy Decision Point
§ PACS vendors to integrate software code based on the standard interfaces
§ XACML (eXtensible Access Control Markup Language) - open standard access control policy language
Diagram: numbered steps 1 to 5 between the Requestor, the Policy Enforcement Point and the Policy Decision Point
Cyber-Physical Access Control System Convergence
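The PACS-to-PDP exchange sketched above, as an added example that is not code from the presentation, the testbed or the DC pilot: a door controller acting as the XACML Policy Enforcement Point builds a XACML 3.0 Request, and a toy Policy Decision Point evaluates a small deny-overrides policy. The policy content, the attribute ids ("clearance", "credential-status") and the door ids are assumed for illustration; the PDP implements only the string-equal match function. The point a practitioner should take from it is the fail-closed mapping at the end: a door must treat NotApplicable and Indeterminate (for instance a missing attribute) exactly like Deny.

```python
"""Added example, not code from the DHS presentation or the DC pilot: a door
controller (XACML PEP) builds a XACML 3.0 Request and a toy PDP evaluates a
small deny-overrides policy. Attribute ids, door ids and policy are assumed."""
import xml.etree.ElementTree as ET

X = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": X}
STR = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Policy held by the shared "logical" PDP (assumed content): cleared staff may
# open the server room; a revoked credential is denied whatever else matches.
POLICY = f"""<Policy xmlns="{X}" PolicyId="door-policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="server-room-cleared-staff" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">door:server-room</AttributeValue>
        <AttributeDesignator Category="{RESOURCE}" AttributeId="{RESOURCE_ID}" DataType="{STR}" MustBePresent="true"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">secret</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="clearance" DataType="{STR}" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="revoked-credential" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">revoked</AttributeValue>
        <AttributeDesignator Category="{SUBJECT}" AttributeId="credential-status" DataType="{STR}" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

def make_request(subject_attrs, door_id):
    """PEP side: card/directory attributes plus the door id as one XACML 3.0 Request."""
    ET.register_namespace("", X)
    req = ET.Element(f"{{{X}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    for category, attrs in ((SUBJECT, subject_attrs), (RESOURCE, {RESOURCE_ID: door_id})):
        holder = ET.SubElement(req, f"{{{X}}}Attributes", Category=category)
        for attribute_id, value in attrs.items():
            attr = ET.SubElement(holder, f"{{{X}}}Attribute", AttributeId=attribute_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{X}}}AttributeValue", DataType=STR).text = value
    return ET.tostring(req, encoding="unicode")

def _bag(request, category, attribute_id):  # every value of one attribute (empty bag if absent)
    return [v.text for a in request.findall("x:Attributes", NS) if a.get("Category") == category
            for attr in a.findall("x:Attribute", NS) if attr.get("AttributeId") == attribute_id
            for v in attr.findall("x:AttributeValue", NS)]

def _all(results):  # XACML conjunction: False wins, then Indeterminate, then True
    return False if False in results else "Indeterminate" if "Indeterminate" in results else True

def _any(results):  # XACML disjunction: True wins, then Indeterminate, then False
    return True if True in results else "Indeterminate" if "Indeterminate" in results else False

def _match(match, request):
    """One <Match>: the literal must equal some value in the designated attribute's bag."""
    if match.get("MatchId") != STRING_EQUAL:
        return "Indeterminate"  # only string-equal is implemented in this toy PDP
    d = match.find("x:AttributeDesignator", NS)
    bag = _bag(request, d.get("Category"), d.get("AttributeId"))
    if not bag:  # attribute missing: an error if MustBePresent, otherwise simply no match
        return "Indeterminate" if d.get("MustBePresent") == "true" else False
    return match.find("x:AttributeValue", NS).text in bag

def _target(target, request):
    """Target: AND over AnyOf; AnyOf: OR over AllOf; AllOf: AND over Match. Empty Target matches."""
    anyofs = [] if target is None else target.findall("x:AnyOf", NS)
    return _all([_any([_all([_match(m, request) for m in allof.findall("x:Match", NS)])
                       for allof in anyof.findall("x:AllOf", NS)]) for anyof in anyofs])

def evaluate(policy_xml, request_xml):
    """PDP side: deny-overrides over the rules (policy Target assumed empty)."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    outcomes = []
    for rule in policy.findall("x:Rule", NS):
        t = _target(rule.find("x:Target", NS), request)
        if t is True:
            outcomes.append(rule.get("Effect"))
        elif t == "Indeterminate":
            outcomes.append("Indeterminate{%s}" % rule.get("Effect")[0])  # {P} or {D}
    for winner in ("Deny", "Indeterminate{D}", "Permit", "Indeterminate{P}"):
        if winner in outcomes:
            return winner.split("{")[0]
    return "NotApplicable"

def door_decision(decision):
    """Fail closed: Deny, NotApplicable and Indeterminate all leave the door locked."""
    return "unlock" if decision == "Permit" else "locked"

if __name__ == "__main__":
    for subject, door in [({"clearance": "secret", "credential-status": "active"}, "door:server-room"),
                          ({"credential-status": "active"}, "door:server-room")]:
        decision = evaluate(POLICY, make_request(subject, door))
        print(door, subject, "->", decision, door_decision(decision))
```

The deny-overrides ordering in evaluate follows the XACML 3.0 combining algorithm: an explicit Deny wins, a Deny rule that could not be evaluated (Indeterminate{D}) still overrides a Permit, and only then does a Permit count. In a converged deployment the same ordering matters on the PEP: a reader that unlocks on anything other than a well-formed Permit turns a PDP outage or a missing directory attribute into an open door.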
Pilot at DC Government
Visit Authorization Process
Visitor Enrollment Kiosk
Take Away
Benefits
• Security, Interoperability, Efficiency, Enhances Access Control
Innovation-to-Operations
• Team dynamics, dedication, education
• Convergence required constant communication and coordination with many different groups that normally operate independently
Usability
• Kiosk interface
• Speed
Lessons Learned
Future
Resources
Websites
http://www.ahcusa.org/PIV-I%20TTWG.htm
http://www.dhs.gov/csd-idm
http://www.dhs.gov/cyber-research
Follow us on Twitter at @dhsscitech
Karyn Higa-Smith DHS Science and Technology Directorate Homeland Security Advanced Research Projects Agency Cyber Security Division Identity, Access, Privacy Research Program [email protected]
Questions
§ Additional Resources
Location-based Access Control: https://www.youtube.com/watch?v=j3LXxqW160k
Data Privacy Research: http://go.usa.gov/8JZ9