Research and Development: Innovative – Identity and Access Management Attribute Based Access Control Operationalizing the Backend Attribute Exchange profile

Page 1: Research and Development: Innovative - Identity …...Exchange profile Presenter’s Name June 17, 20032 S&T Identity Management Testbed Presenter’s Name June 17, 2003 Attribute

Research and Development: Innovative – Identity and Access Management

Attribute Based Access Control

Operationalizing the Backend Attribute Exchange profile

Page 2:

Presenter’s Name June 17, 2003 2

S&T Identity Management Testbed

Page 3:

Attribute Exchange for Access Control

Page 4:

BAE Profile

[Diagram: Federated Attribute Exchange. Labelled components: SAML v2 Governance Processes; Federal BAE CA; Metadata Distribution Service; BAE Broker Agency A, B, C, D, E and F; Attribute Service Org C-1; Attribute Service Org E-1]

Page 5:

Local and State Participants: Colorado; Maryland; Virginia; District of Columbia; Missouri; Southwest Texas; Pennsylvania; Chester County, PA; Pittsburgh, PA; West Virginia; Hawaii; Rhode Island; Nevada

Technology Transition Working Group

PIV-I/FRAC Technology Transition Working Group (TTWG)
Public Safety/Emergency Response Security
Federated Identity for First Responders
National standard, interoperable, and trusted ID credential
One voice from the TTWG to policy makers
Sharing lessons learned
Provide innovative, cost-effective solutions

Page 6:

Incident Scene Access Provisioning Pilot

[Diagram: Chester County, PA - DHS S&T IdM Testbed. Labelled components: SPML Read-Only Profile Web Service; Handheld; F/ERO Repository; Credential: 1. DHS, FEMA (PIV) 2. DOD (CAC) 3. Chester Co PA (PIV-I); F/ERO Entitlements Authoritative Source; Field Station; Unique F/ERO Identifier; SPML Read-Only Request; SPML Read-Only Response; NO COMMUNICATIONS]

PIV: Personal Identity Verification
PIV-I: PIV-Interoperability
CAC: Common Access Card
OASIS: Organization for the Advancement of Structured Information Standards
F/ERO: Federal/Emergency Response Official
SPML: Service Provisioning Markup Language

Page 7:

End-to-End Attribute Exchange Using Standards

[Diagram: Agency 1, Agency 2 and Agency 3 Authoritative Sources; F/ERO Repository (Attributes); SPML Service; SPML Gateway; SPML Create, Read, Update, Delete Profile; SPML Read-Only Profile Web Service; SAML Service; Local Workstation; Handheld; Tablet; Smartphone]

Page 8:

Verification using Smart Phone

[Screenshot: Samsung Galaxy Nexus smartphone Apps screen]

“Give me a list of all Users with Attribute X, Y, and Z”
“Give me all the Emergency Support Function (ESF) attributes of User X”
“Give me all authorized users for the incident”

Page 9:

S&T Identity Management Testbed - Flow Components

[Diagram: F/ERO Repository; Protocol WS; WS-Security; Radiant Logic; Layer 7; Axiomatics]

Page 10:

[Diagram: Attributes; Permit or Deny]

Page 11:

Cyber-Physical Convergence

Platform collects sensor data from various sources.
Platform provides interoperability between the reader/control and the logical policy decision, based on a standard (XACML).

Page 12:

BAE and GFIPM interoperability

Page 13:

BAE introduced in Cyber Defense Competition

Educating our upcoming workforce on defensive skills in cyberspace

Providing real-world, hands-on experience

Educating students in securing network infrastructures

Inserted the Backend Attribute Exchange and learned some real-world lessons

Page 14:

Resources

Websites:
http://www.ahcusa.org/PIV-I%20TTWG.htm
https://www.cyber.st.dhs.gov/idmdp.html
http://www.idmanagement.gov/documents/BAE_v2_Overview_Document_Final_v1.0.0.pdf

Page 15:

Contact Information

Karyn Higa-Smith
DHS Science and Technology Directorate, Cyber Security Division
Identity Management Research Program Manager
Homeland Security Advanced Research Projects Agency
[email protected]
202.254.5335