Interagency Advisory Board - FIPS201.com


Page 1:

Interagency Advisory Board Meeting Agenda, May 27, 2010

1. Opening Remarks

2. PIV-I Status (Judy Spencer, GSA)

3. PIV Test Requirements (Dave Temoshok, GSA)

4. ICAM Progress at USDA (Owen Unangst, USDA)

5. PIV-I Discussion Panel (Jim Hatcher, Mike Mestrovich, Chris Louden, Rebecca Nielson)

6. FIWG Status Update (Corinne Irwin, NASA)

7. LAWG Status Update (Bill Erwin, GSA)

8. Closing Remarks

Page 2:

U.S. Department of Agriculture
Office of the Chief Information Officer
Innovative & Operational Architecture

USDA – Identity, Credential and Access Management: What We’re Doing; Where We’re Going

June, 2010

Simplifying Business Delivery

Improving Our Security Posture

Enabling Trust & Privacy

Reducing Costs & Increasing Efficiency

Page 3:


Defining “Ownership”: Identify & Implement the Technical Architecture

[Architecture diagram. Systems shown: HR Systems, AgLearn, HSPD-DM ePACS, XeGov, AD, eAuth DB, EIDS, FSA Application, FS Adam, Supplemental Two-Factor, OCIO ITS AD, RISO (Pilot), Readiness (Rollout), WCTS AD, FSA Application?, Enterprise Financial Application?, AgLearn Course Status, NFC?, NITC?, Person Model, …; 44 Active Directories]

Completion Goal: March, 2011

Page 4:


Defining “Ownership”: Improve the Access Control Processes

[Access control process diagram. Process areas: Role Management, Entitlement Provisioning, Access Administration, Access Management (Authentication, Authorization), Access Enforcement, with Compliance, Auditing and Reporting across all of them. Targets: Systems (mainframes, servers, workstations, Blackberry devices, …), Applications (enterprise applications, agency applications, …), Facilities (buildings, rooms, quarantine areas, …).]

Page 5:


Defining “Ownership”: Don’t Quit Until You Really Improve Something

[Role model diagram linking the HR System (organization, position/role) to the Enterprise Entitlement Management System and to application roles. Organization positions/roles (examples): USDA Emp, County Director, FSA Supervisor, FSA Emp. Functions (examples): AgLearn User, PACS User, WebTA User, AD User. Application roles (examples): EmpowHR Emp, CRP Approver, AgLearn S’visor, DCP Approver, WebTA S’visor, EmpowHR S’visor. Application functions: AgLearn – Create LP, Approve LP, Take Courses; AD – Domain Acct; WebTA – Create T&A, Create Leave, Approve T&A, Approve Leave; EmpowHR – Create Perf Plan, Approve P-Plan; ePACS – Access to xyz; DCP – Approve App; CRP – Approve App. Example users: Joe, Betty, Tom, Alice, Carl.]

Manual Process:

- Over 200 persons to manage roles

- 73 to handle audit issues

One More Thought:

• If Joe changes position, what happens?

• If Joe retires, what happens?

Page 6:


“Back Room” Critical Success Factors: Recognize Organizational Maturity/Culture & Plan For It (Page 1 of 2)

• Projects will touch virtually every individual and user in the organization

• Get a Sponsor who is an allowance holder and has access to no less than the Deputy Secretary

• Charter an Executive Steering Team with:
  – IT Sr. Execs.
    • Cyber Security, Data Center Ops, SOC
  – Other Sr. Execs.
    • Finance, HR, Audit Compliance, Corporate Risk Management, Physical Security, Personnel Security …

• Find a World-Class Team with “Creative but Realistic” People
  – Communicate
  – Use Carrots, but when necessary, a Stick
  – Recognize organizational change concepts

Page 7:


“Back Room” Critical Success Factors: Recognize Organizational Maturity/Culture & Plan For It (Page 2 of 2)

• Don’t automate broken/cumbersome processes

• Understand organizational readiness before introducing changes

• Introduce services early that add most value to processes with minimal change (low hanging fruit, quick wins)

• Understand and Utilize PMBOK’s Knowledge Areas

Page 8:


A General Description of the Technologies

[Technology roadmap diagram. Components: Role and Compliance Manager (RCM), Federation Manager, Enterprise Directory (eDir), Identity Manager (IdM), Radiant Logic ICS, SOA Security Manager, eAuth (SiteMinder), Access Control, Enterprise Single Sign-On (ESSO), EEMS. Integration targets: F.S. App, FSA App, AgLearn, eAuth, FS Elevated Privilege, NFC Elevated Privilege, FS/DOI Federation, AC/NAC, Future Apps, Agency AD’s. Milestones shown on the diagram: Done, 7/1, 9/1, 9/10, 1/11, 3/11, FY11, FY12.]

Page 9:

Identity Manager (IdM)

• IdM is the core product of EEMS (the Enterprise Entitlement Management System)
  – Administrative interfaces
  – Provisioning and deprovisioning of identities and entitlements
  – Rule-based policy management
  – Role-based access control
  – Monitoring and reporting capabilities

Page 10:


Radiant Logic Identity Correlation and Synchronization Server (ICS)

• Provides bidirectional data synchronization and abstracted directory virtualization services

• Greatly simplifies the management of identity across disparate data stores

• Detects changes in data sources and transforms and propagates them to consuming systems

Page 11:

Role & Compliance Manager (RCM)

• Provides support to quickly and accurately develop, maintain, and analyze role models

• Manage centralized compliance policies
  – Uses advanced pattern recognition analysis to prevent improper privilege escalation and separation of duties (SOD) policy violations

• Also used to map roles and entitlements in existing data stores during IdM integration
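The following is an added example (not code from the slides or from USDA) of the role model behind the “Joe” slide on page 5, the provisioning/deprovisioning that IdM performs, and the mapping of existing entitlements against roles that RCM does during integration. Position, role and entitlement names are taken from the slide’s examples; the mappings between them are assumptions, not USDA’s actual role model.

```python
# Constructed role model: HR position -> roles -> (application, function)
# entitlements. Names come from the slide; the mappings are assumed.
POSITION_ROLES = {
    "USDA Emp": {"AgLearn User", "PACS User", "WebTA User", "AD User", "EmpowHR Emp"},
    "FSA Supervisor": {"AgLearn S'visor", "WebTA S'visor", "EmpowHR S'visor"},
    "County Director": {"CRP Approver", "DCP Approver"},
}

ROLE_ENTITLEMENTS = {
    "AgLearn User": {("AgLearn", "Take Courses")},
    "AgLearn S'visor": {("AgLearn", "Create LP"), ("AgLearn", "Approve LP")},
    "WebTA User": {("WebTA", "Create T&A"), ("WebTA", "Create Leave")},
    "WebTA S'visor": {("WebTA", "Approve T&A"), ("WebTA", "Approve Leave")},
    "EmpowHR Emp": {("EmpowHR", "Create Perf Plan")},
    "EmpowHR S'visor": {("EmpowHR", "Approve P-Plan")},
    "PACS User": {("ePACS", "Access to xyz")},
    "AD User": {("AD", "Domain Acct")},
    "CRP Approver": {("CRP", "Approve App")},
    "DCP Approver": {("DCP", "Approve App")},
}


def entitlements_for(positions):
    """Entitlements a person holds purely by virtue of current HR positions."""
    ents = set()
    for pos in positions:
        for role in POSITION_ROLES.get(pos, ()):
            ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def plan_changes(old_positions, new_positions):
    """(grant, revoke) sets for a mover. Pass an empty new set for a leaver
    (Joe retires): everything the old positions implied is revoked."""
    before = entitlements_for(old_positions)
    after = entitlements_for(new_positions)
    return after - before, before - after


def unjustified(actual_grants, positions):
    """Grants found in an application that no current role explains: the
    orphaned access a manual, 200-person role process tends to leave behind."""
    return set(actual_grants) - entitlements_for(positions)
```

Running `plan_changes` with Joe moving from County Director to FSA Supervisor revokes his CRP/DCP approvals and grants the supervisor functions, while his USDA Emp entitlements are untouched.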

Page 12:

Enterprise Directory

• Provides a comprehensive view of predefined authoritative data managed by IdM for all users across the USDA enterprise

• Allows enterprise-class applications to leverage the Enterprise Directory for authentication and authorization services

• Bypasses reliance upon 75+ non-trusted Active Directory forests for authentication and authorization

Page 13:

Access Control

• Provides host access control and privileged user management
  – Manage heterogeneous servers, applications, and devices through a “single pane of glass” using a PIV Card

• Privileged User Password Management (PUPM)
  – One-time password (OTP) scheme (integrated with PIV) for privileged accounts
  – Also allows agencies to eliminate hard-coded passwords from code and scripts

Page 14:

Enterprise Single Sign-On (ESSO)

• Allows agencies to integrate difficult legacy applications
  – AS/400
  – Mainframe
  – Custom built and legacy programs

• Provides central administration of application access privileges, audit capabilities, and strong authentication

• Improves user convenience and reduces helpdesk support

• Leverages a client-side utility that proxies username/password synchronization with the target application

Page 15:

Federation Manager

• A “bolt-on” service to the existing USDA eAuthentication service

• Supports SAML assertions
  – Allows eAuth to perform Identity Provider (IdP) services for USDA users to external agency services
  – Accepts assertions from external IdPs for access to eAuth-protected services

• USDA applications and eAuthentication are freed from the cost and effort of identity-proofing and credential issuance and management for non-USDA users
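Accepting assertions from external IdPs is the sensitive half of the federation described above. The following is an added example (not code from the slides or from USDA’s eAuth) of the condition checks a relying party must apply to an inbound SAML 2.0 assertion after its XML signature has been verified by a proper library such as xmlsec; the issuer and audience URLs are constructed placeholders.

```python
# Added example: relying-party checks on a SAML assertion whose signature has
# already been verified. Issuer/audience values are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.example-agency.gov/idp"}  # constructed
OUR_AUDIENCE = "https://eauth.example.gov/sp"             # constructed
CLOCK_SKEW = timedelta(minutes=2)
_seen_ids = set()  # replay cache; production needs shared storage with a TTL

def _ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now=None):
    """Return (True, subject_name_id) or (False, reason). Fails closed."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion"
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer %r" % issuer
    cond = a.find("saml:Conditions", NS)
    nb = cond.get("NotBefore") if cond is not None else None
    noa = cond.get("NotOnOrAfter") if cond is not None else None
    if nb is None or noa is None:
        return False, "missing validity window"
    if now + CLOCK_SKEW < _ts(nb) or now - CLOCK_SKEW >= _ts(noa):
        return False, "outside validity window"
    audiences = [e.text.strip() for e in
                 cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if OUR_AUDIENCE not in audiences:  # no AudienceRestriction at all also fails
        return False, "audience mismatch"
    aid = a.get("ID")
    if not aid or aid in _seen_ids:  # each assertion may be consumed once
        return False, "missing or replayed assertion ID"
    _seen_ids.add(aid)
    subject = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (True, subject) if subject else (False, "missing subject")

# Constructed sample assertion (Signature element omitted; see header comment).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_constructed-1" Version="2.0" IssueInstant="2010-06-01T12:00:00Z">
 <saml:Issuer>https://idp.example-agency.gov/idp</saml:Issuer>
 <saml:Subject><saml:NameID>joe@example-agency.gov</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2010-06-01T12:00:00Z" NotOnOrAfter="2010-06-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://eauth.example.gov/sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions></saml:Assertion>"""
```

Validating `SAMPLE` at 12:02 UTC succeeds once; presenting the same assertion again, a stale one, or one from an issuer outside the trusted set is rejected with the reason.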

Page 16:

SOA Security Manager (SOA-SM)

• Delivers a comprehensive standards-based SOA/WS security platform
  – Enables identity-centric Web Services security including authentication and fine-grained authorization based on the requestor’s identity (person or application)
  – Provides XML security and centrally managed security policy administration and enforcement

• Supports identity and context-aware security services

• Tightly integrated with Directory, Federation Manager, Site Minder, and Identity Manager

Page 17:

Questions?