Securing Access Through a Multi-Purpose Credential and Digital ID

Post on 10-May-2015


Breakout Session at the 2014 IRM Summit in Phoenix, Arizona by Stephan Papadopulos, Managing Director at the Triage Group.

Transcript of Securing Access Through a Multi-Purpose Credential and Digital ID

Securing Access through a Multi-Purpose Credential and Digital ID

ForgeRock Identity Relationship Management Summit

June 4, 2014

• Stephan Papadopulos, Managing Director, The Triage Group

• Washington, DC-based Woman-Owned Business

• Healthcare and Emergency Response IT and Business Consulting Firm

• ForgeRock Systems Integration Partner with deep Identity and Access Management experience

Introduction


Challenge: Multiple Agencies, Multiple Cards

• The DC One Card is designed to give cardholders convenient access to DC government facilities, resources and programs

• Provides immediate benefits by incorporating WMATA SmarTrip® capabilities

• Reduces citywide credentialing inefficiencies and reduces costs

• Establishes single trusted identity for DC stakeholders

• Consolidates Constituent Touch Points

DC One Card Overview


DC One Card Program: Physical and Digital Credentials

[Diagram: Citizens have multiple ID cards and multiple online identities. Agency A, Agency B, Agency C and Agency D each issue their own User ID and Password.]

Objectives

• Convenience

• Physical and Digital ID Consolidation

• Improved Constituent Relationships

• Security

• Cost Savings

• Fraud Reduction

• Improved Access

[Mockup: a DC One ID login (Username, Password) and the DCPS Google Apps Login page for @dcpsk12.edu, offering "Connect using your DC One ID" as an alternative sign-in.]

How it Works

Physical Credential Features

• 12-digit barcode number ties to the individual and can be read with a basic scanner

• Embedded chips can be used to control physical access to facilities and transit

• The PIV-I with smart chip secures access to high-risk systems and facilities

• Mag stripe for future banking use

Online Digital Identity Features

• A single digital identity can be used to access multiple online systems, eliminating the need for users to remember numerous passwords

[Mockup: DC One ID login (Username, Password) beside the DCPS Google Apps Login page for @dcpsk12.edu with "Connect using your DC One ID".]

How it Works: Creating a Digital Account

[Mockup: account-creation screens showing a DCPS student address (@student.k12.dc.us), a "forgot username?" link, and the DCPS Google Apps Login page (@dcpsk12.edu) with "Connect using your DC One ID" as the alternative sign-in.]

How it Works: Federated Identity for SSO
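The slide shows the federated login from the relying party's side: the school's Google Apps domain hands authentication to the DC One ID platform and receives an assertion about the user. What makes that safe is the checks the service provider runs before trusting the assertion. The following is an added example and is not code from the DC One Card program, ForgeRock or Google. It models the service-provider checks on a SAML 2.0 assertion (trusted issuer, audience restriction, validity window with clock skew, one-time use of the assertion ID). The entity IDs, the assertion and the student address are constructed, and XML-DSig verification of the assertion against the IdP's signing certificate is assumed to have already passed; it is a prerequisite for these checks and is not implemented here.

```python
"""Service-provider side of the federated login shown on the slide.

Added example, not code from the DC One Card program, ForgeRock or Google.
The IdP (DC One ID) issues a SAML 2.0 assertion; the SP (the DCPS Google
Apps domain) checks issuer, audience, validity window and one-time use
before trusting the subject. Entity IDs and the assertion are constructed.
XML-DSig verification against the IdP's certificate is a prerequisite for
these checks and is not implemented here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUSTED_ISSUER = "https://idp.dc1c.example/idp"   # hypothetical IdP entityID
MY_ENTITY_ID = "google.com/a/dcpsk12.edu"         # hypothetical SP entityID
CLOCK_SKEW = timedelta(minutes=2)                 # tolerated IdP/SP clock drift

# Constructed sample assertion (signature assumed already verified).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0"
    ID="_3f0b8c1e9a" IssueInstant="2014-06-04T14:00:00Z">
  <saml:Issuer>{TRUSTED_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      >jdoe0000@student.k12.dc.us</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-06-04T14:00:00Z"
                   NotOnOrAfter="2014-06-04T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>{MY_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids):
    """Return (True, NameID) if the assertion may be trusted, else (False, reason).

    seen_ids is the SP's replay cache: assertion ID -> time after which the
    assertion could no longer be valid anyway. It is pruned on every call."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion"
    if root.findtext(f"{{{SAML}}}Issuer") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    conditions = root.find(f"{{{SAML}}}Conditions")
    if conditions is None or not conditions.get("NotOnOrAfter"):
        return False, "missing validity conditions"
    not_on_or_after = parse_utc(conditions.get("NotOnOrAfter"))
    if now >= not_on_or_after + CLOCK_SKEW:
        return False, "assertion expired"
    not_before = conditions.get("NotBefore")  # optional in SAML 2.0
    if not_before and now < parse_utc(not_before) - CLOCK_SKEW:
        return False, "assertion not yet valid"
    audiences = {a.text for a in conditions.iter(f"{{{SAML}}}Audience")}
    if MY_ENTITY_ID not in audiences:
        return False, "audience mismatch"  # issued for some other SP
    for stale in [i for i, until in seen_ids.items() if until <= now]:
        del seen_ids[stale]
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed assertion ID"
    seen_ids[assertion_id] = not_on_or_after + CLOCK_SKEW
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id:
        return False, "no subject"
    return True, name_id.strip()
```

The order matters: the replay cache is only written once every other check has passed, so a forged or misdirected assertion cannot poison it, and entries are dropped as soon as the assertion they protect against has expired, which keeps the cache bounded without losing protection.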

DC1C IAM Framework

Service areas: Identity Management Services, Credential Management Services, Access Management Services, and Governance, Policies and Procedures.

• Identity Administration: User Provisioning; Password Management; Role Management

• Identity Auditing: Reporting; Fraud Detection; Identity Reconciliation

• Identity Verification: Identity Proofing; User Authentication

• Directory Management: Directory / SSO Services; Metadata Management; Virtual Directory Management

• Credential Management: Card / Token Issuance Lifecycle; Revoke / Reissue Cards / Tokens

• Credential Application Definition Management: PIV / PIV-I; HID; Other

• Advanced Security / Key Management: Certificate Authority; Encryption; Digital Signatures; PKI-enabled Authentication; OCSP / Validation

• Logical Access Management: Authentication; Application Authorization; Single Sign-on and Federation; Virtual Directory Synchronization

• Physical Access: Facility Entitlements; Situational Controls

• Policy Management: Policy Administration; Policy Enforcement; Organizational Alignment

• Security Services: Platform Security; Web Services Security

• Service Management: Service Desk Integration; Service Operations

Deployment tiers shown on the diagram: Local Agency Systems, Centralized Systems, Centralized / Managed Services.

Converged IAM Platform Logical Architecture

[Diagram: Identity sources (Employees (HCM), Contractors, Public / Visitors, Schools, BAE) feed the IAM Platform, which comprises Identity Management, the IAM Txn Database, LDAP and Credential Issuance. Access Management (OpenAM) provides SSO and access enforcement in front of the Physical Control Systems and the Logical Apps.]

Single Sign-on Authentication Mechanisms

[Diagram: two authentication mechanisms, the DC One ID and the DC One Card, both authenticated through the IAM Platform.]

Case Study: PIV/PIV-I PACS/LACS (Physical and Logical Access Control Systems)

Case Study: Entitlements

• Access Policies Set in OpenAM

• IdM Manages PIV-I Issuance

• PIV Registered After Issuance

Case Study: Enrollment Kiosk

• Authenticates and Validates Visitor Credential

• Matches Card Data to Entitlement Policy

Case Study: Lobby Entry

• Reads, Authenticates and Validates PIV Credential

• Sends XACML Access and Attribute Request to OpenAM

• Opens Turnstile on Permit Decision
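The three case studies describe one pipeline: the credential is read and validated against what IdM registered at issuance, the access request goes to OpenAM as a XACML request, and the turnstile opens only on a Permit decision. The following is an added example and is not code from the DC One Card program or from OpenAM; it walks that pipeline end to end in Python with a small local policy decision point standing in for OpenAM. The card reads, the registration and revocation tables, the UUIDs and the entitlement policy are constructed sample data, and the cryptographic challenge-response against the card's Card Authentication key is assumed to have been completed by the reader before the flow starts. The XACML 3.0 namespace, category and attribute identifiers are the standard ones.

```python
"""Lobby-entry flow from the case study: validate the PIV/PIV-I credential,
send a XACML 3.0 request to the policy decision point, open the turnstile
only on an explicit Permit.

Added example, not code from the DC One Card program or OpenAM. decide()
is a small local stand-in for the OpenAM policy decision point; the card
reads, registry, revocation list and entitlement policy are constructed."""
from dataclasses import dataclass
from datetime import datetime
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CURRENT_TIME = "urn:oasis:names:tc:xacml:1.0:environment:current-time"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
XS_TIME = "http://www.w3.org/2001/XMLSchema#time"


@dataclass(frozen=True)
class CardRead:
    """What the reader recovers from the card. The PKI challenge-response
    against the Card Authentication key is assumed to have passed already."""
    credential_id: str        # FASC-N (PIV) or UUID (PIV-I) from the card cert
    cert_not_after: datetime  # expiry of that certificate

# Constructed stand-ins (hypothetical UUIDs) for IdM's "PIV registered after
# issuance" table and Credential Management's revocation list.
REGISTRY = {
    "urn:uuid:2f1e0c1a-5a7b-4d2c-9e3f-1b2c3d4e5f60": "contractor-4471",
    "urn:uuid:7c9d8e6f-1122-4a33-b544-55667788990a": "employee-0098",
}
REVOKED = {"urn:uuid:7c9d8e6f-1122-4a33-b544-55667788990a"}

# Constructed facility entitlements: permitted lobbies and hours (UTC).
POLICY = {
    "contractor-4471": ({"judiciary-square-lobby"}, (7, 19)),
    "employee-0098": ({"judiciary-square-lobby", "wilson-lobby"}, (0, 24)),
}


def validate_credential(card, now, registry=REGISTRY, revoked=REVOKED):
    """Step 1: registered, not revoked, not expired.
    Returns (subject_id, None) on success or (None, reason) on failure."""
    if card.credential_id not in registry:
        return None, "credential not registered"
    if card.credential_id in revoked:
        return None, "credential revoked"
    if now >= card.cert_not_after:
        return None, "card certificate expired"
    return registry[card.credential_id], None


def build_xacml_request(subject_id, resource_id, action_id, now):
    """Step 2: the XACML 3.0 <Request> the PACS sends to the PDP."""
    req = ET.Element(f"{{{XACML}}}Request",
                     {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for category, attr_id, datatype, value in (
        (SUBJECT_CAT, SUBJECT_ID, XS_STRING, subject_id),
        (RESOURCE_CAT, RESOURCE_ID, XS_STRING, resource_id),
        (ACTION_CAT, ACTION_ID, XS_STRING, action_id),
        (ENV_CAT, CURRENT_TIME, XS_TIME, now.strftime("%H:%M:%S")),
    ):
        attrs = ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": category})
        attr = ET.SubElement(attrs, f"{{{XACML}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue",
                      {"DataType": datatype}).text = value
    return ET.tostring(req)


def decide(request_xml, policy=POLICY):
    """Step 3, local stand-in for OpenAM: evaluate the request against the
    entitlement policy. Anything not explicitly permitted is Deny."""
    root = ET.fromstring(request_xml)
    found = {}
    for attr in root.iter(f"{{{XACML}}}Attribute"):
        found[attr.get("AttributeId")] = attr.findtext(f"{{{XACML}}}AttributeValue")
    entitlement = policy.get(found.get(SUBJECT_ID))
    if entitlement is None or found.get(ACTION_ID) != "enter":
        return "NotApplicable"  # no policy targets this subject/action
    facilities, (start, end) = entitlement
    time_value = found.get(CURRENT_TIME) or ""
    hour = int(time_value.split(":")[0]) if time_value else -1  # no time: Deny
    if found.get(RESOURCE_ID) in facilities and start <= hour < end:
        return "Permit"
    return "Deny"


def lobby_entry(card, facility, now):
    """Step 4: the turnstile opens only on an explicit Permit. A failed
    credential check never reaches the PDP, and NotApplicable stays shut."""
    subject_id, reason = validate_credential(card, now)
    if subject_id is None:
        return False, reason
    decision = decide(build_xacml_request(subject_id, facility, "enter", now))
    return decision == "Permit", decision
```

Two points the case study bullets imply but do not spell out are visible here: the PACS refuses a card that IdM never registered or that Credential Management has revoked before any policy request is made, and the turnstile treats every decision other than Permit (Deny, NotApplicable, or an error) as a closed gate.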


• Deanwood Customer Service Center

• One Judiciary Square Customer Service Center

• Wilson Customer Service Center

• DCPS Secondary Schools (DCPS Student and Staff DC One Cards Only)

Ever in Washington, DC? Get a DC One Card, they're free!

Conclusion: Good, Fast, Cheap – Pick Two

Questions?