Breakout Session at the 2014 IRM Summit in Phoenix, Arizona by Stephan Papadopulos, Managing Director at the Triage Group.
Securing Access through a Multi-Purpose Credential and Digital ID
ForgeRock Identity Relationship Management Summit
June 4, 2014
Introduction
• Stephan Papadopulos, Managing Director, The Triage Group
• Washington, DC-based Woman-Owned Business
• Healthcare and Emergency Response IT and Business Consulting Firm
• ForgeRock Systems Integration Partner with deep Identity and Access Management experience
Challenge: Multiple Agencies, Multiple Cards

DC One Card Overview
• The DC One Card is designed to give cardholders convenient access to DC government facilities, resources and programs
• Provides immediate benefits by incorporating WMATA SmarTrip® capabilities
• Reduces citywide credentialing inefficiencies and reduces costs
• Establishes a single trusted identity for DC stakeholders
• Consolidates Constituent Touch Points
DC One Card Program: Physical and Digital Credentials
• Citizens have multiple ID cards
• Citizens have multiple online identities (a separate User ID and Password for each of Agency A, Agency B, Agency C and Agency D)
Objectives:
• Convenience
• Physical and Digital ID Consolidation
• Improved Constituent Relationships
• Security
• Cost Savings
• Fraud Reduction
• Improved Access
[Slide graphic: a single DC One ID username/password login, alongside the DCPS Google Apps login page (@dcpsk12.edu) offering "Connect using your DC One ID" as an alternative]
How it Works
Physical Credential Features:
• 12-digit barcode number ties to the individual and can be easily read with a basic scanner
• Embedded chips can be used to control physical access to facilities and transit
• The PIV-I with Smart Chip secures access to high-risk systems and facilities
• Mag Stripe for future banking use
Online Digital Identity Features:
• A single digital identity can be used to access multiple online systems, eliminating the need for users to remember numerous passwords
[Slide graphic: DC One ID username/password login, alongside the DCPS Google Apps login page (@dcpsk12.edu) offering "Connect using your DC One ID" as an alternative]
How it Works: Creating Digital Account

How it Works: Federated Identity for SSO
[Slide graphic: DCPS Google Apps login pages (@student.k12.dc.us and @dcpsk12.edu) with the "Connect using your DC One ID" option and a "forgot username?" link]
DC1C IAM Framework
Identity Management Services
• Identity Administration: User Provisioning, Password Management, Role Management
• Identity Auditing: Reporting, Fraud Detection, Identity Reconciliation
• Identity Verification: Identity Proofing, User Authentication
Credential Management Services
• Credential Management: Card / Token Issuance Lifecycle, Revoke / Reissue Cards / Tokens
• Credential Application Definition Management: PIV / PIV-I, HID, Other
Access Management Services
• Logical Access Management: Authentication, Application Authorization, Single Sign-on and Federation, Virtual Directory Synchronization
• Physical Access: Facility Entitlements, Situational Controls
• Directory Management: Directory / SSO Services, Metadata Management, Virtual Directory Management
Advanced Security / Key Management
• Certificate Authority, Encryption, Digital Signatures, PKI-enabled Authentication, OCSP / Validation
Governance, Policies and Procedures
• Policy Management: Policy Administration, Policy Enforcement, Organizational Alignment
• Security Services: Platform Security, Web Services Security
• Service Management: Service Desk Integration, Service Operations
Deployment tiers shown on the diagram: Local Agency Systems, Centralized Systems, Centralized / Managed Services
Converged IAM Platform Logical Architecture
[Slide diagram, summarized:]
• Identity Sources: Employees (HCM), Contractors, Public / Visitors, Schools, BAE
• IAM Platform: Identity Management, IAM Txn Database, LDAP, Access Management (OpenAM), Credential Issuance
• SSO and Access Enforcement: Physical Control Systems, Logical Apps
Single Sign-on Authentication Mechanisms
[Slide diagram: the DC One ID and the DC One Card both authenticate to the IAM Platform]

Case Study: PIV/PIV-I PACS/LACS
Case Study: Entitlements
• Access Policies Set in OpenAM
• IdM Manages PIV-I Issuance
• PIV Registered After Issuance
Case Study: Enrollment Kiosk
• Authenticates and Validates Visitor Credential
• Matches Card Data to Entitlement Policy
Case Study: Lobby Entry
• Reads, Authenticates and Validates PIV Credential
• Sends XACML Access and Attribute Request to OpenAM
• Opens Turnstile on Permit Decision
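The lobby-entry flow above (reader validates the PIV credential, the turnstile sends a XACML access request carrying card attributes to a policy decision point, and the gate opens only on Permit) as an added, constructed example; this is not code from the deck, from the DC One Card program or from OpenAM. The XACML 3.0 namespace, attribute categories and subject/resource/action identifiers are the standard OASIS ones; the role and credential-status attribute ids (urn:example:dc1c:...), the facility names, the ENTITLEMENTS table and the local evaluate() function standing in for OpenAM's PDP are assumptions made for illustration. PIV certificate validation itself is not modelled: the reader's outcome is passed in as the credential-status attribute.

```python
"""Constructed example: a PIV/PIV-I lobby turnstile (PEP) sending a XACML 3.0
Request to a policy decision point and acting only on an explicit Permit.
evaluate() is a local stand-in for OpenAM's PDP; facility names, role/status
attribute ids and the entitlement table are made up for illustration."""
import xml.etree.ElementTree as ET

# Standard XACML 3.0 identifiers (OASIS).
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Hypothetical attribute ids carried from the card reader to the PDP.
ROLE_ATTR = "urn:example:dc1c:role"
STATUS_ATTR = "urn:example:dc1c:credential-status"

# Constructed entitlement policy: which roles may enter which facility.
# In the deck this policy lives in OpenAM; here it is a plain dict.
ENTITLEMENTS = {
    "hq-lobby": {"employee", "contractor", "visitor"},
    "data-center": {"employee"},
}


def _add_attr(category_el, attr_id, value):
    """Append one <Attribute><AttributeValue> pair to an <Attributes> element."""
    a = ET.SubElement(category_el, f"{{{XACML}}}Attribute",
                      AttributeId=attr_id, IncludeInResult="false")
    v = ET.SubElement(a, f"{{{XACML}}}AttributeValue", DataType=XS_STRING)
    v.text = value


def build_request(card_uuid, role, status, facility, action="enter"):
    """PEP side: encode what the reader learned about the card as a XACML Request."""
    req = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false",
                     CombinedDecision="false")
    subj = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=SUBJECT_CAT)
    _add_attr(subj, SUBJECT_ID, card_uuid)
    _add_attr(subj, ROLE_ATTR, role)
    _add_attr(subj, STATUS_ATTR, status)
    res = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=RESOURCE_CAT)
    _add_attr(res, RESOURCE_ID, facility)
    act = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=ACTION_CAT)
    _add_attr(act, ACTION_ID, action)
    return ET.tostring(req, encoding="unicode")


def _attrs(root, category):
    """Collect {AttributeId: value} for one attribute category of a Request."""
    out = {}
    for attrs in root.findall(f"{{{XACML}}}Attributes"):
        if attrs.get("Category") != category:
            continue
        for a in attrs.findall(f"{{{XACML}}}Attribute"):
            val = a.find(f"{{{XACML}}}AttributeValue")
            out[a.get("AttributeId")] = val.text if val is not None else None
    return out


def evaluate(request_xml):
    """Stand-in PDP: returns a XACML decision string for the request."""
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return "Indeterminate"
    subj = _attrs(root, SUBJECT_CAT)
    res = _attrs(root, RESOURCE_CAT)
    act = _attrs(root, ACTION_CAT)
    facility = res.get(RESOURCE_ID)
    if facility not in ENTITLEMENTS or act.get(ACTION_ID) != "enter":
        return "NotApplicable"
    # A revoked or expired credential is denied regardless of role.
    if subj.get(STATUS_ATTR) != "valid":
        return "Deny"
    return "Permit" if subj.get(ROLE_ATTR) in ENTITLEMENTS[facility] else "Deny"


def turnstile_opens(decision):
    """PEP side: fail closed. Deny, NotApplicable and Indeterminate all keep the gate shut."""
    return decision == "Permit"


def lobby_entry(card_uuid, role, status, facility):
    """Full flow for one card tap: build request, obtain decision, drive the turnstile."""
    decision = evaluate(build_request(card_uuid, role, status, facility))
    return decision, turnstile_opens(decision)


if __name__ == "__main__":
    for args in [("card-0001", "employee", "valid", "data-center"),
                 ("card-0002", "visitor", "valid", "data-center"),
                 ("card-0003", "employee", "revoked", "hq-lobby")]:
        print(args, "->", lobby_entry(*args))
```

The design point worth keeping from the slide is the last bullet: the turnstile acts only on an explicit Permit. Treating NotApplicable or Indeterminate (for example a malformed response or a facility with no policy) the same as Deny means a misconfigured policy set or a broken PDP connection leaves the gate closed rather than open.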
• Deanwood Customer Service Center
• One Judiciary Square Customer Service Center
• Wilson Customer Service Center
• DCPS Secondary Schools (DCPS Student and Staff DC One Cards Only)
Ever in Washington, DC? Get a DC One Card, they're free!

Conclusion: Good, Fast, Cheap – Pick Two
Questions?