
Interagency Advisory Board - FIPS201.com › resources › audio › iab_0912 › iab... ·...

Page 1: Interagency Advisory Board - FIPS201.com › resources › audio › iab_0912 › iab... · Interagency Advisory Board Meeting Agenda, Wednesday, September 26, 2012 1. Opening Remarks

Interagency Advisory Board Meeting Agenda, Wednesday, September 26, 2012

1. Opening Remarks

2. Enabling the Mobile Government Workforce with PIV Credentials in a BYOD Future (Neville Pattinson, Gemalto)

3. Enabling PIV and Federated Access and Privileges within Cloud Services (Ken Ammon, CSO, Xceedium)

4. Demonstration of Means to Provision PIV to Various Relying Party Systems (Joe Broghamer, DHS)

5. Identity Management Reassembled (Jeff Nigriny, Certipath)

6. Closing Remarks

Page 2: Enabling PIV and Federated Access and Privileges within Cloud Services

Ken Ammon, CSO, Xceedium

Page 3: PIV in the New Enterprise

• Legacy computing and network resources
  • Includes mainframe
• Private cloud implementation
  • Implemented in support of FDCCI
• Public cloud integration
  • Driven by FDCCI and budget
• Results in "New Enterprise" PIV requirement with significant implications for privileged access

   

Page 4: Cloud and Hybrid Cloud

• Hybrid IaaS and PaaS cloud implementation may utilize private platform and public cloud utility
  • VMware
  • OpenStack
  • Eucalyptus
  • Google
  • Amazon Web Services
  • and more on the way…
• Focus of presentation is Amazon Web Services (AWS) integrated into legacy enterprise

Page 5: Challenges of Privileged Access in the Hybrid Cloud

• Virtualization AND cloud credential and management complexity
• Configuration of multiple platform-specific IAM engines
• Lack of detailed and centralized privileged audit
• Distributed policy management
• Automated API and CLI access
• Redundant two-factor administration credentials
• PIV integration
• Administrative single sign-on
• Federating privileged identity

Page 6: PIV and Federated Access and Privilege Management for AWS

(Diagram slide; no text recovered.)

Page 7: AWS IAM Credentials

• Credentials consist of a Master Account Key, Secret Access Key, and a corresponding Access Key ID
• Permissions are encapsulated within an encrypted, time-limited token
• Basic credentials necessary for:
  • Command Line Interface (CLI)
  • Application Programming Interface (API)
  • Console Access (Web)
• S3 (Storage Bucket) credential is different from the AWS EC2 credential

Page 8: AWS IAM Permissions

(Diagram slide; no text recovered.)

Page 9: AWS-to-Customer IAM Architecture

Diagram labels (layout not recovered): Customer AWS Cloud; Customer Enterprise Network; Privileged User; Corporate Enterprise; AWS Console; EC2; Role, Permissions, and Policy; SecretAccessKey; Secure Token Service; API; AWS Programmatic Interface; AccessKeyID; Token; Master Account Key; Machine Credential; Amazon Machine Image (AMI); Instance (Linux, Windows, Oracle, etc.); Privileged Script or Application.

Page 10: Audit Requirement

(Diagram slide; no text recovered.)

Page 11: PIV Enabled Privileged Identity and Access Management for Legacy Enterprise

Diagram labels (layout not recovered): Client; Privileged User; PIV Credential; PIV Smartcard; Customer Enterprise Network; AD/LDAP Server; PIV/CAC Revocation Server; Web Portal, RDP, SSH, FTP, Telnet, VNC, etc.; Policy and permission; Audit; End-point Credential (Password, SSH Key, etc.); Applications; Network Servers.

Page 12: Federated with On Premise AD Authentication – Single VPC and On Premise Xsuite

Diagram labels (layout not recovered): Availability Zone 1; Customer Enterprise Network; Client; Privileged User; Corporate Enterprise; AD/LDAP Server; Smartcard; Smartcard Revocation Server; Applications; Network; Servers; AWS Console; Role, Permissions, and Policy; Secure Token Service; API; AWS Programmatic Interface; Amazon Machine Image (AMI); Instance (Linux, Windows, Oracle, etc.); Machine Credential.

Page 13: Federated with On Premise AD Authentication – Single VPC and Virtual Xsuite

Diagram labels (layout not recovered): Availability Zone 1; Customer Enterprise Network; Client; Privileged User; Corporate Enterprise; AD/LDAP Server; Smartcard; Smartcard Revocation Server; Applications; Network; Servers; AWS Console; Role, Permissions, and Policy; Secure Token Service; API; AWS Programmatic Interface; Amazon Machine Image (AMI); Virtualized Appliance.

Page 14: Market Outlook

• PIV enabled legacy enterprise
  • Servers, network, mainframe
  • Industrial control systems
• FDCCI drives cloud adoption
  • Virtualization and IaaS introduce new IAM vectors
  • PIV integration eliminates expense of redundant two-factor identification system
• Cloud brings new challenges
  • Additional management plane and privileged automation… machines building machines
  • Must federate identity and abstract policy to avoid cloud vendor lock-in
• Pace of cloud technology evolution
  • Admins and engineers require ramp-up time while cloud engineering resource demand is rapidly increasing
• PIV identity and federated access for privileged access is available today
  • Today: Legacy IT, Virtual Machine, AWS
  • Roadmap: OpenStack, AWS FIPS 140-2 Level 3, Metadata plane integration

Page 15: Contact Us

2214 Rock Hill Road, Suite 100, Herndon, VA 20170
Phone: 866-636-5803
Email: [email protected]
Twitter: @Xceedium
Facebook: www.facebook.com/xceedium