Interagency Advisory Board Meeting Agenda, May 27, 2010
1. Opening Remarks
2. PIV-I Status (Judy Spencer, GSA)
3. PIV Test Requirements (Dave Temoshok, GSA)
4. ICAM Progress at USDA (Owen Unangst, USDA)
5. PIV-I Discussion Panel (Jim Hatcher, Mike Mestrovich, Chris Louden, Rebecca Nielson)
6. FIWG Status Update (Corinne Irwin, NASA)
7. LAWG Status Update (Bill Erwin, GSA)
8. Closing Remarks
U.S. Department of Agriculture, Office of the Chief Information Officer, Innovative & Operational Architecture
USDA – Identity, Credential and Access Management: What We’re Doing; Where We’re Going
June, 2010
• Simplifying Business Delivery
• Improving Our Security Posture
• Enabling Trust & Privacy
• Reducing Costs & Increasing Efficiency
Defining “Ownership”: Identify & Implement the Technical Architecture
[Architecture diagram: systems being connected to the enterprise identity platform – HR Systems, AgLearn, HSPD‐DM ePACS, XeGov, AD, eAuth DB, EIDS, FSA Application, FS Adam, Supplemental Two‐Factor, OCIO ITS AD, RISO (Pilot), Readiness (Rollout), WCTS AD and the Person Model; candidates still marked with “?” include an FSA Application, an Enterprise Financial Application, AgLearn Course Status, NFC and NITC.]
44 Active Directories
Completion Goal: March, 2011
Defining “Ownership”: Improve the Access Control Processes
[Diagram: access control layered across three resource classes – Systems (Mainframes, Servers, Workstations, Blackberry devices …), Applications (Enterprise applications, Agency applications …) and Facilities (Buildings, Rooms, Quarantine Areas …) – through Compliance, Auditing and Reporting; Role Management; Entitlement Provisioning; Access Administration; Access Management; Authorization; Authentication; and Access Enforcement.]
Defining “Ownership”: Don’t Quit Until You Really Improve Something
[Diagram: how the HR System, the Enterprise Entitlement Management System and each Application relate, with example users Joe, Betty, Tom, Joe, Alice and Carl.]
Organization Position/Role (examples): USDA Emp; County Director; FSA Supervisor; FSA Emp
Application Roles (examples): AgLearn User; PACS User; WebTA User; AD User; EmpowHR Emp; CRP Approver; AgLearn S’visor; DCP Approver; WebTA S’visor; EmPowHR S’visor
Function (examples):
– AgLearn: Create LP, Approve LP, Take Courses
– AD: Domain Acct
– WebTA: Create T&A, Create Leave, Approve T&A, Approve Leave
– EmPowHR: Create Perf Plan, Approve P-Plan
– ePACS: Access to xyz
– DCP: Approve App
– CRP: Approve App
Manual Process:
- Over 200 persons to manage roles
- 73 to handle audit issues
One More Thought:
• If Joe changes position, what happens?
• If Joe retires, what happens?
“Back Room” Critical Success Factors: Recognize Organizational Maturity/Culture & Plan For It (Page 1 of 2)
• Projects will touch virtually every individual and user in the organization
• Get a Sponsor who is an allowance holder and has access to no less than the Deputy Secretary
• Charter an Executive Steering Team with:
  – IT Sr. Execs.: Cyber Security, Data Center Ops, SOC
  – Other Sr. Execs.: Finance, HR, Audit Compliance, Corporate Risk Management, Physical Security, Personnel Security …
• Find a World-Class Team with “Creative but Realistic” People
  – Communicate
  – Use Carrots, but when necessary, a Stick
  – Recognize organizational change concepts
“Back Room” Critical Success Factors: Recognize Organizational Maturity/Culture & Plan For It (Page 2 of 2)
• Don’t automate broken/cumbersome processes
• Understand organizational readiness before introducing changes
• Introduce services early that add most value to processes with minimal change (low hanging fruit, quick wins)
• Understand and Utilize PMBOK’s Knowledge Areas
A General Description of the Technologies
[Roadmap diagram: the EEMS components – Identity Manager (IdM), Role and Compliance Manager (RCM), Enterprise Directory (eDir), Radiant Logic ICS, Federation Manager, SOA Security Manager, eAuth (SiteMinder), Access Control and Enterprise Single Sign‐On (ESSO) – with integration targets (FS App, FSA App, AgLearn, eAuth, FS Elevated Privilege, NFC Elevated Privilege, FS/DOI Federation, AC/NAC, Agency AD’s, Future Apps) and milestones ranging from “Done” through 7/1, 9/1, 9/10, 1/11, 3/11, FY11 and FY12.]
Identity Manager (IdM)
• IdM is the core product of EEMS
  – Administrative interfaces
  – Provisioning and deprovisioning of identities and entitlements
  – Rule-based policy management
  – Role-based access control
  – Monitoring and reporting capabilities
Radiant Logic Identity Correlation and Synchronization Server (ICS)
• Provides bidirectional data synchronization and abstracted directory virtualization services
• Greatly simplifies the management of identity across disparate data stores
• Detects changes in data sources and transforms and propagates them to consuming systems
Role & Compliance Manager (RCM)
• Provides support to quickly and accurately develop, maintain, and analyze role models
• Manages centralized compliance policies
• Uses advanced pattern recognition analysis to prevent improper privilege escalation and separation of duties (SOD) policy violations
• Also used to map roles and entitlements in existing data stores during IdM integration
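As an added example (not USDA’s or any vendor’s code), the entitlement model from the earlier “Don’t Quit Until You Really Improve Something” slide together with the RCM separation-of-duties check from this slide, in Python: positions from the HR system map to application roles and functions, a position change or retirement yields the grants and revokes to apply, and an SoD policy flags a person whose old functions were never revoked. The position, role and function names are the slide’s; the mappings between them, the SoD pairs and the person are constructed.

```python
# Added illustration, not USDA's code: HR position -> application roles -> functions,
# as in the slide's diagram, plus an RCM-style SoD check. Mappings are constructed.
# Organization position (from the HR system) -> application roles.
POSITION_ROLES = {
    "USDA Emp": {"AgLearn User", "AD User"},
    "FSA Emp": {"AgLearn User", "AD User", "PACS User", "WebTA User", "EmpowHR Emp"},
    "FSA Supervisor": {"AgLearn S'visor", "AD User", "PACS User",
                       "WebTA S'visor", "EmpowHR S'visor"},
    "County Director": {"AgLearn User", "AD User", "PACS User",
                        "CRP Approver", "DCP Approver"},
}
# Application role -> functions the role unlocks.
ROLE_FUNCTIONS = {
    "AgLearn User": {"AgLearn: Take Courses"},
    "AgLearn S'visor": {"AgLearn: Create LP", "AgLearn: Approve LP", "AgLearn: Take Courses"},
    "AD User": {"AD: Domain Acct"},
    "PACS User": {"ePACS: Access to xyz"},
    "WebTA User": {"WebTA: Create T&A", "WebTA: Create Leave"},
    "WebTA S'visor": {"WebTA: Approve T&A", "WebTA: Approve Leave"},
    "EmpowHR Emp": {"EmpowHR: Create Perf Plan"},
    "EmpowHR S'visor": {"EmpowHR: Approve P-Plan"},
    "CRP Approver": {"CRP: Approve App"},
    "DCP Approver": {"DCP: Approve App"},
}
# Constructed SoD policy: nobody may hold both halves of a pair.
SOD_PAIRS = [
    ("WebTA: Create T&A", "WebTA: Approve T&A"),
    ("EmpowHR: Create Perf Plan", "EmpowHR: Approve P-Plan"),
]

def entitlements_for(position):
    """Functions a person in `position` should hold; None (retired) means none."""
    funcs = set()
    for role in POSITION_ROLES.get(position, set()):
        funcs |= ROLE_FUNCTIONS[role]
    return funcs

def reconcile(current, new_position):
    """(grant, revoke) sets that move `current` to the target for `new_position`."""
    target = entitlements_for(new_position)
    return target - current, current - target

def sod_violations(funcs):
    """RCM-style check: the SoD pairs fully contained in one person's functions."""
    return [pair for pair in SOD_PAIRS if funcs.issuperset(pair)]

if __name__ == "__main__":
    joe = entitlements_for("FSA Emp")   # Joe changes position; what if old roles stay?
    print(reconcile(joe, "FSA Supervisor"), sod_violations(joe | entitlements_for("FSA Supervisor")))
```

Passing `None` as the new position models retirement: every current function lands in the revoke set, which is the deprovisioning step the manual process with 200 role managers tends to miss.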
Enterprise Directory
• Provides a comprehensive view of predefined authoritative data managed by IdM for all users across the USDA enterprise
• Allows enterprise-class applications to leverage the Enterprise Directory for authentication and authorization services
• Bypasses reliance upon 75+ non-trusted Active Directory forests for authentication and authorization
Access Control
• Provides host access control and privileged user management
  – Manage heterogeneous servers, applications, and devices through a “single pane of glass” using a PIV Card
• Privileged User Password Management (PUPM)
  – One-time password (OTP) scheme (integrated with PIV) for privileged accounts
  – Also allows agencies to eliminate hard-coded passwords from code and scripts
Enterprise Single Sign-On (ESSO)
• Allows agencies to integrate difficult legacy applications
  – AS/400
  – Mainframe
  – Custom built and legacy programs
• Provides central administration of application access privileges, audit capabilities, and strong authentication
• Improves user convenience and reduces helpdesk support
• Leverages a client-side utility that proxies username/password synchronization with the target application
Federation Manager
• A “bolt-on” service to the existing USDA eAuthentication service
• Supports SAML assertions
  – Allows eAuth to perform Identity Provider (IdP) services for USDA users to external agency services
  – Accepts assertions from external IdPs for access to eAuth-protected services
• USDA applications and eAuthentication are freed from the cost and effort of identity-proofing and credential issuance and management for non-USDA users
SOA Security Manager (SOA-SM)
• Delivers a comprehensive standards-based SOA/WS security platform
  – Enables identity-centric Web Services security including authentication and fine-grained authorization based on the requestor’s identity (person or application)
  – Provides XML security and centrally managed security policy administration and enforcement
• Supports identity and context-aware security services
• Tightly integrated with Directory, Federation Manager, Site Minder, and Identity Manager
Questions?