cis14: NSTIC - Identity and Access Management: Collaborative Approaches to Novel Use Cases

Posted 18-May-2015

Identity and Access Management: Collaborative Approaches to Novel Use Cases

Nate Lesser, Deputy Director, National Cybersecurity Center of Excellence

Cloud Identity Summit 2014 July 20, 2014

ENERGY SECTOR USE CASE: IDENTITY AND ACCESS MANAGEMENT


OVERVIEW

Goals

‣ Authenticate individuals and systems

‣ Enforce authorization control policies

‣ Unify IdAM services

‣ Protect generation, transmission and distribution

Business value

‣ Reduce costs

‣ Increase efficiency


SILOS

‣ IT network

‣ OT network

‣ Physical system

THE IT-OT DIVIDE


HIGH-LEVEL ARCHITECTURE


COLLABORATORS

ABOUT THE NCCOE


STRATEGY

Vision

‣ A secure cyber infrastructure that inspires technological innovation and fosters economic growth

Mission

‣ Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs


TENETS

Standards-based

Modular

Usable

Repeatable

Open and transparent

Commercially available


REALIZED SECURITY

Realized security = security controls + security gains from ease of use  


APPROACH

We seek problems that are:

‣ Broadly relevant

‣ Technology-based

‣ Addressable with multiple commercially available technologies


REFERENCE DESIGNS

Use cases

‣ Sector-specific challenges

‣ Identified through industry engagement

Building blocks

‣ Technology-specific challenges

‣ Identified through public engagement

MODEL

Engage

‣ Work with community of interest to define problem

Explore

‣ Map security characteristics to standards, controls and best practices

‣ Circulate drafts and incorporate feedback

Partner

‣ Invite technology vendors to collaborate in our labs

Build

‣ Collaborate on design components

‣ Incorporate feedback from experts in technology community

Show

‣ Demonstrate reference designs

MODEL

Roles and activities (process diagram)

‣ Form small community of interest

‣ Provide input and feedback to NCCoE

‣ Expand community of interest

‣ Submit feedback on use cases to NCCoE

‣ Offer insights on use cases

Community of Interest

‣ Support deployment, revision and maintenance of products as part of the practice guide

‣ Collaborate to develop reference designs

‣ Evangelize on behalf of reference design and practice guide

‣ Deploy, test and provide feedback on the reference design

‣ Provide regular feedback on use case builds

Technology Partners

‣ Submit letters of interest

‣ Speak at sector-specific events

‣ Work with COI to identify cybersecurity challenges

‣ Host sector-specific workshop

‣ Review & circulate pre-release use cases

‣ Revise & publish draft use cases

‣ Revise use cases & invite participation from technology partners

‣ Receive technology partners' letters of interest

‣ Demonstrate reference designs

‣ Discuss improvements & modifications

‣ Publish reference design and practice guide

‣ Develop composed reference design

‣ Form build teams

‣ Sign CRADAs

‣ Host partner day

CORE PARTNERS

BUILDING BLOCK: ATTRIBUTE BASED ACCESS CONTROL


OVERVIEW

Goals

‣ Enterprise to enterprise identity federation

‣ Enable access control decisions for previously unknown users

‣ Demonstrate security capabilities that support a wide range of enterprise risk postures

Business value

‣ Simplified identity management

‣ Shared IT resources across multiple enterprises

‣ Reduced risk through granular access control
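What the two ABAC goals above amount to in practice, as an added example that is not code from the slides or from the NCCoE build: a relying party receives an attribute assertion from a federation partner's identity provider for a user it has never provisioned, keeps only the attributes that issuer is trusted to assert, and evaluates its own default-deny policy over subject, resource and action attributes. The issuer list, attribute names, policy rules and sample users are all hypothetical.

```python
"""Minimal ABAC policy decision point for federated, previously unknown users.

Added example; the issuers, attribute names, rules and users are constructed
for illustration and are not from the NCCoE reference design.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed: federation partners whose assertions we accept, and the
# attributes each is authoritative for. Scoping per issuer stops a partner
# from escalating by asserting an attribute it does not own.
TRUSTED_ISSUERS: Dict[str, Set[str]] = {
    "idp.partner-a.example": {"org", "role", "clearance"},
    "idp.partner-b.example": {"org", "role"},
}

# Sensitivity labels in increasing order; unknown labels fail closed (see below).
SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}


@dataclass
class Assertion:
    """Attributes a partner IdP asserts about a subject (e.g. from a SAML/OIDC token)."""
    issuer: str
    subject: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Resource:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)


def accepted_attributes(assertion: Assertion) -> Dict[str, str]:
    """Return only the attributes the issuer is trusted to assert.

    An unknown issuer yields an empty dict, so nothing it asserts can
    satisfy any rule.
    """
    scope = TRUSTED_ISSUERS.get(assertion.issuer)
    if scope is None:
        return {}
    return {k: v for k, v in assertion.attributes.items() if k in scope}


Rule = Callable[[Dict[str, str], Dict[str, str], str], bool]


def rule_same_org_engineer(subj, res, action) -> bool:
    """Engineers may read or write internal-or-below resources owned by their own org."""
    # An unlabelled or unknown sensitivity is treated as restricted (fail closed).
    level = SENSITIVITY.get(res.get("sensitivity", ""), SENSITIVITY["restricted"])
    return (action in ("read", "write")
            and subj.get("role") == "engineer"
            and subj.get("org") == res.get("owner_org")
            and level <= SENSITIVITY["internal"])


def rule_cleared_reader(subj, res, action) -> bool:
    """Restricted resources are readable only with an accepted 'restricted' clearance."""
    return (action == "read"
            and res.get("sensitivity") == "restricted"
            and subj.get("clearance") == "restricted")


POLICY: List[Rule] = [rule_same_org_engineer, rule_cleared_reader]


def decide(assertion: Assertion, resource: Resource, action: str) -> Tuple[str, str]:
    """Evaluate the policy; permit only if some rule matches, otherwise deny."""
    subj = accepted_attributes(assertion)
    if not subj:
        return "deny", f"no accepted attributes from issuer {assertion.issuer}"
    for rule in POLICY:
        if rule(subj, resource.attributes, action):
            return "permit", rule.__name__
    return "deny", "no rule matched (default deny)"


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: users from two partner IdPs plus an untrusted one."""
    report = Resource("outage-report", {"owner_org": "gen-co", "sensitivity": "internal"})
    plan = Resource("substation-plan", {"owner_org": "gen-co", "sensitivity": "restricted"})
    alice = Assertion("idp.partner-a.example", "alice@partner-a",
                      {"org": "gen-co", "role": "engineer", "clearance": "restricted"})
    bob = Assertion("idp.partner-b.example", "bob@partner-b",
                    {"org": "gen-co", "role": "engineer", "clearance": "restricted"})
    mallory = Assertion("idp.evil.example", "mallory",
                        {"org": "gen-co", "role": "engineer", "clearance": "restricted"})
    return [
        decide(alice, report, "read"),   # permit: same-org engineer
        decide(bob, report, "write"),    # permit: never provisioned locally, attributes suffice
        decide(alice, plan, "read"),     # permit: partner-a is authoritative for clearance
        decide(bob, plan, "read"),       # deny: partner-b's clearance claim is stripped
        decide(mallory, report, "read"), # deny: untrusted issuer
    ]


if __name__ == "__main__":
    for outcome, reason in demo():
        print(outcome, "-", reason)
```

The point of the `TRUSTED_ISSUERS` scoping is that "previously unknown user" does not mean "trust whatever the token says": the relying party still decides which partner may vouch for which attribute, and anything outside that scope never reaches the policy. In a real deployment the assertion would first be signature-checked against the partner's federation metadata before its attributes are considered.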


HIGH-LEVEL WORKFLOW


DEFINITIONS

Sources

‣ Authorization and Attribute Services Committee Glossary

‣ FICAM

‣ FIPS 201

‣ NCCoE

‣ NIST SP 800-37 Rev. 1

‣ NIST SP 800-63-2

‣ OMB M-04-04

‣ RFC 4949


HIGH-LEVEL ARCHITECTURE

Next

nccoe@nist.gov | 240-314-6800

9600 Gudelsky Drive, Rockville, MD 20850

http://nccoe.nist.gov