PIV I
Ketan Mehta, [email protected], May 5, 2005
TRANSCRIPT
PIV I
• What does it mean to agencies
• Role-based vs System-based Models
• Moving forward
What does PIV I mean to agencies?

PIV I requires:
• Credentials may be issued by an authorized entity only to individuals whose true identity has been verified;
• Only an individual with a background investigation on record may be issued a credential;
• Fraudulent identity source documents are not accepted as genuine and unaltered;
• A person suspected or known to the government as being a terrorist is not issued a credential;
• No substitution occurs in the identity proofing process;
• No credential is issued unless requested by proper authority;
• A credential remains serviceable only up to its expiration date;
• A single corrupt official in the process may not issue a credential with an incorrect identity or to a person not entitled to the credential (separation of roles);
• An issued credential is not modified, duplicated, or forged.

PIV I does not specify:
• A particular card technology
• Requirements for fingerprint biometrics
• Composition of the Identity Credentials
• Roles within an agency
• Identity proofing process or implementation models
• Integration of Physical and Logical access security
Role-based Model

Applicant—The individual to whom a PIV credential needs to be issued.
PIV Sponsor—The individual who substantiates the need for a PIV credential to be issued to the Applicant, and provides sponsorship to the Applicant. The PIV Sponsor requests the issuance of a PIV credential to the Applicant.
PIV Registrar—The entity responsible for identity proofing of the Applicant and ensuring the successful completion of the background checks. The PIV Registrar provides the final approval for the issuance of a PIV credential to the Applicant.
PIV Issuer—The entity that performs credential personalization operations and issues the identity credential to the Applicant after all identity proofing, background checks, and related approvals have been completed. The PIV Issuer is also responsible for maintaining records and controls for PIV credential stock to ensure that stock is only used to issue valid credentials.
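The four roles above only deliver the "single corrupt official" requirement if the workflow actually refuses to let one person act in two roles on the same application. The following is an added example, not code from the presentation or from any agency system, of a minimal issuance workflow that enforces that separation, refuses issuance without a Sponsor request and Registrar approval, and treats a credential as serviceable only up to its expiration date. The role directory, person names, validity period and the proofing flags passed to `approve` are constructed assumptions for the illustration.

```python
# Added example, not from the presentation: a minimal issuance workflow that enforces the
# role-based model (Sponsor requests, Registrar approves, Issuer issues). All names,
# the role directory and the validity period are constructed for the illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, Optional, Set


class Role(Enum):
    SPONSOR = "sponsor"
    REGISTRAR = "registrar"
    ISSUER = "issuer"


class State(Enum):
    REQUESTED = "requested"  # Sponsor has requested issuance
    APPROVED = "approved"    # Registrar has completed identity proofing
    ISSUED = "issued"        # Issuer has personalised and released the card


class WorkflowError(Exception):
    """A step the role-based model does not permit."""


@dataclass
class Application:
    applicant: str
    sponsor: str
    state: State = State.REQUESTED
    registrar: Optional[str] = None
    issuer: Optional[str] = None


@dataclass
class Credential:
    holder: str
    issuer: str
    issued_on: date
    expires_on: date

    def is_serviceable(self, today: date) -> bool:
        """A credential remains serviceable only up to its expiration date."""
        return self.issued_on <= today <= self.expires_on


class PivWorkflow:
    def __init__(self, role_directory: Dict[str, Set[Role]], validity_days: int) -> None:
        # role_directory (hypothetical): person -> roles the agency has authorised them for
        self.role_directory = role_directory
        self.validity_days = validity_days

    def _require_role(self, person: str, role: Role) -> None:
        if role not in self.role_directory.get(person, set()):
            raise WorkflowError(f"{person} is not an authorised {role.value}")

    def _require_fresh_actor(self, person: str, app: Application) -> None:
        # Separation of roles: someone may hold several roles in the directory, but may act
        # in only one of them on a given application, and never on their own application.
        if person in {app.applicant, app.sponsor, app.registrar, app.issuer}:
            raise WorkflowError(f"{person} already holds a role on this application")

    def request(self, applicant: str, sponsor: str) -> Application:
        """Sponsor substantiates the need: no credential unless requested by proper authority."""
        self._require_role(sponsor, Role.SPONSOR)
        if sponsor == applicant:
            raise WorkflowError("an applicant cannot sponsor their own credential")
        return Application(applicant=applicant, sponsor=sponsor)

    def approve(self, app: Application, registrar: str, *, identity_verified: bool,
                source_documents_genuine: bool, background_check_on_record: bool,
                watchlist_hit: bool) -> Application:
        """Registrar performs identity proofing and gives the final approval."""
        if app.state is not State.REQUESTED:
            raise WorkflowError(f"cannot approve an application in state {app.state.value}")
        self._require_role(registrar, Role.REGISTRAR)
        self._require_fresh_actor(registrar, app)
        if not (identity_verified and source_documents_genuine and background_check_on_record):
            raise WorkflowError("identity proofing incomplete")
        if watchlist_hit:
            raise WorkflowError("applicant is not eligible for a credential")
        app.registrar, app.state = registrar, State.APPROVED
        return app

    def issue(self, app: Application, issuer: str, today: date) -> Credential:
        """Issuer personalises and releases the card only after Registrar approval."""
        if app.state is not State.APPROVED:
            raise WorkflowError(f"cannot issue from state {app.state.value}")
        self._require_role(issuer, Role.ISSUER)
        self._require_fresh_actor(issuer, app)
        app.issuer, app.state = issuer, State.ISSUED
        return Credential(holder=app.applicant, issuer=issuer, issued_on=today,
                          expires_on=today + timedelta(days=self.validity_days))


def rejected(step: Callable[[], object]) -> bool:
    """True if the workflow refuses the step; used to show each control firing."""
    try:
        step()
    except WorkflowError:
        return True
    return False


def demo() -> dict:
    # Constructed directory: dave holds two roles, which is allowed, but he may not
    # use both of them on the same application.
    directory = {"alice": {Role.SPONSOR}, "bob": {Role.REGISTRAR},
                 "carol": {Role.ISSUER}, "dave": {Role.SPONSOR, Role.REGISTRAR}}
    wf = PivWorkflow(directory, validity_days=10)
    ok = dict(identity_verified=True, source_documents_genuine=True,
              background_check_on_record=True, watchlist_hit=False)
    app = wf.request("erin", "alice")
    wf.approve(app, "bob", **ok)
    card = wf.issue(app, "carol", date(2005, 5, 5))
    app2, app3, app4 = wf.request("frank", "dave"), wf.request("gina", "alice"), wf.request("hal", "alice")
    wf.approve(app4, "bob", **ok)
    return {
        "expires_on": card.expires_on.isoformat(),
        "serviceable_last_day": card.is_serviceable(date(2005, 5, 15)),
        "serviceable_after_expiry": card.is_serviceable(date(2005, 5, 16)),
        "dual_role_rejected": rejected(lambda: wf.approve(app2, "dave", **ok)),
        "issue_without_approval_rejected": rejected(lambda: wf.issue(app3, "carol", date(2005, 5, 5))),
        "issuer_without_role_rejected": rejected(lambda: wf.issue(app4, "bob", date(2005, 5, 5))),
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is `_require_fresh_actor`: the directory may legitimately give one person both the Sponsor and Registrar roles, but the workflow still refuses to let that person both request and approve the same application, which is what keeps a single corrupt official from issuing a credential alone.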
System-based Model

(Diagram. In the original, numbers indicate functional areas of responsibility and the green functions manage the chain of trust for identity verification.) The functional areas shown, with the role-based-model role each maps to:
• Employee application: the employee enrolls
• Employer / Sponsorship (Sponsor)
• Identity Verification: 1:n biometric search; confirm employment; ID validation through standard government-wide services; government databases; threat risk
• Enrollment (Registrar)
• Approval Authority (Registrar)
• Identity Management System (IDMS) (Issuer)
• Card Production & Personalization (Issuer)
• Card Activation (Issuer)
Understand your current environment

Agencies should look to bring coherence to user identities, roles, privileges, and policies.

(Diagram: employees, customers and partners each reach applications and data such as email, timesheets, engineering, HR, customer and expense systems through separate administrators, systems, resources and information stores.) The result:
• User information fragmented, duplicated and obsolete;
• Redundant processes;
• Little to no visibility or auditability.
(Diagram: users on one side, resources on the other, with the following functions between them.)
• User Management: sets up and maintains user accounts and privileges (Digital Identities)
• Credentialing: assigns and manages attributes used to validate a user's identity (Credentials)
• Authentication: validates identities based on their credentials (Who you are)
• Authorization: grants user access to resources based on a secondary set of attributes (What you can access)
• Storage: stores user credentials, privileges, and other attributes
Only 20% of the planning involves technology

(Pie chart)
• 20% Technology: Hardware/Software; Directories; Identity Management System; Application Integration
• 80% Policy, Planning, and Politics: Defining business requirements; Defining functional requirements; Creating new policies where needed; Determining laws, regulations, mandates to be followed; Reviewing policies; Determining budget requirements

Identity Management is a broad capability and requires an integrated solution: Provisioning, Credentialing, Access Management.
Strategy Based Approach Produces Maximum ROI

Agencies that adopt a strategy based approach to their PIV investments will achieve the best return on their investment.

Phases: Define the Need; Architect the Solution; Manage Construction.

What is your current environment?
• What is your current baseline?
• Who is responsible for identity management in your agency?
• What are the current processes?
• What FIPS 201 objectives are not met in the current environment?
• What are the gap areas?

What form will your solution take?
• What are your architecture choices?
  o Insource / Outsource
  o Federation vs. Not Federated
  o Trust Path
• What is your migration strategy?

How will you implement?
• What stages will your implementation follow?
• How will you leverage prototypes and pilots?

How will you manage?
• How will you manage the change program?
• How will you communicate changes to the organization?
• How will you mitigate program risks?