Securing Access Through a Multi-Purpose Credential and Digital ID
DESCRIPTION
Breakout session at the 2014 IRM Summit in Phoenix, Arizona, by Stephan Papadopulos, Managing Director at the Triage Group.
TRANSCRIPT
![Page 1: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/1.jpg)
Securing Access through a Multi-Purpose Credential and Digital ID
ForgeRock Identity Relationship Management Summit
June 4, 2014
![Page 2: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/2.jpg)
Introduction
• Stephan Papadopulos, Managing Director, The Triage Group
• Washington, DC-based Woman-Owned Business
• Healthcare and Emergency Response IT and Business Consulting Firm
• ForgeRock Systems Integration Partner with deep Identity and Access Management experience
PAPADOPULOS, STEPHAN
![Page 3: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/3.jpg)
Challenge: Multiple Agencies, Multiple Cards
![Page 4: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/4.jpg)
DC One Card Overview
• The DC One Card is designed to give cardholders convenient access to DC government facilities, resources and programs
• Provides immediate benefits by incorporating WMATA SmarTrip® capabilities
• Reduces citywide credentialing inefficiencies and reduces costs
• Establishes a single trusted identity for DC stakeholders
• Consolidates constituent touch points
![Page 5: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/5.jpg)
DC One Card Program: Physical and Digital Credentials
(Diagram) Citizens have multiple ID cards and multiple online identities: Agency A, Agency B, Agency C and Agency D each issue their own user ID and password. These are consolidated into a single DC One ID (username and password), shown in a mock-up of the DCPS Google Apps Login (@dcpsk12.edu) offering "Connect using your DC One ID" as an alternative to the local login.
Objectives
• Convenience
• Physical and Digital ID Consolidation
• Improved Constituent Relationships
• Security
• Cost Savings
• Fraud Reduction
• Improved Access
![Page 6: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/6.jpg)
How it Works
Physical Credential Features
• 12-digit barcode number ties to the individual and can be easily read with a basic scanner
• Embedded chips can be used to control physical access to facilities and transit
• The PIV-I with Smart Chip secures access to high-risk systems and facilities
• Mag stripe for future banking use
Online Digital Identity Features
• A single digital identity can be used to access multiple online systems, eliminating the need for users to remember numerous passwords
• (Mock-up) DC One ID username and password; DCPS Google Apps Login (@dcpsk12.edu) with the option "Connect using your DC One ID"
![Page 7: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/7.jpg)
How it Works: Creating a Digital Account
![Page 8: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/8.jpg)
How it Works: Federated Identity for SSO
(Mock-ups) DCPS Google Apps Login for @student.k12.dc.us and for @dcpsk12.edu, each offering "Connect using your DC One ID" as an alternative to the local login, with a "forgot username?" link.
![Page 9: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/9.jpg)
DC1C IAM Framework
(Diagram) Components are grouped into Identity Management Services, Credential Management Services and Access Management Services, and spread across three tiers: Local Agency Systems, Centralized Systems, and Centralized / Managed Services.
Identity Administration
• User Provisioning
• Password Management
• Role Management
Identity Auditing
• Reporting
• Fraud Detection
• Identity Reconciliation
Identity Verification
• Identity Proofing
• User Authentication
Directory Management
• Directory / SSO Services
• Metadata Management
• Virtual Directory Management
Credential Management
• Card / Token Issuance Lifecycle
• Revoke / Reissue Cards / Tokens
Credential Application Definition Management
• PIV / PIV-I
• HID
• Other
Advanced Security / Key Management
• Certificate Authority
• Encryption
• Digital Signatures
• PKI-enabled Authentication
• OCSP / Validation
Logical Access Management
• Authentication
• Application Authorization
• Single Sign-on and Federation
• Virtual Directory Synchronization
Physical Access
• Facility Entitlements
• Situational Controls
Governance, Policies and Procedures: Policy Management
• Policy Administration
• Policy Enforcement
• Organizational Alignment
Security Services
• Platform Security
• Web Services Security
Service Management
• Service Desk Integration
• Service Operations
![Page 10: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/10.jpg)
Converged IAM Platform Logical Architecture
(Diagram) Identity Sources: Employees (HCM), Contractors, Public / Visitors, Schools, BAE. IAM Platform: Identity Management, IAM Txn Database, LDAP, Access Management (OpenAM), Credential Issuance. SSO and Access Enforcement: Physical Control Systems, Logical Apps.
![Page 11: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/11.jpg)
Single Sign-on Authentication Mechanisms
(Diagram) DC One ID and DC One Card both authenticate to the IAM Platform.
![Page 13: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/13.jpg)
Case Study: Entitlements
• Access Policies Set in OpenAM
• IdM Manages PIV-I Issuance
• PIV Registered After Issuance
![Page 14: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/14.jpg)
Case Study: Enrollment Kiosk
• Authenticates and Validates Visitor Credential
• Matches Card Data to Entitlement Policy
![Page 15: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/15.jpg)
Case Study: Lobby Entry
• Reads, Authenticates and Validates PIV Credential
• Sends XACML Access and Attribute Request to OpenAM
• Opens Turnstile on Permit Decision
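The three case-study steps above (authenticate and validate the credential, send an XACML request to the policy decision point, act only on a Permit) are the classic PEP/PDP split. The following is an added example, not code from the presentation or from ForgeRock: a constructed Python policy enforcement point for the lobby turnstile. The credential records, the trusted-issuer set, the revocation list (standing in for an OCSP lookup), the role store and the facility policy are all constructed sample data, and the stub PDP stands in for OpenAM; the `urn:example:piv:fasc-n` attribute id is an assumption, while the subject-id, resource-id and action-id identifiers are the standard XACML ones.

```python
"""Constructed lobby-entry PEP: validate a PIV-style credential, build an
XACML 3.0 JSON-profile request, and open the turnstile only on Permit.
Added example; the stub PDP stands in for OpenAM and all data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PivCredential:
    """What the card reader hands to the PEP after reading the chip (constructed)."""
    fasc_n: str          # card identifier; constructed value, not a real FASC-N
    subject: str
    issuer: str
    not_after: date
    signature_ok: bool   # result of the reader's certificate chain/signature check


TRUSTED_ISSUERS = {"DC One Card PIV-I CA"}          # constructed issuer name
REVOKED = {"70001-0002-000002"}                     # constructed; stands in for OCSP
# Constructed entitlement policy: facility -> roles allowed through the turnstile
FACILITY_POLICY = {"one-judiciary-square-lobby": {"employee", "contractor"}}
# Constructed attribute store: subject -> roles (the IdM directory in the deck)
ROLES = {"papadopulos.stephan": {"employee"}, "visitor.jane": {"visitor"}}

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
FASC_N_ID = "urn:example:piv:fasc-n"                # assumed attribute id


def validate_credential(cred, today):
    """Step 1: authenticate/validate - signature, trusted issuer, expiry, revocation."""
    if not cred.signature_ok:
        return "bad-signature"
    if cred.issuer not in TRUSTED_ISSUERS:
        return "untrusted-issuer"
    if cred.not_after < today:
        return "expired"
    if cred.fasc_n in REVOKED:
        return "revoked"
    return "ok"


def xacml_request(cred, facility):
    """Step 2: XACML 3.0 JSON-profile access/attribute request sent to the PDP."""
    return {"Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": cred.subject},
            {"AttributeId": FASC_N_ID, "Value": cred.fasc_n}]},
        "Resource": {"Attribute": [
            {"AttributeId": RESOURCE_ID, "Value": facility}]},
        "Action": {"Attribute": [
            {"AttributeId": ACTION_ID, "Value": "enter"}]}}}


def _attr(req, category, attribute_id):
    """Pull one attribute value out of a JSON-profile request category."""
    for a in req["Request"][category]["Attribute"]:
        if a["AttributeId"] == attribute_id:
            return a["Value"]
    return None


def stub_pdp(req):
    """Stand-in for OpenAM: Permit only if the subject holds an entitled role."""
    subject = _attr(req, "AccessSubject", SUBJECT_ID)
    facility = _attr(req, "Resource", RESOURCE_ID)
    action = _attr(req, "Action", ACTION_ID)
    allowed = FACILITY_POLICY.get(facility, set())
    if action == "enter" and ROLES.get(subject, set()) & allowed:
        return {"Response": [{"Decision": "Permit"}]}
    return {"Response": [{"Decision": "Deny"}]}


def lobby_entry(cred, facility, today, pdp=stub_pdp):
    """Step 3: the turnstile opens only on an explicit Permit; any validation
    failure or a Deny/NotApplicable/Indeterminate decision keeps it closed."""
    status = validate_credential(cred, today)
    if status != "ok":
        return {"turnstile": "closed", "reason": status}
    decision = pdp(xacml_request(cred, facility))["Response"][0]["Decision"]
    return {"turnstile": "open" if decision == "Permit" else "closed",
            "reason": decision}


if __name__ == "__main__":
    today = date(2014, 6, 4)
    ok = PivCredential("70001-0002-000001", "papadopulos.stephan",
                       "DC One Card PIV-I CA", date(2016, 1, 1), True)
    print(lobby_entry(ok, "one-judiciary-square-lobby", today))
```

The design point is fail-closed ordering: credential validation happens before any policy call, so a revoked or expired card never reaches the PDP, and the turnstile logic compares against the literal string "Permit" rather than "not Deny", so an Indeterminate or NotApplicable decision from the PDP also keeps the gate shut.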
![Page 16: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/16.jpg)
Where to Get a DC One Card
• Deanwood Customer Service Center
• One Judiciary Square Customer Service Center
• Wilson Customer Service Center
• DCPS Secondary Schools (DCPS Student and Staff DC One Cards only)
Ever in Washington, DC? Get a DC One Card, they're free!
![Page 17: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/17.jpg)
Conclusion: Good, Fast, Cheap – Pick Two
![Page 18: Securing Access Through a Multi-Purpose Credential and Digital ID](https://reader037.vdocuments.site/reader037/viewer/2022103114/554f877ab4c905435d8b4c92/html5/thumbnails/18.jpg)
Conclusion
Questions?