DESCRIPTION
Identity Management in a Federated Environment, US-NATO TEM 6, 1-3 December 2009. Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne, CAT-2 Interoperability | NATO C3 Agency - The Hague. Tel.: +31 (0)70 374 3562 | E-mail: [email protected]. NATO IdM Initiatives.
TRANSCRIPT
Identity Management in a Federated Environment
US-NATO TEM 6, 1-3 December 2009
Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail: [email protected]

NATO IdM Initiatives
SC/4-SC/5 NATO IdM Workshop (2008/09)
 - output: NATO IdM Strawman Paper
 - directory services oriented view
 - focused on the alliance aspect of NATO IdM
 - identifies IdM use cases in NATO

SC/4 Service Management Infrastructure AHWG (2008/09)
 - output: SMI Technical Services Definitions working paper
 - Security Management architecture view
 - requirements/standards/technology agnostic approach
 - identifies interfaces with other security management services

NATO UNCLASSIFIED 2
Terminology
Identity Management is ambiguous!
Identity Management includes:
 - Identity Assurance
 - Identity Employment or Utilization
 - Identity Services
What is an “Identity”?
 … a PKI certificate?
 … a set of attributes?
 … the same for every entity in the enterprise?
Different view on IdM
NATO has a two-dimensional challenge:
• IdM in the NATO Alliance: 28 NATO nations and partners constitute a federation
• IdM in the NATO Organization: NATO HQs and NATO agencies constitute an enterprise (?)
Challenges
• The concept of NATO IdM is in a very early stage of formalization
• Requirements for NATO IdM need to be defined
• The two dimensions of NATO IdM (alliance federation and organizational enterprise) have the potential to cause conflicts for IdM
• Emerging technologies (Identity 2.0) are not reflected in either the NATO IdM Strawman Paper or the SMI working paper
• Policy document for NATO IdM
• Interoperability at all levels
Way forward
What can we accomplish today?
• Listen
• Inform
• Plan for the future
NC3A Identity Management Test Campaign
IdM Concept Validation
Purpose:
• Identify NATO IdM requirements based on IdM use cases
• Verify architectures and solutions for identified IdM use cases
Scope
• Validation focused on federated scenarios within the NATO Alliance
Test Facility
• Classification: NATO Unclassified
• NNEC CES Testbed as an investigation platform on the NATO side
• National Testbeds
Procedure
• VPN Joining Instruction
• IdM Joining Instructions (based on ACP145 and ARH forms)
• Agreed test scope (use cases) and schedule
NNEC CES Testbed Layout
[Diagram: NNEC CES Testbed layout. Labels in the original figure: CES Testbed on NATO Unclassified DMZ; (Simulated) National Domain; Others ...; NATO Unclassified; Internet; NATO Domain; Production; Development; Demo; Management; Regional IEG; National IEG.]
IdM Use Cases
IdM use cases defined in the NIdM Strawman Paper
• Access to C2 Data/Services in NATO SECRET Domain
• Single Sign On in Cross-Domain Federation Scenario
• Use of certificates bound to the identity
• NATO Pass System
• Use of national military ID-Card
Technology/Solution specific IdM use cases for testing
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications
• Others …
IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping
[Matrix: rows are the Strawman Paper use cases: Access to C2 Data and Services; SSO in Federation; Use of certificates; NATO Pass System; Use of national military ID-Card. Columns are the Technology/Solution use cases: Group Management; Security Token based authentication; Portal Access; Collaboration Tools; Access to Legacy Systems; ???. The relevance marks in the cells did not survive the transcript.]
IdM Use Case Validation Environment
Service Components
• Information Exchange Gateway scenario B (IEG B)
• NATO Enterprise Directory Service (NEDS)
• Allied Replication Hub (ARH)
• Border Directory Services
• NATO Public Key Infrastructure (NPKI) Certificate Authority
• Security Token Service (STS)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
• Web servers/portals and clients
• Web Proxy
• Web Concentrator
• Collaboration tool servers and clients
• Identity Data Sources
Use Cases
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications
Group Management Use Case
Foundation for other use cases
Foundation for a formal access control mechanism implementation. Access control models being considered:
 - role based access control (RBAC), currently used in many C2 systems
 - attribute based access control (ABAC), anticipated to be more exploited in future service-oriented systems
Potential areas of usage (examples)
 - cross-domain group management delegation
 - cross-domain group mapping
Status
 - directory components installed
 - meta-tools installed, configured, jobs implemented
 - initial testing completed
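The slide names cross-domain group mapping as the foundation and lists RBAC and ABAC as the candidate models without showing how the two differ in practice. The following is an added illustration, not code from the NC3A testbed or the Strawman Paper: every group name, attribute value and the protected resource are constructed. It maps national directory groups onto NATO groups through an allow-list (an unmapped national group is dropped rather than passed through), then evaluates the same request under RBAC (group membership alone) and under ABAC (group plus clearance, releasability and Community of Interest), so that a user who passes RBAC can still be refused by ABAC.

```python
"""Added example: cross-domain group mapping feeding RBAC and ABAC decisions.

All group names, attribute values and the resource are constructed for this
illustration; they are not taken from the NC3A testbed.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical cross-domain group mapping: national directory group -> NATO group.
# The mapping is an allow-list. A national group with no entry is dropped rather
# than passed through, so a nation cannot mint a NATO group by naming one.
GROUP_MAP = {
    "NLD-J3-OPS": "NATO-C2-OPERATORS",
    "NLD-J2-INTEL": "NATO-INTEL-READERS",
    "NLD-HELPDESK": "NATO-PORTAL-USERS",
}

# Ordering of NATO classification markings, lowest to highest.
CLEARANCE_RANK = {
    "NATO UNCLASSIFIED": 0,
    "NATO RESTRICTED": 1,
    "NATO CONFIDENTIAL": 2,
    "NATO SECRET": 3,
}


@dataclass(frozen=True)
class Identity:
    """What a national identity data source replicates about a user."""
    uid: str
    nation: str
    clearance: str
    national_groups: frozenset
    cois: frozenset = frozenset()   # Communities of Interest the user belongs to


@dataclass(frozen=True)
class Resource:
    """A protected C2 service and the policy attached to it."""
    name: str
    required_group: str          # RBAC: membership of one NATO group grants access
    classification: str          # ABAC: caller must hold at least this clearance
    releasable_to: frozenset     # ABAC: nations the data may be released to
    coi: Optional[str] = None    # ABAC: optional Community of Interest restriction


def map_groups(national_groups):
    """Cross-domain group mapping; unmapped national groups are discarded."""
    return frozenset(GROUP_MAP[g] for g in national_groups if g in GROUP_MAP)


def rbac_decide(identity, resource):
    """RBAC: access follows from holding the mapped NATO group, nothing else."""
    return resource.required_group in map_groups(identity.national_groups)


def abac_decide(identity, resource):
    """ABAC: the group is necessary but not sufficient; attributes must also fit."""
    if CLEARANCE_RANK.get(identity.clearance, -1) < CLEARANCE_RANK[resource.classification]:
        return False                                   # insufficient clearance
    if identity.nation not in resource.releasable_to:
        return False                                   # not releasable to that nation
    if resource.coi is not None and resource.coi not in identity.cois:
        return False                                   # outside the Community of Interest
    return rbac_decide(identity, resource)


def decisions(identity, resource):
    """Side-by-side outcome of both models for one request."""
    return {"rbac": rbac_decide(identity, resource),
            "abac": abac_decide(identity, resource)}


# Constructed sample data.
C2_PICTURE = Resource(
    name="c2-common-operational-picture",
    required_group="NATO-C2-OPERATORS",
    classification="NATO SECRET",
    releasable_to=frozenset({"NLD", "USA", "DEU"}),
    coi="COI-OPS-PLANNING",
)
OPERATOR = Identity("jdoe", "NLD", "NATO SECRET",
                    frozenset({"NLD-J3-OPS"}), frozenset({"COI-OPS-PLANNING"}))
# Same mapped group as the operator, but only RESTRICTED and outside the CoI;
# the national directory also carries a group NATO has never heard of.
CLERK = Identity("rroe", "NLD", "NATO RESTRICTED",
                 frozenset({"NLD-J3-OPS", "NLD-LOCAL-ADMINS"}))

if __name__ == "__main__":
    for who in (OPERATOR, CLERK):
        print(who.uid, decisions(who, C2_PICTURE))
```

The point the two decision functions make is the one the slide gestures at: once identities are replicated across domains, the group a nation asserts is only one input. The clerk holds the mapped group and passes RBAC, yet ABAC refuses because clearance and CoI membership, which travel with the identity as attributes, do not fit the resource. The unmapped "NLD-LOCAL-ADMINS" group disappears at the boundary instead of becoming a NATO group by accident.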
IdM in Group Management
NNEC Hints
“Network of networks” is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
Community of Interest (CoI) is a driver for access control in NNEC
Sharing of identity information between these different networks is crucial for providing access control
Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients
Security Token Based Access Use Case
Simple services can be combined into more complex ones (“orchestration”)
Typically users interact with web services using different kinds of GUIs (web and form based ones).
Service provider/consumer interoperability:
 - standard protocols like SOAP, HTTP
 - Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated
Status:
 - all components installed
 - not all configured yet
 - not all tested yet
 - not integrated with directory yet
Secure Token Based Access
… Integrated with Directory Services
Access to Portal
Web portal access handling is one of the most common and basic information sharing requirements
Access granularity is a desired feature that needs to be implemented in future NATO portals
Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's Identity Architecture, and so will be able to act as a relying party to XML security tokens.
Initially, access from a national domain to NATO portals is the most expected operational scenario
Status:
IdM in Access to Portal
Collaboration Tools Use Case
XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:
XMPP is a mandatory collaboration standard for military usage in many NATO nations
JChat application, a standard NATO collaboration tool, to be used on the NATO side
Status: not implemented yet
IdM in Collaboration Tools
Access to Legacy Applications
There are still applications in NATO CIS which are not PKI and/or Web services enabled
Authentication/Authorization mechanisms:
 - implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application specific solutions, or
 - are not implemented at all
For completeness of the IdM use case validation picture, legacy systems should be included
Status: not implemented yet
IdM in Legacy Systems
Summary
The concept of IdM in a federated NATO environment (NATO plus NATO nations) is in an early stage of formalization
The list of use cases for IdM is open
The NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners
Why Identity Management matters …
CONTACTING NC3A
NC3A Brussels
Visiting address:
Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
Telephone +32 (0)2 7074111, Fax +32 (0)2 7078770
Postal address:
NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels - Belgium

NC3A The Hague
Visiting address:
Oude Waalsdorperweg 61, 2597 AK The Hague
Telephone +31 (0)70 3743000, Fax +31 (0)70 3743239
Postal address:
NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands