Identity Management in a Federated Environment
US-NATO TEM 6, 1-3 December 2009
Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail: [email protected]

Page 1: Identity Management in a Federated Environment US-NATO TEM 6 1-3 December 2009 Alan Murdock Dr. Robert Malewicz Dr. Sven Kuehne CAT-2 Interoperability

Identity Management in a Federated Environment

US-NATO TEM 6, 1-3 December 2009

Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne

CAT-2 Interoperability | NATO C3 Agency - The Hague

Tel.: +31 (0)70 374 3562 | E-mail: [email protected]

Page 2:

NATO IdM Initiatives

• SC/4-SC/5 NATO IdM Workshop (2008/09)
  - output: NATO IdM Strawman Paper
  - directory services oriented view
  - focused on alliance aspect of NATO IdM
  - identifies IdM use cases in NATO

• SC/4 Service Management Infrastructure AHWG (2008/09)
  - output: SMI Technical Services Definitions working paper
  - Security Management architecture view
  - requirements/standards/technology agnostic approach
  - identifies interfaces with other security management services

NATO UNCLASSIFIED 2

Page 3:

Terminology

Identity Management is ambiguous!

Identity Management includes:
• Identity Assurance
• Identity Employment or Utilization
• Identity Services

What is an "Identity"?
• … a PKI certificate?
• … a set of attributes?
• … the same for every entity in the enterprise?

Page 4:

Different view on IdM

NATO has a two-dimensional challenge:

• IdM in the NATO Alliance: 28 NATO nations and partners constitute a federation

• IdM in the NATO Organization: NATO HQs and NATO agencies constitute an enterprise (?)

Page 5:

Challenges

• The concept of NATO IdM is in a very early stage of formalization
• Requirements for NATO IdM need to be defined
• The two dimensions of NATO IdM have the potential to cause conflicts for IdM
• Emerging technologies (Identity 2.0) are not reflected either in the NATO IdM Strawman Paper or in the SMI working paper
• Policy document for NATO IdM
• Interoperability at all levels

Page 6:

Way forward

What can we accomplish today?

• Listen
• Inform
• Plan for the future

NC3A Identity Management Test Campaign

Page 7:

IdM Concept Validation

Purpose:
• Identify NATO IdM requirements based on IdM use cases
• Verify architectures and solutions for identified IdM use cases

Scope:
• Validation focused on federated scenarios within NATO Alliance

Test Facility:
• Classification: NATO Unclassified
• NNEC CES Testbed as an investigation platform on the NATO side
• National Testbeds

Procedure:
• VPN Joining Instruction
• IdM Joining Instructions (based on ACP145 and ARH forms)
• agreed test scope (use cases) and schedule

Page 8:

NNEC CES Testbed Layout

[Diagram: CES Testbed on NATO Unclassified DMZ. Domains shown: (Simulated) National Domain, Others ..., NATO Unclassified, Internet, NATO Domain. Testbed segments: Production, Development, Demo, Management. Gateways: Regional IEG, National IEG.]

Page 9:

IdM Use Cases

IdM use cases defined in NIdM Strawman Paper:
• Access to C2 Data/Services in NATO SECRET Domain
• Single Sign On in Cross-Domain Federation Scenario
• Use of certificates bound to the identity
• NATO Pass System
• Use of national military ID-Card

Technology/Solution specific IdM use cases for testing:
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications
• Others …

Page 10:

IdM Strawman and Technology/Solution Driven Use Cases Relevance Mapping

[Matrix diagram. Rows (Strawman Paper use cases): Access to C2 Data and Services; SSO in Federation; Use of certificates; NATO Pass System; Use of national military ID-Card. Columns (Technology/Solution use cases): Group Management; Security Token based authentication; Portal Access; Collaboration Tools; Access to Legacy Systems; ???. Cell markings not reproduced.]

Page 11:

IdM Use Case Validation Environment

Page 12:

Service Components

• Information Exchange Gateway scenario B (IEG B)
• NATO Enterprise Directory Service (NEDS)
• Allied Replication Hub (ARH)
• Border Directory Services
• NATO Public Key Infrastructure (NPKI) Certificate Authority
• Security Token Service (STS)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
• Web servers/portals and clients
• Web Proxy
• Web Concentrator
• Collaboration tool servers and clients
• Identity Data Sources

Page 13:

Use Cases

• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications

Page 14:

Group Management Use Case

Foundation for other use cases

Foundation for a formal access control mechanism implementation. Access control models being considered:
• role based access control (RBAC), currently used in many C2 systems
• attribute based access control (ABAC), anticipated to be more exploited in future service-oriented systems

Potential areas of usage (examples):
• cross-domain group management delegation
• cross-domain group mapping

Status:
• directory components installed
• meta-tools installed, configured, jobs implemented
• initial testing completed

Page 15:

IdM in Group Management

Page 16:

NNEC Hints

• "Network of networks" is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together

• Community of Interest (CoI) is a driver for access control in NNEC

• Sharing of identity information between these different networks is crucial for providing access control

• Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients

Page 17:

Security Token Based Access Use Case

• Simple services can be combined into more complex ones ("orchestration")

• Typically users interact with web services using different kinds of GUIs (web and form based ones).

• Service provider/consumer interoperability:
  - standard protocols like SOAP, HTTP
  - Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)

• Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated

Status:
• all components installed
• not all configured yet
• not all tested yet
• not integrated with directory yet
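The token-based access use case above, together with the cross-domain group mapping and the RBAC/ABAC choice on the Group Management slide, as an added Python model that is not part of the presentation or of any NC3A software: a national STS issues a signed claims token, the NATO-side PEP validates issuer trust, signature and expiry, maps national groups to NATO groups, and a PDP applies an RBAC rule on the mapped groups and an ABAC rule on a clearance attribute. HMAC over a canonical JSON body stands in for the WS-Security XML signatures the deck names; all issuers, keys, groups, resources and clearance levels are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed federation trust store: issuer -> shared key. A WS-Trust STS
# would instead publish an X.509 certificate (NPKI) that the NATO side pins.
TRUSTED_ISSUERS = {"sts.nation-a.example": b"nation-a-demo-key"}
# Constructed cross-domain group mapping: (issuer, national group) -> NATO group.
GROUP_MAP = {
    ("sts.nation-a.example", "J3-Ops"): "NATO-C2-Operators",
    ("sts.nation-a.example", "J6-CIS"): "NATO-CIS-Admins",
}
# RBAC rule set (constructed): NATO group -> resources it may reach.
RBAC_RULES = {"NATO-C2-Operators": {"c2-portal"}, "NATO-CIS-Admins": {"c2-portal", "mgmt-console"}}
# ABAC attribute ordering for the clearance claim (constructed).
CLEARANCE_LEVELS = {"NATO UNCLASSIFIED": 0, "NATO RESTRICTED": 1, "NATO SECRET": 2}

def issue_token(issuer, subject, groups, clearance, now=None, ttl=300):
    """National STS: serialise the claims canonically and sign them."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "groups": groups,
              "clearance": clearance, "exp": int(now) + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(TRUSTED_ISSUERS[issuer], body, hashlib.sha256).hexdigest()
    return {"claims": body, "sig": sig}

def validate_token(token, now=None):
    """NATO-side STS/PEP: accept only a trusted issuer, an intact signature
    and an unexpired token. Returns the claims dict, or None on any failure."""
    now = time.time() if now is None else now
    claims = json.loads(token["claims"])
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None
    expected = hmac.new(key, token["claims"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if claims["exp"] <= now:
        return None
    return claims

def map_groups(claims):
    """Cross-domain group mapping: unmapped national groups are dropped, never passed through."""
    iss = claims["iss"]
    return {GROUP_MAP[(iss, g)] for g in claims["groups"] if (iss, g) in GROUP_MAP}

def pdp_decide(claims, resource, required_clearance):
    """PDP: RBAC on the mapped NATO groups AND ABAC on the clearance attribute."""
    rbac_ok = any(resource in RBAC_RULES.get(g, set()) for g in map_groups(claims))
    abac_ok = CLEARANCE_LEVELS.get(claims.get("clearance"), -1) >= CLEARANCE_LEVELS[required_clearance]
    return rbac_ok and abac_ok

def pep_access(token, resource, required_clearance="NATO UNCLASSIFIED", now=None):
    """PEP: validate the token first, then ask the PDP; returns the decision string."""
    claims = validate_token(token, now)
    if claims is None:
        return "deny: invalid token"
    return "permit" if pdp_decide(claims, resource, required_clearance) else "deny: policy"
```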

Page 18:

Secure Token Based Access

Page 19:

… Integrated with Directory Services

Page 20:

Access to Portal

• Web portal access handling is one of the most common and basic information sharing requirements

• Access granularity is a desired feature that needs to be implemented in future NATO portals

• Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's Identity Architecture, and so will be able to act as a relying party to XML security tokens.

• Initially, access from national domain to NATO portals is the most expected operational scenario

Status:

Page 21:

IdM in Access to Portal

Page 22:

Collaboration Tools Use Case

• XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:

• XMPP is a mandatory collaboration standard for military usage in many NATO nations

• JChat application, a standard NATO collaboration tool, to be used on the NATO side

Status: not implemented yet

Page 23:

IdM in Collaboration Tools

Page 24:

Access to Legacy Applications

• There are still applications in NATO CIS which are not PKI and/or Web services enabled

• Authentication/Authorization mechanisms:
  - implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application specific solutions, or
  - are not implemented at all

• For completeness of the IdM use case validation picture, legacy systems should be included

Status: not implemented yet

Page 25:

IdM in Legacy Systems

Page 26:

Summary

• The concept of IdM in a federated NATO environment (NATO plus NATO nations) is in an early stage of formalization

• List of use cases for IdM is open

• NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners

Page 27:

Why Identity Management matters …

Page 28:

CONTACTING NC3A

NC3A Brussels

Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels. Telephone +32 (0)2 7074111, Fax +32 (0)2 7078770

Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels - Belgium

NC3A The Hague

Visiting address: Oude Waalsdorperweg 61, 2597 AK The Hague. Telephone +31 (0)70 3743000, Fax +31 (0)70 3743239

Postal address: NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands