
Interoperable Trust Networks

Interoperable Trust Networks. Chris Rogers California Dept of Justice February 16, 2005. Tactical Approaches. VPN / Trusted Certificates/Credentials Customized Gateways Vetted and agreed upon policies and procedures Information exchange model (IEM) XML credentials





Presentation Transcript


  1. Interoperable Trust Networks Chris Rogers California Dept of Justice February 16, 2005

  2. Tactical Approaches • VPN / Trusted Certificates/Credentials • Customized Gateways • Vetted and agreed upon policies and procedures • Information exchange model (IEM) • XML credentials • System-to-System use case • IVE appliance integrated with infrastructure • Identities propagated throughout network • Tools that delegate the assignment of privileges • Certificate Policy/Practice Statement • User-to-Application use case

  3. Acute Awareness • Primary Impediments to Information Sharing • Incompatible technologies • Identity, authentication, & authorization policies • Factors Affecting Interoperability • Numerous autonomous agencies • Multiple trust domains • Heterogeneous environments • Varied governance structures • Significant investment in legacy environments • Inconsistent or non-existent security policies & procedures • Disparate and incompatible security mechanisms

  4. Fundamentals of Success • Trusted Identities • Identity Management • Addresses the inter-domain security problem with trust and standards • Agreements, standards, technologies make identity and entitlements portable across autonomous domains • An authenticated user can be easily recognized and take part in the services offered by other “federation” service providers • Privilege Management

  5. Addressing the Problem • Nat’l Criminal Intelligence Sharing Plan (NCISP) • Global Justice Information Sharing Initiative • Advisory Committee Membership/Leadership • Advisory Committee Executive Steering Committee • Working Groups • Infrastructure Standards • Security • Global Security Architecture Committee • Intelligence • Privacy and Information Quality

  6. Committee Composition • Criminal Information Sharing Alliance Network (CISAnet) • Regional Information Sharing Systems Network (RISSNET) • Justice Network (JNET) • DHS Homeland Security Information Network (HSIN)/ Joint Regional Information Exchange System (JRIES) • Automated Regional Justice Information System (ARJIS) • California and Wisconsin Departments of Justice

  7. Global Security Architecture Committee (GSAC) • Business Problem • Recognized networks and information systems exist that involve substantial investments in technology, governance structures, and trust relationships • Failure to enable interoperability between the available information systems continues to impede law enforcement and government officials’ ability to take effective actions when they are not aware of other information that may be known about a person or event

  8. Global Security Architecture Committee (GSAC) • Scope • In response to the implementation of the National Criminal Intelligence Sharing Plan (NCISP), to develop an “overall” NCISP Interoperability Framework • To define a set of “jointly agreed-upon and standards-based security mechanisms, communications protocols, and message formats”

  9. Initiatives • Federated Identity and Privilege Management Security Interoperability Demonstration (GSAC) • Trusted Credential Project (RISS) • DHS Service Oriented Architecture • Security and Identity Management (IdM) Component (DHS)

  10. “Demonstration” • Scope • Develop and prove an identity and privilege management service that can be used to apply authentication and access controls by disparate systems and networks desiring to make their resources “sharable” • Deliverable • Demonstrate a universal mechanism, implementation-independent and non-vendor specific, designed to share trusted assertions (agreed set of attributes) that can be used to apply authentication and access controls

  11. Demonstration Scope • What’s IN: User-to-application use case • Web-based applications only • Use open source, non-commercial software to keep licensing costs to a minimum • What’s OUT: Policies • Process definition • Established baseline of vetting requirements

  12. Participation Premise • Participants retain control over their resources (dissemination & access control decisions made locally) • Participants register and administer their subscriber base • Participants can implement local technologies • Participants agree to a minimal set of policies, procedures, and standards allowing for subscriber authentication and privilege information to be passed between participants • Participation does not preclude independent, out-of-band, bilateral agreements between participants

  13. Use Case • User-to-Application • Premise • User “A” of System “A” needs access to the application(s) of System “B” • Problem • So… how do applications made accessible by System B identify, authenticate, authorize, entitle, and ultimately trust, users of System A?

  14. Use Case Characteristics • A valid subscriber of System “A” can access applications of System “B”; a federation participant • A valid subscriber of System “B” can access applications of System “A”; a federation participant • A subscriber is “registered” locally and is not required to re-register to another federation participant’s system or application

  15. Characteristics, cont’d • A subscriber authenticates locally and is not required to re-authenticate to another federation application • even if that subscriber has traversed multiple applications within the federation • Subscriber information is passed to the federation system or application • access control decisions can be made without local provisioning
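The user-to-application exchange of slides 13 to 15 (System A authenticates its subscriber locally, passes a trusted assertion carrying the agreed set of attributes, and System B decides access without provisioning that user) as an added worked example; this is illustrative code, not anything from the GSAC demonstration. It assumes an HMAC over a JSON payload as a stand-in for certificate-signed assertions, a made-up participant registry, and an assumed attribute set of subscriber, agency and role.

```python
import hashlib
import hmac
import json
import time

# Constructed federation registry: each participant registers and administers its own
# subscriber base (slide 12) and shares one key with the federation. Assumption: HMAC
# stands in for the certificate-based trust the deck refers to; keys are sample values.
PARTICIPANT_KEYS = {
    "system-a": b"constructed-secret-for-system-a",
    "system-b": b"constructed-secret-for-system-b",
}

# Agreed set of attributes every assertion must carry (assumed for this example).
REQUIRED_ATTRIBUTES = ("subscriber", "agency", "role")


def issue_assertion(issuer, audience, attributes, ttl=300, now=None):
    """System A, after local authentication, emits a signed attribute assertion."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl, "attrs": attributes}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(PARTICIPANT_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion, expected_audience, now=None):
    """System B checks issuer membership, signature, audience, expiry and attribute set.
    Returns the asserted attributes, or None if the assertion must not be trusted."""
    now = time.time() if now is None else now
    payload = json.loads(assertion["body"])
    key = PARTICIPANT_KEYS.get(payload.get("iss"))
    if key is None:  # issuer is not a registered federation participant
        return None
    expected = hmac.new(key, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # tampered body or forged signature
    if payload.get("aud") != expected_audience or payload.get("exp", 0) <= now:
        return None  # replayed against another participant, or stale
    attrs = payload.get("attrs", {})
    if any(a not in attrs for a in REQUIRED_ATTRIBUTES):
        return None  # does not carry the agreed attribute set
    return attrs


def authorize(attrs, resource):
    """Local access-control decision made from asserted attributes alone (no local account)."""
    policy = {"intel-search": {"analyst", "investigator"}, "case-admin": {"investigator"}}
    return attrs is not None and attrs["role"] in policy.get(resource, set())
```

The dissemination decision stays with System B, which owns the policy table, while the identity decision stays with System A, which owns the key; neither side has to mirror the other's user directory.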

  16. Goal/Objective • A multi-directional electronic exchange of criminal intelligence information, achieved through secure systems interoperability between networks/ information systems currently not capable of doing so.

  17. More Information… Christina Rogers CA Department of Justice (916) 227-3124 Christina.Rogers@doj.ca.gov
