190 likes | 271 Vues
Information Sharing Puzzle : Next Steps. Chris Rogers California Department of Justice April 28, 2005. Tactical Approaches. VPN / Trusted Certificates/Credentials Customized Gateways Vetted and agreed upon policies and procedures Information exchange model (IEM) XML credentials
E N D
Information Sharing Puzzle: Next Steps Chris Rogers California Department of Justice April 28, 2005
Tactical Approaches • VPN / Trusted Certificates/Credentials • Customized Gateways • Vetted and agreed upon policies and procedures • Information exchange model (IEM) • XML credentials • System-to-System use case • IVE appliance integrated with infrastructure • Identities propagated throughout network • Tools that delegate the assignment of privileges • Certificate Policy/Practice Statement • User-to-Application use case
Acute Awareness • Primary Impediments to Information Sharing • Incompatible technologies • Identity, authentication, & authorization policies • Factors Affecting Interoperability • Numerous autonomous agencies • Multiple trust domains • Heterogeneous environments • Varied governance structures • Significant investment in legacy environments • Inconsistent or non-existent security policies & procedures • Disparate and incompatible security mechanisms
Fundamentals of Success • Identity Management • Addresses the inter-domain security problem with trust and standards • Agreements, standards, technologies make identity and entitlements portable across autonomous domains • Authenticated users can be easily recognized and consume services offered by other “federation” service providers • Privilege Management
Addressing the Problem • Nat’l Criminal Intelligence Sharing Plan (NCISP) • Global Justice Information Sharing Initiative • Advisory Committee Membership/Leadership • Advisory Committee Executive Steering Committee • Global Working Groups • Infrastructure Standards • Security • Global Security Architecture Committee • Intelligence • Privacy and Information Quality
Committee Composition • Criminal Information Sharing Alliance Network (CISAnet) • Regional Information Sharing Systems Network (RISSNET) • Justice Network (JNET) • DHS Homeland Security Information Network (HSIN)/ Joint Regional Information Exchange System (JRIES) • Automated Regional Justice Information System (ARJIS) • California Departmentof Justice • Wisconsin Departmentof Justice
Global Security Architecture Committee (GSAC) • Business Problem • Recognized networks and information systems exist that involve substantial investments in technology, governance structures, and trust relationships • Failure to enable interoperability between the available information systems continues impede law enforcement and government officials’ ability to take effective actions when they are not aware of other information that may be known about a person or event
Global Security Architecture Committee (GSAC) • Committee Scope • In response to the implementation of the National Criminal Intelligence Sharing Plan (NCISP) to develop an “overall” NCISP Interoperability Framework • To define of a set of “jointly agreed-upon and standards-based security mechanisms, communications protocols, and message formats”
Initiatives • Federated Identity and Privilege Management Security Interoperability Demonstration (GSAC participants) • Trusted Credential Project (RISS) • DHS Service Oriented Architecture • Security and Identity Management (IdM) Component (DHS)
Demonstration Federated Identity and Privilege Management Security Interoperability
Goal/Objective • A multi-directional electronic exchange of criminal intelligence information, achieved through secure systems interoperability between networks and information systems currently not capable of doing so
Scope • Develop and prove an identity and privilege management service that can be used to apply authentication and access controls by disparate systems and networks desiring to make their resources “sharable”
Scope (cont’d) What’s IN What’s OUT • Policies • Process definition • Established baseline • of vetting requirements • User-to-application • use case • Web-based • applications only • Use open source, non- • commercial software • to keep licensing • costs to a minimum
Deliverable • Demonstrate a universal mechanism, implementation-independent and non-vendor specific, designed to share trusted assertions (agreed set of attributes) that can be used to apply authentication and access controls
Use Case • A valid subscriber of System “A” can access applications of System “B” (a federation participant) • A valid subscriber of System “B” can access applications of System “A”; (a federation participant) • A subscriber is “registered” locally and is not required to re-register to another federation participant’s system or application
Use Case (cont’d) • A subscriber authenticates locally and is not required to re-authenticate to another federation application • even if that subscriber has traversed multiple applications within the federation • Subscriber information is passed to the federation system or application • access control decisions can be made withoutlocal provisioning
Participation Premise • Participants retain control over their resources (dissemination & access control decisions made locally) • Participants register & administer their subscriber base • Participants can implement local technologies • Participants agree to a minimal set of policies, procedures, and standards allowing for subscriber authentication and privilege information to be passed between participants • Participation does not preclude independent, out-of-band, bilateral agreements between participants
Progress • Cooperative Agreements • Funding • Data Requirements Survey • Industry Specs • Recommendations/Common Usage Profile • Concept Demo • Coming soon…
For more information… Christina Rogers California Department of Justice (916) 227-3124 Christina.Rogers@doj.ca.gov