Agencies look past ID cards to next phase of identity management

Kshemendra Paul - Identity and Access Management Month - Jan. 10, 2017

With 85 percent of agencies using smart identity cards to log onto computer networks, they’re starting to look ahead to the next phase of identity management: controlling who gets access to what information, and when. That requires implementing a back-end attribute exchange.

“The back-end attribute exchange is a secure way for different agencies — federal agencies, state, local and tribal agencies — to securely register and share attributes about data and about people, to help calibrate policy around privacy, around security, around information sharing,” said Kshemendra Paul, program manager of the Information Sharing Environment in the Office of the Director of National Intelligence, on Identity Access and Management Month.

The ISE has been helping on a series of successful pilots of this concept at various agencies, including the Homeland Security Information Network (HSIN) at the Department of Homeland Security. Paul said that over the years he has seen an increase in standards-based direct connections, which cost less than point-to-point connections.

“Taken together, it’s about half-a-million registered users — federal, state, local and private sector — and we’ve then been able to support our partners’ simplified, and in many cases, single sign-on across those networks, solving a critical problem going back to 9/11,” Paul said. “And increasingly our partners are moving toward using attributes to do security trimmed, privacy trimmed federated queries, federated search.”


Mission shared services are another benefit agencies are seeing from these systems.

“Shared services is a key idea, but all the action in shared services is on the back-office side,” Paul said. “How do you do shared services on the mission side? It’s through interoperability and following end-user demand, almost like a market-based approach.”

The approaches differ between agencies, he said, because they all have different policies and controls for onboarding and maintaining credentials.

Paul said the back-end attribute exchange works through the different policies and standards for onboarding people and for maintaining the currency of those credentials, including when an employee leaves.

“Establishing those controls and harmonizing those specific controls across levels of government and across domains of activity,” he said. “It’s a business process that gets reflected eventually in an attribute that is trusted across agencies where there is no direct person-to-person relationship. Why? Because the infrastructure is there to assure that those controls are implemented, managed, audited and all the rest.”

Paul said these processes are automated and based on standards that are part of the software providing the identity management services.

“Our contribution at the ISE is our focus on standards, standards-based interoperability and not just technical standards, but business process and policy standards,” he said.

To that end, ISE defined eight mandatory authoritative attributes and close to 100 optional ones under an authoritative attributes effort in the sensitive but unclassified network federation, which includes DHS and Justice Department data platforms.

ISE has helped lead the effort to go through the governance process to gain agreement on definitions and use cases.

ISE has been trying to address this challenge for more than five years. The ISE and the General Services Administration partnered early on to address the challenges of identity management at the software layer. The back-end attribute exchange pilot began in 2012. Paul said the push for secure information sharing really started in 2012 after the White House issued new guidance for information sharing and safeguarding in the wake of the Edward Snowden incident.

From those efforts, the ISE also helped shepherd a program called the attribute registry service. Paul said it’s in place today, being used by the Office of Personnel Management, the Defense Department and GSA to support better use of the smart identity card around physical access security.

“There is software on the back end that exchanges the attributes and the attribute registry service gives you the definition of what are the authoritative that are managed and shared by different participants in the federation,” he said.
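The mechanism Paul describes, a registry that defines which attributes exist and who is authoritative for each, assertions from a home agency that other participants trust without a person-to-person relationship, and queries trimmed by those attributes, can be illustrated in a few dozen lines. The following Python is an added example written for this article, not ISE, GSA or any agency code. The registry entries, issuer names, clearance values, sharing communities and records are all constructed placeholders; the article says ISE defined eight mandatory attributes and close to 100 optional ones but does not list them, so nothing below should be read as the real attribute set.

```python
"""Constructed illustration of a back-end attribute exchange feeding an
attribute-based access decision. Every attribute name, issuer, record and
value below is a made-up placeholder, not the ISE's real attribute set."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed attribute registry (stands in for the attribute registry service):
# which attributes exist, which are mandatory, and which participant is
# authoritative for each one. Only an authoritative source may assert a value.
ATTRIBUTE_REGISTRY = {
    "employer_org":      {"mandatory": True,  "authoritative": {"agency-a-idp", "agency-b-idp"}},
    "credential_status": {"mandatory": True,  "authoritative": {"agency-a-idp", "agency-b-idp"}},
    "clearance_level":   {"mandatory": True,  "authoritative": {"agency-a-idp", "agency-b-idp"}},
    "sharing_community": {"mandatory": False, "authoritative": {"federation-registry"}},
}
CLEARANCE_RANK = {"none": 0, "sensitive": 1, "secret": 2}


@dataclass
class AttributeAssertion:
    """One statement from one issuer; signature verification is assumed to have happened upstream."""
    subject: str
    issuer: str
    issued_at: datetime
    expires_at: datetime
    attributes: dict


def merge_trusted_attributes(assertions, now):
    """Keep only attribute values asserted by an authoritative issuer within its validity window."""
    trusted = {}
    for a in assertions:
        if not (a.issued_at <= now < a.expires_at):
            raise ValueError(f"assertion from {a.issuer} outside its validity window")
        for name, value in a.attributes.items():
            spec = ATTRIBUTE_REGISTRY.get(name)
            if spec is None or a.issuer not in spec["authoritative"]:
                continue  # unknown attribute or non-authoritative issuer: never trusted
            if name in trusted and trusted[name] != value:
                raise ValueError(f"conflicting authoritative values for {name}")
            trusted[name] = value
    missing = [n for n, s in ATTRIBUTE_REGISTRY.items() if s["mandatory"] and n not in trusted]
    if missing:
        raise ValueError(f"mandatory attributes missing or untrusted: {missing}")
    if trusted["credential_status"] != "active":
        raise ValueError("credential is no longer current")  # e.g. employee has left
    return trusted


def record_visible(record, attrs):
    """Constructed policy: clearance must meet the record's floor, and a record tagged
    with sharing communities is visible only to a member of one of them."""
    if CLEARANCE_RANK[attrs["clearance_level"]] < CLEARANCE_RANK[record["min_clearance"]]:
        return False
    communities = set(attrs.get("sharing_community", []))
    if record["communities"] and not (record["communities"] & communities):
        return False
    return True


def federated_query(records, assertions, now):
    """Security-trimmed query: deny outright on bad assertions, otherwise return only visible ids."""
    try:
        attrs = merge_trusted_attributes(assertions, now)
    except ValueError as exc:
        return {"decision": "deny", "reason": str(exc), "ids": []}
    ids = [r["id"] for r in records if record_visible(r, attrs)]
    return {"decision": "permit", "reason": "", "ids": ids}


# Constructed sample data: three records and two assertions about the same person.
RECORDS = [
    {"id": "r1", "min_clearance": "sensitive", "communities": {"law-enforcement"}},
    {"id": "r2", "min_clearance": "secret",    "communities": {"intel"}},
    {"id": "r3", "min_clearance": "none",      "communities": set()},
]
NOW = datetime(2017, 1, 10, tzinfo=timezone.utc)
LATER = datetime(2017, 1, 12, tzinfo=timezone.utc)  # after the assertions expire
HOME_AGENCY_ASSERTION = AttributeAssertion(
    subject="alice", issuer="agency-a-idp",
    issued_at=datetime(2017, 1, 9, tzinfo=timezone.utc),
    expires_at=datetime(2017, 1, 11, tzinfo=timezone.utc),
    attributes={"employer_org": "agency-a", "credential_status": "active",
                "clearance_level": "sensitive",
                "sharing_community": ["intel"]},  # ignored: agency-a is not authoritative for it
)
FEDERATION_ASSERTION = AttributeAssertion(
    subject="alice", issuer="federation-registry",
    issued_at=datetime(2017, 1, 9, tzinfo=timezone.utc),
    expires_at=datetime(2017, 1, 11, tzinfo=timezone.utc),
    attributes={"sharing_community": ["law-enforcement"]},
)

if __name__ == "__main__":
    print(federated_query(RECORDS, [HOME_AGENCY_ASSERTION, FEDERATION_ASSERTION], NOW))
    print(federated_query(RECORDS, [HOME_AGENCY_ASSERTION], NOW))
    print(federated_query(RECORDS, [HOME_AGENCY_ASSERTION], LATER))
```

The three calls at the bottom show the behaviour the article is getting at: with both assertions the user sees r1 and r3; with only the home-agency assertion the community-tagged record r1 drops out, because the home agency is not authoritative for sharing_community and its value for that attribute is discarded rather than trusted; and once the assertions have expired the query is denied altogether, which is the "currency of credentials" control applied at the relying party rather than by a person-to-person check.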