“Federated identity management is about leveraging identity management work being done by individual organizations so they can be used elsewhere,” says Jeremy Warren, Justice’s chief technology officer. “If you are a detective and you are trying to access some system at the Immigration and Customs Enforcement or DoJ or the Chicago Police, then those organizations are going to need to look you up, verify your identity and decide if you are trustworthy. They will have to give you a user name and password and it’s very wasteful. It takes a lot of time and wastes a lot of money.”
Warren, who spoke Tuesday on a panel discussion about information sharing during a breakfast sponsored by the AFCEA chapter in Bethesda, Md., says federated identity management standards and processes can end all that wasted time, effort and money.
The federation, which is similar to the federal public key infrastructure bridge run by the General Services Administration, would let different agencies go to a single portal where they can access law enforcement databases based on their roles and responsibilities.
“It’s based on trust and whether or not you trust the other organization to do their work and do it effectively,” he says. “There is a good basis for it because it’s very difficult to do this work from afar. The key part is coming up with standards and policy, [that says] you have to do this or that; if you fire someone, they are out of the system immediately. Once people agree to that, and once there is some scheme to verify that people are following these processes, audits and certification, then there should be a solid foundation for trust.”
A real-world pilot let law enforcement officials at all levels of government access specific databases using their own agency’s credentials rather than accounts issued by the database owner.
“We were trying to get actual users solving actual problems and dealing with actual hurdles you may never see in a lab,” he says. “It’s providing value because we understand the cost and the challenges about doing it on a national scale.”
Warren says the pilot was a success and the department’s Criminal Justice Information Services (CJIS) is taking the lead to expand it nationwide by the end of this year.
“It will enable any law enforcement organization across the country that meets the policy standards to join up and start participating either by accepting users to come to access their resources or by enabling their users to access other people’s resources,” Warren says. “In the future, the user can use whatever credentials they have today and go to a broker, and there is a portal on the broker where all of the different systems that are out there are being advertised. If you meet these requirements, you can access this system.”
Warren says the benefits of the portal are obvious, including better data access and better cybersecurity because the single sign-on requires at least two-factor authentication. He adds that many agencies are spending a lot of money managing user names and passwords, and the federation will put an end to that effort.
“On the application side, it’s not just saving money with password resets, there is much greater security,” he says. “When you talk about a CJIS system like LEO providing access to a user with the Los Angeles police department, LEO has no way of knowing on a timely basis when a user is no longer at LAPD or no longer should have access. Also, they have to manage another password for them, and they have no way of knowing how secure someone is being with that password, and it’s way too expensive for CJIS to be giving out multi-factor credentials to everyone.”
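The broker model Warren describes has three moving parts: the home agency authenticates its own user and vouches for them, the broker checks that the vouching agency is a federation member and that the assertion is genuine and current, and the resource's advertised requirements (here, an authentication assurance level and a role) decide whether the user gets in. The following is an added illustration of that decision flow, not CJIS's software or protocol; the agency names, shared secrets, resource names, roles, AAL values and the HMAC signature (a stand-in for the PKI-backed signatures a real federation would use) are all constructed for the example. Note that the stale-account problem in the quote above disappears by construction: once LAPD drops a user from its directory it stops issuing assertions for them, and LEO never had a password for that user to forget to revoke.

```python
"""Illustrative federation broker (constructed example, not CJIS's protocol).

A home agency issues a short-lived, signed assertion about one of its users;
the broker verifies the issuer, signature and validity window, then applies
the requested resource's advertised access requirements.
"""
import hashlib
import hmac
import json
import time

# Agencies that have signed the MOU and passed audit. The shared secrets are
# hypothetical stand-ins for the trust anchors of a real PKI-based federation.
FEDERATION_MEMBERS = {
    "lapd.example": b"lapd-signing-key",
    "chicago-pd.example": b"cpd-signing-key",
}

# Resources advertised on the broker's portal, each with its requirements:
# a minimum authentication assurance level (AAL2 = multi-factor) and the roles
# permitted to use it. Names and policies are hypothetical.
RESOURCES = {
    "LEO": {"min_aal": 2, "roles": {"detective", "analyst"}},
    "ncic-lite": {"min_aal": 2, "roles": {"detective"}},
}

ASSERTION_TTL = 300  # seconds an assertion stays valid


def issue_assertion(agency, user, roles, aal, key, now=None):
    """Home agency signs a claim about a *current* employee.

    Only the agency holds the key, so an employee removed from its directory
    simply stops receiving assertions; no relying party has to be notified.
    """
    now = time.time() if now is None else now
    body = {"iss": agency, "sub": user, "roles": sorted(roles),
            "aal": aal, "iat": now, "exp": now + ASSERTION_TTL}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def broker_decide(assertion, resource, now=None):
    """Verify the assertion, then apply the resource policy.

    Returns (allowed, reason). Every check that fails names the reason so an
    audit log can show why a federated user was turned away.
    """
    now = time.time() if now is None else now
    try:
        body = json.loads(assertion["payload"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed assertion"

    # 1. Is the issuer a federation member we have agreed to trust?
    key = FEDERATION_MEMBERS.get(body.get("iss"))
    if key is None:
        return False, "issuer not a federation member"

    # 2. Was this assertion really produced by that issuer, unmodified?
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False, "bad signature"

    # 3. Is it still within its validity window?
    if not (body["iat"] <= now < body["exp"]):
        return False, "assertion expired"

    # 4. Does the user meet the resource's advertised requirements?
    policy = RESOURCES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if body["aal"] < policy["min_aal"]:
        return False, f"requires AAL{policy['min_aal']}, got AAL{body['aal']}"
    if not policy["roles"] & set(body["roles"]):
        return False, "role not authorized for resource"
    return True, f"{body['iss']} vouches for {body['sub']}"


if __name__ == "__main__":
    key = FEDERATION_MEMBERS["lapd.example"]
    good = issue_assertion("lapd.example", "jdoe", {"detective"}, 2, key)
    weak = issue_assertion("lapd.example", "jdoe", {"detective"}, 1, key)
    rogue = issue_assertion("rogue.example", "x", {"detective"}, 2, b"k")
    for label, a in [("mfa user", good), ("password-only", weak), ("non-member", rogue)]:
        print(label, broker_decide(a, "LEO"))
```

The order of the checks matters: issuer membership and signature are verified before any field of the payload is trusted, and the expiry window is short so that a revoked user's last assertion dies on its own rather than relying on a revocation message reaching every resource provider.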
For federal, state or local agencies to join the federation, they will have to sign a memorandum of understanding saying they will abide by the standards and policies, and must certify or have their compliance audited.
Warren says joining typically costs an agency about $100,000 if it participates as a user of other agencies’ information, and a little more than that if it participates as a provider of information.
“The overall costs to run the federation will be relatively low because all we are providing is a broker capability to connect the providers,” he says. “We have to get everyone to agree to the policy and have formal governance of the policy by the federation.”
CJIS will operate the broker for the portal, and its Advisory Policy Board, the national body that governs law enforcement databases, will govern the federation’s policy.
“Going forward, to really grow this, there’s individual work participants have to do,” he says. “It could be firming up identity management processes in some cases, or in other cases, changes to the technology, which generally are pretty minor, or policy changes in terms of trusting users who are authenticated and managed elsewhere. Long term, it’s figuring all that out and how people are going to do it.”