For many companies thinking about moving sensitive data to the cloud, security issues remain a significant concern. But one company, Operational Research Consultants Inc. (ORC), a WidePoint Company, is proving that the cloud really can be made as safe as, or even safer than, on-premises deployments, even for organizations as security-focused as the U.S. Federal Government.
– A pioneer in federal identity management:
ORC has been a trusted partner of the U.S. government since the mid-‘90s, when the company launched the Navy Acquisition Public Key Infrastructure to support secure interactions with contractors and suppliers. As the government’s emphasis on information assurance expanded over the next two decades, ORC became a go-to partner for security solutions and one of the first companies authorized to provide government-compliant identity management solutions.
Today ORC manages more than three million identities and has issued more than 10 million federal-compliant digital certificates to a variety of employees, contractors, allies, veterans and citizens conducting business with the government.
– The need for secure and interoperable identification and authentication:
In August 2004, the Bush administration issued a Homeland Security Presidential Directive (HSPD-12) to secure federal facilities and resources by establishing a government-wide standard for secure and reliable forms of identification. Going far beyond simply issuing ID badges to government employees, this initiative would focus on the processes needed to issue secure personal credentials, on methods to validate those issuance processes and credentials and on managing risk and quality throughout the lifecycle of the credentials.
The Personal Identity Verification (PIV) program implements these processes, and FIPS (Federal Information Processing Standard) 201 specifies interface and data elements of the PIV smart card. Among the data elements on a PIV card are one or more asymmetric private cryptographic keys. Departments and agencies must use a compliant public key infrastructure (PKI) to issue digital certificates to users. The PIV initiative has also spawned other high assurance credentials that support specific Business-to-Government, Citizen-to-Government and Citizen-to-Business transactions while supporting federated interoperability between the issued credentials. These include various PIV-Interoperable (PIV-I) and PIV variants, such as: Transportation Worker Identification Credential (TWIC®), First Responder Authentication Credentials (FRAC), Commercial Identity Verification (CIV), and External Certificate Authority (ECA) PIV-I that address various regulatory requirements and are built to scale globally. The processes and policies for certificate issuance and the protections afforded to the critical root and issuing certificate authority keys in that PKI are critical factors in the overall assurance level of the system.
Widepoint orc thales webinar 111313d - nov 2013

Slide 1 (11/14/13): Identity as a Service – Strong enough for government?
Date: November 13, 2013
Time: 11:00 pm EST/ 8:00 am PST
Host: Richard Moulds, Thales e-Security, VP of Strategy and Product Marketing
Guest: Daniel E. Turissini, CEO, Operational Research Consultants
Slide 2: Issues at hand

Defend Critical Infrastructure from Invasive Attack & Information Theft
Prevent Terrorism & Promote National Security
Prevent Cybercrime; Identity Theft; Promote Efficient Use of Technology

Cyber Security: “One of the most serious economic & national security threats our nation faces.” -- President Obama

Issues at hand:
• Cost-effectively prevent Cyber-terrorism, Cyber-crime, & defend our nation’s critical infrastructure:
• Reduce risk of unauthorized disclosure of proprietary & privacy information
• Share timely information securely with remote workers, vendors, partners & customers
• Ensure the accountability of all Cyber-transactions
• Avoid unnecessary costs arising from system “silos”
Slide 5: Assurance based on who, not where!

Most communities of interest concerned with Privacy & Security can no longer be defined by location. ORC’s IA solutions address access to multi-level secure resources & message traffic based on Entity Identity, Roles, & Privileges: people, devices, servers, objects, code …

Digital Identity

Slide 6: ORC’s cyber identity credentials allow you to SECURELY…
• Access email via the internet
• Establish a virtual private network with your base network from anywhere in the world
• Move from one application to another without having to key password information -- without losing security along the way
• Apply on-line for access rights and services -- and receive those services
• Digitally sign memos, contracts, delivery orders, etc.
• Digitally sign code for safe distribution

Privacy & critical infrastructure protection
Slide 7: Security Services

Service                          | Physical (e.g. writing a check) | Digital
Confidentiality                  | Limited physical access         | Data Encryption
Data Integrity                   | Inked text                      | Hashing
Non-Repudiation                  | Cancelled check                 | Digital Signature
Identification & Authentication  | Driver’s license & signature    | CA Signature
Privilege & Authorization        | Check for account validity      | Access/Privilege Control Lists

A digital solution for cyber security

Slide 8: What’s in a Digital Certificate
– Identity
– Cryptographic Strength: SHA-256, AES
– Authoritative Source: Legitimate Certificate Authority, or Unknown CA (Untrusted)
– Level of Assurance: Basic/Medium/High confidence in Identity
– Validity: Issued on mmddyyyy, Expires on mmddyyyy
With a robust revocation/validation infrastructure
Slide 9: Alternative Tokens
Trusted Platform Module (TPM); SD/MicroSD; Embedded/Removable HW Crypto; FIPS-140/Common Criteria; SIM; USB; Smart Card
ORC is a leader in advanced technology operations!

Slide 10: Federated Trust – The Trust Triangle
Subscribers (End-Entities)
Trusted Third Parties (Certificate Authorities)
Relying Parties
The right Assurance, Security, Biometrics & PKI Capabilities/Expertise
Slide 11: Infrastructure Based on Commercial Standards – Facilities to Provide Secure & Scalable IT Services

High Availability Data Centers: 365x7x24, 99.999 uptime, as required by Federal Policy
Secure Network Operations Centers (SNOC): Five-tier physical protection
• Communications traffic is monitored & upgraded bandwidth available as traffic requirements dictate to maintain the customer services with 99.999% uptime
• Audited installation procedures to ensure that Government requirements are met & customer expectations exceeded
• SNOCs employ UPS coupled with a constant power generator & dedicated HVAC - at full load, power can be maintained for more than 5 days without public power
• Hardware, software, & vendor service level agreements associated with maintaining appropriate firewall protection, redundant warehousing, power generation & Internet connectivity, are leveraged for each customer.
The know-how & access to leverage existing deployments

Slide 12: Strong Certification & Accreditation Processes (FISMA Compliant)
Initiation:
  -- Preparation
  -- Notification & Resource Id
  -- System Security Baseline, Analysis, Update, & Acceptance
Security Certification:
  -- Security Controls Assessment
  -- Security Certification Documentation
Security Accreditation:
  -- Security Accreditation Decision
  -- Security Accreditation Documentation
Continuous Monitoring:
  -- Configuration Mgmt & Control
  -- Security Controls Monitoring
  -- Status Reporting & Documentation
Slide 13: Federated Solutions
• Federated solutions provide support for various strong electronic identity credentials that can be readily electronically validated by any logical/physical access point, allowing the decision maker or databases to make a local, specific privilege and/or authorized access decision confident in:
  – the identity of the person attempting access;
  – the identity of the device attempting access;
  – the identity of the vetted organization that they represent;
  – that the organization and the individual have a legal relationship to do business with the federal government; and,
  – that the individual has been vetted in person and has undergone a background investigation consistent with defined levels.
Credential assures you are who you say you are; Relying Party confirms what the holder is permitted to access!

Slide 14: Federated Access for Enterprise Applications
Relying Party’s (Access Rules) – Strong Access Control
Trusted Third Parties [External Certificate Authorities (ECA)/PIV-I]
Subscribers (Credential Holders) – Strong Identity
Local Access Decisions
Strong credentials with biometrics consistent with federal standards are essential to successful Access control
Slide 15: Certified Credential Enhanced Access Control
Diagram elements: Remote/Mobile Client/WS; SSL VPN (https); Border Server; Application Server; Validation Data; FDS
1. Initial Enterprise Logon
2. Validate Device Certificate
3. Authenticated SSL VPN Established
4. Initiate Application Logon
5. Validate ID Certificate
6. Access Attributes
More information to make better access decisions

Slide 16: Leveraging A Common Infrastructure
Currently over 25 million people have compliant credentials: Federal Government; Trading Partners & Allies; First Responders; Veterans; Transportation Workers; Military; Retirees & Dependents
As this number grows - opportunities for efficiencies skyrocket!
Slide 17: Reduce Cost of Goods Sold (COGS)
• Federated Digital Solution
  – Reduces High Help Desk Costs
  – Mitigates Risks Associated with username & passwords
  – Enhances Fraud Protection
• Syndicated Investment/Syndicated Risk
• Federally Certified & Accredited Products/Services Commercially Priced
Chain of Trust – Privacy – Interoperability

Slide 18: ORC’s Cyber Credentials
• Distinguished as 1 of only 4 Certified PKI Shared Service Providers, currently providing PIV services to six federal agencies, with full Authority to Operate (ATO)
• Distinguished as 1 of only 4 Approved PIV-Interoperable Providers and is currently providing PIV-I services to three state governments
• Distinguished as the 1st designated DoD Interim External Certificate Authority (IECA-1) & the first US Government External Certificate Authority (ECA)
• Distinguished as 1 of 2 GSA Access Certificates for Electronic Services (ACES) Trusted Third Parties, citizen focused PKI
• Distinguished as the 1st commercial GSA E-Authentication Federation Credential Service Provider at Level 1, 2, and 3.
• Distinguished as the PKI provider for the Transportation Worker Identification Credential (TWIC)
• Distinguished as the 1st commercial Credential Issuer under The Federation for Identity and Cross-Credentialing Systems (FiXs) – http://www.FiXs.org
4M identities & more than 14M federal compliant digital certificates
Slide 19: Customers
• 34 of Fortune 100 Companies
• 22 of Top 25 Federal Contractors
• 200+ Colleges & Universities
• 100+ Municipalities & Schools
• 100+ Private & Public Research Organizations
• 100+ Healthcare Organizations
• 40+ Banks & Financial Institutions
• 11 Airlines
• Numerous Federal Agencies

Slide 20: Current Markets Fueled by Government Mandate for Increased Assurance Levels
Government Security Standards will be Driven Across the Business Continuum: Millions of Users, Servers, Workstations and Handheld Devices; Tens of Millions of Users, Servers, Workstations and Handheld Devices; Global interoperability & Unlimited Computer Resources
Ready for industry to leverage!
Slide 21: ORC Solutions Rely on for key protection
Key provisioning & certificate management
Trusted ops & performance
Key protection & attestation

Slide 22: Summary
• Enhanced Security - New Customer Motivator
• Reduced Infrastructural Support Costs
• Minimal Investment - Immediate ROI Payback
Slide 23: Thales e-Security
Global provider of data protection and key management solutions
– Reduce the cost/complexity associated with use of cryptography
– Solutions for traditional, virtualized and cloud environments
Strategic business value
– Secure cardholder data, payments and transactions
– Support data privacy obligations
– Protect intellectual property
– Secure identities and credentials
40 year security track record
Strategic business unit of Thales Group

Slide 24: Hardware Security Modules
What are HSMs?
– Hardened cryptographic devices
– Isolated from host OS and applications
What do HSMs do?
– Secure cryptographic operations (encrypt, sign etc.)
– Generation and protection of critical cryptographic key material
– Enforce policy over use of keys and key management
Diagram: Business Application / Application Data sends data to be signed/decrypted to the HSM crypto processing engine, which holds the Application Key inside the HSM security boundary and returns the decrypted/signed data
Slide 25: Dual Controls for Strong Authorization
Smart cards deliver strong authentication
Sets of smart cards deliver shared responsibility and mutual supervision
– Assigned to security personnel
– Known as Operator Card Sets (OCS)
Authorization based on a “quorum” of cards & card owners
– Requires a minimum number of cards from a set, e.g. 3 of 5 cards
– Creates natural redundancy and resiliency
OCS, OCS, OCS – Authorized Operators
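One way to realize the m-of-n quorum the slide describes, as an added example that is neither the deck's nor Thales's code: Shamir threshold secret sharing, where any 3 of 5 shares (one per card holder) rebuild a protection secret, while fewer than 3 yield an unrelated value. The deck does not say how nShield implements OCS internally, so the scheme, the field prime and the sample secret are assumptions for illustration only.

```python
import secrets

# Field for the arithmetic: the Mersenne prime 2**127 - 1 (a constructed choice;
# any prime larger than the secret would do).
PRIME = (1 << 127) - 1


def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points of a random polynomial of degree
    threshold-1 whose constant term is the secret. Each point is one 'card'."""
    if not 0 < threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of the polynomial mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def reconstruct(points):
    """Lagrange-interpolate the polynomial at x = 0 from the presented points.
    With fewer points than the threshold this yields an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME-2, PRIME) is the modular inverse of den (Fermat)
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    kek = secrets.randbelow(PRIME)            # e.g. a key-wrapping secret (constructed)
    cards = split_secret(kek, threshold=3, shares=5)
    print("3 of 5 cards rebuild it:", reconstruct([cards[0], cards[2], cards[4]]) == kek)
    print("2 of 5 cards rebuild it:", reconstruct(cards[:2]) == kek)
```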
Slide 26: The Thales nShield HSM Family
– nShield Connect: Network appliances
– nShield Solo: Embedded PCI card
– nShield Edge: Portable USB device
Slide 27: Thank you!

Contact details
Dan Turissini, +1 703-246-8550, turissd@orc.com, www.orc.com
Richard Moulds, +1 954-888-6258, richard.moulds@thalesesec.com, www.thales-esecurity.com