ICAM Target Architecture

Jan 21, 2017

Transcript
Page 1: ICAM Target Architecture

Starting Off Phase I - Identity vs. Digital Identity

► Identity

Who you are as an individual

Does not change nor expire

► Digital Identity

Digital representation of your identity

Represented by identifiers, credentials, and attributes

Can expire, depending on context


Page 2: ICAM Target Architecture

Important Considerations of a Digital Identity

► Context

Must be useful, relevant, trustworthy

Must uniquely identify a subject within a given context

In our case, within a specific Agency

► Consistent

Must be able to be referenced uniformly across applications

Where unique identifiers are not supported, mappings must be established

► High Assurance

Trust that a Digital Identity represents an Identity

Requires Identity Proofing, Vetting, and Adjudication


Page 3: ICAM Target Architecture

Building a Digital Identity – Step 1

► Create an Identifier

UUID – Universally Unique Identifier

Unique for all in-scope personnel

► Open Question – 1:1 Mapping?

Should an Identity within the Agency map to one, and only one Digital Identity?

When to assign UUID?

Collisions/Duplications?

Merging/reconciliation process?

Benefits of 1:1 Mapping

Increased security & assurance

Simplified maintenance


Page 4: ICAM Target Architecture

Building a Digital Identity – Step 2

► Establish Authoritative Attribute Sources

On-Boarding Systems

Background Investigations

Others?

► Important Considerations:

Should only be one source per attribute

Are policies in place defining which source is “authoritative”?


Page 5: ICAM Target Architecture

Building a Digital Identity – Step 3

► Build Credentials

PKI Certificate(s)

PIV Card

FAC – Facility Access Card

FLAC – Facility & Logical Access Card

► Open Question – Include UUID?

Would map back to Digital Identity

Requires modifications of current processes

If done, would help streamline credentialing process

► These credentials would become Authoritative Attributes in a Digital Identity


Page 6: ICAM Target Architecture

Building a Digital Identity – Step 4

► Application/System Specific Attributes

Only referenced within a specific context

User ID

Role

Legacy/proprietary application support

► Next: What does an ICAM Target Architecture look like?

Authoritative Identity Service (AIS)


Page 7: ICAM Target Architecture

ICAM Target Architecture – Putting Digital Identities to Work


Page 8: ICAM Target Architecture

ICAM Target Architecture – Digital Identity Records


[Figure: Digital Identity Record diagram. Only the labels survive extraction; box membership is recoverable only where noted.]

Digital Identity Record – attribute groups: Unique Identifier (UUID); Adjudication Results; Human Resources Attributes; Personal Identity Verification (PIV) Credential Attributes (Cardholder Unique Identifier (CHUID), FASC-N, Issue Date, Expiration Date); PKI Attributes (Certificate, Issue Date, Expiration Date); Active Directory Attributes (Display Name); Application #2 Attributes (User ID, Role); Phase 2 & 3 Attributes (Future Application #1: Attribute 1, Attribute 2, Attribute 3; Future Application #2: Attribute 1, Attribute 2)

Other attribute labels shown in the record: Clearance, Criminal Background, Sponsor, Name, Address, Hire Date, Position, Medical, Compensation, Dependents, Title, Email, Company, Department, Office, City

Authoritative Attribute Sources: Human Resources (HR) Information; Unique Identifier Generation System; Federal Background Investigation Systems; Public Key Infrastructure (PKI) Issuance System; Identity Management System (IDMS); Active Directory; Global Address List (GAL)

Systems and Services: Application #1; Application #2

Auditing and Reporting: Hiring Report; Credential Report; Accounts and Privileges; Standardization Report

Data flows labelled in the figure: Data Pull; Data Push; Data Connection & Exchange; Attribute Discovery
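The following is an added example, not code from the deck or from any agency system. It models the four steps on pages 3 to 6 and the record and reporting boxes on page 8 in one small service: a UUID is minted once per proofed person (the 1:1 mapping question on page 3), each attribute is accepted only from its single designated authoritative source (page 4), an explicit mapping is kept for an application that cannot carry the UUID (the "Consistent" consideration on page 2 and the application-specific attributes of step 4), and a credential report lists expired PIV and PKI credentials (page 5 and the Auditing and Reporting box on page 8). The class names, the source short names (HR, BI for the Federal Background Investigation Systems, IDMS, PKI, AD), the policy table and every sample value are assumptions constructed for the illustration.

```python
"""Toy model of the digital identity record sketched on pages 3 to 8.

Everything here is a constructed illustration: the class names, the
source short names (HR, BI, IDMS, PKI, AD), the policy table and the
sample values are assumptions, not taken from the deck or any real system.
"""
import uuid
from dataclasses import dataclass, field
from datetime import date

# Page 4 policy: exactly one authoritative source per attribute.
# Source short names are assumed: BI = Federal Background Investigation
# Systems, IDMS = Identity Management System, AD = Active Directory.
AUTHORITATIVE_SOURCE = {
    "name": "HR",
    "hire_date": "HR",
    "clearance": "BI",
    "chuid": "IDMS",
    "piv_expiration": "IDMS",
    "cert_expiration": "PKI",
    "display_name": "AD",
}


@dataclass
class DigitalIdentity:
    uuid: str                                        # step 1: the identifier
    attributes: dict = field(default_factory=dict)   # name -> (value, source)
    app_ids: dict = field(default_factory=dict)      # app -> local user id (step 4)


class IdentityService:
    """Assembles records from source pulls and enforces the deck's rules."""

    def __init__(self):
        self.records = {}    # uuid -> DigitalIdentity
        self.by_person = {}  # proofed person key -> uuid (1:1 mapping, page 3)

    def create_identity(self, person_key):
        # One proofed identity maps to one and only one UUID; a second
        # request for the same person is a duplicate, not a new record.
        if person_key in self.by_person:
            raise ValueError(f"identity already exists for {person_key}")
        uid = str(uuid.uuid4())
        self.by_person[person_key] = uid
        self.records[uid] = DigitalIdentity(uuid=uid)
        return uid

    def pull(self, uid, source, attrs):
        # Step 2: accept an attribute only from its designated source;
        # return the names that were refused so the caller can audit them.
        rec = self.records[uid]
        rejected = []
        for name, value in attrs.items():
            if AUTHORITATIVE_SOURCE.get(name) != source:
                rejected.append(name)
                continue
            rec.attributes[name] = (value, source)
        return rejected

    def map_application_id(self, uid, app, local_id):
        # Page 2 / step 4: where an application cannot carry the UUID,
        # keep an explicit mapping to its own user id.
        self.records[uid].app_ids[app] = local_id

    def resolve(self, app, local_id):
        # Reverse lookup: which digital identity owns this application account?
        for uid, rec in self.records.items():
            if rec.app_ids.get(app) == local_id:
                return uid
        return None

    def credential_report(self, today_iso):
        # "Credential Report" box on page 8: credentials expired as of a date.
        # Expiry values are ISO-8601 strings as delivered by the pulls.
        today = date.fromisoformat(today_iso)
        expired = []
        for uid, rec in self.records.items():
            for attr in ("piv_expiration", "cert_expiration"):
                if attr in rec.attributes:
                    if date.fromisoformat(rec.attributes[attr][0]) < today:
                        expired.append((uid, attr))
        return expired


def build_sample():
    """Constructed walk-through of steps 1 to 4; all values are made up."""
    svc = IdentityService()
    uid = svc.create_identity("employee-0001")
    # HR asserts a clearance it is not authoritative for: refused.
    rejected = svc.pull(uid, "HR", {"name": "A. Example",
                                    "hire_date": "2016-05-02",
                                    "clearance": "Secret"})
    svc.pull(uid, "BI", {"clearance": "Secret"})
    svc.pull(uid, "IDMS", {"chuid": "CHUID-CONSTRUCTED",
                           "piv_expiration": "2021-05-01"})
    svc.pull(uid, "PKI", {"cert_expiration": "2018-05-01"})
    svc.map_application_id(uid, "Application #2", "aexample")
    return svc, uid, rejected


if __name__ == "__main__":
    svc, uid, rejected = build_sample()
    print("refused attributes:", rejected)
    print("expired as of 2019-01-01:", svc.credential_report("2019-01-01"))
```

The refused-attribute list is the security-relevant output: a pull that tries to assert an attribute it does not own is the symptom of a missing or ignored "which source is authoritative" policy, and surfacing it is what makes the record high-assurance rather than merely aggregated.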

Page 9: ICAM Target Architecture

Target Architecture Overview – PIV Credential Management


Page 10: ICAM Target Architecture

Target Architecture Overview – Logical Access Management
