Identity management will be crucial for FirstNet to enable authentication of first responders across new applications and interoperability between agencies. A coordinated approach is needed to avoid inconvenience, security risks, and obstacles to interoperability from independent solutions. Standards-based identity management following guiding principles like single sign-on, usability, flexibility and security could provide a foundational identity layer. Developing a trust framework through stakeholder engagement would help define requirements to deliver a scalable and interoperable solution.

1. 1
IdentityManagementforFirstNet
Identity Management
May 16, 2013
MOTOROLA SOLUTIONS
Adam Lewis
Laura Lozano
Gino Scribano
Steve Upp

2. 2
IdentityManagementforFirstNet
Agenda
• What is Identity Management and why does it matter?
• How does it apply to Public Safety and FirstNet?
• What IdM standards exist in the government today?
• Recommended next steps …

3. 3
IdentityManagementforFirstNet
Introduction
• Background
– Broadband is ushering in new era of applications for first responder
• At 4:54 pm ET on Wednesday May 15th, someone downloaded the 50 billionth app
from Apple's online App Store
– Each application will want to authenticate the responder
– Each application will want to provision the responder
– Risk associated w/each solution solving this independently
– A coordinated and cohesive approach to identifying users is needed
• Identity Management solved independently =
– overall solution complexity +
– inconvenience to both the administrator and the end-user +
– weakened security +
– obstacle to interoperability
There is a fundamental need for an Identity Layer in FirstNet

4. 4
IdentityManagementforFirstNet
The Need for Identity
Identity 1.0 is broken
 Siloed approach is an obstruction to usability & interoperability
- Responder must enter (often different) credentials for every application (again, again, and again)
- Credentials required on every resource server first responder needs to access (not scalable, not dynamic)
 Passwords have failed to protect us
- 5 of 6 attacks on the Internet caused by password breaches
Identity 2.0 is needed
 Deperimiterization driven by mobile and cloud have caused disruption
- Access to data can no longer depend on traditional security controls
- User must be able to access data and resources from anyplace – stored anyplace – from any device
- Identity is the new perimeter
 Separation of Identity Provider (the one that provides your credentials and authenticates you)
and Service Provider (the one that provides you with service) enables:
- SSO
- Strong authentication
- Interoperable Identity
- Scalable trust
- Centralized authentication, distributed authorization
*** Alignment with government initiatives and deployments: FICAM, GFIPM, NSTIC ***

5. 5
IdentityManagementforFirstNet
Terminology
• Roles
– Resource Owner
• The one that owns the resource or service being requested
– Resource Requestor
• The person (or machine) that is requesting access to the resource or service
• Authentication
– The act of the requestor proving their identity to the resource
owner at some Level of Assurance (LOA)
• Authorization
– The resource owner – after having some level of assurance
that the requestor is who they claim to be – determining what
resources the requestor is able to access

6. 6
IdentityManagementforFirstNet
Real-Life Identity (1)
Identify: “Hi, I’m Bob.”
Authenticate: “Prove it.”
(presentation of credentials)
I have authenticated you, Bob.
Here is a token asserting my authentication of you …
as well as some attributes of you.
Birth certificate
Utility bill with Name
+ Address
State DMV
“Bob”
1
2

7. 7
IdentityManagementforFirstNet
Real-Life Identity (2)

8. 8
IdentityManagementforFirstNet
Token = Authenticated Attribute Assertions

9. 9
IdentityManagementforFirstNet
Obvious Advantages of Real-Life Identity
• Relying parties (air port security, insurance agent, library, other
states) do not need a complex authentication process
– The consume identity as asserted by DMV, make authorization decisions
• Our identity federates to other states (issued by State of Illinois,
Trusted by State of Texas)
• Our identity can be used to obtain higher identity (e.g. passport)
• Our identity carries attributes that can help the service provider /
relying part make authorization decisions
– Old enough to buy alcohol?
– Registered in this state?
– Certified to drive an 18-wheeler?
– No-fly list?
• DMV can move to strong authentication in the future (biometric)
without requiring changes to the relying parties

10. 10
IdentityManagementforFirstNet
Public Safety Identity (1)
Active
Directory
IdM function
Identify: “Hi, I’m Officer Bob.”
Authenticate: “Prove it.”
(presentation of credentials)
Biometric
**********
password
Public-private Key pair
I have authenticated you, Bob.
Here is a token asserting my authentication of you …
as well as some attributes of you.
Name: Officer Bob
Agency: Schaumburg Police Department
Role: Sergeant
Languages: English, Spanish, Russian
Qualifications: Firearms, CPR
Contact-mobile: 847-555-1234
Contact-email:bob@schaumburgPD.gov
User Authentication: RSA 2-factor
Signedby: Village of Schaumburg IdM
1
2

11. 11
IdentityManagementforFirstNet
Public Safety Identity (1)
Agency State/Region/Federal
Status-info
Homepage
CJIS
Web Based
App 2
CAD
Records
App 3

12. 12
IdentityManagementforFirstNet
Identity Landscape – Government & Industry
SDOs
• IETF
• OASIS
• 3GPP
• ATIS
• TIA
• OIX
• Kantara
Standards
• SAML
• WS-Trust
• OpenID
• OAuth
• OpenID
Connect
• UMA
• PersonaID
• TR 33.980
• TR 33.924
• TR 33.804
• TR 22.895
Government
Agencies
• White House
• GSA
• DOJ
• USPS
• NIST
• OMB
• DHS
• FEMA
• FBI
Government
Initiatives
• E-Gov Act 2002
• FICAM
• GFIPM
• NIEF
• NSTIC
• Federal PKI
• FCCX
• FedRAMP
• SICAM
• BAE
• PIV/PIV-I
• FRAC
• NIMS
• NIEM
• CJIS
• PIV-I/FRAC
Technology
Transition
Working Group
Government
Publications
• NIST SP800-
78
• NIST SP800-
63
• NIST SP800-
76
• NIST FIPS 201
• OMB M-04-04
• HSPD-12
** This is just a sample to illustrate the amount of work. It is not an exhaustive list.

13. 13
IdentityManagementforFirstNet
Guiding Principles for FirstNet
• An Identity ecosystem should enable single sign-on
• An identity ecosystem should enable interoperability
• An identity ecosystem shall be usable
• An identity ecosystem shall be standards-based
• An identity ecosystem shall be secure
• An identity ecosystem shall be flexible

14. 14
IdentityManagementforFirstNet
Guiding Principles (cont.)
• First Responders are typically Identity Proofed and credentialed by their respective
agency – The FirstNet system must enable agencies to reuse their existing agency issued
identity & credentials
– This might include FRAC credentials or passwords
– The FirstNet system MUST NOT make first responders remember yet another user ID and
password
• (or make their IT admin manage yet another set)
• The FirstNet system must enable a scalable identity solution for smaller public safety
agencies that don’t have sufficient funds to manage their own Identity Management
infrastructure
– E.g. must enable support of Identity Management as a Service (IdMaaS)
– Enables smaller agencies to “shop around” for an identity using an open-marketplace type
model
– FirstNet may optionally offer their own IdMaaS for smaller agencies (so long as it does not
prohibit those agencies from free choice)

15. 15
IdentityManagementforFirstNet
Many Challenges
• First there are the technical hurdles:
– A plethora of standards to choose from
– The standard that is ultimately chosen must be profiled
– Solution must account for diverse credentials types (passwords, PIV-I
/ FRAC, biometric), and diversity in size of various public safety
agencies
– (and this is the easy part)
• And there is so much to do beyond the technology:
– Legal (e.g. what are the contractual obligations of the parities?)
– Policy (e.g. Levels of Assurance, dispute resolution, privacy
requirements, etc.)
– Accreditation (e.g. ensure that parties meet the policy)
– Continued auditing (e.g. ensure that parties meet the police – over
time)

16. 16
IdentityManagementforFirstNet
To Meet the Challenges
A Trust Framework for First Responders is required
• What is a Trust Framework?
– An agreement between stakeholders consisting of:
• Selection of standards and profiles of those standards
• Identity Proofing
• Acceptable credential types
• Levels of Assurance
• Levels of Protection
• Auditing expectations
• Legal obligation and liability clauses
• Dispute resolution process
• Governance structure
• Possible venues for defining a Trust Framework for First Responder:
– Kantara Initiative
– GLOBAL Security WG

17. 17
IdentityManagementforFirstNet
Take Away
Identity will be the plumbing of Interoperable application-
layer communications between public safety agencies and
FirstNet
• A scalable Identity Trust Framework for FirstNet is
imperative
• We must either plan for it now – or it will be a disaster later
Recommendation:
• Engage public safety stakeholders to develop use cases
that reflect real-world identity requirements, resulting in a
scalable and interoperable Identity Trust Framework
between public safety agencies and the FirstNet national
system.

18. 18
IdentityManagementforFirstNet
And in Closing …
• Questions?
• Comments?
• Scrutiny?
• Thank you! :-)