SlideShare une entreprise Scribd logo
1  sur  19
Télécharger pour lire hors ligne
Managing PIV Life-cycle
&
Converging
Physical & Logical Access Control


Ramesh Nagappan
Sun Microsystems
ramesh.nagappan@sun.com
Smart cards in Government Conference
Oct 23, 2008
Ronald Reagan International Center, Washington DC
Setting Expectations
What you can take away !




          Explore the Personal Identity Verification (PIV)
           Life-cycle and its pre- and post-issuance
           deployment challenges.
          Architectural characteristics of managing PIV
           Life-cycle and converging Physical and Logical
           Access Control Systems.
          Role and relevance of adopting to an Identity
           Management Solution (IDMS) for delivering and
           managing an end-to-end PIV lifecycle.
                                                              2
Personal Identity Verification (PIV)
• Personal Identity Verification has become a
  Fiduciary Responsibility of many National
  Governments.
  > Adopting to common credentials with verified identity
      enables secure and reliable form of personal
      identification.
• Host of PIV standards initiatives and regulatory
  mandates currently being adopted on a
  national/global basis.
  > US Homeland Security Presidential Directive (HSPD-12
      2004)‫‏‬
  >   UK Identity Cards Act (2006)‫‏‬
  >   French INES (Identité Nationale Electronique Sécurisée)‫‏‬
  >   ICAO 9303 ePassport / eId
  >   EU Citizen Card, EU EAC (EC 2252/2004)‫‏‬
  >   Belgian eID, Finesse eID, Taiwan eID, India ePassport and
      several others (in progress).                               3
4
PIV Card Issuance and Management
FIPS-201 defined PIV Card Issuance and Management




  Source: FIPS 201-1
                                                    5
The PIV Life-cycle
PIV Identity Management Activities (From registration to till its retirement)


                                        Identity
                                      Registration



                    PIV                                        Identity
                 Credential                                  Enrolment &
                 Termination                                 Adjudication




                    PIV                                          PIV
                 Credential                                   Credential
                Maintenance                                   Issuance

                                          PIV
                                       Physical &
                                     Logical Access
                                        Control

                                                                                6
The PIV Ecosystem
Core technology components of a PIV Lifecycle


                                            Demographic
                                               Data/
                                             Documents
                  Security
                   Event                                           Biometric
                 Monitoring                                        samples
                                             Enroll


                                         Identity
             Physical/
                                       Management
                              Te




              Logical                   Solution
                                rm




              Access                                      ge             Identity
                                  in




             Control                                     n              Proofing &
                                                       ha
                                    at




             Systems                                  C                Adjudication
                                      e




                         Credentials                   Public-Key
                          Issuance                    Infrastructure
                         ( Smartcard/PKI/
                            Biometrics)


                                                                                      7
PIV Card Credentials
FIPS-201 Mandatory and Optional On-Card Credentials


 Mandatory Credentials
    PIN (Personal Identification Number)
    Cardholder Unique Identifier (CHUID)‫‏‬
    PIV Authentication Data (asymmetric key pair and
    corresponding PKI certificate)‫‏‬
    Two biometric fingerprints (CBEFF)‫‏‬

 Optional Credentials
    An asymmetric key pair and corresponding certificate
    for digital signatures                                 Source: GSA USAccess
    An asymmetric key pair and corresponding certificate
    for key management
    Asymmetric or symmetric card authentication keys for
    supporting additional physical access applications
    Symmetric key(s) associated with the card
    management system                                                             8
PIV Lifecycle: Known Challenges
Understanding Real-world Pain Points

  • Defining an authoritative source for managing and
    maintaining PIV information life-cycle.
     Silos of point solutions and repositories - Biometric/Enroll
      middleware, CMS, PACS, LACS, SIEM, IAM and more !
     No single administration console for management.
     Too many PIV life-cycle events and operations - right from
      identity registration and till its retirement !
  • Establishing administrative controls, authorization
    workflows and authority approvals/denials for lifecycle
    operations.
     Managing and maintaining authorization workflow,
      approval/denial actions and notification.
     Enforcing segregation of duties (separation of powers).
     Enforcement of access control policies, Role based Access
      control (RBAC) and procedures (ex. Emergency access/exit).
                                                                     9
PIV Lifecycle: Known Challenges                       …continued
Understanding Real-world Pain points
 • Provisioning and De-Provisioning complexities with
   disparate PIV/FIPS-201 solutions and downstream
   applications.
     Initiating instantaneous Provisioning and De-provisioning of PIV
      enrollment data and its changes to support Identity lifecycle
      events - Identity registration to till its termination.
     Detecting and thwarting dormant/back-door user account
      creation/modification and circumventing controls.
 • Managing changes and re-verification/re-enrollment
   issues related to profiles, roles, privileges and policies.
     Identity attribute changes and propagation to heterogeneous
      PIV based applications ?
     Supporting re-verification and re-enrollment requirements
      related to lifecycle events and attribute changes.
     Certify and attest role and access privileges changes.
                                                                         10
Converging Physical/Logical Access:
Known Challenges
• Enabling PIV credentials to authenticate disparate
  Physical Access Control Systems (PACS) and Logical
  Access Control Systems (LACS).
   Using PIV credentials such as CHUID, PIN, PKI certificates and
    Biometrics for authentication.
   Use PIV credentials based digitally-signed approvals or denials
    for authorization workflow and maintaining tamper-proof
    logs/records of authorization information.
   Enabling PIV credentials based Single Sign-on (SSO) to IT
    applications and Desktops and furthering SSO to participate in
    Federation (eAuthentication Scenarios).
   Integration, extensibility limitations and maintenance issues are
    common due to proprietary nature of interfaces related to
    PACS.

                                                                        11
Converging Physical/Logical Access:
Known Challenges              …. continued
• Initiating and managing the authentication process using
  PIV Credentials.
   PKI certificate validation via OCSP or CRL DPs of the PKI SSP.
   Enabling PACS authentication using CHUID/PKI/PIN credentials
    (Based on Contact/Contact-less/Hybrid readers).
   On/Off-the-card Biometric authentication using Biometric
    authentication middleware.
• Managing requests and reporting the status of scenarios
  such as Forgotten PIN, Temporary card requests and Lost
  PIV card scenarios ?
   Managing and reporting the status of Lost/Forgotten card-
    requests/approvals, certificate revocation, key escrow and
    recovery operations.


                                                                     12
Logical PIV Architecture Solution
Putting it all together
                             Identity Enrollment and Adjudication Services

       Identity                                                                          Identity
     Registration/                    Demographic PIV Request w/
                                                   Document    Biometric                Proofing/
      Enrollment                         data      Credentials samples
                                                  Sponsor approval                     Adjudication




                 Identity Life-cycle Management Services                                    Smartcard
                                                                                            Issuance/
                          Auditing      Authorization     Credential                       Management
    Provisioning                                                        User/Role            Services
                          Logging         Workflow         Change
   De-provisioning                                                     Management
                         Compliance   Signed Approvals   Management




               Physical and Logical Access Control Services
                                                               IT Applications                 Public
       PKI / Biometric            Physical Access             eAuthentication                   Key
       Authentication             Control Systems        Single Sign-on / Federation       Infrastructure
                                                                                                            13
PIV Authorization Workflow
                      Hiring                     Enrollment                          HR
                     Manager                      Officer                           Officer
                     Approval/                   Approval/                         Approval/
                      Denial                       Denial                           Denial


                                Biometrics                      Identity                 Card Issuance &
      Applicant             Breeder Documents                 Proofing &
     Registration                                                                          Activation
                                Enrollment                    Adjudication




                                       HR                             Enrollment                    Hiring
                                     Manager                           Officer                     Manager
                                     Approval/                        Approval/                    Approval/
                                      Denial                            Denial                      Denial



                    Retirement /                   Credential                  Physical &
                    Termination                   Maintenance                 Logical Access



• IDMS manages the authorization workflow and authority approval and denials.
   > Digitally signed approvals using PIV card credentials verified against a PKI provider.
• IDMS facilitates Work-flow driven provisioning and de-provisioning of PIV
  information and credentials to PIV/FIPS-201 mandated resources.
                                                                                                               14
Choosing an IDMS
IDMS Requirements for managing PIV lifecycle
• Automated Provisioning & De-Provisioning and
  Synchronization Services
    Automated operations for Creation, Maintenance and Termination of
     Identity profile (s) and its access privileges .
    Integration and interoperability with FIPS-201 compliant Biometric
     middleware, Document verification, CMS, PACS, IAM and other
     supporting IT applications.
    Instantaneous provisioning/de-provisioning and synchronization of
     User profile attributes, PIV credentials (PIN/PKI/Biometrics), roles,
     status/attribute changes, access privileges, rules and policies to/from
     target resources.
• Automated Authorization and Approval/Denial workflows and
  notifications.
    Workflow-driven provisioning/de-provisioning/change requests,
     approvals/denials, notifications and escalations.
    PIV credentials based digitally-signed approvals and denials.
                                                                               15
Choosing an IDMS …. continued
Core IDMS Requirements for managing PIV lifecycle
 • Role Engineering and Management
   • Establish internal controls for enforcing “Segregation of Duties” and
     “Least privilege”. (Ex. FISMA compliance)
 • Auditing, Access Certification and Compliance reporting
   • Who has access ? Who accessed it ?
   • What went wrong ? Who authorized it ? When it happened ?
   • Periodic access review (Attestation and Recertification)
   • Detect and report potential violations
   • Integration with Security Information and Event monitoring (SIEM).
 • Single administration console and dashboard for all PIV user
   profile information and status of requests/operations for all target
   resources.
 • Self-service user administration and delegated administration.
 • Message and Transport-level Security (FIPS-140 mode)
                                                                             16
Industry Standards
Contributing standards for Managing PIV and Convergence of P/LACS
• OASIS SPML 2.0 - Service Provisioning Markup Language.
    XML Protocol for Identity Provisioning and De-Provisioning.
• OASIS SAML 2.0 - Security Assertions Markup Language.
    XML Protocol for representing Authentication and Authorization
     assertions.
• OASIS XACML 2.0 - eXtensible Access Control Markup
  Language.
    XML Protocol for representing Access Control Policies.
• Liberty Alliance Standards (ID-*)
    Open Standards for representing Identity Federation across
     networks.
• OASIS WS-Security and WS-* Standards for Securing
  XML Web Services.
• Finally….FIPS-201 and its related special publications.             17
PIV Solution from Sun and ISV Partners
Pre-Integrated, Pre-Verified and Pre-Tested for PIV Deployment



                                                     Smartcard
                           Identity                  Issuance and
                           Enrollment &              Management
                           Adjudication
                              • Aware BioSP             • ActivIdentity CMS
                              • CrossMatch              • Bell-ID ANDiS
                              • Secugen

                                                         Aware BioSP

                                            Sun                Public-key
                                          Identity             Infrastructure SSP
              Security Information
              & Event Monitoring        Management              • Entrust
              (SIEM)                       Suite                • Cybertrust
                                                                • Verisign
                    • ArcSight                                  • Exostar
                    • LogLogic

                                     Physical & Logical Verisign PKI
                                     Access control
                                       • Quantum Secure SAFE
                                       • Aware BioSP
                                       • BioBex
                                       • ActivIdentity ESSO
                                                                                    18
Thank You




Ramesh Nagappan
Sun Microsystems
ramesh.nagappan@sun.com




Smart cards in Government Conference
Oct 23, 2008
Ronald Reagan International Center, Washington DC   19

Contenu connexe

Tendances

Ynamono Hs Lecture
Ynamono Hs LectureYnamono Hs Lecture
Ynamono Hs Lectureynamoto
 
OSC2012: Identity Analytics: Exploiting Digital Breadcrumbs
OSC2012: Identity Analytics: Exploiting Digital BreadcrumbsOSC2012: Identity Analytics: Exploiting Digital Breadcrumbs
OSC2012: Identity Analytics: Exploiting Digital BreadcrumbsAccenture the Netherlands
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketOKsystem
 
SmartCard Forum 2009 - New trends in smart-cards technology
SmartCard Forum 2009 - New trends in smart-cards technologySmartCard Forum 2009 - New trends in smart-cards technology
SmartCard Forum 2009 - New trends in smart-cards technologyOKsystem
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonEduserv
 
Ict project (1)
Ict project (1)Ict project (1)
Ict project (1)spy007s
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...E-Government Center Moldova
 
Cidway Secure Mobile Access Transactions Short 05 12
Cidway Secure Mobile Access Transactions Short 05 12Cidway Secure Mobile Access Transactions Short 05 12
Cidway Secure Mobile Access Transactions Short 05 12lfilliat
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingOKsystem
 
Hitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Systems, Inc.
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust Datacard
 
Sxsw ppt voice-1
Sxsw ppt voice-1Sxsw ppt voice-1
Sxsw ppt voice-1Dan Miller
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer
 

Tendances (20)

Ynamono Hs Lecture
Ynamono Hs LectureYnamono Hs Lecture
Ynamono Hs Lecture
 
Sms passcode
Sms passcodeSms passcode
Sms passcode
 
OSC2012: Identity Analytics: Exploiting Digital Breadcrumbs
OSC2012: Identity Analytics: Exploiting Digital BreadcrumbsOSC2012: Identity Analytics: Exploiting Digital Breadcrumbs
OSC2012: Identity Analytics: Exploiting Digital Breadcrumbs
 
SmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication marketSmartCard Forum 2011 - Evolution of authentication market
SmartCard Forum 2011 - Evolution of authentication market
 
SmartCard Forum 2009 - New trends in smart-cards technology
SmartCard Forum 2009 - New trends in smart-cards technologySmartCard Forum 2009 - New trends in smart-cards technology
SmartCard Forum 2009 - New trends in smart-cards technology
 
Sabett: ESRA Identity Management 11-09-10
Sabett:  ESRA Identity Management 11-09-10Sabett:  ESRA Identity Management 11-09-10
Sabett: ESRA Identity Management 11-09-10
 
Wayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan RichardsonWayfs and Strays - Jonathan Richardson
Wayfs and Strays - Jonathan Richardson
 
E collaborationscottrea
E collaborationscottreaE collaborationscottrea
E collaborationscottrea
 
20120510 università
20120510 università20120510 università
20120510 università
 
Ict project (1)
Ict project (1)Ict project (1)
Ict project (1)
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guide
 
Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...
 
Cidway Secure Mobile Access Transactions Short 05 12
Cidway Secure Mobile Access Transactions Short 05 12Cidway Secure Mobile Access Transactions Short 05 12
Cidway Secure Mobile Access Transactions Short 05 12
 
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud ComputingSmart Cards & Devices Forum 2012 - Securing Cloud Computing
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
 
Security
SecuritySecurity
Security
 
Bio Metrics
Bio MetricsBio Metrics
Bio Metrics
 
Hitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB ComplianceHitachi ID Solutions Support GLB Compliance
Hitachi ID Solutions Support GLB Compliance
 
Entrust IdentityGuard Mobile
Entrust IdentityGuard MobileEntrust IdentityGuard Mobile
Entrust IdentityGuard Mobile
 
Sxsw ppt voice-1
Sxsw ppt voice-1Sxsw ppt voice-1
Sxsw ppt voice-1
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
 

Similaire à Managing PIV Card Lifecycle and Converging Physical & Logical Access Control

ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture reviewRamesh Nagappan
 
User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for GovernmentCarahsoft
 
US FICAM Overview
US FICAM OverviewUS FICAM Overview
US FICAM OverviewUS FICAM
 
Ecrime Practical Biometric
Ecrime Practical BiometricEcrime Practical Biometric
Ecrime Practical BiometricJorge Sebastiao
 
Sunera business & technology risk consulting services -slide share
Sunera  business & technology risk consulting services -slide shareSunera  business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide shareSunera
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera
 
13 biometrics - fool proof security
13 biometrics  - fool proof security13 biometrics  - fool proof security
13 biometrics - fool proof securitySrikanth457
 
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Hai Nguyen
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsRamesh Nagappan
 
US Security for Cyber Security
US Security for Cyber SecurityUS Security for Cyber Security
US Security for Cyber SecurityArtanContracting
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Ramesh Nagappan
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays
 
ISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security ManagementISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security ManagementPhil Griffin
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryProlifics
 
Thornton e authentication guidance
Thornton   e authentication guidanceThornton   e authentication guidance
Thornton e authentication guidanceHai Nguyen
 
Certificate Management Made Easy
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made EasyJason Newell
 

Similaire à Managing PIV Card Lifecycle and Converging Physical & Logical Access Control (20)

ICAM - Demo Architecture review
ICAM - Demo Architecture reviewICAM - Demo Architecture review
ICAM - Demo Architecture review
 
User Authentication for Government
User Authentication for GovernmentUser Authentication for Government
User Authentication for Government
 
US FICAM Overview
US FICAM OverviewUS FICAM Overview
US FICAM Overview
 
(2007) Privacy Preserving Multi-Factor Authentication with Biometrics
(2007) Privacy Preserving Multi-Factor Authentication with Biometrics(2007) Privacy Preserving Multi-Factor Authentication with Biometrics
(2007) Privacy Preserving Multi-Factor Authentication with Biometrics
 
Ecrime Practical Biometric
Ecrime Practical BiometricEcrime Practical Biometric
Ecrime Practical Biometric
 
Uid security
Uid securityUid security
Uid security
 
Sunera business & technology risk consulting services -slide share
Sunera  business & technology risk consulting services -slide shareSunera  business & technology risk consulting services -slide share
Sunera business & technology risk consulting services -slide share
 
Sunera Business & Technology Risk Consulting
Sunera Business & Technology Risk ConsultingSunera Business & Technology Risk Consulting
Sunera Business & Technology Risk Consulting
 
(2007) BioKey - Privacy Preserving Biometric Authentication
(2007) BioKey - Privacy Preserving Biometric Authentication(2007) BioKey - Privacy Preserving Biometric Authentication
(2007) BioKey - Privacy Preserving Biometric Authentication
 
13 biometrics - fool proof security
13 biometrics  - fool proof security13 biometrics  - fool proof security
13 biometrics - fool proof security
 
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
US Security for Cyber Security
US Security for Cyber SecurityUS Security for Cyber Security
US Security for Cyber Security
 
Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005Biometric Authentication for J2EE applications - JavaONE 2005
Biometric Authentication for J2EE applications - JavaONE 2005
 
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma...
 
ISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security ManagementISSA Web Conference - Biometric Information Security Management
ISSA Web Conference - Biometric Information Security Management
 
Cyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities IndustryCyber Security in Energy & Utilities Industry
Cyber Security in Energy & Utilities Industry
 
bioChec Overview
bioChec OverviewbioChec Overview
bioChec Overview
 
Thornton e authentication guidance
Thornton   e authentication guidanceThornton   e authentication guidance
Thornton e authentication guidance
 
Certificate Management Made Easy
Certificate Management Made EasyCertificate Management Made Easy
Certificate Management Made Easy
 

Plus de Ramesh Nagappan

Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewRamesh Nagappan
 
Interoperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldInteroperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldRamesh Nagappan
 
Secure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterSecure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterRamesh Nagappan
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Ramesh Nagappan
 
High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...Ramesh Nagappan
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyRamesh Nagappan
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Ramesh Nagappan
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentRamesh Nagappan
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security ArchitectureRamesh Nagappan
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSORamesh Nagappan
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityRamesh Nagappan
 

Plus de Ramesh Nagappan (11)

Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
Interoperable Provisioning in a distributed world
Interoperable Provisioning in a distributed worldInteroperable Provisioning in a distributed world
Interoperable Provisioning in a distributed world
 
Secure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperClusterSecure Multitenancy on Oracle SuperCluster
Secure Multitenancy on Oracle SuperCluster
 
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
Secure Multi-tenancy on Private Cloud Environment (Oracle SuperCluster)
 
High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...High Performance Security and Virtualization for Oracle Database and Cloud-En...
High Performance Security and Virtualization for Oracle Database and Cloud-En...
 
High Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted CryptographyHigh Performance Security With SPARC T4 Hardware Assisted Cryptography
High Performance Security With SPARC T4 Hardware Assisted Cryptography
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
PIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environmentPIV Card based Identity Assurance in Sun Ray and IDM environment
PIV Card based Identity Assurance in Sun Ray and IDM environment
 
Java Platform Security Architecture
Java Platform Security ArchitectureJava Platform Security Architecture
Java Platform Security Architecture
 
Stronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSOStronger Authentication with Biometric SSO
Stronger Authentication with Biometric SSO
 
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE SecurityWire-speed Cryptographic Acceleration for SOA and Java EE Security
Wire-speed Cryptographic Acceleration for SOA and Java EE Security
 

Dernier

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 

Dernier (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 

Managing PIV Card Lifecycle and Converging Physical & Logical Access Control

  • 1. Managing PIV Life-cycle & Converging Physical & Logical Access Control Ramesh Nagappan Sun Microsystems ramesh.nagappan@sun.com Smart cards in Government Conference Oct 23, 2008 Ronald Reagan International Center, Washington DC
  • 2. Setting Expectations What you can take away !  Explore the Personal Identity Verification (PIV) Life-cycle and its pre- and post-issuance deployment challenges.  Architectural characteristics of managing PIV Life-cycle and converging Physical and Logical Access Control Systems.  Role and relevance of adopting to an Identity Management Solution (IDMS) for delivering and managing an end-to-end PIV lifecycle. 2
  • 3. Personal Identity Verification (PIV) • Personal Identity Verification has become a Fiduciary Responsibility of many National Governments. > Adopting to common credentials with verified identity enables secure and reliable form of personal identification. • Host of PIV standards initiatives and regulatory mandates currently being adopted on a national/global basis. > US Homeland Security Presidential Directive (HSPD-12 2004)‫‏‬ > UK Identity Cards Act (2006)‫‏‬ > French INES (Identité Nationale Electronique Sécurisée)‫‏‬ > ICAO 9303 ePassport / eId > EU Citizen Card, EU EAC (EC 2252/2004)‫‏‬ > Belgian eID, Finesse eID, Taiwan eID, India ePassport and several others (in progress). 3
  • 4. 4
  • 5. PIV Card Issuance and Management FIPS-201 defined PIV Card Issuance and Management Source: FIPS 201-1 5
  • 6. The PIV Life-cycle PIV Identity Management Activities (From registration to till its retirement) Identity Registration PIV Identity Credential Enrolment & Termination Adjudication PIV PIV Credential Credential Maintenance Issuance PIV Physical & Logical Access Control 6
  • 7. The PIV Ecosystem Core technology components of a PIV Lifecycle Demographic Data/ Documents Security Event Biometric Monitoring samples Enroll Identity Physical/ Management Te Logical Solution rm Access ge Identity in Control n Proofing & ha at Systems C Adjudication e Credentials Public-Key Issuance Infrastructure ( Smartcard/PKI/ Biometrics) 7
  • 8. PIV Card Credentials FIPS-201 Mandatory and Optional On-Card Credentials Mandatory Credentials PIN (Personal Identification Number) Cardholder Unique Identifier (CHUID)‫‏‬ PIV Authentication Data (asymmetric key pair and corresponding PKI certificate)‫‏‬ Two biometric fingerprints (CBEFF)‫‏‬ Optional Credentials An asymmetric key pair and corresponding certificate for digital signatures Source: GSA USAccess An asymmetric key pair and corresponding certificate for key management Asymmetric or symmetric card authentication keys for supporting additional physical access applications Symmetric key(s) associated with the card management system 8
  • 9. PIV Lifecycle: Known Challenges Understanding Real-world Pain Points • Defining an authoritative source for managing and maintaining PIV information life-cycle.  Silos of point solutions and repositories - Biometric/Enroll middleware, CMS, PACS, LACS, SIEM, IAM and more !  No single administration console for management.  Too many PIV life-cycle events and operations - right from identity registration and till its retirement ! • Establishing administrative controls, authorization workflows and authority approvals/denials for lifecycle operations.  Managing and maintaining authorization workflow, approval/denial actions and notification.  Enforcing segregation of duties (separation of powers).  Enforcement of access control policies, Role based Access control (RBAC) and procedures (ex. Emergency access/exit). 9
  • 10. PIV Lifecycle: Known Challenges …continued Understanding Real-world Pain points • Provisioning and De-Provisioning complexities with disparate PIV/FIPS-201 solutions and downstream applications.  Initiating instantaneous Provisioning and De-provisioning of PIV enrollment data and its changes to support Identity lifecycle events - Identity registration to till its termination.  Detecting and thwarting dormant/back-door user account creation/modification and circumventing controls. • Managing changes and re-verification/re-enrollment issues related to profiles, roles, privileges and policies.  Identity attribute changes and propagation to heterogeneous PIV based applications ?  Supporting re-verification and re-enrollment requirements related to lifecycle events and attribute changes.  Certify and attest role and access privileges changes. 10
  • 11. Converging Physical/Logical Access: Known Challenges • Enabling PIV credentials to authenticate disparate Physical Access Control Systems (PACS) and Logical Access Control Systems (LACS).  Using PIV credentials such as CHUID, PIN, PKI certificates and Biometrics for authentication.  Use PIV credentials based digitally-signed approvals or denials for authorization workflow and maintaining tamper-proof logs/records of authorization information.  Enabling PIV credentials based Single Sign-on (SSO) to IT applications and Desktops and furthering SSO to participate in Federation (eAuthentication Scenarios).  Integration, extensibility limitations and maintenance issues are common due to proprietary nature of interfaces related to PACS. 11
  • 12. Converging Physical/Logical Access: Known Challenges …. continued • Initiating and managing the authentication process using PIV Credentials.  PKI certificate validation via OCSP or CRL DPs of the PKI SSP.  Enabling PACS authentication using CHUID/PKI/PIN credentials (Based on Contact/Contact-less/Hybrid readers).  On/Off-the-card Biometric authentication using Biometric authentication middleware. • Managing requests and reporting the status of scenarios such as Forgotten PIN, Temporary card requests and Lost PIV card scenarios ?  Managing and reporting the status of Lost/Forgotten card- requests/approvals, certificate revocation, key escrow and recovery operations. 12
  • 13. Logical PIV Architecture Solution Putting it all together Identity Enrollment and Adjudication Services Identity Identity Registration/ Demographic PIV Request w/ Document Biometric Proofing/ Enrollment data Credentials samples Sponsor approval Adjudication Identity Life-cycle Management Services Smartcard Issuance/ Auditing Authorization Credential Management Provisioning User/Role Services Logging Workflow Change De-provisioning Management Compliance Signed Approvals Management Physical and Logical Access Control Services IT Applications Public PKI / Biometric Physical Access eAuthentication Key Authentication Control Systems Single Sign-on / Federation Infrastructure 13
  • 14. PIV Authorization Workflow Hiring Enrollment HR Manager Officer Officer Approval/ Approval/ Approval/ Denial Denial Denial Biometrics Identity Card Issuance & Applicant Breeder Documents Proofing & Registration Activation Enrollment Adjudication HR Enrollment Hiring Manager Officer Manager Approval/ Approval/ Approval/ Denial Denial Denial Retirement / Credential Physical & Termination Maintenance Logical Access • IDMS manages the authorization workflow and authority approval and denials. > Digitally signed approvals using PIV card credentials verified against a PKI provider. • IDMS facilitates Work-flow driven provisioning and de-provisioning of PIV information and credentials to PIV/FIPS-201 mandated resources. 14
  • 15. Choosing an IDMS IDMS Requirements for managing PIV lifecycle • Automated Provisioning & De-Provisioning and Synchronization Services  Automated operations for Creation, Maintenance and Termination of Identity profile (s) and its access privileges .  Integration and interoperability with FIPS-201 compliant Biometric middleware, Document verification, CMS, PACS, IAM and other supporting IT applications.  Instantaneous provisioning/de-provisioning and synchronization of User profile attributes, PIV credentials (PIN/PKI/Biometrics), roles, status/attribute changes, access privileges, rules and policies to/from target resources. • Automated Authorization and Approval/Denial workflows and notifications.  Workflow-driven provisioning/de-provisioning/change requests, approvals/denials, notifications and escalations.  PIV credentials based digitally-signed approvals and denials. 15
  • 16. Choosing an IDMS …. continued Core IDMS Requirements for managing PIV lifecycle • Role Engineering and Management • Establish internal controls for enforcing “Segregation of Duties” and “Least privilege”. (Ex. FISMA compliance) • Auditing, Access Certification and Compliance reporting • Who has access ? Who accessed it ? • What went wrong ? Who authorized it ? When it happened ? • Periodic access review (Attestation and Recertification) • Detect and report potential violations • Integration with Security Information and Event monitoring (SIEM). • Single administration console and dashboard for all PIV user profile information and status of requests/operations for all target resources. • Self-service user administration and delegated administration. • Message and Transport-level Security (FIPS-140 mode) 16
  • 17. Industry Standards Contributing standards for Managing PIV and Convergence of P/LACS • OASIS SPML 2.0 - Service Provisioning Markup Language.  XML Protocol for Identity Provisioning and De-Provisioning. • OASIS SAML 2.0 - Security Assertions Markup Language.  XML Protocol for representing Authentication and Authorization assertions. • OASIS XACML 2.0 - eXtensible Access Control Markup Language.  XML Protocol for representing Access Control Policies. • Liberty Alliance Standards (ID-*)  Open Standards for representing Identity Federation across networks. • OASIS WS-Security and WS-* Standards for Securing XML Web Services. • Finally….FIPS-201 and its related special publications. 17
  • 18. PIV Solution from Sun and ISV Partners Pre-Integrated, Pre-Verified and Pre-Tested for PIV Deployment Smartcard Identity Issuance and Enrollment & Management Adjudication • Aware BioSP • ActivIdentity CMS • CrossMatch • Bell-ID ANDiS • Secugen Aware BioSP Sun Public-key Identity Infrastructure SSP Security Information & Event Monitoring Management • Entrust (SIEM) Suite • Cybertrust • Verisign • ArcSight • Exostar • LogLogic Physical & Logical Verisign PKI Access control • Quantum Secure SAFE • Aware BioSP • BioBex • ActivIdentity ESSO 18
  • 19. Thank You Ramesh Nagappan Sun Microsystems ramesh.nagappan@sun.com Smart cards in Government Conference Oct 23, 2008 Ronald Reagan International Center, Washington DC 19