Identity Management in a Federated Environment US-NATO TEM


Number of slides: 28

Identity Management in a Federated Environment
US-NATO TEM 6, 1-3 December 2009
Alan Murdock, Dr. Robert Malewicz, Dr. Sven Kuehne
CAT-2 Interoperability | NATO C3 Agency - The Hague
Tel.: +31 (0)70 374 3562 | E-mail: sven.kuehne@nc3a.nato.int

NATO IdM Initiatives
• SC/4-SC/5 NATO IdM Workshop (2008/09)
  - output: NATO IdM Strawman Paper
  - directory services oriented view
  - focused on the alliance aspect of NATO IdM
  - identifies IdM use cases in NATO
• SC/4 Service Management Infrastructure AHWG (2008/09)
  - output: SMI Technical Services Definitions working paper
  - Security Management architecture view
  - requirements/standards/technology agnostic approach
  - identifies interfaces with other security management services
NATO UNCLASSIFIED

Terminology
• Identity Management is ambiguous!
• Identity Management includes:
  - Identity Assurance
  - Identity Employment or Utilization
  - Identity Services
• What is an "Identity"?
  - … a PKI certificate?
  - … a set of attributes?
  - … the same for every entity in the enterprise?

Different view on IdM
• NATO has a two-dimensional challenge:
  - IdM in the NATO Alliance: 28 NATO nations and partners constitute a federation
  - IdM in the NATO Organization: NATO HQs and NATO agencies constitute an enterprise (?)

Challenges
• The concept of NATO IdM is in a very early stage of formalization
• Requirements for NATO IdM need to be defined
• The two dimensions of NATO IdM have the potential to cause conflicts for IdM
• Emerging technologies (Identity 2.0) are reflected neither in the NATO IdM Strawman Paper nor in the SMI working paper
• Policy document for NATO IdM
• Interoperability at all levels

Way forward
• What can we accomplish today?
  - Listen
  - Inform
  - Plan for the future
• NC3A Identity Management Test Campaign

IdM Concept Validation
• Purpose:
  - Identify NATO IdM requirements based on IdM use cases
  - Verify architectures and solutions for identified IdM use cases
• Scope
  - Validation focused on federated scenarios within the NATO Alliance
• Test Facility
  - Classification: NATO Unclassified
  - NNEC CES Testbed as an investigation platform on the NATO side
  - National Testbeds
• Procedure
  - VPN Joining Instruction
  - IdM Joining Instructions (based on ACP 145 and ARH forms)
  - agreed test scope (use cases) and schedule

NNEC CES Testbed Layout

IdM Use Cases
• IdM use cases defined in the NIdM Strawman Paper
  - Access to C2 Data/Services in NATO SECRET Domain
  - Single Sign On in Cross-Domain Federation Scenario
  - Use of certificates bound to the identity
  - NATO Pass System
  - Use of national military ID-Card
• Technology/Solution specific IdM use cases for testing
  - Cross-domain group management
  - Security token based authentication for Web Services
  - Portal access (based on SharePoint Server)
  - Collaboration tools (based on JChat application)
  - Access to legacy applications
  - Others …

IdM Strawman and Technology/Solution Driven Use Cases: Relevance Mapping (matrix slide)
• Strawman Paper use cases (columns): Access to C2 Data and Services; SSO in Federation; Use of certificates; NATO Pass System; Use of national military ID-Card
• Technology/Solution use cases (rows): Group Management; Security Token based authentication; Portal Access; Collaboration Tools; Access to Legacy Systems
• Cells are marked with a tick or a question mark; which cell carries which mark is not recoverable from the extracted text

IdM Use Case Validation Environment

Service Components
• Information Exchange Gateway scenario B (IEG B)
• NATO Enterprise Directory Service (NEDS)
• Allied Replication Hub (ARH)
• Border Directory Services
• NATO Public Key Infrastructure (NPKI) Certificate Authority
• Security Token Service (STS)
• Policy Enforcement Point (PEP)
• Policy Decision Point (PDP)
• Web servers/portals and clients
• Web Proxy
• Web Concentrator
• Collaboration tool servers and clients
• Identity Data Sources

Use Cases
• Cross-domain group management
• Security token based authentication for Web Services
• Portal access (based on SharePoint Server)
• Collaboration tools (based on JChat application)
• Access to legacy applications

Group Management Use Case
• Foundation for other use cases
• Foundation for a formal access control mechanism implementation. Access control models being considered:
  - role based access control (RBAC), currently used in many C2 systems
  - attribute based access control (ABAC), anticipated to be more exploited in future service-oriented systems
• Potential areas of usage (examples)
  - cross-domain group management delegation
  - cross-domain group mapping
• Status
  - directory components installed
  - meta-tools installed, configured, jobs implemented
  - initial testing completed
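Added illustration, not code from the presentation or the NC3A testbed: a minimal policy decision point in which a cross-domain group mapping (national group names translated to NATO-side roles) feeds an RBAC decision, and an ABAC rule additionally requires clearance dominance and Community of Interest membership. All domain, group, role and CoI names are constructed.

```python
from dataclasses import dataclass

# Constructed mapping table (hypothetical names, not the NC3A testbed's):
# (national domain, national group) -> NATO-side role.
GROUP_MAPPING = {
    ("NLD", "ops-planners"): "C2_PLANNER",
    ("DEU", "lagezentrum"): "C2_PLANNER",
    ("NLD", "servicedesk"): "SUPPORT",
}
# RBAC view: permissions attach to NATO-side roles only.
ROLE_PERMISSIONS = {
    "C2_PLANNER": {"c2data:read", "c2data:write"},
    "SUPPORT": {"portal:read"},
}
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

@dataclass(frozen=True)
class Subject:
    domain: str          # national domain that asserted the identity
    groups: frozenset    # group names as asserted by that domain
    clearance: str
    cois: frozenset      # Communities of Interest the subject belongs to

@dataclass(frozen=True)
class Resource:
    classification: str
    coi: str             # CoI that owns the resource

def map_groups(subject: Subject) -> set:
    """Cross-domain group mapping: national groups -> NATO roles.
    A group with no mapping entry yields no role (fail closed)."""
    return {GROUP_MAPPING[(subject.domain, g)] for g in subject.groups
            if (subject.domain, g) in GROUP_MAPPING}

def rbac_permits(subject: Subject, action: str) -> bool:
    """RBAC decision: any mapped role carrying the action suffices."""
    return any(action in ROLE_PERMISSIONS.get(r, ()) for r in map_groups(subject))

def abac_permits(subject: Subject, resource: Resource, action: str) -> bool:
    """ABAC decision: the mapped role is one attribute among several; the
    subject's clearance must dominate the resource classification and the
    subject must be a member of the resource's CoI. Unknown clearance or
    classification values deny."""
    return (rbac_permits(subject, action)
            and CLEARANCE_RANK.get(subject.clearance, -1)
            >= CLEARANCE_RANK.get(resource.classification, 99)
            and resource.coi in subject.cois)
```

The contrast the slide draws is visible in the decisions: RBAC grants a mapped planner every C2 action regardless of the resource, while ABAC denies the same planner a resource owned by a CoI they are not in.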

IdM in Group Management

NNEC Hints
• "Network of networks" is one of the main concepts of the NNEC vision: the environment is made up of many separate networks linked together
• Community of Interest (CoI) is a driver for access control in NNEC
• Sharing of identity information between these different networks is crucial for providing access control
• Service Oriented Architecture (SOA) based on Web services is a candidate technology to materialize the NNEC vision, where services can be (dynamically) discovered and called by different clients

Security Token Based Access Use Case
• Simple services can be combined into more complex ones ("orchestration")
• Typically users interact with web services using different kinds of GUIs (web and form based ones)
• Service provider/consumer interoperability
  - standard protocols like SOAP, HTTP
  - Web services related standards, including the WS-* stack (e.g. WS-Security, WS-Trust, WS-Federation etc.)
• Secure SOA-based data/services exchange scenarios in a federated environment to be demonstrated
• Status:
  - all components installed, not all configured yet
  - not all tested yet
  - not integrated with directory yet

Secure Token Based Access

… Integrated with Directory Services

Access to Portal
• Web portal access handling is one of the most common and basic information sharing requirements
• Access granularity is a desired feature that needs to be implemented in future NATO portals
• Microsoft SharePoint is identified as a future NATO portal product. The next version is to be integrated with Microsoft's Identity Architecture, and so will be able to act as a relying party to XML security tokens.
• Initially, access from a national domain to NATO portals is the most expected operational scenario
• Status:
  - all components installed
  - meta-tools installed, configured, jobs implemented
  - initial testing completed
  - implemented different authentication mechanisms for internal/external users
  - hashed passwords for external users populated through ARH

IdM in Access to Portal

Collaboration Tools Use Case
• XMPP is an open technology for real-time communication, which powers a wide range of applications, e.g.:
  - instant messaging
  - presence
  - multi-party chat
  - voice and video calls
  - collaboration
  - lightweight middleware
  - content syndication
  - generalized routing of XML data
• XMPP is a mandatory collaboration standard for military usage in many NATO nations
• JChat application, a standard NATO collaboration tool, to be used on the NATO side
• Status: not implemented yet
  - all components installed
  - meta-tools installed, configured, jobs implemented
  - hashed passwords for external users populated through ARH

IdM in Collaboration Tools

Access to Legacy Applications
• There are still applications in NATO CIS which are not PKI and/or Web services enabled
• Authentication/Authorization mechanisms:
  - implemented as an integral part of the applications (usernames and passwords stored in a local database), which results in application specific solutions, or
  - are not implemented at all
• For completeness of the IdM use case validation picture, legacy systems should be included
• Status: not implemented yet

IdM in Legacy Systems

Summary
• The concept of IdM in a federated NATO environment (NATO plus NATO nations) is in an early stage of formalization
• The list of use cases for IdM is open
• The NC3A CES/NNEC testbed provides an infrastructure for complex IdM validation to be performed with Alliance partners

Why Identity Management matters …

CONTACTING NC3A

NC3A The Hague
Visiting address: Oude Waalsdorperweg 61, 2597 AK The Hague
Postal address: NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239

NC3A Brussels
Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels, Belgium
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770