

  • Number of slides: 19

Information Sharing Puzzle: Next Steps
Chris Rogers
California Department of Justice
April 28, 2005

Tactical Approaches
• System-to-System use case
  – VPN / Trusted Certificates/Credentials
  – Customized Gateways
  – Vetted and agreed upon policies and procedures
  – Information exchange model (IEM) – XML credentials
• User-to-Application use case
  – IVE appliance integrated with infrastructure
    – Identities propagated throughout network
    – Tools that delegate the assignment of privileges
    – Certificate Policy/Practice Statement

Acute Awareness
• Primary Impediments to Information Sharing
  – Incompatible technologies
  – Identity, authentication, & authorization policies
• Factors Affecting Interoperability
  – Numerous autonomous agencies
  – Multiple trust domains
  – Heterogeneous environments
  – Varied governance structures
  – Significant investment in legacy environments
  – Inconsistent or non-existent security policies & procedures

Fundamentals of Success
• Identity Management
  – Addresses the inter-domain security problem with trust and standards
  – Agreements, standards, technologies make identity and entitlements portable across autonomous domains
  – Authenticated users can be easily recognized and consume services offered by other “federation” service providers
• Privilege Management

Addressing the Problem
• Nat’l Criminal Intelligence Sharing Plan (NCISP)
• Global Justice Information Sharing Initiative
  – Advisory Committee Membership/Leadership
  – Advisory Committee Executive Steering Committee
  – Global Working Groups
    • Infrastructure Standards
    • Security

Committee Composition
• Criminal Information Sharing Alliance Network (CISAnet)
• Regional Information Sharing Systems Network (RISSNET)
• Justice Network (JNET)
• DHS Homeland Security Information Network (HSIN) / Joint Regional Information Exchange System (JRIES)
• Automated Regional Justice Information System (ARJIS)
• California Department of Justice

Global Security Architecture Committee (GSAC)
• Business Problem
  – Recognized networks and information systems exist that involve substantial investments in technology, governance structures, and trust relationships
  – Failure to enable interoperability between the available information systems continues to impede law enforcement and government officials’ ability to take effective actions when they are not aware of other information that may be known about a person or event

Global Security Architecture Committee (GSAC)
• Committee Scope
  – In response to the implementation of the National Criminal Intelligence Sharing Plan (NCISP), to develop an “overall” NCISP Interoperability Framework
  – To define a set of “jointly agreed-upon and standards-based security mechanisms, communications protocols, and message formats”

Initiatives
• Federated Identity and Privilege Management Security Interoperability Demonstration (GSAC participants)
• Trusted Credential Project (RISS)
• DHS Service Oriented Architecture – Security and Identity Management (IdM) Component (DHS)

Demonstration
Federated Identity and Privilege Management Security Interoperability

Goal/Objective
• A multi-directional electronic exchange of criminal intelligence information, achieved through secure systems interoperability between networks and information systems currently not capable of doing so

Scope
• Develop and prove an identity and privilege management service that can be used to apply authentication and access controls by disparate systems and networks desiring to make their resources “sharable”

Scope (cont’d)
What’s IN
• User-to-application use case
• Web-based applications only
• Use open source, noncommercial software to keep licensing costs to a minimum
What’s OUT
• Policies
• Process definition
• Established baseline of vetting requirements

Deliverable
• Demonstrate a universal mechanism, implementation-independent and non-vendor specific, designed to share trusted assertions (agreed set of attributes) that can be used to apply authentication and access controls

Use Case
• A valid subscriber of System “A” can access applications of System “B” (a federation participant)
• A valid subscriber of System “B” can access applications of System “A” (a federation participant)
• A subscriber is “registered” locally and is not required to re-register to another federation participant’s system or application

Use Case (cont’d)
• A subscriber authenticates locally and is not required to re-authenticate to another federation application – even if that subscriber has traversed multiple applications within the federation
• Subscriber information is passed to the federation system or application – access control decisions can be made without local provisioning

Participation Premise
• Participants retain control over their resources (dissemination & access control decisions made locally)
• Participants register & administer their subscriber base
• Participants can implement local technologies
• Participants agree to a minimal set of policies, procedures, and standards allowing for subscriber authentication and privilege information to be passed between participants
• Participation does not preclude independent,
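The use case and participation premise above describe a federation in which System “A” authenticates its own subscriber, passes a trusted assertion (the agreed set of attributes) to System “B”, and B makes its access-control decision locally without ever provisioning that subscriber. The following is an added example, not part of the deck and not code from the GSAC demonstration or any participating network, that sketches that exchange in Python. HMAC over a per-participant shared key stands in for the certificate-based credentials the deck mentions; the participant names, keys, attribute set, subscriber records and System B policy are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed federation trust registry: the signing key each participant
# agreed to under the federation's minimal set of policies.  HMAC keys stand
# in for the certificate-based credentials the deck describes.
TRUSTED_PARTICIPANTS = {
    "system-a": b"constructed-signing-key-for-system-a",
    "system-b": b"constructed-signing-key-for-system-b",
}

# The "agreed set of attributes" every assertion must carry, and nothing more.
AGREED_ATTRIBUTES = ("subject", "agency", "role", "clearance")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_assertion(issuer, subscriber, audience, ttl=300, now=None):
    """Identity-provider side (System A).  Called only after the subscriber
    authenticated locally; only the agreed attributes leave the domain, so
    local secrets such as a password hash are never forwarded."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "attrs": {name: subscriber[name] for name in AGREED_ATTRIBUTES},
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _sign(payload, TRUSTED_PARTICIPANTS[issuer])


def verify_assertion(token, expected_audience, now=None):
    """Service-provider side (System B).  Returns the attributes if the
    assertion is genuine, addressed to us and still valid; raises ValueError
    otherwise.  No subscriber record on System B is consulted or created."""
    now = time.time() if now is None else now
    try:
        payload_b64, signature = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        raise ValueError("malformed assertion")
    if not isinstance(claims, dict):
        raise ValueError("malformed assertion")
    key = TRUSTED_PARTICIPANTS.get(claims.get("iss"))
    if key is None:
        raise ValueError("issuer is not a federation participant")
    # Check the signature before trusting any other claim; constant-time compare.
    if not hmac.compare_digest(_sign(payload, key), signature):
        raise ValueError("bad signature")
    if claims.get("aud") != expected_audience:
        raise ValueError("assertion not addressed to this system")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"]:
        raise ValueError("assertion expired")
    attrs = claims.get("attrs")
    if not isinstance(attrs, dict) or set(attrs) != set(AGREED_ATTRIBUTES):
        raise ValueError("attribute set does not match the federation agreement")
    return attrs


# System B's local access policy: written and enforced by B alone.  The
# federation only delivers attributes; the decision never leaves B.
SYSTEM_B_POLICY = {
    "/intel/reports": lambda a: a["role"] in ("analyst", "investigator") and a["clearance"] >= 2,
    "/intel/sources": lambda a: a["role"] == "analyst" and a["clearance"] >= 3,
}


def authorize(token, resource, now=None):
    """Full System B flow: verify the federated assertion, then apply the
    local policy.  Returns ("allow", subject) or ("deny", reason)."""
    try:
        attrs = verify_assertion(token, "system-b", now)
    except ValueError as err:
        return ("deny", str(err))
    rule = SYSTEM_B_POLICY.get(resource)
    if rule is None or not rule(attrs):
        return ("deny", "local policy")
    return ("allow", attrs["subject"])


if __name__ == "__main__":
    # Constructed subscriber record as held by System A; never sent to B.
    analyst = {"subject": "jdoe", "agency": "CA DOJ", "role": "analyst",
               "clearance": 3, "password_hash": "<local secret, stays at A>"}
    token = issue_assertion("system-a", analyst, "system-b", now=1000.0)
    print(authorize(token, "/intel/sources", now=1100.0))  # ('allow', 'jdoe')
    print(authorize(token, "/intel/sources", now=2000.0))  # ('deny', 'assertion expired')
```

Two design points carry over from the deck regardless of the signing mechanism used in practice: the receiving participant trusts only issuers in its federation registry and rejects anything not addressed to it, expired, or carrying a different attribute set, so a single agreement about attributes is enough to interoperate; and the allow/deny decision comes from System B's own policy over those attributes, which is what lets participants retain control of their resources while still skipping re-registration and re-authentication.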

Progress
• Cooperative Agreements
• Funding
• Data Requirements Survey
  – Industry Specs
  – Recommendations/Common Usage Profile
• Concept Demo – Coming soon…

For more information…
Christina Rogers
California Department of Justice
(916) 227-3124
Christina.Rogers@doj.ca.gov