Dell Software Solutions for Identity and Access Management in Government Connected Security for FICAM and SICAM with Dell One Identity Solutions
Abstract
Introduction
Cybersecurity is the foundation upon which governments provide information technology-based services to users and constituents. Critical to providing a safe and effective cybersecurity infrastructure is identity and access management (IAM)—ensuring that users have proper access to the information and applications to which they’re entitled, no more, no less.
The federal government’s Federal Identity, Credential and Access Management (FICAM) framework defines the required functionality for IAM in U.S. agency and organization infrastructures. A similar framework, State Identity, Credential and Access Management (SICAM), adapts FICAM for state governments. This paper explains how Dell Software’s IAM solutions can help your agency or organization achieve, maintain and prove FICAM or SICAM compliance.
The FICAM Roadmap and Implementation Guidance document was first published in 2009, and version 2.0 was released at the end of 2011. The Office of Management and Budget’s Memorandum 11-11 requires that agencies align their processes with that document.
The State Identity Credential and Access Management (SICAM) Guidance and Roadmap document was published in September 2012 by the National Association of State Chief Information Officers (NASCIO). It should be noted that these are functional frameworks, and can be applied by local governments as well. Adhering to FICAM is a requirement for all federal agencies and organizations, per the 2011 Office of Management and Budget (OMB) Memorandum 11-11. SICAM is not a mandate, but it has particular significance in that it focuses on interoperability with federal agencies and organizations, something that state and local governments need to account for given reliance on federal funding for specific programs.
[Figure 1 (diagram). Labels in the figure: credential management (sponsorship, enrollment, issuance, credential production, credential lifecycle management); identity management (background investigation, on-boarding, authoritative attribute sources, digital identity lifecycle management); access management (resource management, privilege management, policy management, physical access, logical access; decision inputs: identity, attributes, credentials, time, privileges, role, location, status; roles, entitlement attributes); federation (provisioning/deprovisioning with external agency, state, local or tribal government, business partner, citizen); auditing and reporting.]
Figure 1. Components of the Federal Identity, Credential and Access Management Framework include identity management, access management, credential management, federation and reporting, and auditing and reporting.
[Figure 2 (diagram). Labels in the figure: credential management (sponsorship, enrollment, issuance, credential production, credential lifecycle management); identity management (attribute check, on-boarding, authoritative attribute, digital identity lifecycle management); access management (resource management, privilege management, policy management, physical access, logical access; decision inputs: identity, attributes, credentials, time, privileges, role, location, status; roles, entitlement attributes); federation (provisioning/deprovisioning with external agency or department; federal, state, local, international or tribal government; business partner; citizen).]
Figure 2. SICAM framework: The State Identity Credential and Access Management architecture is derived from FICAM, though not fully identical.
Dell Software solutions for FICAM and SICAM compliance
Meeting the specific requirements of these frameworks is no easy task. Few, if any, government agencies can afford the expense or potential disruption in services that would naturally accompany a complete IAM rebuild. The Dell One Identity family of IAM solutions easily integrates into existing IAM implementations to provide the features and functionality necessary to become FICAM or SICAM compliant. Dell One Identity covers all components of these frameworks, and is a key part of Dell Software’s end-to-end Connected Security hardware, software and services.
The following sections describe the components of the FICAM and SICAM frameworks, and note which Dell Software solutions can help in each area; for more information about those solutions, see Table 1 later in this paper. The component descriptions originate, with minor modifications, from the FICAM Roadmap and Implementation Guidance v2.0.
Identity management
Identity management is the combination of technical systems, policies and processes that create, define, govern and synchronize the ownership, utilization and safeguarding of identity information. The primary goal of identity management is to establish a trustworthy process for assigning attributes to a digital identity, and to connect that identity to an individual.1 Identity management includes the processes for maintaining and protecting the identity data of an individual over its life cycle. Many of the processes and technologies used to manage a person’s identity may also be applied to non-person entities (NPEs) to further security goals within the enterprise.
Dell Software’s solutions for identity management include:
• Identity Manager
• Identity Manager-Active Directory Edition
Access management
Access management is the management and control of the ways in which entities are granted or denied access to resources. The purpose of access management is to ensure that the proper identity verification is made when an individual attempts to access security-sensitive buildings, computer systems or data.2 It has two areas of operations:
• Logical access is the access to an IT network, system, service or application.
• Physical access is the access to a physical location such as a building, parking lot, garage or office.
Access management leverages identities, credentials and privileges to determine access to resources by authenticating credentials. After authentication, a decision on whether the user is authorized to access the resource can be made. These processes allow agencies to obtain a level of assurance in the identity of the individual attempting access, in order to meet the following:
• Authentication—Ensuring that all individuals attempting access are properly validated
• Confidentiality—Ensuring that all access to information is authorized
• Integrity—Protecting information from unauthorized creation, modification or deletion
• Reliability, maintainability and availability—Ensuring that authorized parties are able to access needed information
• Non-repudiation—Ensuring the accountability of parties when gaining access and performing actions
1 “Identity Management Task Force Report,” National Science and Technology Council (NSTC) Subcommittee on Biometrics and Identity Management, 2008.
2 FIPS Publication 201, “Personal Identity Verification (PIV) of Federal Employees and Contractors,” March 2006.
In addition, access control sets the stage for additional activities outside of the traditional access control paradigm. One corollary to access management is the ability to ensure that all individuals attempting access have a genuine need. This is tied to authentication and authorization, but also to the business rules surrounding the data itself. Privacy is provided by properly ensuring confidentiality, and by refraining from collecting more information than is necessary.
Dell Software’s solutions for access management include:
• Identity Manager
• Quick Connect
• Virtual Directory Server
• Active Roles
• Privileged Password Manager
• Privileged Session Manager
• Authentication Services
• Enterprise Single Sign-on
• Cloud Access Manager
• Defender
Credential management
A credential is an object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.3 The credentialing process principles and elements can also be applied to NPE digital identities. However, steps may vary during the credential issuance process (sponsorship, adjudication and so on) based on an organization’s security requirements. For examples of NPE credential issuance, please refer to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework, Version 3647–1.6, February 11, 2009.
Credential management supports the lifecycle of the credential itself. In the federal government, examples of credentials are smart cards, private and public cryptographic keys, and digital certificates. The policies around credential management, from identity proofing to issuance to revocation, are fairly mature compared to the other parts of ICAM. The PIV standards4 and Federal PKI Common Policy are examples of documents that have been in place and that are foundational to agency-specific credential implementations.
Dell Software’s solutions for credential management include:
• Enterprise Single Sign-on
• Defender
Federation
Federation is a trust relationship between discrete digital identity providers that enables a relying party to accept credentials from an external identity provider in order to make access control decisions. Federation provides path discovery and secure access to the credentials needed for authentication, and federated services typically perform security operations at run time using valid NPE credentials. In implementation, federation includes the technology, standards, policies and processes that allow an organization to trust digital identities, identity attributes and credentials created and issued by another organization.
Dell Software’s solutions for federation include:
• Cloud Access Manager
• Quick Connect
• Virtual Directory Server
3 NIST SP 800-63, “Electronic Authentication Guideline,” Version 1.0.2, NIST, April 2006.
4 Federal Information Processing Standards Publication 201 [FIPS 201], NIST SP 800-73,16 etc.
Auditing and reporting
Across the federal government, information systems, including physical access control system (PACS) solutions, are designed and built to comply with specific accountability requirements, which mandate the capability to review and report on various access events within individual applications. Each application administrator (or a designee) is responsible for tracking and reviewing access control events within their applications, and investigating anomalous entries. The processes for completing this task vary widely across agencies, business units and individuals. Typically, in order to provide contextual audit information in a meaningful manner, resource owners and administrators have to manually correlate transaction event data from multiple sources that may be paper- or technology-based.
Auditing and reporting capabilities are highly dependent on technological constraints such as network limitations, application setup, application age and network infrastructure. In addition, to meet the audit and reporting requirements for all IT resources, PACS solutions must be capable of providing additional reporting services for physical access events within the organization, as defined in the 2009 Interagency Security Committee (ISC) document, “Use of Physical Security Performance Measures.”
Dell Software’s solutions for auditing and reporting include:
• Identity Manager
• Change Auditor
• InTrust
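The access management flow described in the preceding sections (authenticate the credential first, then decide authorization from the identity's attributes, role, status, the time of the request and its location) and the auditing and reporting requirement to record every access event and flag anomalous entries, shown together as one added example. This is illustrative code written for this page, not code from the paper or from any Dell product; the identities, credential store, policies, the hour-window and location rules, and the denial threshold used to flag an identity for review are all constructed sample data.

```python
"""Minimal policy decision point following the FICAM access management flow:
authenticate -> authorize -> audit. Everything below is constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed identity store: the attribute inputs the paper lists for an
# access decision (identity, attributes, role, status).
IDENTITIES = {
    "jdoe": {"role": "analyst", "status": "active", "agency": "agency-a"},
    "rsmith": {"role": "admin", "status": "suspended", "agency": "agency-a"},
}

# Constructed credential store: a hash of each identity's token. A real
# deployment would validate a PIV certificate or one-time password instead.
_CREDENTIALS = {
    "jdoe": hashlib.sha256(b"sample-token-jdoe").hexdigest(),
    "rsmith": hashlib.sha256(b"sample-token-rsmith").hexdigest(),
}

# Constructed policy: entitled roles, permitted hour window [start, end) and
# permitted locations per resource (the "time" and "location" inputs).
POLICIES = {
    "case-db": {"roles": {"analyst", "admin"}, "hours": (8, 18), "locations": {"hq", "vpn"}},
    "pacs-console": {"roles": {"admin"}, "hours": (0, 24), "locations": {"hq"}},
}

# Every decision, allowed or denied, is appended here so reviewers have one
# correlated source of access events rather than several to reconcile.
AUDIT_LOG: list[dict] = []


@dataclass
class Decision:
    identity: str
    resource: str
    authenticated: bool
    authorized: bool
    reason: str


def sample_time(hour: int) -> datetime:
    """Constructed request timestamp on a fixed day, at the given UTC hour."""
    return datetime(2014, 6, 2, hour, 0, tzinfo=timezone.utc)


def authenticate(identity: str, token: str) -> bool:
    """Authentication step: validate the presented credential (constant-time compare)."""
    expected = _CREDENTIALS.get(identity)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)


def authorize(identity: str, resource: str, when: datetime, location: str) -> tuple[bool, str]:
    """Authorization step: check status, role, time window and location in turn."""
    attrs = IDENTITIES.get(identity)
    policy = POLICIES.get(resource)
    if attrs is None or policy is None:
        return False, "unknown identity or resource"
    if attrs["status"] != "active":
        return False, f"identity status is {attrs['status']}"
    if attrs["role"] not in policy["roles"]:
        return False, f"role {attrs['role']} not entitled"
    start, end = policy["hours"]
    if not start <= when.hour < end:
        return False, "outside permitted hours"
    if location not in policy["locations"]:
        return False, f"location {location} not permitted"
    return True, "all checks passed"


def request_access(identity: str, token: str, resource: str, when: datetime, location: str) -> Decision:
    """Full flow: authenticate, then authorize, then audit. Fails closed on any error."""
    authn = authenticate(identity, token)
    if authn:
        authz, reason = authorize(identity, resource, when, location)
    else:
        authz, reason = False, "credential validation failed"
    decision = Decision(identity, resource, authn, authz, reason)
    AUDIT_LOG.append({
        "ts": when.isoformat(), "identity": identity, "resource": resource,
        "location": location, "authenticated": authn, "authorized": authz, "reason": reason,
    })
    return decision


def anomalous_entries(log: list[dict], threshold: int = 3) -> dict[str, int]:
    """Reviewer aid: identities with at least `threshold` denied requests in the log."""
    counts: dict[str, int] = {}
    for event in log:
        if not event["authorized"]:
            counts[event["identity"]] = counts.get(event["identity"], 0) + 1
    return {who: n for who, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    request_access("jdoe", "sample-token-jdoe", "case-db", sample_time(10), "hq")
    request_access("jdoe", "wrong-token", "case-db", sample_time(10), "hq")
    request_access("rsmith", "sample-token-rsmith", "pacs-console", sample_time(10), "hq")
    for event in AUDIT_LOG:
        print(event)
    print("flagged for review:", anomalous_entries(AUDIT_LOG, threshold=1))
```

The order of checks matters: a failed authentication never reaches the attribute checks, and a suspended identity is denied before role or location is consulted, so the audit reason names the first control that blocked the request. The anomaly helper is the simplest form of the correlation the paper says administrators otherwise do by hand.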
Descriptions of Dell Software solutions for FICAM and SICAM compliance
Solution
Description
Active Roles
Active Roles simplifies the security and protection of Microsoft® Active Directory® (AD) by providing automated tools to efficiently manage users and groups, as well as Active Directory delegation. Active Roles helps you to overcome Active Directory’s native limitations, enabling you to do your job faster. And thanks to Active Roles’ modular architecture, you can afford to meet your business requirements today and in the future.
Authentication Services
Integrate Unix, Linux and Mac OS X into Active Directory while extending the compliance and security of AD across your enterprise using Authentication Services, part of the Privileged Access Suite for Unix.
Change Auditor
The Change Auditor solution family audits, alerts and reports on all changes and deletions made to Microsoft Active Directory, Exchange, SharePoint®, VMware vCenter®, EMC®, NetApp®, SQL Server®, Windows Server® and even LDAP queries against Active Directory—all in real time and without enabling native auditing. A central console eliminates the need for multiple IT audit solutions, reducing complexity.
Cloud Access Manager
Cloud Access Manager enables you to deploy and manage enterprise-class applications across your private, public and hybrid clouds. It provides a suite of tools for managing your cloud infrastructure, including the provisioning, management and automation of applications across the leading private and public cloud platforms.
Defender
Defender uses your current identity store within Active Directory to enable two-factor authentication, taking advantage of AD’s inherent scalability and security, and eliminating the costs and time involved to set up and maintain proprietary databases. Defender’s web-based administration, user self-registration and ZeroIMPACT migration capabilities ease the implementation of two-factor authentication for both administrators and users. In addition, Defender utilizes the full battery life of hardware tokens—typically five to seven years—and offers software tokens that never expire.
Identity Manager
Identity Manager makes it easy to manage user identities, privileges and security across the enterprise. The solution’s automated provisioning of all resources simplifies the access management process, helps ensure that each user has only the appropriate access rights, and reduces the burden on IT.
Identity Manager-Active Directory Edition
Identity Manager-Active Directory Edition provides Active Directory self-service group management: your line-of-business employees can fulfill their own Active Directory group management access requests and attestation using a simple, easy-to-deploy and customizable request portal with summary dashboards and detailed reporting. The burden of managing these user access requests is transferred from IT staff to business owners. The solution also offers advanced role-based access control to help you achieve your compliance, security and governance objectives.
Enterprise Single Sign-on
Enterprise Single Sign-on enables your organization to streamline both end-user management and enterprise-wide administration of single sign-on (SSO). It bases application and system user logins on your existing Active Directory identities, so there’s no infrastructure for you to manage.
InTrust
InTrust enables you to securely collect, store, report and alert on event log data from your Windows, Unix and Linux systems, ensuring compliance with external regulations, internal policies and security best practices. InTrust helps you gain insight into user activity by auditing user access to critical systems from logon to logoff. It also detects inappropriate or suspicious access-related events in real time.
Privileged Password Manager
Privileged Password Manager empowers you to control the process of granting administrators the credentials necessary to perform their duties. It automates and secures the process, ensuring that when administrators require elevated access through shared and privileged credentials, such as the Unix root password, access is granted according to established policy. With Privileged Password Manager, you’re assured that only appropriate access is granted based on required approvals, that all actions are fully audited and tracked, and that the password is changed immediately upon its return.
Privileged Session Manager
Privileged Session Manager enables you to issue privileged access while meeting auditing and compliance requirements. Privileged Session Manager is deployed on a secure, hardened appliance and allows you to grant access to administrators, remote vendors and high-risk users for a specific period or session, with full recording and replay for auditing and compliance.
Quick Connect
Quick Connect synchronizes identity data (users, groups and supporting data for roles) enterprise-wide to support a unified and intelligent approach to identity and access management. By integrating identities with Active Roles Server, Identity Manager, Password Manager, Active Directory-based tools or enterprise solutions, Quick Connect automates the provisioning process to control user access, reduce errors, save administrative time and lower costs.
Virtual Directory Server
Modify the presentation of data on the fly with Virtual Directory Server, a middleware application that abstracts back-end data from client applications. Virtual Directory Server allows you to easily integrate new applications into your existing identity infrastructure without having to alter directory information. That means your data stays put and in the same format.
Table 1. Dell Software solutions for FICAM and SICAM compliance
Conclusion
FICAM and SICAM provide logical, functionally rooted frameworks for cybersecurity at the federal, state and local levels. FICAM and SICAM guidelines for identity management, access management, credential management, and auditing and reporting are complex but comprehensive. Dell Software can play an important role in helping your organization simplify adherence with these frameworks and improve the security of your physical infrastructure, applications and data.
For more information
• Federal ICAM website
• FICAM v2.0 Roadmap and Implementation Guidance
• State Identity Credential and Access Management (SICAM) Guidance and Roadmap
• Dell Connected Security
Dell Software solutions:
• Email security
• Endpoint management
• Endpoint security
• Identity and access management
• Network security
• Secure remote access
• Security
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology—delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.
If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com
Refer to our Web site for regional and international office information.
© 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”). Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
TechBrief-IAM-Govt-US-KS-24070