Identities Plus Attributes: A Cloud-Based B2B Federation Model



Exostar's Managed Access Gateway Links Identities and Community-Derived Attributes

Secure cloud computing: to prevent that phrase from being an oxymoron, it's necessary to address identity management--ensuring only authorized users get access to applications and data and do only what they are allowed to with those assets. That's an even greater challenge as "users" increasingly include trading partners and customers as well as employees.

To kick off Security Squared's exploration of managing identities in the cloud, we present our conversation with Vijay Takanti (pictured), vice president, security and collaboration solutions, for Exostar. The Herndon, VA-based firm provides a range of cloud-based "multi-enterprise collaboration solutions" serving the aerospace and defense (A&D) industry, which in turn must meet the stringent security requirements of such federal mandates as Homeland Security Presidential Directive 12 and the FIPS 201 technical standard that essentially calls for a converged physical/logical identity credential. Exostar is to date the only third-party firm authorized by the Department of Defense to issue such credentials on the DOD's behalf.

In December, Exostar launched its Managed Access Gateway (MAG), a cloud-based "identity hub." Lockheed Martin is using MAG to give 40,000 external vendors and their associated users access to Lockheed's "Procure-to-Pay" supplier portal, with MAG managing and controlling access to the relevant data and the associated applications. The external vendors don't need to invest in any premises software, while Lockheed Martin is insulated from managing the enrollment and provisioning of the suppliers and their users.

In this first half of our conversation, edited for clarity and length, Takanti explains the business, access and identity concepts underlying MAG and why these three factors must be addressed in tandem when federating identities among trusted trading partners--either in or via the cloud or in traditional applications.

********

Sharon J. Watson: I'm very curious about how to secure identities as people begin working more in the cloud, whether you've got people accessing something like Salesforce.com or whether a company is beginning to move its [IT] infrastructure into the cloud. I'm hoping we can talk broadly today about some of the underpinnings of securing the cloud, managing identities in the cloud.  I'd also like to understand how your Managed Access Gateway works.

Vijay Takanti: Let's review the cloud service and especially now what is being touted as hybrid cloud services. I'm sure you're familiar with cloud services: we have the internal enterprise cloud, we have the external enterprise cloud hosted by the Amazons or the Microsofts of the world, and this new notion of the security cloud or hybrid cloud, which is bridging between these two clouds, that is primarily focusing on identity management services. That's what I spend all my time on.

You mentioned Salesforce.com and those kinds of things. To set the stage, when we talk about identity management at Exostar, our primary focus is business-to-business transactions, how do we enable business transactions such that they can comply with policies. By policies, I mean simple things we take for granted [in the physical world]. You go to a meeting with two different enterprises and the first thing company A says is 'all of this information I'm sharing with you is under an NDA [nondisclosure agreement].' So how do we take that basic notion and make sure those things are actually in place before we share information in the electronic world, especially in the cloud world.

Because identities are not the business problem. The business problem is access controls on sharing information. That is the primary problem we are seeing. But to tackle the problem, we have to solve the [issue of] who is getting that information.  That is where the identity management kicks in.

Context is Key

One of the challenges in the hybrid cloud or the security cloud when we talk about identities [is that] the identity is in the context of a business transaction. For example, I am talking with someone in the DOD, so I need to know this information exchange is happening in the context of my relationship as an employee of Exostar, with somebody who is employed by the DOD, and that relationship, that exchange, is governed by a set of contracts or business authorizations. This is the model we are working on, and that expands the notion of identity. Identity is not just about a person, it's about a lot more information that I need about the person.

What we are finding in some instances is that...enterprise applications like ERP care more about the attributes of the trading partner. So at Exostar, we are not just focusing on identity management of the end-user but are also trying to standardize this notion of identity management about the community. And the community in our case involves thousands of companies who are doing business in aerospace and defense.

A Collection of Community Data Attributes

VT: We have spent a lot of time and effort with our customers implementing a robust mechanism to...collect information about companies. We also vet that information....verify the information using standard data sources. For example, in the aerospace and defense industry, a lot of emphasis is placed on national security. We don't do business with people on the denied partners list published by the Department of State, the Department of Commerce, those kinds of entities. We are to verify that.

We are to verify simple things. If I am doing a supply chain transaction, I need to know the tax ID, to subtract taxes. I may have to know the shipping and billing address because that's what my system needs. But I can't just enter 123 Main Street, Georgia, because 123 Main Street, Georgia, may not exist. I verify the address makes sense. I need to do money transfers, I need the bank routing information for the company. And so on and so forth.

You get the notion of the information I am talking about. That is where we built this robust system, and that system is not only collecting information, it also needs to support a number of workflows because you have different types of suppliers, you have different kinds of business processes to support.

Then what we've done is build our user identity management service in the context of this so-called company information. As an example: Nicole is an employee of Exostar, and I have collected a lot of information about Exostar. As part of that collection, I also set up a user, and that user has been given the privilege to add more users, delete them, allow users to do certain jobs. That is where we kick in our user identity management. It is not just about identity management, it is about identity and access management. Because as I said, identity without the notion of access doesn't make sense. In our world, we tie these two pieces together, identity and access.



Using Physical World Models

For example, the DOD has a directive that any access to any of the information sites, which are unclassified, requires the highest level of identity assurance. What do they mean by identity assurance? It has to meet certain security requirements--minimum things that we take for granted in real life.

If you get a drivers' license, you don't just fill out a form and then they issue you a license. They do an online background check.  The DOD basically said...we want that in the cyber world. In other words, if Nicole wants access to a DOD website, they want Nicole to go to somebody, show her documentation, see that Nicole has the right credentials, that she is a U.S. citizen and shows a passport or a driver's license and the picture on the driver's license and passport matches Nicole. I also verify the document that Nicole has given me is an authentic document and not a forgery. There are certain basic rules that you follow. And then I say, Nicole, I know who you are, I'll give you a credential that you can use to access the DOD website. The DOD, because it trusts me, will now trust Nicole and give her access to some applications.

The same thing in the [Department of Motor Vehicles]: I take an exam, I am certified, they give me a laminated card that gives me the privilege to drive on the road and also to specify that Vijay Takanti has to wear glasses, and without those glasses he can't drive a car.

In the technology world...we call those things like 'eyeglasses required to drive a car' the attributes of a person. In the case of the DOD website, the attributes to access that website may be: it is Nicole and she has a credential issued at this high level of identity verification. That's one. It is Nicole, she is an employee of Exostar. That's two. It is Nicole, and she is a US citizen. That's basically three attributes I need to provide to the DOD to [gain] basic access to their applications.

Within those applications I may have to give some more attributes, like Nicole has this role. That is where the industry is going, and the DOD actually calls this "attribute-based access control."

Attribute-Based Access Control

VT: In that world of attribute-based access control, to do a business transaction, to give access to business information, there are certain attributes we have to verify. For example, if you look at the company level, I need attributes like--especially in the US--is this company minority owned? Is the company woman-owned? Those are attributes of the company.

Similarly, is Nicole employed by a company that is woman-owned? Is Nicole a U.S. citizen? Those are two attributes about Nicole. That is what we are trying essentially to formalize and set up, providers who can collect and maintain and propagate these attributes to what we call the line parties that own and operate applications, whether the Department of Defense, the Boeing Company, Lockheed Martin, so they can make the right decisions on giving access.

What is in it for those companies? They do not have to manage all these external trading partners that need access to their internal systems. What used to happen before this identity cloud service, Boeing, Lockheed Martin, everybody had to have those attributes about the business requirements. They had to collect and maintain those attributes in their internal applications. Boeing did that for Boeing, Lockheed did that for Lockheed, Raytheon did that for Raytheon, and so forth.

Most of them follow the same process because they are aerospace and defense companies. If Nicole is doing transactions with all these companies, these companies are spending a lot of money collecting information about Nicole and keeping it in their applications. That is where we at Exostar come in and say, 'Guys, listen, we'll do it once for you, you will get economies of scale. By the way, we will follow the highest levels of process that you have between these companies so you get the best assurance at a lower price.' That is what we are proposing in that hybrid cloud.


Flexible Levels of Assurance

We also recognize that not every transaction that Nicole participates in requires the highest levels of assurance. So we provide different levels of attributes and in the case of credentials, we call it multi-factor authentication. If Nicole is authenticating a purchase order, and it doesn't have a lot of confidential information, she can use a user ID and password just like she does to do her online banking...but if Nicole is exchanging a design document with Lockheed Martin, she needs to make sure that information doesn't end up in Iran or Iraq. So in that scenario, we have to make sure Nicole actually uses a smartcard or a token that has been issued to her after what we call in-person proofing, which means I verified Nicole's passport and everything before I gave her credentials. So I know I am really talking to Nicole in the cyber world.

What we see, Sharon, is that the number of attributes expand in the identity world because there are multiple entities I am touching. First, there is Nicole; the next problem I have is that Nicole is using a laptop or computer to access my application. Is she sitting in some café in a hotel that is infected? That is another attribute: I need to know where Nicole is coming from, what workstation is she using to access my application. You can see how that cloud computing service provider can provide a lot more information that traditionally people have not been able to collect to make decisions.

SJW: Let me take a step back and make sure I am understanding you, Vijay: When I cover the private enterprise world, some of what you are talking about might be referred to as role-based access control versus attribute-based access control. Does that sound correct?

VT: We are actually transitioning from role-based to attribute-based because role-based became a complex problem. Depending on the business, a person might have multiple roles. Some enterprises have thousands of roles, and the administrative cost of maintaining those roles was very high. So now that paradigm seems to be attribute-based, where they define the attributes, define the provisioning of those attributes, and it makes it easier to combine the attributes for a given business to make a decision.

Attributes are also flexible in the sense they can be about the role of a person or about the environment, like the machine. So that is a scalable concept. Attributes are about the company, they are about the user, they are about the service endpoint. They can also be about the application, application to application, as in a service-oriented architecture. In that context, it is not so much the user getting access to my applications as it is applications pulling or pushing data.

SJW: Is attribute-based access control synonymous with claims-based?

VT: Yes. Claims-based is the terminology used by Microsoft. But the concept is identical. They call it a claim. But there is one difference in a claim. The claim is made by a provider who is trusted. Exostar is claiming Nicole is an employee of Exostar. I trust Exostar, and I trust the claim Exostar is making...

For example, you have heard of digital certificates, x.509 certificates. That is a claim, that is nothing but an electronic document which is signed by a trusted authority which gives some basic information. It says this is Nicole, this is her e-mail address, and it is signed by somebody I trust. That is a claim.

A driver's license is a claim. It is signed by the DMV. Because I trust the DMV, I trust that Nicole can drive. It's that same real world concept we are now beginning to recognize in the IT world.


Converged Credentials

Now that I have this claim, obviously it's easy to manage the logical access and if you notice, most of the fraud data leakage happens in the cyber world, not the physical world. You don't hear so much about James Bonds with spy cameras taking pictures as of someone sitting in a café with a file-sharing program to get the same information.

And as my friends in the DOD tell me, the threat is asymmetric in that defenders are at a disadvantage compared to the attackers. The attacker can attack me at any time, we don't know who they are, we don't know how they'll attack. It is completely asymmetric because the information [at risk] is much more valuable than the amount of investment made in the attack to get that information.

The physical access is still a challenge but that is something we are beginning to manage. If I go to the Department of Defense, the Pentagon, they check my credentials and give me a visitor badge and an escort. I don't have an escort in the cyber world. That's why a lot of this effort is being spent on the logical world but the recognition is there that hey, we have spent so much... at the end of the day, I am providing Nicole with a token, so how can I leverage that same investment into perhaps giving her physical access. That is where we are seeing the convergence: can I leverage the investment, get a return on investment in the physical world, not just the logical world.

This has not yet materialized in the industry, but is a concept we're seeing: Typically the way we work, we go to Microsoft Outlook and set up a meeting in the calendar. I say I want to invite Nicole, and I select a conference room. My Outlook automatically would check with Nicole, ask can she come to this meeting I've designated as confidential. When Nicole actually shows up, she then flashes her badge, the same badge she used to login to the system and get logical access. The new buildings have smart readers linked into the Microsoft server, so she flashes her badge and that goes to the Outlook Exchange Server. It says, Nicole has shown up to attend this meeting, is she allowed in this meeting room because it is confidential. If she has not been asked to attend, the door won't open.

That is where we are leading. If you go to DOD meetings, there is a small poster or sign outside the wall that says 'this meeting is confidential' or 'this meeting is classified' or 'this meeting is Lockheed people only' or 'DOD people only.' If I can translate that to Outlook Exchange calendar appointment information, I can get the advantage of access using the same identity.
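As an added illustration of the claims-based, attribute-based model described in this conversation (credentials at different assurance levels, employer and citizenship attributes, a device attribute, and claims that count only when signed by a provider trusted to make them), here is a small policy engine. It is the editor's example, not Exostar's or MAG's code; the issuer names, keys, attribute names and the two policies are constructed for the demonstration, and an HMAC stands in for the issuer's signature.

```python
import hashlib
import hmac
import json

# Constructed issuer keys. A real federation would use X.509/SAML/OIDC signing keys;
# an HMAC stands in for that signature so the example runs offline.
ISSUER_KEYS = {
    "exostar": b"constructed-exostar-signing-key",
    "device-posture": b"constructed-endpoint-agent-key",
}

# What each issuer is trusted to assert: the identity hub vouches for who Nicole is
# and how she was proofed; the endpoint agent vouches only for the machine she uses.
ISSUER_SCOPE = {
    "exostar": {"credential", "employer", "citizen"},
    "device-posture": {"device"},
}

# Credential assurance, lowest to highest: password, OTP token, smartcard after in-person proofing.
LOA = {"password": 1, "otp-token": 2, "smartcard-in-person": 3}

# Per-resource policy: a purchase order needs only a password; a design document needs
# the top assurance level plus citizenship, employer and a managed device.
POLICIES = {
    "purchase-order": {"min_loa": 1, "require": {}},
    "design-document": {
        "min_loa": 3,
        "require": {"citizen": "US", "employer": "exostar", "device": "managed"},
    },
}


def issue_claim(issuer, subject, attrs):
    """A claim: a statement about a subject, signed by the provider making it."""
    payload = json.dumps({"iss": issuer, "sub": subject, "attrs": attrs}, sort_keys=True)
    mac = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_claim(claim):
    """Return the claim's contents if a trusted issuer signed it, otherwise None."""
    data = json.loads(claim["payload"])
    key = ISSUER_KEYS.get(data["iss"])
    if key is None:
        return None  # unknown issuer: nobody we trust is vouching
    expected = hmac.new(key, claim["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["mac"]):
        return None  # forged or tampered claim
    return data


def collect_attributes(subject, claims):
    """Merge attributes from verified claims, keeping only what each issuer may assert."""
    attrs = {}
    for claim in claims:
        data = verify_claim(claim)
        if data is None or data["sub"] != subject:
            continue  # unverifiable, or a claim about someone else
        for name, value in data["attrs"].items():
            if name in ISSUER_SCOPE[data["iss"]]:
                attrs[name] = value  # out-of-scope assertions are dropped
    return attrs


def decide(resource, subject, claims):
    """ABAC decision: (allowed, reason) for the subject's verified attributes."""
    attrs = collect_attributes(subject, claims)
    policy = POLICIES[resource]
    if LOA.get(attrs.get("credential"), 0) < policy["min_loa"]:
        return False, "credential assurance below the policy minimum"
    for name, wanted in policy["require"].items():
        if attrs.get(name) != wanted:
            return False, f"attribute not verified: {name}={wanted}"
    return True, "access granted"


if __name__ == "__main__":
    nicole = issue_claim("exostar", "nicole",
                         {"credential": "password", "employer": "exostar", "citizen": "US"})
    laptop = issue_claim("device-posture", "nicole", {"device": "managed"})
    print("purchase-order:", decide("purchase-order", "nicole", [nicole, laptop]))
    print("design-document:", decide("design-document", "nicole", [nicole, laptop]))
```

Note that the credential level is never read from the request itself: it only exists as an attribute once the identity hub has signed it, and a device agent asserting a credential level is ignored because that attribute lies outside its scope.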

###

In Part 2 of our conversation with Vijay Takanti, (coming Thursday), we discuss identifying common attributes for identities in other vertical industries; how Exostar's Managed Access Gateway simplifies connections and identity and access management among trading partners; and the current limits of strong authentication, among other topics.

