Streamlining Federation Within Vertical Communities via Common Identity Attributes: A B2B Federation Model Part 2

Exostar's Takanti On Identity Attributes, Strong Credentials, Hub-and-Spoke Cloud Federation Efficiencies

Identity federation lets trusted business and supply chain partners reach your internal applications. That streamlines transactions, but it raises risk when access rights are not tightly bound to verified user identities. That was a key theme in part one of Security Squared's conversation with Vijay Takanti, vice president, security and collaboration solutions, for Herndon, Va.-based Exostar.

Exostar's Managed Access Gateway is a cloud-based "identity hub" that manages identity federation for big aerospace and defense companies such as Lockheed Martin. Supply chain members log into the gateway, which verifies that they have been vetted before it grants them access to their trading partners' applications. In this scenario the Managed Access Gateway is the hub, with literally thousands of spokes emanating from it: a company that connects to the Gateway once can then connect to the others already linked by the hub.

Key to these connections is the use of attributes, details about the identities being federated, to make access decisions. Exostar has identified, and federates, a set of attributes common across the aerospace and defense community. In part 2 of our conversation, edited for clarity and length, we look at whether other vertical markets have similarly well-defined sets of basic attributes, the role of strong physical credentials in a federated world, and the efficiencies of a hub-and-spoke federation model.

******************

Sharon J. Watson: When you are talking about the attributes, and the realization that Exostar came to that [all] these companies in the aerospace and defense business are essentially collecting the same attributes on the same people, so why not do it once and provide the economies of scale, it seems to me that would be a very well-known group of attributes you're collecting because it's in a particular industry. If you're trying to move the model outside aerospace and defense, do you think other industries have equally clear-cut, definable attributes, or are they going to be very custom depending on the enterprise you're dealing with?

Vijay Takanti:
That's a very good question. Even in aerospace and defense, I wish it was as simple as I've made it sound. But what we're noticing, Sharon, is there are certain "core attributes" that are relevant independent of the industry. We are trying to standardize those core attributes across multiple industries....

The core attributes are primarily: what is the strength of the credential that Nicole is using to log into the system? It may be low, medium, high, but I need to know the strength so that I can give her access based on the strength. Who is Nicole employed by? Everybody wants to know that, [regardless] of the vertical. What is the strength of the endpoint security Nicole is using to access my information?

Typically, we are talking about [protecting] intellectual property. In the pharmaceutical world, it may be drug related; in the aeronautics world, it may be manufacturing related, but at the end of the day, it is intellectual property I am trying to protect. That is the use case we are seeing. For those kinds of use cases, there are core attributes we can identify.

Now when you talk about compliance, that is where there are differences. In the aerospace industry, we have export control, a bunch of attributes like citizenship, training or certification, and so on. In the pharmaceutical world, I have [CFR Title 21] compliance, which is related to drug testing, so I need a different set of attributes. Compliance, you are absolutely right, we are seeing differences.

But the core attributes, they're almost identical. Entities like CertiPath or The Federal Bridge [Certification Authority] in the US are focusing on those core attributes, and trying to make that notion consistent and common across industries. In the aerospace industry, you have CertiPath; in the pharmaceuticals industry you have SAFE.... These entities are essentially saying when you issue these credentials, they have to follow these rules.

When the Department of Motor Vehicles in Virginia issues me a driver's license, I can drive across the interstate. My driver's license from Virginia is accepted by California. So there are some core credentials about which California and Virginia have agreed. That's the same notion about [attributes in] the vertical industries.
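To make concrete how the core attributes Takanti lists (credential strength, employer, endpoint strength) and the compliance attributes that vary by industry feed an access decision, here is an added example in Python. It is not Exostar's code and does not reproduce the Managed Access Gateway's policy; the attribute names, the policy structure, the user "Nicole" with her claim values, and the two resource policies are constructed for illustration. The point it makes that the conversation only implies: the decision is deny-by-default, an attribute that is missing or carries an unrecognised value ranks below "low", and compliance flags are demanded only when the resource's policy lists them.

```python
"""Access decision over the 'core' and 'compliance' attributes of a federated user.

Added example for this article; it is not Exostar's code and does not
reproduce the Managed Access Gateway's policy. The attribute names, the
policy shape and the sample user and resources are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordered credential / endpoint strengths. A value outside this table ranks
# below "low", so an unknown or malformed claim can never satisfy a policy.
STRENGTH_RANK = {"low": 1, "medium": 2, "high": 3}


def rank(value) -> int:
    """Rank of a strength value; 0 for anything missing or unrecognised."""
    return STRENGTH_RANK.get(str(value).strip().lower(), 0)


@dataclass(frozen=True)
class Policy:
    """What one resource demands before a federated user may reach it."""
    min_credential_strength: str
    min_endpoint_strength: str
    allowed_employers: frozenset[str]
    # Compliance attributes (export control, certifications) that must be
    # present and True. Empty for resources with no regulatory requirement.
    required_flags: frozenset[str] = field(default_factory=frozenset)


def decide(claims: dict, policy: Policy) -> tuple[bool, list[str]]:
    """Deny by default: every requirement must be met by a claim that is present.

    Returns (allowed, reasons). 'reasons' names every failed check so the
    denial can be logged and explained to the supplier's help desk."""
    reasons: list[str] = []

    cred = claims.get("credential_strength")
    if rank(cred) < rank(policy.min_credential_strength):
        reasons.append(f"credential strength {cred!r} below required {policy.min_credential_strength}")

    endpoint = claims.get("endpoint_strength")
    if rank(endpoint) < rank(policy.min_endpoint_strength):
        reasons.append(f"endpoint strength {endpoint!r} below required {policy.min_endpoint_strength}")

    employer = claims.get("employer")
    if employer not in policy.allowed_employers:
        reasons.append(f"employer {employer!r} is not an approved trading partner")

    for flag in sorted(policy.required_flags):
        # 'is True' rejects strings such as "yes" or "true" that an IdP might emit.
        if claims.get(flag) is not True:
            reasons.append(f"compliance attribute {flag!r} missing or not affirmed")

    return (not reasons, reasons)


# --- constructed sample data ------------------------------------------------

# The article's "Nicole": password-plus-one-time-code login from a managed
# laptop, a US person whose export-control training has lapsed.
NICOLE = {
    "subject": "nicole@abc.example",
    "employer": "ABC Company",
    "credential_strength": "medium",
    "endpoint_strength": "medium",
    "us_person": True,
    "export_training_current": False,
}

# A low-value purchase-order site: any approved partner, a password will do.
PURCHASE_ORDERS = Policy("low", "low", frozenset({"ABC Company", "XYZ Corp"}))

# Export-controlled drawings: certificate-based login plus compliance flags.
EXPORT_DRAWINGS = Policy(
    "high", "medium", frozenset({"ABC Company"}),
    frozenset({"us_person", "export_training_current"}),
)

if __name__ == "__main__":
    for name, policy in [("purchase orders", PURCHASE_ORDERS), ("export drawings", EXPORT_DRAWINGS)]:
        allowed, why = decide(NICOLE, policy)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

Run as a script it allows Nicole into the purchase-order site and denies her the export-controlled drawings, listing both reasons (medium credential, lapsed training). Returning every failed check rather than the first one is deliberate: it is the explanation a hub's help desk needs when it triages a supplier's access problem, and it is what lets the supplier fix all of the gaps in one round.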

Strong Credentials

SJW: I'd looked at your news release about Lockheed Martin using the Managed Access Gateway, and it mentions using the different [strengths] of credentials that you talked about today, Vijay. I went back to look at the FIPS-201 standard about what it requires, and I'm struck by the lengths to which the Department of Defense and its trading partners go to issue strong credentials. You prove that you are who you are. How often are you seeing that level of verification in credentials [issued] outside of the Department of Defense area and how much does that have an impact on the service you are able to offer, if private enterprises are not going to those lengths with their credentialing?

VT: Are we seeing the demand? Yes, we are seeing the demand, primarily driven by the U.S. DOD. A number of suppliers that need access to Lockheed Martin applications need higher assurance certificates. Lockheed has specified that. We are seeing other companies follow through. One of our customers is a subsidiary of Textron which manufactures Bell helicopters. They are demanding certificates. Rolls-Royce, another of our customers, is demanding certificates. The others are catching up fast.

It is one thing to ask for certificates. It is another thing to make sure the applications know how to distinguish between certificate-based authentication and user ID password-based authentication. Applications are not built to do that, so [companies] are making investments to change their applications. Once they are ready, then they will come down and demand that from their suppliers.

In the pharmaceutical world...it may not be the FIPS-201 model, but there is the notion of 'know who you are dealing with.' You look at, for example, the financial industry. They call it 'Know your customer.' That's required by the Patriot Act. I have to know who my customer is.

So regulations, the need to protect investment in intellectual property and...increased cyber security threats, these factors are driving companies to acknowledge the Internet is good, it gives them a good access channel, but they need to share information with the same security as they would share information in the real world.

In the aerospace industry we are seeing customers so worried about security, they are sending information via FedEx rather than by e-mail because of compliance requirements. That's how they look at Exostar. We are the cyber FedEx company. We know where data has to be routed but we don't know the contents of the information.

We need to provide assurance to our customers we can do that religiously. Exostar is investing in how we provide that assurance: audit regimes, letting customers look at the processes we actually use. The credibility factor is a big issue to gaining trust. I believe that credibility is required across all vertical industries.

Federating Identities Via Cloud Connections

SJW:  With you doing identity in the gateway and collecting those attributes, does your service supersede identity management systems at the companies, the things that IBM, CA and Oracle sell, or is it complementary? Are you extracting information from those [IdMs] to fill your attributes?

VT: It is complementary. Our cloud service extends the identity management service of the enterprise. The typical use case we are involved in with the Managed Access Gateway is providing access to internal applications from external users--not just employees; they could be customers or suppliers--and these users access your internal applications more and more. Companies have extended their infrastructure.

As you mentioned, many companies build infrastructure using IBM, Sun and Oracle tools. We actually work with those tools. In this hybrid cloud concept, we collect those attributes, we link them to our cloud, which is basically the extension of the enterprise identity management systems. We link those attributes back to the enterprise identity management system so [external users] can get access to the applications or services they need.

I'll give you an example to make it clearer. Lockheed Martin--a typical use case they have is a business role called a buyer. A number of people in the procurement organization have this role, and they deal with their suppliers. They send them purchase orders, they have to get them to sign contracts, those sorts of things. They would like to do it electronically.

Lockheed Martin has an internal application that lets the buyer search for a given supplier or search for a class of suppliers based on [what] they are looking for. We have a system that lets them search for the suppliers and contact them electronically. Lockheed Martin has extended that concept [through the Managed Access Gateway].
 
I'm the buyer in Lockheed Martin, I search for ABC Company, but I don't find it in my database. It does not exist because Lockheed has never done business with that company. I have a link I can click on and it takes me to the Exostar Managed Access Gateway portal. I don't need to log in, because Exostar worked with Lockheed to make it seamless. I repeat my search at the Exostar portal. It finds ABC Company because Exostar is [also] doing business with Raytheon, Rolls and various other companies, and ABC Company may be doing business with those. So the buyer sees the company and says 'I want to do business with this company' and clicks on a link to connect that company with Lockheed. It is as simple as that.

The invitation is sent electronically to ABC Company by Exostar; when the invitation is responded to, we will make sure that the ABC Company representative actually completes a legal agreement, which is an extension of the Exostar service level agreement that has the additional terms and conditions Lockheed Martin wants us to pass through. Once that is completed, we then provide that information about the supplier and the user who is authorized to access Lockheed. That authorization is actually made by the ABC Company, not Lockheed, because Lockheed is interested in doing business with ABC Company, not a specific user in this scenario.

Once we have that information at Exostar about the company and the user, we supply it back to Lockheed through the web service. Then that is provisioned within the Lockheed Martin application. They acknowledge that back to Exostar through the Web service, and we note that process is completed, so the user has been granted access to the Lockheed Martin application. We notify the user, then the user can access the application--the user clicks on a link, which is the Lockheed Martin application link.  The Exostar screen prompts him or her for the credential, which could be a digital certificate or a user ID and password, depending on the application. Once she fulfills the requirement, she is now in the Lockheed Martin application, connected with the buyer.

That is the business transaction the Exostar Managed Access Gateway enables. It used to take multiple days for Lockheed to do that. Now they can do it all electronically. More importantly, if the supplier has a problem, they call Exostar. We take care of the supplier issues, the supplier questions, as well as we can. When we don't know the answers, we do the triage with Lockheed Martin.

Lockheed doesn't need to worry about on-boarding suppliers. If a supplier doesn't exist [in the Exostar community], we have a process to onboard the supplier, to provide them training, to tell them about identity. If the supplier doesn't know about identity management, we will train them. When all that is completed, we onboard the supplier and the connection is made to Lockheed.

Because it is very specialized, we have systems that allow us to do that efficiently in a scalable manner. We grew our community from 38,000 to 70,000 trading partners last year.

SJW: Is it your hope, Vijay, to build similar communities around the pharmaceutical industry, finance and high tech?

VT: It's not just a possibility. I'm actually working with one large pharmaceutical company so I hope maybe next year to have a different conversation with you about what we've achieved there.

Re-educating Applications

SJW: I don't mean to beat a dead horse, Vijay, but I do want to circle back to that need for a strong credential. It seems like a lot of the security is predicated on being able to have that multi-factor level of authentication, and I just want to be clear that I'm not overplaying it: Is it a valid observation that to ensure a certain level of security when you're federating like this that a strong credential is very important?

VT: Yes, it is important. All I'm suggesting is that it is important in the context of the business transaction. At Exostar, every day about 150,000 users log in to access various applications--Lockheed's applications, Raytheon's applications. Not all of those 150,000 people are using high assurance credentials or digital certificates in this context, which goes back to FIPS-201. Not everyone is using that. For two reasons: one, not every transaction is considered sensitive. For example, a purchase order for pizza--that level of transaction does not need a digital certificate. There, a user ID and password may be sufficient.

The second reason we are not seeing traction on the FIPS-201 certificates is that the applications by themselves today are not capable of distinguishing these different authentication strengths. So Exostar is able to tell [the application] these people are logged in with user ID or password or digital certificate. We can do that. But if I give that claim about the user to the application, the application needs to know how to act on that claim, how to convert that claim into something it can base a privileged decision on.

Typically, an application bases those decisions on information in its database. For example, let's take an application like SharePoint, which is typically used in information sharing. The SharePoint application looks into its repository about users, which is an Active Directory repository, and asks, 'Does Nicole belong to this group? If she belongs to the group, I'll give her access to the site folder.'

Now we have to change that SharePoint application's behavior. Rather than looking into that group membership in Active Directory, it has to look into the group membership coming on the wire, from the cloud. That is where we are seeing the uptake of digital certificates, of high assurance, taking time, because people have to change their applications. We think it will happen. It will happen at the pace at which we make investments in those applications.
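Takanti's SharePoint example, with the application reading group membership "coming on the wire, from the cloud" instead of from Active Directory, raises a question the conversation does not spell out: what must the application check before it believes those groups? The following added Python example (not Exostar's or Microsoft's code) shows the checks. A JSON payload with an HMAC-SHA256 signature stands in for the XML-signed SAML or WS-Federation token a real hub sends; the shared key, the issuer and audience identifiers, the site paths, the group names and the fixed clock are constructed assumptions.

```python
"""Trusting group membership that arrives on the wire from the identity hub.

Added example for this article; it is not Exostar's or Microsoft's code. A
JSON payload with an HMAC-SHA256 signature stands in for the XML-signed SAML
or WS-Federation token a real hub would send. The hub key, issuer name,
application audience, site paths and group names are constructed assumptions.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

HUB_KEY = b"constructed-key-shared-with-the-hub"   # assumption: provisioned out of band
TRUSTED_ISSUER = "urn:example:identity-hub"        # assumption
THIS_APP = "urn:example:sharepoint:program-x"      # assumption: this application's audience id
NOW = 1_700_000_000                                # fixed clock so the example is deterministic

STRENGTH_RANK = {"low": 1, "medium": 2, "high": 3}

# Per-site rules that used to be "is she in this AD group?". The groups are
# now read from the hub's token, and each site also states how strong the
# login must have been, which the old AD lookup could not express.
SITE_ACL = {
    "/sites/program-x/purchase-orders": {"groups": {"program-x-suppliers", "program-x-buyers"}, "min_strength": "low"},
    "/sites/program-x/drawings":        {"groups": {"program-x-engineers"}, "min_strength": "high"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = HUB_KEY) -> str:
    """Hub side: serialise the claims and sign them. Wire format: payload.signature"""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: int = NOW, key: bytes = HUB_KEY) -> dict:
    """Application side: return the claims only if signature, issuer, audience and expiry all hold."""
    payload, _, sig = token.partition(".")
    if not sig:
        raise ValueError("malformed token")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")      # forged, or altered in transit
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")    # not the hub we federate with
    if claims.get("aud") != THIS_APP:
        raise ValueError("wrong audience")      # genuine token, but issued for another application
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims


def may_open(token: str, site: str, now: int = NOW) -> bool:
    """The SharePoint-style check, with the AD group lookup replaced by the wire claims."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    rule = SITE_ACL.get(site)
    if rule is None:
        return False                            # unknown site: deny, do not fall back to AD
    strong_enough = STRENGTH_RANK.get(claims.get("auth_strength"), 0) >= STRENGTH_RANK[rule["min_strength"]]
    in_group = bool(set(claims.get("groups", [])) & rule["groups"])
    return strong_enough and in_group


# --- constructed sample traffic ---------------------------------------------

def nicole_token() -> str:
    """What the hub sends after Nicole logs in with a user ID and password."""
    return issue_token({"iss": TRUSTED_ISSUER, "aud": THIS_APP, "exp": NOW + 600,
                        "sub": "nicole@abc.example", "groups": ["program-x-suppliers"],
                        "auth_strength": "low"})


def forged_groups(token: str, groups: list[str]) -> str:
    """What someone who can rewrite the wire but lacks the hub key can produce:
    the payload changes, the signature still belongs to the old payload."""
    payload, _, sig = token.partition(".")
    claims = json.loads(_unb64(payload))
    claims["groups"] = groups
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"


if __name__ == "__main__":
    tok = nicole_token()
    print("purchase orders:", may_open(tok, "/sites/program-x/purchase-orders"))
    print("drawings:       ", may_open(tok, "/sites/program-x/drawings"))
    print("forged groups:  ", may_open(forged_groups(tok, ["program-x-engineers"]), "/sites/program-x/drawings"))
```

The forged_groups function is there to show why the signature check comes first: an attacker who can alter the payload but lacks the hub key can write any group into it, and the application rejects the token before it ever looks at the groups. The audience check matters as much: a token the hub legitimately issued for another partner's application must not open this one, even though the same hub signed it. A real deployment validates the XML signature against the hub's published certificate and allows for clock skew, neither of which this stand-in does.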

SJW: The last thing I wanted to check: Vijay, although the Managed Access Gateway, the identity hub, is an extension of an enterprise's existing identity management system, it sounds like your federation capabilities might be competing somewhat with the federation services that Sun, Oracle, IBM and CA would like to sell. I am trying to position these different [offerings] for myself.

VT:...[If] Lockheed wants to federate its identities with Boeing, they have to set up a connection. Lockheed might use Sun, Boeing might use CA, they have to make that connection to federate. There is no need for Exostar there; that is where we see competition.

But when Lockheed has to work with Boeing--and BAE Systems--and Raytheon--they have to set up so many connections. To make it even more complex, Lockheed is not one entity; it has six different business units. That is where we see federation becoming complex, and that is where the hub and spoke [model] makes sense. That is the enhanced link concept: we integrate it, they link once with us, and we give them access to other applications or other identity providers, depending on the case.

We also mitigate the complexity of interoperability. Federation has at least two standards: one in the Microsoft world, one in the Liberty Alliance world. These standards are interoperable but they are not the same technology. There are differences: we take care of those in the Managed Access Gateway. We also try to broker those transactions in the cloud.

For example, Lockheed Martin might be using a protocol called WS-Federation to connect to us. If Lockheed Martin wants to exchange claims with BAE Systems, which, let's say, is using SAML, Security Assertion Markup Language, a different protocol, we bridge that gap. We make sure we do the translation properly so that to BAE Systems it looks like a SAML claim; to Lockheed Martin it looks like a WS-Federation claim. So the hub provides the translation service, hides the complexity, the provisioning.
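The translation Takanti describes, a WS-Federation claim from Lockheed Martin turned into a SAML assertion for BAE Systems, is mostly a renaming of claim types, but a hub that does it carries two obligations the interview leaves implicit: it must decide which claims it will accept from a spoke at all, and it must never report a stronger credential than the inbound authentication method proves. The added Python example below (not Exostar's code, and not a description of how the Managed Access Gateway is built) shows both. The Microsoft and SAML claim-type URIs are real identifiers in common use; which of them a given partner emits, the strength assigned to each authentication method, the partner registry, the hub's own attribute names, and the choice to carry AuthnContextClassRef as if it were an attribute are assumptions.

```python
"""Hub-side translation of claims between a WS-Federation dialect and a SAML dialect.

Added example for this article; it is not Exostar's code and does not describe
the Managed Access Gateway's internals. The claim-type URIs are ones commonly
seen from Microsoft/ADFS and from SAML deployments; which claims a partner
really emits, the strength of each authentication method, the partner registry
and the hub's own attribute names are assumptions.
"""
from __future__ import annotations

# Spokes the hub has on-boarded: issuer identifier -> the organisation it is
# authoritative for. The employer attribute comes from here, never from the
# token, so a spoke cannot assert that its users work for someone else.
PARTNERS = {
    "urn:example:idp:lockheed": "Lockheed Martin",   # assumption
    "urn:example:idp:bae": "BAE Systems",            # assumption
}

# Authentication-method identifiers -> credential strength. Anything not
# listed is "low": the hub never guesses a stronger level than it can prove.
AUTH_STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509": "high",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient": "high",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": "high",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": "low",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": "low",
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509": "high",
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password": "low",
}

# Each dialect: canonical core attribute -> the name it travels under.
DIALECTS = {
    "wsfed": {
        "subject":     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "groups":      "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
        "auth_method": "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
        "employer":    "urn:example:hub:employer",                     # assumption: hub-defined
        "credential_strength": "urn:example:hub:credential-strength",  # assumption: hub-defined
    },
    "saml": {
        "subject":     "urn:oid:0.9.2342.19200300.100.1.3",   # mail
        "groups":      "urn:oid:1.3.6.1.4.1.5923.1.5.1.1",    # isMemberOf
        "auth_method": "AuthnContextClassRef",                 # really lives in the AuthnStatement; shown as an attribute here
        "employer":    "urn:oid:2.5.4.10",                     # organizationName
        "credential_strength": "urn:example:hub:credential-strength",  # assumption: hub-defined
    },
}

# The only attributes the hub takes from a spoke's own token. Employer and
# strength are derived by the hub, so a spoke cannot supply them directly.
SELF_ASSERTED_ONLY = {"subject", "groups", "auth_method"}


def _as_list(value) -> list[str]:
    """Multi-valued claims arrive as a string or a list; normalise to a sorted list."""
    if value is None:
        return []
    return sorted({value} if isinstance(value, str) else set(value))


def normalize(issuer: str, dialect: str, raw: dict) -> dict:
    """Inbound: map a spoke's claims onto the hub's core attributes."""
    if issuer not in PARTNERS:
        raise ValueError(f"unknown issuer {issuer!r}: not an on-boarded partner")
    names = DIALECTS[dialect]
    accepted = {names[k]: k for k in SELF_ASSERTED_ONLY}      # wire name -> canonical name
    core = {accepted[name]: value for name, value in raw.items() if name in accepted}
    core["groups"] = _as_list(core.get("groups"))
    core["credential_strength"] = AUTH_STRENGTH.get(core.get("auth_method"), "low")
    core["employer"] = PARTNERS[issuer]                        # authoritative; any o= / employer claim was dropped above
    return core


def emit(core: dict, dialect: str) -> dict:
    """Outbound: render the core attributes under the relying party's names."""
    names = DIALECTS[dialect]
    return {names[k]: v for k, v in core.items() if k in names}


def bridge(issuer: str, in_dialect: str, raw: dict, out_dialect: str) -> dict:
    """The hub's translation step: spoke dialect in, relying-party dialect out."""
    return emit(normalize(issuer, in_dialect, raw), out_dialect)


# --- constructed sample: BAE's SAML IdP -> a Lockheed WS-Federation application

BAE_ASSERTION = {
    "urn:oid:0.9.2342.19200300.100.1.3": "nicole@bae.example",
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": ["program-x-engineers", "cad-users"],
    "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
    "urn:oid:2.5.4.10": "Lockheed Martin",     # self-asserted employer: must be discarded
    "urn:oid:2.5.4.42": "Nicole",              # givenName: not a core attribute, dropped
}

if __name__ == "__main__":
    for name, value in bridge("urn:example:idp:bae", "saml", BAE_ASSERTION, "wsfed").items():
        print(f"{name}\n    = {value!r}")
```

The employer attribute never comes from the token: the hub looks it up from the issuer it already on-boarded, so the o=Lockheed Martin value in BAE's assertion is discarded rather than forwarded. The same applies to strength: a method the table does not know maps to "low", and the relying party sees the hub's verdict under a hub-defined name rather than having to interpret every partner's authentication-method vocabulary itself. A real bridge would also re-sign the outbound assertion, map NameID formats and carry the validity window across; none of that is shown here.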
 
# # #

Please be sure to read part one of our conversation with Vijay Takanti, discussing attribute-based access control.
