Security and Federated Identity Management

What's New:

 
 

 

Introduction

Achieving information sharing objectives requires that partners establish wide-scale electronic trust among the caretakers of critical information and those who need and are authorized to use that information.  The information is sensitive-inappropriate sharing is just as dangerous as lack of sharing. That is where a new and rapidly maturing technology called federated identity comes in.  Federated identity allows a user's roles, rights, and privileges to be communicated securely in the justice community and, in particular, to those who hold the information required to effectively safeguard our nation.

The Global Federated Identity and Privilege Management (GFIPM) framework provides the justice community and partner organizations with a standards-based approach for implementing federated identity.  The concept of globally understood metadata across federation systems is essential to GFIPM interoperability.  Just as a common Extensible Markup Language (XML) data model was the key to data interoperability, a standard set of XML elements and attributes about a federation user's identities, privileges, and authentication can be universally communicated.  The GFIPM metadata and framework support the following three major interoperability areas of security in the federation:

  • Identification/Authentication - Who is the end user and how were they authenticated?
  • Privilege Management - What certifications, clearances, job functions, local privileges, and organizational affiliations are associated with the end user that can serve as the basis for authorization decisions?
  • Audit - What information is needed or required for the purposes of auditing systems, systems access and use, and legal compliance of data practices?
     
The GFIPM Metadata specification is being used in a limited pilot capacity today. Lessons learned and feedback from this pilot were incorporated into the public release of the GFIPM Metadata specification.


Building a Federation for Secure and Trusted Information Sharing
''Federation'' is a fundamental concept in this framework.  The federation provides a standardized means for allowing agencies to directly provide services for trusted users that they do not directly manage.  A federation is defined as a ''group of two or more trusted partners with business and technical agreements that allow a user from one federation partner (participating agency A) to seamlessly access information resources from another federation partner (participating agency B) in a secure and trustworthy manner.''  Major organizational participants in a federation vet and maintain information on the users they manage, and each federation partner retains control over the business rules for granting access to the sensitive information it owns.  The federation partners establish the electronic trust needed to securely access information by sending standards-based electronic credentials to federation partner information service(s).  The federation partner information service(s) evaluate the trusted electronic credential to determine whether to grant or deny access to the requested service or information.

A similar business model exists in passport processing.  A federation of governmental agencies has agreed to vet and maintain information on its citizens as a prerequisite for issuing a passport.  Border agents will grant or deny access to enter or leave the country based on evaluation of a passport-a trusted credential issued by a federation partner asserting identity and citizenship of a particular country.  The country (federation partner) providing the service to enter or exit the country applies its own business rules based on the passport information and other attributes known at the time of the request.


GFIPM Components
GFIPM uses a standardized XML credential as the key part of federated identity to be used by members and partners of the justice community.  Using the GFIPM credential will allow information to be shared in a new way-with reduced management burden and improved security and on a broader scale. It represents a strategic change and dramatic improvement in the way justice organizations establish the electronic trust needed to share information.

At the highest level of concept within the GFIPM model, there are three vital components that must interact between users of multiple systems:
  • Identity Provider (IDP)
  • Service Provider (SP)
  • User Credential Assertions (Metadata)

Within a federation, organizations play one or both of two roles: identity provider and/or service provider.  The identity provider is the authoritative entity responsible for authenticating an end user and asserting an identity for that user in a trusted fashion to trusted partners. The identity provider is responsible for account creation, provisioning, password management, and general account management.  This may be achieved with existing locally accepted security mechanisms and tools.

Federation partners who offer services or share resources are known as service providers. The service provider relies on the identity provider to assert information about a user via an electronic user credential, leaving the service provider to manage access control and dissemination based on a trusted set of user credential assertions.  As mentioned above, an organization that is a service provider can also be an identity provider.


Global Advisory Committee Recommendation
In the past three to four years, federated identity deployments have grown, matured, and expanded in depth and breadth across multiple industries.  As the standards have matured, more organizations are becoming aware of the compelling business case for building federated communities. As such, a critical objective of the Global Security Working Group (GSWG) for GFIPM is to ensure compatibility by collaborating with other key ongoing projects that cross domain boundaries, such as the National Information Exchange Model, the Office of the Director of National Intelligence, and the Law Enforcement Information Sharing Program.

Federated identity is part of the GSWG's vision for promoting secure nationwide information sharing.  To this end, the Global Advisory Committee has made the following recommendations on behalf of Global:
  • Recognize GFIPM as the recommended approach for development of interoperable security functions for authentication and privilege management for information exchange among cross-domain justice information sharing systems,
  • Adopt the GFIPM: A Global Concept Activities and Progress Report as a recommended resource for next steps and activities to further the utility of GFIPM for the justice community, and
  • Urge the members of the justice community to consider GFIPM as a potential building block to a layered security solution when authenticating uses among cross-domain organizations.


GFIPM Participants
The GFIPM initiative is supported through the Office of Justice Programs, Bureau of Justice Assistance (BJA); National Institute of Justice (NIJ); and the U.S. Department of Homeland Security (DHS).  The GSWG provides oversight for this initiative.  The GSWG GFIPM Delivery Team is chaired by Mr. John Ruegg, Los Angeles County Information Systems Advisory Body.  The GFIPM specifications have evolved through a collaborative effort of BJA, NIJ, DHS, and major contributors, including the Criminal Information Sharing Alliance network, Regional Information Sharing Systems network, Pennsylvania Justice Network, and Los Angeles County Information Systems Advisory Body.  John Wandelt, Georgia Tech Research Institute, is the GFIPM Project Manager.


Contact Us
For more information about Global efforts, including the GFIPM initiative and corresponding deliverables, please use the Contact Us form. 
 
 
 

 

GFIPM Metadata Specification Version 1.0

The GFIPM Metadata specification is being used in a limited pilot capacity today. Lessons learned and feedback from this pilot were incorporated into the public release of the GFIPM Metadata specification.
Submitted: 9/25/2008 12:22:03 PM

Global Federated Identity and Privilege Management (GFIPM) Executive Summary

This executive summary provides a high-level overview for justice organizations that are looking for ways to provide secured access to information while enabling wide scaled information sharing over the Internet.  This resource details the GFIPM framework which provides mechanisms and tools for implementing a standards-based justice credential.
Submitted: 9/25/2008 12:21:33 PM

Global Federated Identity and Privilege Management (GFIPM) Project Plan

This resource provides projected project timelines and deliverables.
Submitted: 9/25/2008 12:21:10 PM

Global Federated Identity and Privilege Management (GFIPM) Security Interoperability Demonstration Project Report

This project report was submitted by The Georgia Tech Research Institute (GTRI) to describe the background, activities, and lessons learned from the GFIPM Demonstration Project.
Submitted: 9/25/2008 12:20:53 PM

Global Federated Identity and Privilege Management (GFIPM) Users' Conference Briefing

This PowerPoint presentation was submitted by the Georgia Tech Research Institute (GTRI) to provide an introduction and status of the GFIPM project.  These slides were delivered during the Chicago Users' Conference on August 21, 2007.
Submitted: 9/25/2008 12:20:29 PM
Privacy and Civil Liberties Protection
Fusion Centers and Intelligence Sharing
Justice Reference Architecture
National Information Exchange Model
Global Justice XML (Archive)
Security and Federated Identity Management
Site Tools
Amber Alert logo COPS logo Department of Homeland Security logo E-Gov logo USA dot gov logo
Contact Us | Plug-Ins | Privacy Policy
Legal Policies and Disclaimers | Notice of Federal Funding and Federal Disclaimer