Identity management standards help DHS build networks of trust

Friday - 1/3/2014, 8:12am EST

Jason Miller interviews Donna Roy, executive director of DHS' Information Sharing Environment Office

Download mp3

The Homeland Security Department wants to build networks of trust with state, local and federal government partners, as well as with international and private sector organizations. The goal is to make information sharing easier and more secure.

One of the only ways to do that is through federated identity management. So DHS is putting the pieces in place to ease the burden of managing so many different identities.

Across the government, the homeland security agencies are a few steps ahead of most others when it comes to implementing identity management interoperability standards.

The Justice Department, for example, sponsors identity management standards that let all levels of government exchange law enforcement data.

"There's a Global Federated Identity and Privilege Management (GFIPM) standard, which allows us to exchange information from state, local, tribal, international and private sector with the federal government. It carries a set of standardized attributes, so that I know when some come with a Security Assertion Markup Language (SAML) assertion with GFIPM attributes that there is some fidelity if they come through an identity provider that has been approved by National Strategy for Trusted Identities in Cyberspace (NSTIC)," said Donna Roy, the executive director of DHS' Information Sharing Environment Office and the program director for DHS' Homeland Security Information Network and the National Information Exchange Model. "When they say they are a sworn law enforcement officer, I can trust that. I can put them into the appropriate parts of our systems that can see law enforcement data."

She said the next step is for companies and governments to adopt and use those standards, especially in software.

Rules-based access control

Roy, who spoke recently at the AFCEA Bethesda, Md., chapter's breakfast on identity management, said the goal is for agencies to share trusted attributes as part of a policy- and risk-based access control approach to securing their data.

It's the long-sought after idea of attaching roles and responsibilities to each person that are updated in real time. This approach both ensures law enforcement officers have access to the right data, at the right time, and protects sensitive or classified information from unauthorized use.

The Information Sharing Environment validated a similar approach to identity management last year. Through a back-end attribute exchange, Justice led a pilot where federal law enforcement officials shared data with local and state government police officers using a pre-determined and pre-cleared set of identity management attributes.

Roy said DHS already is heading down a role-based identity management path for its employees and contractors.

"We are also working in the department on implementing a really rigorous, what I call, the information sharing and access policy framework. A way to codify what I know about the identity of a person who needs to access a DHS system or other systems for which we steward," she said. "Everything I need to know about the data and how we need to protect the data, and then this other small piece called authorized purpose, which really codifies how we are charged to protect that data given the systems of records notices, privacy impact assessments and framework for that. I think we are putting in place some advanced interoperability standards."

DHS is applying initial pieces of this framework to the Homeland Security Information Network (HSIN). Earlier this summer, DHS launched version 3 of HSIN, adding enhanced security features as well as geospatial information system mapping tools to improve how information is shared across the user communities.

Part of those enhanced security features included the move toward two-factor authentication and away from usernames and passwords.

Initial pushback

Roy said over the last year, users migrated to the new system and had to go through a new identity proofing process.

She said 90 percent went through using an automated process, but the remaining employees had to go through a more manual background check.

"We are strengthening the network of identity as we re-released HSIN this year," Roy said. "There was a lot of push back in the identity proofing process because people didn't understand that while we were using public record information, credit reports or other types of information. We were using it through a broker so the program never saw any of that information. I think there was a lot of angst that that maybe wasn't communicated as well. We underestimated the effort to communicate exactly what was happening inside the service box that was outside the HSIN program's responsibility. We were just using a service and saying 'Tell us yes or no, did we pass the identity proofing process?'"