The FICAM Roadmap and Implementation Guide articulates the need to provide government-wide services for common ICAM requirements. In addition, an execution priority for FICAM is to demonstrate the value of policy-driven access control in Government systems. One of the ways we are moving forward in this area is by piloting the operational use of attribute services, backed by attribute providers, that can act as a single point of query for relying parties.
What is an attribute provider (AP)?
The National Strategy for Trusted Identities in Cyberspace (PDF) describes an AP as being "... responsible for the processes associated with establishing and maintaining identity attributes. Attribute maintenance includes validating, updating, and revoking the attribute claim. An attribute provider asserts trusted, validated attribute claims in response to attribute requests from relying parties."
Why is this important?
- We are moving into an era where dynamic, contextual, policy driven mechanisms are needed to make real time access control decisions at the moment of need.
- The policy-driven nature of these decisions requires that the decision-making capability be externalized from systems/applications/services rather than embedded within them, and that policy be treated as a first-class citizen.
- The inputs to these decisions are information about the subject, information about the resource, and contextual information, all of which are often expressed as attributes.
- These attributes can reside in multiple sources where the level of confidence a relying party can have in an attribute may vary and has many components (Working on this one).
- The relevant attributes are retrieved (“pulled”) from the variety of sources at the moment when a subject needs to access a system and are not pre-provisioned into the system.
- Standards! Standards! Standards! All of the moving parts here (finding/correlating attributes, movement of attributes across organizational boundaries, decision control mechanisms, etc.) need to use standards-based interfaces and technologies.
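To make the pull-based model above concrete, here is an added illustration (not code from the BAE specification or any FICAM component): a minimal policy decision point that queries several attribute providers at the moment of the request, merges what they return by the confidence the relying party places in each source, and evaluates a policy held as data outside the application. The providers, subjects, attribute names, and confidence values are constructed for the example.

```python
# Constructed, in-memory stand-ins for attribute providers. A real deployment
# would query each source over a standards-based interface at decision time.
PROVIDERS = {
    "hr":       {"subject-a": {"agency": "DHS", "clearance": "SECRET"}},
    "training": {"subject-a": {"pii_training": "current"}},
    "legacy":   {"subject-a": {"clearance": "CONFIDENTIAL"},
                 "subject-b": {"clearance": "SECRET", "pii_training": "current"}},
}
# Assumed confidence the relying party places in each source (higher is better).
PROVIDER_CONFIDENCE = {"hr": 3, "training": 2, "legacy": 1}

def pull_attributes(subject_id):
    """Pull attributes from every provider now, keeping the value from the
    highest-confidence source when providers disagree. Nothing is cached or
    pre-provisioned into the relying party."""
    merged = {}
    for name, store in PROVIDERS.items():
        conf = PROVIDER_CONFIDENCE[name]
        for attr, value in store.get(subject_id, {}).items():
            if attr not in merged or conf > merged[attr][1]:
                merged[attr] = (value, conf)
    return merged

# Policy externalized as data: each rule is (attribute, required value,
# minimum source confidence) for an action on a resource.
POLICY = {
    "view-sensitive-report": [
        ("clearance", "SECRET", 3),
        ("pii_training", "current", 2),
    ],
}

def decide(subject_id, action, context):
    """Policy decision combining pulled subject attributes with request context."""
    rules = POLICY.get(action)
    if rules is None:
        return "Deny"                      # no policy for this action
    if not context.get("piv_authenticated"):
        return "Deny"                      # contextual requirement on the request
    attrs = pull_attributes(subject_id)
    for attr, required, min_conf in rules:
        value, conf = attrs.get(attr, (None, 0))
        if value != required or conf < min_conf:
            return "Deny"                  # wrong value, or source not trusted enough
    return "Permit"

if __name__ == "__main__":
    print(decide("subject-a", "view-sensitive-report", {"piv_authenticated": True}))
```

Note that subject-b is denied even though a source asserts the right clearance: the only source asserting it is the low-confidence one, which is the kind of per-attribute trust question the bullet above is still working through.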
How will this capability be implemented?
As a first step, we are partnering with PM-ISE on an operational pilot (real missions, real data, real systems, real users) of the FICAM Backend Attribute Exchange (BAE) capability.
The BAE capability provides a "... standards-based architecture and interface specification to securely obtain attributes of subjects from authoritative sources in order to make access control decisions."
If interested in its technical details, do check out the final version of the BAE v2 technical documentation set:
- BAE v2.0 Overview
- SAML 2.0 Identifier & Protocol Profiles for BAE v2.0
- SAML 2.0 Metadata Profile for BAE v2.0
- BAE v2.0 Governance
As someone who has been involved with the BAE since the first prototype, it is interesting for me to look back on the timeline for how we got here. [Full Disclosure: Some of the links below point to blog entries from before I entered Federal Government service; at that time, I was a contractor supporting the DHS Science & Technology Directorate as the Technical Lead for their Identity Management Testbed.]
- [2009] Prototype implementation of the BAE architecture between DHS S&T and DOD DMDC West. Focus was just on PIV/CAC driven attribute retrieval
- [2009 - Present] Ongoing, and successful, work with vendors to "bake-in" support for BAE Protocol Profiles into their products
- [2010] End-to-end proof-of-concept implementation (synthetic data) between DHS (S&T/FEMA/HSIN/OCIO) and DOD (NORTHCOM/NSA/DISA) that demonstrated the real-time ABAC capabilities possible by implementing a "pull-based" identity and access control architecture using the BAE. Expanded specification to accommodate non-smartcard driven attribute retrieval use cases
- [2010] DHS S&T submitted lessons learned and outputs of prototypes and pilots to FICAM to make it part of the FICAM work stream
- [2011] Partnership between FICAM and DHS S&T to stand up a Reference Implementation of BAE v2 in the DHS S&T Identity Management Testbed
- [2011] FICAM Stands up the E-Government Trust Services (EGTS) CA capable of issuing NPE certificates to BAE Compliant Attribute Services
- [2012 - January] Final version of the BAE v2 specification is released (also directly linked to above) which includes support for privacy/consent-based attribute release
- [Now] We are moving out ...
RELATED POSTS
- From AAES to BAE - Implementing Collection and Sharing of Identity Data
- What is new with the BAE Operational Deployment?
- by Anil John