Authentication Session II
From AFCEAWiki
Session II: Device Authentication and Authorization
Abstract
Trusted computing from untrusted devices: putting trust in our IT infrastructure in a world where machine-to-machine interaction occurs.
Moderator
- Mr. Al Mink, Principal Systems Engineer, SRA
Panel
- Mr. Curtis Levinson, CSO, Qwest Government Services
- Mr. Jerry Iwanski, Route 1
- Mr. Joe Mettle, Sr Tech Director, DoD PKI Prog Mgmt Office
- Mr. Brent Williams, CTO, Anakam
Threads
- What type of provisioning of the IT enterprise infrastructure is needed (e.g., identify, enroll)?
- What is the impact on the infrastructure (e.g., load on the network, how performance is affected)?
- How do we establish and control access control lists and privileges for devices and services?
- What is our vetting process and how do we build trust in the IT infrastructure?
1. Curtis Levinson
a. Certification & Accreditation implications of evolving authentication approaches.
b. FISMA is 6 years old and out of touch for today's challenges.
-- The notion of a "System boundary" has changed significantly
-- A change to a system's authentication often requires a new C & A.
c. Compliance with today's broken and burdensome requirements not only requires too much effort and time, but it also creates a false illusion of security, as FISMA is insufficient today to address many security issues.
2. Joe Mettle
a. Controlling device access to the network is important for security, but two past attempts at procuring such a capability were terminated early because industry solutions to manage access for DoD's 35 million devices were too immature.
b. OSD & DISA are now again in the process of considering industry solutions for network access control.
3. Jerry Iwanski
a. Device access is an incredibly important factor in securing our information. Yet, this gets harder as you move to the edge (deployed forces). We need an approach that supports core infrastructure as well as the edge of our network.
b. Virtualization provides many benefits to the enterprise, but it complicates device authentication. What is the device when it's been virtualized?
4. Brent Williams
a. Device access must start with questions about the business process and the network infrastructure.
b. The issues in device authentication are more about humans and culture than about technology.
c. The best approach to device authentication is to abstract all entities requesting access -- people, devices, and services -- by treating them all as objects.
d. However, there are some unique characteristics of each class of object -- people, devices, and services -- that would affect the attributes needed for authentication and authorization.
