Authentication Session III

From AFCEAWiki


Session III: Decoupling Authentication and Authorization in the Enterprise


Abstract

Where does Authentication service end and Privilege management service begin?

Moderator

  • Mr. Al Mink, Principal Systems Engineer, SRA

Panel

  • Ms. Samantha Crowell, Army NETCOM
  • Mr. Gordon Hannah, Managing Director, BearingPoint
  • Ms. Trish Janssen, Div Chief, Dep PM DoD PKI PMO, DISA
  • Ms. Rebecca Nielsen, Senior Associate, Booz Allen Hamilton


Threads

  • What is the design of the policy enforcement engine for establishing access rules based on attributes?
  • What is the design of the policy decision engine for granting access after analyzing the policy enforcement engine (PEE) output?
  • What is the difference between single sign on and authentication in a Federated environment?

1. Ms. Samantha Crowell

a. We need rapid authentication and an ability to provide partial access without a CAC
b. Like for authentication, we need a federated authorization/privilege capability
c. The Common Access Card should only contain data related to authentication, and not contain 
   other personal information

2. Mr. Gordon Hannah

a. Credentials such as CAC often should contain more than just identity information
b. Authorization is different from authentication, but related.
c. Authentication should be based on risk -- but the challenge is implementing such an approach
d. The Federal Government is likely to follow a trend emerging in the commercial world --
   tools to refine access dynamically and at a very granular level based on risk.

3. Ms. Trish Janssen

a. Authentication should not be synonymous with allowing access to a resource.  
   Access should be considered based on additional factors
b. "Unanticipated Users," particularly those from external organizations, is a growing
   challenge.  It complicates access decisions and requires policy in advance.  
   It also can trigger unanticipated licensing fees and other costs incurred by adding
   external users.  This also suggests that a "light portal" or some other form of limited
   access makes sense for the lighter trust often associated with external users.
c. Should access control be made at the system or data level -- or both?
   What are the implications of each approach?

4. Rebecca Nielsen

a. Privilege needs to be granted at different levels and the strength (trust) of an
   authentication should affect the level of access permitted.
b. Resource owners are responsible for both protecting and sharing their resources.  
   They would benefit by knowing that every authentication had an audit trail 
   -- down to the credential itself
   -- that clearly identified those others responsible for verifying a user's request 
      for the resources.
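The threads above ask how a policy enforcement engine and a policy decision engine should be designed around attributes, and the last two panelists argue that the strength of an authentication should feed the access level while every decision leaves an audit trail back to the credential. The following is an added illustration of that split, not code from the session or from any panelist's organization: an authenticator hands over only an identity, an assurance level and attributes; a policy decision point (PDP) treats the assurance level as one attribute among others and picks an access level; a policy enforcement point (PEP) enforces the decision and records who vouched for the user. All resource names, attribute values, assurance tiers and rules are constructed assumptions.

```python
"""Added example: PEP/PDP split with authentication strength as an attribute.
Every name, attribute value and rule here is an illustrative assumption."""

from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


class Assurance(IntEnum):
    """Strength of the authentication event, weakest to strongest (constructed tiers)."""
    NONE = 0        # nothing presented
    PASSWORD = 1    # single-factor secret
    FEDERATED = 2   # assertion from an external identity provider we trust
    HARDWARE = 3    # hardware token with PIN (CAC-class credential)


LEVELS = ["none", "limited", "full"]   # ordered access levels


@dataclass(frozen=True)
class Subject:
    """What authentication produces: identity, how it was proven, who vouched, attributes."""
    user_id: str
    assurance: Assurance
    issuer: str                 # credential issuer / identity provider
    attributes: Dict[str, str]  # e.g. {"org": "army"}


@dataclass(frozen=True)
class Rule:
    """Grants `level` on `resource` when assurance >= `min_assurance` and `condition` holds."""
    resource: str
    min_assurance: Assurance
    level: str
    condition: Callable[[Subject], bool]
    reason: str


@dataclass(frozen=True)
class Decision:
    level: str
    reason: str


class PolicyDecisionPoint:
    """Evaluates rules; knows nothing about how authentication happened beyond the assurance attribute."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, subject: Subject, resource: str) -> Decision:
        best = Decision("none", "no rule matched")
        for rule in self.rules:
            if rule.resource != resource or subject.assurance < rule.min_assurance:
                continue
            if not rule.condition(subject):
                continue
            # Keep the most permissive matching rule.
            if LEVELS.index(rule.level) > LEVELS.index(best.level):
                best = Decision(rule.level, rule.reason)
        return best


class PolicyEnforcementPoint:
    """Fronts the resource: asks the PDP, enforces the answer, and writes the audit trail."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit_trail: List[Dict[str, str]] = []

    def request(self, subject: Subject, resource: str) -> Decision:
        decision = self.pdp.decide(subject, resource)
        # The record ties the decision to the credential and its issuer, so the
        # resource owner can see who verified the user, not just the user's name.
        self.audit_trail.append({
            "user": subject.user_id, "issuer": subject.issuer,
            "assurance": subject.assurance.name, "resource": resource,
            "level": decision.level, "reason": decision.reason,
        })
        return decision


# Constructed policy: full access needs a hardware credential plus membership in
# the owning organisation; a federated external user gets a "light portal" view;
# anything weaker is refused outright.
RULES = [
    Rule("personnel-db", Assurance.HARDWARE, "full",
         lambda s: s.attributes.get("org") == "army",
         "hardware credential and owning-org member"),
    Rule("personnel-db", Assurance.FEDERATED, "limited",
         lambda s: "org" in s.attributes,
         "federated external user: limited view"),
]


def run_demo() -> Tuple[List[str], List[Dict[str, str]]]:
    """Runs three constructed subjects against the policy; returns levels and audit trail."""
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))
    subjects = [
        Subject("alice", Assurance.HARDWARE, "example-pki", {"org": "army"}),
        Subject("bob", Assurance.FEDERATED, "partner-idp", {"org": "contractor"}),
        Subject("carol", Assurance.PASSWORD, "local-db", {"org": "army"}),
    ]
    levels = [pep.request(s, "personnel-db").level for s in subjects]
    return levels, pep.audit_trail


if __name__ == "__main__":
    levels, trail = run_demo()
    print(levels)   # ['full', 'limited', 'none']
    for record in trail:
        print(record)
```

The point of the separation is that the authenticator never decides access and the PDP never inspects a credential: the only thing that crosses the boundary is the assurance level and attributes, so a new credential type or a federated partner can be added by mapping it to an assurance tier without touching the access rules, and the audit record still names the issuer that vouched for the user.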