If you are like me, you would want proof positive that NAC will work with FIPS 201 smart cards. In 2007, we set out to prove it to ourselves, so we constructed an Ecosystem Lab scenario to demonstrate SSO using products from two different NAC vendors, FIPS 201 smart cards, a few network switches and routers, and a directory.
Here is a video of one of many use cases we demonstrated to ourselves in the Ecosystem Lab.
The video clearly shows that SSO can work with NAC and FIPS 201 smart cards. Now that you know that it works, the first challenge is to make sure you purchase products that will interoperate as well as the ones in our Ecosystem Lab. The second, and bigger, challenge is to 1) determine your network authentication policy and 2) make sure you have enough data in your directory infrastructure to implement that policy.
How much security is enough?
Prudent and transparent security is now a cost of doing business. Those that modernize now survive; those that don't, won't.
To modernize efficiently and effectively: 1) find a community that defines cyber security prudence, and 2) adopt enterprise architecture and project management practices to control your modernization initiatives.
Tuesday, January 29, 2008
SSO Lab with NAC and FIPS 201 Cards
Monday, January 14, 2008
Network Access and Identity Management Converge
In 2007 we circulated the concept with the network vendor community that Network Access Management was a critical ingredient in a modern identity management capability. We couldn't understand why network authentication was never spoken of in the same breath as identity management.
Think about it. Where is the first point of access: a) your domain, b) your applications, or c) your network?
The right choice is obviously C. The network has always been the first point of access, but usually only the first point of authentication for remote access users (e.g. teleworkers). If network access is not authenticated, users or visitors might place their personal laptops on your network, and will automatically be given an IP address. If these "rogue" laptops have malware on them or have not been hardened, they can be used to launch attacks on your applications and data from the soft underbelly of your agency LAN. Network access management solves this problem by forcing users and devices to authenticate to the network FIRST before anything else can happen.
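The two posts above make the same point from different angles: network access is decided first, and that decision is only as good as the policy you write and the directory data behind it. The following is an added example, not code from the original post or from any NAC product. It models the authorization step that a NAC/RADIUS server performs after it has already validated a PIV certificate chain: the identity from the certificate is looked up in the directory, and a VLAN decision is made. All directory attribute names, UPNs, card serials and VLAN numbers are constructed for this illustration; the point it adds is that a record missing the attributes the policy needs cannot be authorized at all, which is the "enough data in your directory" problem.

```python
"""Toy NAC authorization policy evaluated against directory data (added example).

Assumes the RADIUS/EAP-TLS step has already validated the smart-card certificate;
this is the policy decision that follows. Every record below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Attributes the policy needs in every directory record (hypothetical names).
REQUIRED_ATTRS = ("enabled", "groups", "card_serial", "card_revoked", "separation_date")

# Constructed directory, keyed by the UPN carried in the PIV certificate SAN.
DIRECTORY = {
    "jdoe@agency.example.gov": {
        "enabled": True, "groups": {"staff", "finance"},
        "card_serial": "PIV-0001", "card_revoked": False, "separation_date": None,
    },
    "contractor1@agency.example.gov": {
        "enabled": True, "groups": {"contractors"},
        "card_serial": "PIV-0002", "card_revoked": False,
        "separation_date": date(2008, 1, 3),   # left the agency, never deprovisioned
    },
    "legacy@agency.example.gov": {             # migrated from a silo; card data missing
        "enabled": True, "groups": {"staff"},
    },
}

# Policy: group -> VLAN, most privileged first. Unknown or failed -> quarantine.
VLAN_BY_GROUP = {"finance": 20, "staff": 10, "contractors": 30}
QUARANTINE_VLAN = 999
GUEST_VLAN = 900


@dataclass
class AuthRequest:
    upn: Optional[str]        # identity from the certificate; None if no card presented
    card_serial: str
    device_compliant: bool    # posture result reported by the NAC agent


@dataclass
class Decision:
    action: str               # "allow" or "deny"
    vlan: int
    reason: str


def directory_gaps(directory=DIRECTORY):
    """Return {upn: [missing attributes]} for records the policy cannot evaluate."""
    gaps = {}
    for upn, entry in directory.items():
        missing = [a for a in REQUIRED_ATTRS if a not in entry]
        if missing:
            gaps[upn] = missing
    return gaps


def evaluate(req: AuthRequest, directory=DIRECTORY, today=date(2008, 1, 29)) -> Decision:
    """Decide network access for one authenticated request; fail closed on bad data."""
    if req.upn is None:
        return Decision("deny", GUEST_VLAN, "no authenticated identity; guest VLAN only")
    entry = directory.get(req.upn)
    if entry is None:
        return Decision("deny", QUARANTINE_VLAN, "certificate identity not mapped in directory")
    missing = [a for a in REQUIRED_ATTRS if a not in entry]
    if missing:
        return Decision("deny", QUARANTINE_VLAN, "directory record incomplete: " + ", ".join(missing))
    if not entry["enabled"]:
        return Decision("deny", QUARANTINE_VLAN, "account disabled")
    if entry["card_revoked"] or entry["card_serial"] != req.card_serial:
        return Decision("deny", QUARANTINE_VLAN, "card revoked or does not match directory")
    if entry["separation_date"] is not None and entry["separation_date"] <= today:
        return Decision("deny", QUARANTINE_VLAN, "user separated but account not deprovisioned")
    if not req.device_compliant:
        return Decision("deny", QUARANTINE_VLAN, "device failed posture check")
    for group in ("finance", "staff", "contractors"):
        if group in entry["groups"]:
            return Decision("allow", VLAN_BY_GROUP[group], f"member of {group}")
    return Decision("deny", QUARANTINE_VLAN, "no group maps to a network policy")


if __name__ == "__main__":
    print("records the policy cannot evaluate:", directory_gaps())
    for req in (AuthRequest("jdoe@agency.example.gov", "PIV-0001", True),
                AuthRequest("contractor1@agency.example.gov", "PIV-0002", True),
                AuthRequest("legacy@agency.example.gov", "PIV-0003", True),
                AuthRequest(None, "", False)):
        print(req.upn, "->", evaluate(req))
```

Running it shows the separated contractor and the incomplete legacy record both landing in quarantine with a reason that names the data problem; `directory_gaps()` is the kind of check to run before you turn enforcement on, so that missing attributes surface as a cleanup list rather than as a wave of help-desk calls.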
We are thrilled that Gartner put network access into their most recent identity and access management report (19 November 2007). If agencies implement network access without considering the wider enterprise identity management capability, there is a huge risk that your agency will not achieve a basic level of single sign on, and in the worst case you might find that your network access products are not interoperable with your HSPD-12 smart cards, leaving you with the choice of 1) replacing your network access investments or 2) turning off or not deploying network access. Neither option is a good one.
You can avoid this tough decision by planning network access and domain access architectures in tandem. In a future post, we will post a screencast of single sign on using your FIPS 201 smart cards.
Thursday, January 10, 2008
Obtaining Funding - Example Line of Sight
One of the identity management technologies within a modern identity management capability is an enterprise provisioning tool. If you don't have one today, or the ones you currently have are in silos dispersed throughout pockets of your agency, you may need to obtain funding to purchase an enterprise provisioning tool.
The discipline of Enterprise Architecture offers some great models that will help you obtain your funding. Because I am so results oriented, one of my personal favorite EA models is the "line of sight" diagram. They clearly communicate how investing in something down in the weeds can deliver real business results.
I had a conversation with Mike Tiemann at the FEAC Institute last week. As many of you know, Mike is a (if not "the") leading expert in Enterprise Architecture for Federal Agencies. According to Mike, "Line of Sight is a powerful way to get business and mission owners to see and understand the value of technologies." So, to use the right tool for the job, you may want to include a line of sight diagram in your business case.
If you are not sure what a "line of sight" diagram looks like, here is an example that I put together for an enterprise provisioning tool.
The details don't quite fit in the blog space. If you would like the Visio template or would like to use this diagram as a starting point, just shoot us an email at noconcreterafts@litmuslogic.com from your .gov email address.
Sunday, January 6, 2008
Certified Concrete Rafts - Don't let HSPD-12 become one at your agency
One of my favorite sayings is "You can certify a concrete raft, but would it float?" I picked this saying up some time ago when ISO 9000 was the big thing. Certifications are great, but they often don't tell us whether we will get real results.
The saying is equally applicable to HSPD-12 today. Your agency is being measured by OMB based on the number of cards deployed. Your HSPD-12 system, whether turnkey or through GSA's managed service, is C&A'd, which means it is also certified.
So, your progress is certified by OMB and your system is certified by security, but are you getting real results from your identity management capability?
I am going to pick on one of many identity-related metrics to think about: the time it takes to revoke a contractor's smart card after they leave the service of your agency. Is it 1 minute, 1 day, 1 month, 1 year, or rarely?
I don't have actual numbers to back this up, but my SWAG is that agencies probably hit 1 day 5% of the time and 95% of the time it is closer to 1 year. Imagine the press if a terrorist were to obtain a super secure smart card that wasn't revoked and then used it to gain remote access to your agency, or even worse, use it to gain access to another agency that trusts your credentials.
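If you want actual numbers instead of a SWAG, the metric above is easy to compute once separation dates and card revocation dates sit in the same place. The following is an added Python example, not code from the original post: it takes a list of constructed contractor records (UPN, separation date, revocation date or none), buckets each revocation lag into the 1 day / 1 month / 1 year bands the paragraph uses, and returns the cards that are separated but still unrevoked as an action list. The record format, the 30-day and 365-day band widths and the one-day grace period are assumptions for this illustration.

```python
"""Time-to-revoke metric for departed contractors' smart cards (added example).

Input records are constructed: (upn, separation_date, revocation_date_or_None).
"""
from datetime import date, timedelta

# Constructed sample: four revoked cards with different lags, two not yet revoked.
RECORDS = [
    ("a@agency.example.gov", date(2007, 6, 1),  date(2007, 6, 1)),    # same day
    ("b@agency.example.gov", date(2007, 7, 15), date(2007, 7, 16)),   # 1 day
    ("c@agency.example.gov", date(2007, 8, 1),  date(2007, 8, 20)),   # 19 days
    ("d@agency.example.gov", date(2007, 3, 1),  date(2007, 9, 1)),    # 184 days
    ("e@agency.example.gov", date(2007, 10, 1), None),                # still active
    ("f@agency.example.gov", date(2008, 1, 5),  None),                # left yesterday
]

BUCKETS = ("within_1_day", "within_1_month", "within_1_year", "over_1_year")
GRACE = timedelta(days=1)   # assumed: one day to process a separation before it is overdue


def lag_bucket(lag_days: int) -> str:
    """Map a revocation lag in days onto the bands used in the post."""
    if lag_days <= 1:
        return "within_1_day"
    if lag_days <= 30:
        return "within_1_month"
    if lag_days <= 365:
        return "within_1_year"
    return "over_1_year"


def revocation_lag_report(records=RECORDS, as_of=date(2008, 1, 6)):
    """Return bucket counts, the share revoked within a day, and overdue cards."""
    counts = {b: 0 for b in BUCKETS}
    counts["overdue"] = 0
    counts["pending"] = 0
    overdue = []
    for upn, separated, revoked in records:
        if revoked is not None:
            counts[lag_bucket((revoked - separated).days)] += 1
        elif as_of - separated > GRACE:
            counts["overdue"] += 1
            overdue.append(upn)          # active credential for a departed person
        else:
            counts["pending"] += 1       # inside the grace period, not yet a finding
    revoked_total = sum(counts[b] for b in BUCKETS)
    pct_day = 100.0 * counts["within_1_day"] / revoked_total if revoked_total else 0.0
    return {"counts": counts, "pct_within_1_day_of_revoked": pct_day, "overdue": overdue}


if __name__ == "__main__":
    report = revocation_lag_report()
    print(report["counts"])
    print(f"{report['pct_within_1_day_of_revoked']:.0f}% of revocations happened within 1 day")
    print("separated but still unrevoked:", report["overdue"])
```

The overdue list is the part to wire into your process: each entry is an active credential for someone who no longer works for you, and the bucket percentages tell you whether the 1-day target is being hit or whether you are closer to the 1-year guess.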
Don't get me wrong. FIPS 201 smart cards are brilliant and are the biggest success story since the Internet. But if we stop short on our identity management capabilities now, then we can claim that 1) we deployed smart cards enterprise wide and 2) we invented the first open standards smart card. This is okay. But what we can't claim is that 3) we heightened government security, significantly cut operating costs, and increased customer satisfaction.
What a powerful thing to say. Only clever ideas could satisfy such divergent goals simultaneously.
If you are like me, you would rather be known for #3. To get to #3, we must be persistent and carry on with modernizing our identity management capabilities. This won't be easy work. There are a lot of processes to tune, systems to link together, and data to cleanse. It can be done and it is worth doing well. If we stop short we won't achieve real results, and HSPD-12 becomes a concrete raft.
Tuesday, January 1, 2008
How will you use your HSPD-12 Smart Card?
Did you see the IG response to DHS's HSPD-12 progress? It wasn't too pleasant. Not only did they get hammered for not implementing in a timely fashion, they also did NOT have a plan for using the card.
Let's face it, without a usage plan, the smart card will be one expensive flash pass!!
What is in your usage plan?