Identity management standards help DHS build networks of trust

Jason Miller interviews Donna Roy, executive director of DHS' Information Sharing Environment Office

Jason Miller | April 17, 2015 6:02 pm

The Homeland Security Department wants to build networks of trust with state, local and federal government partners, as well as with international and private sector organizations. The goal is to make information sharing easier and more secure.

One of the only ways to do that is through federated identity management. So DHS is putting the pieces in place to ease the burden of managing so many different identities.

Across the government, the homeland security agencies are a few steps ahead of most others when it comes to implementing identity management interoperability standards.

The Justice Department, for example, sponsors identity management standards that let all levels of government exchange law enforcement data.

“There’s a Global Federated Identity and Privilege Management (GFIPM) standard, which allows us to exchange information from state, local, tribal, international and private sector with the federal government. It carries a set of standardized attributes, so that I know when some come with a Security Assertion Markup Language (SAML) assertion with GFIPM attributes that there is some fidelity if they come through an identity provider that has been approved by National Strategy for Trusted Identities in Cyberspace (NSTIC),” said Donna Roy, the executive director of DHS’ Information Sharing Environment Office and the program director for DHS’ Homeland Security Information Network and the National Information Exchange Model. “When they say they are a sworn law enforcement officer, I can trust that. I can put them into the appropriate parts of our systems that can see law enforcement data.”


She said the next step is for companies and governments to adopt and use those standards, especially in software.

Rules-based access control

Roy, who spoke recently at the AFCEA Bethesda, Md., chapter’s breakfast on identity management, said the goal is for agencies to share trusted attributes as part of a policy- and risk-based access control approach to securing their data.

It’s the long-sought after idea of attaching roles and responsibilities to each person that are updated in real time. This approach both ensures law enforcement officers have access to the right data, at the right time, and protects sensitive or classified information from unauthorized use.

The Information Sharing Environment validated a similar approach to identity management last year. Through a back-end attribute exchange, Justice led a pilot where federal law enforcement officials shared data with local and state government police officers using a pre-determined and pre-cleared set of identity management attributes.

Roy said DHS already is heading down a role-based identity management path for its employees and contractors.

“We are also working in the department on implementing a really rigorous, what I call, the information sharing and access policy framework. A way to codify what I know about the identity of a person who needs to access a DHS system or other systems for which we steward,” she said. “Everything I need to know about the data and how we need to protect the data, and then this other small piece called authorized purpose, which really codifies how we are charged to protect that data given the systems of records notices, privacy impact assessments and framework for that. I think we are putting in place some advanced interoperability standards.”

DHS is applying initial pieces of this framework to the Homeland Security Information Network (HSIN). Earlier this summer, DHS launched version 3 of HSIN, adding enhanced security features as well as geospatial information system mapping tools to improve how information is shared across the user communities.

Part of those enhanced security features included the move toward two-factor authentication and away from usernames and passwords.

Initial pushback

Roy said over the last year, users migrated to the new system and had to go through a new identity proofing process.

She said 90 percent went through using an automated process, but the remaining employees had to go through a more manual background check.

“We are strengthening the network of identity as we re-released HSIN this year,” Roy said. “There was a lot of push back in the identity proofing process because people didn’t understand that while we were using public record information, credit reports or other types of information. We were using it through a broker so the program never saw any of that information. I think there was a lot of angst that that maybe wasn’t communicated as well. We underestimated the effort to communicate exactly what was happening inside the service box that was outside the HSIN program’s responsibility. We were just using a service and saying ‘Tell us yes or no, did we pass the identity proofing process?'”

Roy said it took time to overcome some of fears of the user community. She said HSIN is in a good place now after months of struggling to gain the trust.

She said part of the communication challenge to employees was explaining the role of the identity broker. It’s the same concept that the National Institute of Standards and Technology and the Postal Service plan on using for the Federal Cloud Credential Exchange (FCCX).

“You’ll have identity providers and relying parties who want to use those identities, and in the middle is that broker who is anonymizing a lot of those transactions,” Roy said. “I think the biggest challenge in rolling out the FCCX is the same thing HSIN faced, understanding what happens in that black box. Citizens can trust their information isn’t mixed around and when they have a transaction with a commercial vendor, it’s not shared with a transaction on the federal side.”

Once DHS communicated how the broker model works, Roy said the angst quickly turned into understanding because the standards were similar to authenticating the user’s identity in the commercial world.

“What’s amazing is that we had whole communities saying, ‘We will never do that.’ Yet, the numbers, as we migrated people, never showed that. We consistently had about 90 percent go through the automated process. While the angst was there, we never realized it and we went right through to ‘Oh, it’s not that big of a deal.'”

HSPD-12 goals

Along with sharing with external partners, DHS has set internal goals for expanding the use of secure smart identity cards under Homeland Security Presidential Directive-12 (HSPD-12).

Roy, who also leads that effort, said DHS committed to the Office of Management and Budget to have 75 percent of all employees access the computer network through HSPD-12 cards by the end of 2014.

Currently, DHS is at 32 percent across the department, which was below its 50 percent goal.

“It’s not a culture issue with the federal employees. Everyone wants to make it easier — less usernames and passwords, less passwords I have to remember is something our users want,” Roy said. “It’s mostly the mix of applications that have their own authentication mechanisms that have to be changed and that does relate to resources and funding in a tight fiscal environment. Some of these are small applications and some are large so what we are after is an understanding of which ones can we do have the propensity to move us forward on the goal with the largest number of people and then do the smaller ones. It’s the smaller ones that will eventually take us from 90 to 100 percent.”


Agencies eager to understand benefits of cloud credential exchange

IT is DHS’s next challenge for better intel sharing

PM-ISE shepherds secure data sharing tool from validation to expansion