Program Agenda

OPENING REMARKS: SETTING THE STAGE
June Leung, Chair, OASIS IDtrust Member Section

KEYNOTE SESSION: Addressing Privacy, Trust, and Accountability
Session Chair:  John Sabo, Director, Global Government Relations, CA, Inc.

As the federal government begins to develop the details on the role of different types of authentication will play in new open government projects, privacy considerations are at the forefront of discussion. When must individuals be anonymous, when can they be pseudonymous and when must they be fully identified? What privacy concerns are raised by private sector involvement and how can they be addressed? Does government use of private sector social media sites where users are already authenticating themselves alleviate privacy concerns or raise new privacy issues? Mary Ellen Callahan, CPO of DHS and co-Chair of the Privacy Sub-Committee of the CIO Council will address these questions and offer a vision forward.

Ari Schwartz, Vice President and CPO of the Center for Democracy and Technology will respond to Callahan's remarks and provide a viewpoint of the expectations of privacy advocates, the press and Congress as authentication solutions are developed.

Keynote Speakers:

• Ari Schwartz, Vice President and Chief Operating Officer, Center for Democracy and Technology (CDT)


• Mary Ellen Callahan, Chief Privacy Officer, U.S. Department of Homeland Security
  

IMPLEMENTATION CONSIDERATIONS
Session Chair:  John Bradley, CSO, ooTao Inc.

• Experiences with Implementing OpenID for a Broad User Base: Usability and Security Considerations
  Speaker: Breno de Medeiros, Security Engineer, Google, Inc.

Open federation identity systems provide unique usability and security challenges, due to the broad user base and the lack of formal business relationships between identity providers and consumers. On October 2008, Google enabled every Google Account user for OpenID use, taking an innovative approach to the user experience and to the security of OpenID identifiers. In this presentation, the speaker will describe security considerations about the OpenID protocol, and also how usability considerations can inform communication of privacy choices to users.


• Beyond Compliance: Advanced SmartGrid Authentication
  Speaker: Paul Miller, Senior Vice President of Marketing, Product Manager, Uniloc
  
  
With the recent electrical grid hacks and infrastructure penetrations by foreign bodies, critical infrastructure security is at the top of our minds for national security. Combined with less than secure mandated smart-grid technology upgrades and NERC and FERC regulations and standards, security professionals are looking for ways to mitigate risk and control access to systems and information particularly in industries designated as critical infrastructure, including water, power, oil and gas, chemicals and transportation. Organizations responsible for critical infrastructure are struggling to enable system access by key operational and vendor support personnel, while ensuring that strong controls are in place to prevent unauthorized access and comply with industry regulations. Industries designated as critical infrastructure require security solutions that prevent the disruption of mission-critical applications and protect valued assets. The situation is compounded for these organizations due to industrial control systems, operate differently from sector to sector and from standard IT systems. This session addresses techniques and best practices, including combining traditional strong user authentication with hardware configuration-based device signatures to ensure only authorized personnel and devices can gain access.


• A Comprehensive Approach to Making Export and Intellectual Property Authorization Decisions
  Speaker: John Tolbert, Identity and Authorization Controls Architect, The Boeing Company

This presentation will discuss an XACML US export control profile that contains a list of standard attributes used in making export control authorization decisions. The profile attributes are based on the Export Administration Regulations from the U.S. Department of Commerce and the International Traffic in Arms Regulations from the U.S. Department of State. In addition, the speaker will discuss another XACML profile for intellectual property controls, which is based on an international understanding of intellectual property laws and protection schemes. This work is currently being developed as an OASIS Open Document Format for Office Applications metadata specification that contains elements that correspond to the XACML profiles mentioned above. The goal is to ultimately provide a comprehensive approach to making export and intellectual property authorization decisions using OASIS open standards.

• Use of SAML v2.0 in Government-wide Interoperable Attribute Sharing for Controlling
  Physical & Logical Access
  Speakers: Anil John, Technical Lead for DHS S&T’s Identity Management Testbed, Johns Hopkins University – APL & Karyn Higa-Smith, Program Manager for Identity Management in the DHS Science and Technology Directorate’s (DHS S&T) Command, Control and Interoperability (CCI) Division

FIPS 201 defines a government-wide interoperable identification credential for controlling physical access to federal facilities and logical access to federal information systems. The FIPS 201 credential, known as the Personal Identity Verification (PIV) Card, supports PIV Cardholder authentication using information securely stored on the PIV Card. But additional off-card information is often needed to enable physical access to facilities and logical access to information systems. This presentation describes a SAML V2.0 deployment profile and reference implementation, jointly developed by of Homeland Security (DHS) and the Department of Defense (DOD) and submitted to the Federal CIO Council ICAMSC, that specifies how a principal who has been issued a PIV Card is represented as a SAML Subject and how this off-card information (identity and authority based attributes) can be exchanged in an interoperable and secure manner across the Federal Government.


• Lessons Learned from Implementing Existing Standards: Dos and Don'ts for Implementing Authentication Standards
  Speaker: Jeff Stapleton, CTO, Cryptographic Assurance Services LLC
  
  
This session will take a look at which X9 and other standards (e.g., ISO, PCI DSS) are currently being used for authentication assessments and the effect they’ve had on combating fraud and reducing risk. The speaker will share past initiatives, current compliance programs, and new standards emerging on the horizon. Field work experience will also be discussed anecdotally to provide guidance to implementers and assessors.