Risk, Rewards and Repercussions, 29-30 September, Gaithersburg, MD

Program Agenda

*subject to change

Tuesday, 29 September | Identity Management Program (Day 1)

*Presentations will take place in the Green Auditorium

8:30 Coffee & Registration in the Green Auditorium Foyer
*Open to TC members only ~ contact Dee Schur to join 

June Leung, Chair, OASIS IDtrust Member Section




Session Chair: Mary Ruddy, Founder, Meristic, Inc.

User-Driven Initiatives Roundtable

User-driven identity standards such as Information Cards can help increase government transparency and public involvement while reducing costs. Enabling government websites to conduct secure, privacy-protected transactions with users requires new approaches to identity. Come hear how a growing community is leveraging open identity standards such as Information Cards and OpenID to enable more transparent government.

Panel Speakers:

  • Don Thibeau, Executive Director, OpenID Foundation

  • Drummond Reed, Executive Director, Information Card Foundation

  • Debbie Bucci, Integration Services Center Program Lead at Center for Information Technology (CIT), National Institutes of Health (NIH)

  • John Bradley, CSO, ooTao Inc.

  • Ron Carpinella, Vice President of Identity Management, Equifax

11:15 Coffee Break in the Green Auditorium Foyer

KEYNOTE SESSION: Addressing Privacy, Trust, and Accountability
Session Chair:  John Sabo, Director, Global Government Relations, CA, Inc.

As the federal government begins to work out the details of the role different types of authentication will play in new open government projects, privacy considerations are at the forefront of the discussion. When must individuals be anonymous, when can they be pseudonymous, and when must they be fully identified? What privacy concerns are raised by private sector involvement, and how can they be addressed? Does government use of private sector social media sites, where users are already authenticating themselves, alleviate privacy concerns or raise new privacy issues? Mary Ellen Callahan, CPO of DHS and co-chair of the Privacy Sub-Committee of the CIO Council, will address these questions and offer a vision for the way forward.

Ari Schwartz, Vice President and Chief Operating Officer of the Center for Democracy and Technology, will respond to Callahan's remarks and provide a view of the expectations of privacy advocates, the press and Congress as authentication solutions are developed.

Keynote Speakers:

  • Ari Schwartz, Vice President and Chief Operating Officer, Center for Democracy and Technology (CDT)

  • Mary Ellen Callahan, Chief Privacy Officer, U.S. Department of Homeland Security

12:30 Lunch

Session Chair:  John Bradley, CSO, ooTao Inc.

  • Experiences with Implementing OpenID for a Broad User Base: Usability and Security Considerations
    Speaker: Breno de Medeiros, Security Engineer, Google, Inc.

  • Open federated identity systems present unique usability and security challenges because of their broad user base and the lack of formal business relationships between identity providers and consumers (relying parties). In October 2008, Google enabled OpenID for every Google Account, taking an innovative approach to the user experience and to the security of OpenID identifiers. In this presentation, the speaker will describe security considerations about the OpenID protocol and how usability considerations can inform the communication of privacy choices to users.

  • Beyond Compliance: Advanced SmartGrid Authentication
    Speaker: Paul Miller, Senior Vice President of Marketing, Product Manager, Uniloc

  • With the recent electrical grid hacks and infrastructure penetrations by foreign actors, critical infrastructure security is at the top of our minds for national security. Combined with less-than-secure mandated smart-grid technology upgrades and NERC and FERC regulations and standards, security professionals are looking for ways to mitigate risk and control access to systems and information, particularly in industries designated as critical infrastructure, including water, power, oil and gas, chemicals and transportation. Organizations responsible for critical infrastructure are struggling to enable system access for key operational and vendor support personnel while ensuring that strong controls are in place to prevent unauthorized access and comply with industry regulations. These industries require security solutions that prevent the disruption of mission-critical applications and protect valued assets. The situation is compounded because industrial control systems operate differently from sector to sector and from standard IT systems. This session addresses techniques and best practices, including combining traditional strong user authentication with hardware configuration-based device signatures to ensure that only authorized personnel and devices can gain access.

  • A Comprehensive Approach to Making Export and Intellectual Property Authorization Decisions
    Speaker: John Tolbert, Identity and Authorization Controls Architect, The Boeing Company

  • This presentation will discuss an XACML US export control profile that contains a list of standard attributes used in making export control authorization decisions. The profile attributes are based on the Export Administration Regulations from the U.S. Department of Commerce and the International Traffic in Arms Regulations from the U.S. Department of State. In addition, the speaker will discuss another XACML profile for intellectual property controls, which is based on an international understanding of intellectual property laws and protection schemes. This work is currently being developed as an OASIS Open Document Format for Office Applications metadata specification that contains elements that correspond to the XACML profiles mentioned above. The goal is to ultimately provide a comprehensive approach to making export and intellectual property authorization decisions using OASIS open standards.
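The relying-party side of the OpenID security considerations mentioned in the Google talk above, as an added example that is not code from the original page or from Google's implementation. It follows the OpenID Authentication 2.0 wire format (HMAC-SHA1 over the key-value form of the fields listed in openid.signed) and performs the checks a relying party must make before trusting a positive assertion: return_to, association handle, coverage of the signed fields, the signature itself, and freshness and single use of response_nonce. The association MAC key, the OP endpoint, the identifiers and the nonce are constructed for the demo.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion.

Added example; the MAC key, OP endpoint, identifiers and nonce below are
constructed for the demo and are not taken from any real deployment.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed: MAC key the RP obtained from a prior association with the OP,
# indexed by assoc_handle (HMAC-SHA1 associations use a 20-byte key).
ASSOCIATIONS = {"assoc-demo-1": os.urandom(20)}

# Fields that openid.signed must cover in an OpenID 2.0 positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

# Fixed "current time" so the nonce freshness check is reproducible.
DEMO_NOW = datetime(2009, 9, 29, 15, 0, tzinfo=timezone.utc)


def signed_kv_form(fields, signed_list):
    """Key-value form ('key:value\\n' per signed field, in openid.signed order)
    over which the OP computes the signature."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_list).encode()


def sign(fields, mac_key):
    """Base64 HMAC-SHA1 over the signed fields, i.e. the value of openid.sig."""
    body = signed_kv_form(fields, fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, body, hashlib.sha1).digest()).decode()


class NonceStore:
    """Remembers (op_endpoint, response_nonce) pairs so an assertion cannot be replayed."""

    def __init__(self):
        self._seen = set()

    def record(self, op_endpoint, nonce):
        """Return False if this nonce was already accepted from this OP."""
        if (op_endpoint, nonce) in self._seen:
            return False
        self._seen.add((op_endpoint, nonce))
        return True


def verify_assertion(fields, expected_return_to, nonces, now, skew=timedelta(minutes=5)):
    """Return (True, 'ok') or (False, reason). The signature is checked before the
    nonce is recorded, so unsigned garbage cannot poison the nonce store."""
    if fields.get("openid.ns") != "http://specs.openid.net/auth/2.0" or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    # return_to must match the URL this response actually arrived at.
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    mac_key = ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
    if mac_key is None:
        # A real RP would fall back to direct verification (check_authentication).
        return False, "unknown association handle"
    signed_list = fields.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed_list):
        return False, "required fields not signed"
    if any(("openid." + k) not in fields for k in signed_list):
        return False, "signed field missing from response"
    for k in ("claimed_id", "identity"):  # must be signed whenever present
        if ("openid." + k) in fields and k not in signed_list:
            return False, f"{k} present but not signed"
    if not hmac.compare_digest(str(fields.get("openid.sig", "")), sign(fields, mac_key)):
        return False, "bad signature"
    nonce = fields["openid.response_nonce"]
    try:  # nonce starts with a UTC timestamp, e.g. 2009-09-29T14:59:30Z
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - ts) > skew:
        return False, "stale nonce"
    if not nonces.record(fields["openid.op_endpoint"], nonce):
        return False, "replayed nonce"
    return True, "ok"


def make_demo_response(mac_key, return_to, nonce):
    """Constructed positive assertion, signed the way a demo OP would sign it."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


if __name__ == "__main__":
    store = NonceStore()
    resp = make_demo_response(ASSOCIATIONS["assoc-demo-1"], "https://rp.example/return",
                              "2009-09-29T14:59:30ZUNIQUE")
    print(verify_assertion(resp, "https://rp.example/return", store, DEMO_NOW))
    print(verify_assertion(resp, "https://rp.example/return", store, DEMO_NOW))  # replay
```

Two details matter in practice: the return_to comparison should be against the URL the response was actually delivered to, not a value copied from the response, and the nonce must be recorded only after the signature verifies, otherwise an attacker who cannot forge signatures can still fill the store with nonces and deny service to legitimate assertions.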

2:45 Break
Session Chair:  June Leung, Chair, OASIS IDtrust Member Section

  • Use of SAML v2.0 in Government-wide Interoperable Attribute Sharing for Controlling Physical & Logical Access

    Speakers: Anil John, Technical Lead for DHS S&T’s Identity Management Testbed, Johns Hopkins University – APL & Karyn Higa-Smith, Program Manager for Identity Management in the DHS Science and Technology Directorate’s (DHS S&T) Command, Control and Interoperability (CCI) Division

  • FIPS 201 defines a government-wide interoperable identification credential for controlling physical access to federal facilities and logical access to federal information systems. The FIPS 201 credential, known as the Personal Identity Verification (PIV) Card, supports PIV Cardholder authentication using information securely stored on the PIV Card. But additional off-card information is often needed to enable physical access to facilities and logical access to information systems. This presentation describes a SAML V2.0 deployment profile and reference implementation, jointly developed by the Department of Homeland Security (DHS) and the Department of Defense (DOD) and submitted to the Federal CIO Council ICAMSC, that specifies how a principal who has been issued a PIV Card is represented as a SAML Subject and how this off-card information (identity- and authority-based attributes) can be exchanged in an interoperable and secure manner across the Federal Government.

  • Lessons Learned from Implementing Existing Standards: Dos and Don'ts for Implementing Authentication Standards
    Speaker: Jeff Stapleton, CTO, Cryptographic Assurance Services LLC

  • This session will take a look at which X9 and other standards (e.g., ISO, PCI DSS) are currently being used for authentication assessments and the effect they’ve had on combating fraud and reducing risk. The speaker will share past initiatives, current compliance programs, and new standards emerging on the horizon. Field work experience will also be discussed anecdotally to provide guidance to implementers and assessors.

Break in the Green Auditorium Foyer

Session Chair:  Tim Brown, VP and Chief Architect for Security Management, CA, Inc.

  • Leveraging Relationships and Managing Identity – Two Sides of the Social Networking Coin
    Speakers: Mike Gotta, Principal Analyst, Burton Group & Alice Wang, Director, Burton Group

  • Use of social networking tools and applications to improve information sharing and collaboration will transform how organizations think about, and manage, identities. Profiles, social graphs, and activity streams enable employees to construct their own social identities across internal and external constituencies. Participation in social networks and community contributions enable employees to establish their own social roles and reputations. This session will examine the benefits, risks, and implications of more open collaboration and transparent knowledge sharing on identity management strategies.

  • Social Networking in Government Enterprises: Risks and Rewards Roundtable

    The use of social networking and Web 2.0 technology within government and enterprises has great advantages and many challenges. There is an increasing need to collaborate, to communicate and to be open. At the same time, we must maintain security and privacy. How do we strike an appropriate balance? Many individuals have multiple “personas”. How do we address the challenges of mixing professional and personal personas? How do we maintain appropriate levels of identity assurance and trust within these environments? This panel of experts will address these and other aspects of social networking in government and enterprise.

      Panel Speakers:

    • Ron Plesco, CEO, NCFTA

    • Denise Tayloe, President & CEO, Privo

    • J. Brent Williams, Chief Technology Officer, Anakam, Inc.

    • Jodi Florence, Marketing Director for Identity Verification Provider, Idology Inc.

    • Alexander B. Howard, Associate Editor, SearchCompliance.com

5:35 Conference Adjourns for the Day
6:00 Cocktail Reception at the Marriott Hotel, shuttle service available