Risk, Rewards and Repercussions, 29-30 September, Gaithersburg, MD

Program Agenda

*subject to change

Wednesday, 30 September | Identity Management Program (Day 2)

*Presentations will be held in the Green Auditorium

08:30 Coffee & Registration in the Green Auditorium Foyer
9:15 KEYNOTE SESSION: Addressing Privacy, Trust, Accountability
Session Chair:  Don Thibeau, Executive Director, OpenID Foundation

  • Identity Systems and People: Understanding the Values that Technical Systems Affect
    Keynote Speaker:  Jim Harper, Director of Information Policy Studies, CATO Institute

  • It is easy to lose track of the human values that technical systems affect, including privacy, fair treatment, personal security, and others. Failing to understand and embrace these values will undermine public acceptance of any program or system, especially when sensitive information is involved or when a system transfers power away from the individual. This talk will explore how identity systems, databases, and other technologies are really all about people.

  • Compliance and Comparability in Trusting Federated Identity Credentials
    Keynote Speaker:  Peter Alterman, Senior Advisor for Strategic Initiatives, National Institutes of Health (NIH)

  • Implementing the government's e-authentication trust model requires a relying party application to rely on assertions regarding identity, and perhaps associated attributes, at known levels of assurance. Even after years of asserting this approach, few agencies are willing to trust an external entity's assertion of identity. In part, this is due to a conservative tendency for an application owner to want to control all elements of an electronic transaction, historically by issuing userID/password pairs to users. But another reason is that agency application owners, and often agency security and executive leadership, do not believe that identity credentials issued by outside entities comply with their security needs. A further impediment, an additional degree of separation, is introduced by the concept of comparability of trust. In his talk, Peter will address the issues that continue to impede widespread adoption of federated identity authentication by federal relying party applications and, drawing on a number of success stories, suggest strategies for moving past this particular impediment.
Break in the Green Auditorium Foyer



Session Chair: Don Schmidt, Principal Architect, IDA Technical Strategy Group, Microsoft Corporation

  • Bridging the GAPS of Governance Models in eGov Initiatives
    Speakers: Rakesh Radhakrishnan, Chief Identity Architect and Lead Technologist in the Communications Market Area, Sun Microsystems & Badri Sriraman, Chief Architect & Development Manager, Identity & Credentialing, Unisys Corporation

  • If "Trust equates to Truth over Time", then "Transparency equates to Truth in real time", and trust and transparency go hand in hand. Since 2009, President Obama's administration has embarked on large-scale transparency initiatives that open up government, allow for citizen participation and ensure accountability. This presentation will cover some of the strategic transparency initiatives embarked on by this administration and will attempt to align them with the IDM Task Force Report and Recommendations that came from the OSTP in 2008. The speakers will discuss how IDM becomes the core technology when transparency is achieved via technology: by allowing for a secure conduit that can carry attributes across networks, business domains, different stakeholders, multiple nations and, more importantly, between federal government agencies. It will also cover the notion of an identity-enabled architecture and an identity-enabled network, which allow for an identity-centric security model with a pervasive policy paradigm and a conduit that carries context; these act as the foundation for enabling transparency and trust.

  • Implementation of Privacy Management Throughout the Life Cycle of Personal Information
    Speakers: Michael Willett, President, WillettWorks and John Sabo, Director, Global Government Relations, CA, Inc. Both are members of the board of the International Security Trust and Privacy Alliance (ISTPA)

  • Practical privacy management does not yet have the structured, architectural underpinnings enjoyed by security technology. This session will describe and illustrate original work by the International Security, Trust and Privacy Alliance (ISTPA) that provides a reference model for an operational implementation of privacy management throughout the life cycle of personal information. The ISTPA Privacy Management Reference Model introduces 10 implementable Services around which designers can architect and build privacy management systems. By name, the Services are Agreement, Control, Validation, Certification, Audit, Enforcement, Interaction, Usage, Agent, and Access. Each Service has a defined set of detailed functions; the Services are interdependent and can be invoked flexibly within a system. Security can be applied to each Service as well as to the underlying IT infrastructure. The Reference Model provides a new tool for privacy practitioners to apply use cases in the design of privacy management architectures, system designs, protocols, specifications, and operational implementations.
12:00 Lunch in the West Square Cafeteria
Session Chair:  Michael McIntosh, Senior Technical Staff Member, IBM

  • Perspectives on the Cloud and Standards
    Speaker:  Ramaswamy Chandramouli, Supervisory Computer Scientist, Information Technology Laboratory, NIST

  • The present trends in cloud computing seem to be towards using hybrid clouds as deployment models for corporate data centers and making use of Software as a Service (SaaS) for supply chain applications. In most cases, cloud-based computing services are based on a virtualization platform. This scenario has impacts in the areas of operational requirements and architectures. One of the operational requirements for enterprises deploying hybrid clouds for their data center is to move their application packages seamlessly from their internal (own) data centers to a cloud provider and vice versa, and to manage them through a common view. This requires management tools that provide mobility for virtual machines across heterogeneous hypervisors. It is in this context that emerging standards such as the Open Virtualization Format (OVF) are important, as they provide the means to package the application components in a hypervisor-independent format for easy mobility between internal and external clouds. In the area of SaaS for supply chain applications, cloud-based federated identity architecture holds great potential. To realize the benefits of this architecture, API standards are needed for account management (directory synchronization, account provisioning), negotiation of profiles/protocols (federation) and registration of IdPs and SPs.
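
The package mobility described above has a check an importer should not skip: an OVF package carries a manifest (.mf) with one digest per file, and a package pulled back from an external cloud should be verified against it before any disk image is attached to a hypervisor. The following Go program is an added example, not code from this talk or from NIST. It builds a manifest for a constructed two-file package (a minimal descriptor and a stand-in disk image; the file names, contents and the SHA1-only policy are assumptions for illustration), then re-verifies the package the way an importer would, refusing a package whose disk image changed, whose referenced file is missing, whose manifest is malformed, or whose manifest names a digest algorithm it does not recognise.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// Constructed minimal OVF package (not a real appliance): the descriptor lists the files it carries.
const descriptor = `<ovf:Envelope xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <ovf:References>
    <ovf:File ovf:id="file1" ovf:href="appliance-disk1.vmdk" ovf:size="11"/>
  </ovf:References>
</ovf:Envelope>`

var trustedPackage = map[string][]byte{
	"appliance.ovf":        []byte(descriptor),
	"appliance-disk1.vmdk": []byte("disk-image-"), // 11 bytes standing in for a disk image
}

type ovfFile struct{ Href string `xml:"href,attr"` }
type ovfEnvelope struct{ Files []ovfFile `xml:"References>File"` }

// digest computes a manifest digest. OVF 1.x manifests use SHA1; any other
// algorithm name is refused rather than guessed.
func digest(algo string, data []byte) (string, error) {
	if algo != "SHA1" {
		return "", fmt.Errorf("unsupported digest algorithm %q", algo)
	}
	sum := sha1.Sum(data)
	return hex.EncodeToString(sum[:]), nil
}

// makeManifest is the publisher side: one "SHA1(name)= hex" line per file.
func makeManifest(pkg map[string][]byte) string {
	var b strings.Builder
	for name, data := range pkg {
		d, _ := digest("SHA1", data)
		fmt.Fprintf(&b, "SHA1(%s)= %s\n", name, d)
	}
	return b.String()
}

var manifestLine = regexp.MustCompile(`^([A-Z0-9]+)\(([^)]+)\)=\s*([0-9a-fA-F]+)$`)

// parseManifest maps file name -> [algorithm, hex digest]; an unparseable line is an error, not skipped.
func parseManifest(mf string) (map[string][2]string, error) {
	entries := map[string][2]string{}
	for _, line := range strings.Split(strings.TrimSpace(mf), "\n") {
		m := manifestLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		entries[m[2]] = [2]string{m[1], strings.ToLower(m[3])}
	}
	return entries, nil
}

// verifyPackage is the importer side: the descriptor and every file it references
// must have a manifest entry whose digest matches the bytes that actually arrived.
func verifyPackage(pkg map[string][]byte, mf string) error {
	var env ovfEnvelope
	if err := xml.Unmarshal(pkg["appliance.ovf"], &env); err != nil {
		return fmt.Errorf("bad descriptor: %w", err)
	}
	entries, err := parseManifest(mf)
	if err != nil {
		return err
	}
	names := []string{"appliance.ovf"}
	for _, f := range env.Files {
		names = append(names, f.Href)
	}
	for _, name := range names {
		e, listed := entries[name]
		data, present := pkg[name]
		if !listed || !present {
			return fmt.Errorf("%s is missing from the manifest or the package", name)
		}
		got, err := digest(e[0], data)
		if err != nil {
			return err
		}
		if got != e[1] {
			return fmt.Errorf("digest mismatch for %s", name)
		}
	}
	return nil
}

func main() {
	mf := makeManifest(trustedPackage)
	fmt.Print(mf, "verify: ", verifyPackage(trustedPackage, mf), "\n")
}
```

The manifest proves integrity only: a party that can alter the disk image in transit can usually rewrite the .mf as well, so for packages crossing an organizational boundary the manifest itself needs to be signed (OVF provides for a signature over the manifest in a separate .cert file) and that signature checked before the digests are trusted.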

  • Harnessing the Power of the Cloud
    Speaker: Gregg (Skip) Bailey, Federal Competency Director with Technology Strategy and Architecture Platform, Deloitte Consulting LLC

  • Cloud computing is the phrase du jour, and many organizations are jumping on the bandwagon. Cloud computing is still in its early stages, but the commercial and government sectors are beginning to see the advantages of adopting this new trend in computing. The benefits, such as reduced IT costs, reduced management overhead, and the ability to focus on mission critical applications, are too great to overlook at this point. The speaker will talk about how the real power of cloud computing is in the potential to re-think and re-design IT architectures at a fundamental level. Companies that gain early experience will be best positioned to harness these new architectural approaches to re-shape the broader business landscape.

  • Cloud Nine? Assessing the Risks in Cloud Computing
    Remote Speaker: Giles Hogben, Network Security Policy Expert, European Network & Information Security Agency (ENISA)

  • How can you tell if your cloud provider is secure? One of the biggest problems for cloud providers is how to assure customers that they are secure without having to let every company audit their infrastructure. ENISA (the European Network and Information Security Agency) is preparing a report on the key cloud security risks and ways of addressing them, with the help of a group of technical and legal experts including many major cloud providers. This talk will look at the principal security risks and benefits and how to address them.

  • Avoiding Risk - Using Federated Key Management as the Basis for Secure Cloud Computing
    Speaker: Mark Bower, Vice President of Product Management, Voltage Security

  • The goal of this presentation is to discuss federated key management and why it should be an essential part of cloud computing. To do this, the speaker will first describe key management and why it's important. Next, he will discuss how federated key management can provide the infrastructure needed to protect sensitive data when it's used in cloud computing. Finally, the speaker will talk about how cloud computing may require a key management service and describe the properties that such a service needs to have.
3:00 Break in the Green Auditorium Foyer



Session Chair:  Anil Saldhana, Lead Security Architect, Middleware, Red Hat

Challenges, Successes & Lessons Learned Roundtable

Protecting data at rest, in motion or in use has been quite challenging for the security industry. Encryption of the data has been hampered by the challenge of managing keys in a large heterogeneous environment, and the industry has struggled to bring a cohesive solution to this complex problem. Federated key management remains a major challenge for enterprises and organizations. This panel will highlight the challenges faced by federated key management, efforts in the standards world towards interoperable solutions, and lessons learned in implementations of Public Key Infrastructure (PKI).

Panel Speakers:

  • Lars Bagnert, Production Manager, PrimeKey Solutions
  • Brian Tokuyoshi, Product Marketing Manager, PGP Corporation
  • Marc Massar, Senior Implementation Manager, Semtek
  • Philip Hoyer, Security Architect, Office of the CTO, ActivIdentity
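
The key-management problem framed in the Voltage talk above and in this panel abstract has a concrete shape that is easier to see in code. The following Go program is an added example, not the speakers' design or any vendor's product: it shows envelope encryption with the key-encryption keys held in an organization-run key service outside the cloud provider. The keyService type and its kek-N ids, the use of the object name as associated data, and the sample record are all assumptions made for illustration. Each object gets its own data key, the provider stores only ciphertext plus the wrapped data key, and rotating a key-encryption key means rewrapping data keys rather than re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyService stands in for an organization-run key management service (an
// assumed interface, not any vendor's API). Key-encryption keys (KEKs) never
// leave it: the cloud side only ever holds wrapped data keys and ciphertext.
type keyService struct{ keks map[string][]byte; current string }

// Rotate installs a fresh KEK as current; older KEKs stay usable for unwrapping.
func (ks *keyService) Rotate() string {
	ks.current = fmt.Sprintf("kek-%d", len(ks.keks)+1)
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

// WrapDEK and UnwrapDEK are the only operations the cloud side may request;
// KEK bytes are never returned, and the KEK id is bound into the wrap as AAD.
func (ks *keyService) WrapDEK(dek []byte) (string, []byte) {
	return ks.current, seal(ks.keks[ks.current], dek, []byte(ks.current))
}

func (ks *keyService) UnwrapDEK(kekID string, wrapped []byte) ([]byte, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %s is retired or unknown", kekID)
	}
	return unseal(kek, wrapped, []byte(kekID))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this cannot happen
	}
	g, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return g
}

// seal/unseal: AES-256-GCM, random nonce prefixed to the output, aad binding the ciphertext to its context.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Envelope is what the provider stores: ciphertext, the wrapped per-object data key, and the id of the KEK.
type Envelope struct{ KEKID string; WrappedDEK, Ciphertext []byte }

// Encrypt gives each object its own data key and binds the object name as AAD.
func Encrypt(ks *keyService, objectName string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	kekID, wrapped := ks.WrapDEK(dek)
	return &Envelope{kekID, wrapped, seal(dek, plaintext, []byte(objectName))}
}

func Decrypt(ks *keyService, objectName string, env *Envelope) ([]byte, error) {
	dek, err := ks.UnwrapDEK(env.KEKID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext, []byte(objectName))
}

// Rewrap moves an envelope to the current KEK without touching the bulk
// ciphertext, which is what keeps KEK rotation cheap at cloud scale.
func Rewrap(ks *keyService, env *Envelope) error {
	dek, err := ks.UnwrapDEK(env.KEKID, env.WrappedDEK)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = ks.WrapDEK(dek)
	return nil
}

func main() {
	ks := &keyService{keks: map[string][]byte{}}
	ks.Rotate()
	fmt.Printf("%+v\n", Encrypt(ks, "customer-records.csv", []byte("constructed sensitive record")))
}
```

In a real deployment the key service is a separate trust boundary (an HSM-backed service reached over an authenticated channel, ideally via an interoperable key management protocol so the enterprise is not tied to one provider), and rotation and retirement of a KEK are audited operations; the in-memory map here only marks where that boundary sits. Binding the object name as associated data means an envelope copied onto another object's slot fails to decrypt instead of silently disclosing the wrong record.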
Conference Ends, shuttle service available