Because of a “major gap” in the Department of Homeland Security’s (DHS) “current ability to effectively control and manage identity, credential and access-management data (DHS ICAM data) on DHS employees and contractors, the department is creating a proprietary employee ID program called the “DHS Trusted Identity Exchange” (TIE), which is being designed done in coordination with other DHS components.
According to the Privacy Impact Assessment for the DHS Trusted Identity Exchange, “Every internal DHS system, or ‘consuming’ application, uses a unique collection of the user’s digital identity and credential data to manage access to protected resources, such as federally managed facilities, information systems and data.”
According to DHS, “a consuming application is any DHS system that requires some form of identity, credential and access-management data in order to grant logical or physical access to a DHS protected resource.”
These consuming applications “may range from a physical building door reader to a computer connected to the DHS network, or to any application that resides on the DHS technical environment,” DHS said.
The program to keep tight reigns on DHS employees and contractors – especially those who necessarily have to have access to the most sensitive data maintained by DHS – DHS’s Office of the Chief Information Officer (OCIO) Information Sharing Environment Office (ISEO) Identity, Credential & Access Management Program Management Office (ICAM PMO) is overseeing implementation of TIE.
According to the privacy assessment, “Digital identity data is often described as either ‘account’ or ‘entitlement’ information. Account information is used to authenticate (i.e., log-on) end users to verify they are who they say they are, and entitlement information is used to authorize the actions each user is allowed to perform on a given system. Individual components of a user’s digital identity, called data attributes, reside in multiple systems across the enterprise, called ‘authoritative source’ systems. Each data attribute resides in an authoritative source system, and may include personally identifiable information (PII). Updates or modifications to attributes are made in their respective authoritative source systems.”
The technology behind TIE is essentially a virtual directory. TIE establishes secure connections with authoritative systems, and then generates a secure, composite “view” of data attributes based on a combination of data fields from the source systems. TIE then provides these composite views to the consuming applications in a variety of system-to-systeminterfaces.
“For performance reasons,” the assessment explained, “TIE briefly holds or ‘caches’ certain data attributes from the authoritative source systems and the consuming applications. This information only remains or ‘persists’ in TIE until the authoritative source systems update the cache. Cache updates range from seconds to minutes or hours. TIE continuously overwrites or eliminates cached data based on updates from the authoritative source systems and the consuming applications.”
Because TIE acts merely as a secure “broker,” the requirements for Personally Identifiable Information (PII) disposal or records archiving will persist from the underlying identity source system(s) or consuming application(s) that originally collect, manage and store the data.
The high level TIE governance process will be driven by the joint OCIO/Office of the Chief Security Officer (CSO) ICAM Strategic Advisory Team (ISAT) and the joint OCIO/OCSO ICAM Executive Steering Committee (ESC).
The ISAT body is chartered to review and provide technical recommendations for decision votes at the ESC. The more granular level governance is handled by Memoranda of Understanding (MOU) and Interface Control Documents (ICD) between the authoritative source system owners, the DHS ICAM PMO, DHS Privacy Office, and the consuming applications.
The assessment said, “Two practical examples … illustrate the nature of the process change with and without TIE. Example One: Using TIE to provide a new employee with account access and to authorize what activities the employee can perform with his or her account.
Without TIE, a new federal employee is on-boarding to a DHS component and requires basic access to the DHS network, email, facility control, training and time & attendance systems. The present-day process causes multiple paper forms to be generated and sent via email or faxed to a number of individuals who must then hand-enter PII from paper forms, or lookup necessary information in other systems and copy and paste information into the systems for which the new employee needs access. Volumes of PII attributes are handled by multiple people through a series of relatively insecure business processes.
With TIE, core identity information about DHS employees and contractors is available through the TIE interface, which uses DHS digital policies to automatically provide the new employee’s account access and authorization information in the network, email, facility control, training and time & attendance systems. This automation eliminates most of the human-to-system interaction with identity dataand significantly reduces the risk of unintentional disclosure of privacy-sensitive information.
Example Two: Using TIE to support fine-grain authorization decisions.
Without TIE: Currently, authorizations to DHS systems and data are based on “point-in-time” information about users and are rarely re-evaluated or evaluated with enough frequency to ensure that only truly authorized individuals continue to be granted access.
With TIE: Attribute Based Access Control (ABAC) technologies query TIE interface (again via secure system-to-system, not human-to-system interface) and use the information, such as clearance status, training currency, organization or location to make the final access decision. If a person’s privacy training, for example, is required to be current in order to access certain data on a system, and the training certification expired yesterday, TIE will prevent the user from being granted access to the system today.
“This is because TIE will have a connection to the training system data, and will provide this necessary data to the consuming application in order to make the authorization decision,” the privacy assessment said.
The scope of TIE is limited to internal DHS ICAM data for authoritative sources, and to internal DHS consuming applications.
“This means TIE applies to the Sensitive but Unclassified (SBU) security domain, and is not scoped to directly serve National Security Systems on the classified domains (i.e., ‘high side’ applications). This also means that TIE does not directly share DHS ICAM data with non-DHS (external) systems. If DHS has a requirement to share one or more internal ICAM data attributes with an external partner, TIE may share approved attribute(s) with another DHS system (consuming application) that is ultimately responsible for sharing said attribute(s) outside of DHS,” the assessment stated.
Today, most IT systems make and enforce access decisions based on static information that is provisioned at some point in time, the assessment said, noting that, “A users’ level of access tends to remain the same in a given system, as most systems do not have automated procedures in place to ‘re-certify’ that a given user or user community still has a valid need for a certain level of access. Fine-grain authorization(which sometimes materializes as ABAC) describes an IT system’s ability to make a final access determination based on near real-time information from authoritative identity sources. Because DHS has numerous authoritative identity sources, used by numerous consuming applications, TIE is necessary to provide a single interface (acting as a broker) for consuming applications to request the information required to make such a dynamic decision.”
Federal employees and contractors are issued PIV smart cards, which are secure credentials, and are required for use to access federally managed facilities and information systems. In order for these smart cards to be used as required by policy, TIE is required to broker connectivity between PIV authoritative sources and consuming applications in order to create an association between a person’s PIV card and the related user account on any given system. The data attributes and PII required to provision and de-provision access accounts and entitlements is often moved via emails, spreadsheets, comma-separated value (CSV) files and sometimes via fax. In order for a person to use his or her PIV card to log-on to the DHS network (Windows), data about the PIV card must be provisioned to Active Directory (AD).
“Today,” the assessment said, “this is accomplished through a variety of manual processes, including several stopgap solutions through which the provisioning takes place well after a person’s AD account is created. In some instances, more information than is necessary may be transmitted between consumer and source systems to provision or de-provision access. These manual processes not only elevate the risk of exposing sensitive PII to unauthorized personnel, but also prohibit or hinder the efficient transfer of data required to securely grant access to users within the DHS infrastructure.”
TIE will serve as the identity information broker required to support automation of PIV and all other access entitlement provisioning and de-provisioning, thus eliminating costly, inefficient business processes. This facet of TIE also mitigates privacy risk by reducing the risk of exposure when PII is passed via less secure email or paper-based processes.
