The Air Force is going through its 5th generation of IT systems and is developing a single enterprise IT computing operation (700,000 users, eventually an estimated 10,000 applications and services). This includes a single Enterprise Level Security (ELS) model, based on a claims-based approach, that is aligned with role responsibilities in a dynamic environment. When standing up a high-assurance, internet-scale, web-service-based enterprise system for information sharing, authentication and access control are primary considerations. A generalized standards-based solution is presented. Central to this system is a process for access control that provides the fine-grained authorities for use by enterprise services. In all cases, access control, rights and privileges are enforced by the web service itself, through its own Access Control Lists (ACLs), and are preceded by bilateral authentication in both normal and federated service requests. The enterprise system relies on a unified naming and credentialing system for identity management and a centralized Enterprise Attribute Store (EAS). This presentation describes the development process by which access control and authorization claims are developed at the enterprise level. The claims are computed from enterprise attributes, use cases, policy statements and other data by an Attribute Based Access Control (ABAC) / Policy Based Access Control (PBAC) engine described in this presentation. These claims are then placed in a Security Assertion Markup Language (SAML) token to be used by the web service. The SAML token is signed for integrity and encrypted for confidentiality. This is the first enterprise-level scale-up that has provided a consistent enterprise solution to access control without a centralized Access Control Service, relying solely on the service for access control and authority determination. It has been five years in development, has been tested for scale-up, and is currently being implemented.
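The flow the abstract describes (attributes pulled from a central store, claims computed by a policy engine, placed in a signed token, and then checked by the service against its own ACL rather than by a central access-control service) is shown below as an added example. It is not the Air Force's or IDA's code. The real system carries claims in a SAML assertion protected with XML signature and XML encryption; this model substitutes a compact JSON body with an HMAC-SHA256 signature so it runs on the standard library alone, and it does not model the confidentiality layer. The attribute store, policy statements, service names and ACL entries are all constructed for illustration.

```python
"""Model of claims-based access control enforced at the service (added example).

Roles in the flow:
  * Enterprise Attribute Store (EAS): authoritative attributes per identity.
  * Claims engine: evaluates policy statements over attributes -> claims.
  * Token issuer: binds claims to a subject/audience and signs them.
  * Web service: verifies the token, then consults ITS OWN ACL. No call to a
    central access-control service happens at request time.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed EAS contents: distinguished name -> enterprise attributes.
ENTERPRISE_ATTRIBUTE_STORE = {
    "CN=alice.smith,OU=Logistics,O=USAF": {
        "role": "logistician", "unit": "Logistics", "clearance": "secret"},
    "CN=bob.jones,OU=Finance,O=USAF": {
        "role": "analyst", "unit": "Finance", "clearance": "confidential"},
}

# Constructed policy statements: a claim is granted only when every listed
# attribute takes one of the allowed values (a minimal ABAC/PBAC rule form).
CLAIM_POLICIES = {
    "supply-service:read":  {"unit": {"Logistics"}},
    "supply-service:write": {"unit": {"Logistics"}, "role": {"logistician"}},
    "ledger-service:read":  {"unit": {"Finance", "Logistics"}},
}


def compute_claims(identity):
    """Claims engine: evaluate every policy against the subject's attributes."""
    attrs = ENTERPRISE_ATTRIBUTE_STORE[identity]
    return sorted(
        claim for claim, conditions in CLAIM_POLICIES.items()
        if all(attrs.get(name) in allowed for name, allowed in conditions.items())
    )


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity, audience, key, now=None, lifetime=300):
    """Token issuer: sign an assertion scoped to one audience with a short lifetime.
    Stand-in for a signed SAML assertion (JSON + HMAC instead of XML-DSig)."""
    now = int(time.time()) if now is None else now
    assertion = {
        "subject": identity,
        "audience": audience,
        "issued": now,
        "expires": now + lifetime,
        "claims": compute_claims(identity),
    }
    body = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(signature)


def verify_token(token, audience, key, now=None):
    """Service-side verification: signature first, then audience and validity window."""
    now = int(time.time()) if now is None else now
    body_b64, sig_b64 = token.split(".")
    body = _unb64(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("signature check failed")
    assertion = json.loads(body)
    if assertion["audience"] != audience:
        raise ValueError("token issued for a different service")
    if not assertion["issued"] <= now < assertion["expires"]:
        raise ValueError("token outside its validity window")
    return assertion


class SupplyService:
    """A web service that holds its own ACL mapping operations to required claims."""
    NAME = "supply-service"
    ACL = {
        "GET /inventory": "supply-service:read",
        "POST /inventory": "supply-service:write",
    }

    def __init__(self, key):
        self.key = key  # verification key shared with the issuer in this HMAC model

    def handle(self, token, operation, now=None):
        """Return an HTTP-style status: 401 bad token, 403 missing claim, 404 unknown op."""
        try:
            assertion = verify_token(token, self.NAME, self.key, now)
        except ValueError:
            return 401
        required = self.ACL.get(operation)
        if required is None:
            return 404
        return 200 if required in assertion["claims"] else 403
```

Two design points carry over from the abstract: the token names its audience, so an assertion issued for one service is rejected by another even though the signature is valid, and the service never asks anyone else whether the request is allowed; it only needs the issuer's verification key and its own ACL. In a PKI deployment the HMAC would be replaced by an asymmetric signature so that services hold only a public verification key.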
Dr. Simpson holds degrees from The Ohio State University, The George Washington University and The Virginia Polytechnic Institute and State University. He has held a number of academic, standards body, professional society, government and industry appointments. His publications number over 300 and include two textbooks, journal and magazine articles, technical reports, conference papers, and standards. He is currently a member of the professional staff at the Institute for Defense Analyses, managing and executing studies and analyses as directed by the US Department of Defense, Joint Program Offices, and other sponsors. He also provides evaluations, reviews and editorial information on electronics and information technology trends and products that may have application potential within the defense structure to a broad class of interested parties in the Defense Department. The emphasis in the last ten years has been information security. He was the project lead on a congressionally directed study of the National Information Assurance Program, a partnership for information security lab certification programs under ISO 15408 – 1999 (Common Criteria). He has participated with the Defense Computer Forensics Lab in a joint task force to evaluate a set of computer intrusions, and was a principal in the damage assessment of one such intrusion. He is currently working for the Secretary of the Air Force, Office of the Chief Technology Officer, on the next-generation information assurance architecture for the Air Force Enterprise, which is the model for the next-generation architecture for the Department of Defense.