The Global Federated Identity and Privilege Management (GFIPM) program is funded jointly by the U.S. Department of Justice (DOJ) and the U.S. Department of Homeland Security (DHS), and is under the direction of the Global Justice Information Sharing Initiative. The goal of GFIPM is to enable information sharing for state and local agencies through a federated model that is secure, scalable, and cost-effective. One of the guiding principles of GFIPM is to seek to understand and meet the needs of state and local agencies through a collaborative, consensus-based process that incorporates the input of all major stakeholders, including state and local agencies as well as the federal government.
GFIPM Concept: Federated Identity and Privilege Management
The conceptual foundation of the GFIPM project is the idea of federated identity and privilege management (FIPM). FIPM is an extension of the more common concept of federated identity management, which provides the ability to separate the management of user identities from the management of the systems and applications in which those identities are used. In a federation, user identities are managed by identity providers (IDPs), while applications and other resources are managed by service providers (SPs). It is well understood that federated identity management provides valuable benefits for information sharing, including greater usability due to identity reuse, as well as improved privacy and security. The FIPM concept seeks to extend federated identity management by addressing the issue of authorization, or privilege management, within the systems and applications that exist in a federated environment. Each system or application in a federation typically has its own set of business requirements and access control policies, and FIPM provides a cost-effective framework that enables these systems to be made available to federated users while still respecting their native requirements.
Analysis of Real-World Law Enforcement Needs
The GFIPM concept has been designed and implemented based on a well-grounded knowledge of the needs of real-world law enforcement information sharing systems. GFIPM development began with a bottom-up analysis of the usage and access requirements of several prototypical information sharing systems at the state and local law enforcement agency level. The process also included extensive community involvement and feedback, similar to the process used in the development of GJXDM and NIEM. The end result is that GFIPM not only meets the needs of a large class of its target systems (state and local law enforcement information sharing applications), but also has achieved a broad level of acceptance within its target community and is able to grow and adapt as needed to continue meeting the target community’s needs.
Trusted Sharing of User Attributes
At the core of the GFIPM concept is the idea of collecting information attributes about users and sharing them with systems and applications in a trusted manner. These attributes serve as a framework for supporting various value-added features that are not possible with basic federated identity management. For example, one feature that trusted attribute sharing enables is dynamic provisioning of local user accounts within applications. In information sharing environments, identity administration cost and complexity is primarily driven by the need to manually provision and manage local accounts for federated users. Therefore, dynamic provisioning of local user accounts via trusted attribute sharing has the potential to significantly reduce the cost associated with information sharing in a federated environment. Another feature enabled by trusted attribute sharing is federated authorization, in which an application can make access control decisions for users based on the attribute values provided during the attribute sharing process. Sensitive-but-unclassified (SBU) information sharing systems often have rigid access control requirements. For example, systems that offer criminal intelligence data may require that a user be 28-CFR Part 23 trained and also authenticate using a two-factor authentication mechanism. In GFIPM, attributes capturing this information can be used to convey important facts about a user to the target application, thereby enabling the application to decide whether to permit or deny access without the need for manual intervention by a local security administrator. Both of these features — dynamic provisioning and federated authorization — have the potential to significantly reduce the cost of federating an application, and can also improve the user experience.
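The two features described above, federated authorization and dynamic provisioning, as an added illustration that is not part of the GFIPM program's own code: a service provider reads user attributes from a constructed SAML AttributeStatement, applies the criminal-intelligence policy (28 CFR Part 23 trained and two-factor login, failing closed when an attribute is absent), and creates a local account only on a permitted access. The attribute names and the two-factor vocabulary are assumed placeholders in the GFIPM naming style, not values taken from the GFIPM metadata specification.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed placeholder attribute names (GFIPM style, not the official metadata).
ATTR_28CFR = "gfipm:2.0:user:28CFRCertificationIndicator"
ATTR_AUTH_METHOD = "gfipm:2.0:user:AuthenticationMethod"
ATTR_FED_ID = "gfipm:2.0:user:FederationId"
TWO_FACTOR_METHODS = {"two-factor", "pki", "otp"}  # assumed vocabulary

# Constructed sample: the AttributeStatement an IDP would place in its assertion.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ATTR_28CFR}"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR_AUTH_METHOD}"><saml:AttributeValue>two-factor</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ATTR_FED_ID}"><saml:AttributeValue>GFIPM:IDP:ExampleAgency:USER:jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each attribute Name to its list of values (signature check assumed done upstream)."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name", "")] = values
    return attrs


def authorize_intel_access(attrs: Dict[str, List[str]]) -> Tuple[bool, str]:
    """SP policy for criminal-intelligence data: 28 CFR Part 23 training AND two-factor login.
    Any missing attribute denies access rather than falling back to an administrator."""
    if attrs.get(ATTR_28CFR, [""])[0].strip().lower() != "true":
        return False, "28 CFR Part 23 training not asserted"
    method = attrs.get(ATTR_AUTH_METHOD, [""])[0].strip().lower()
    if method not in TWO_FACTOR_METHODS:
        return False, f"authentication method {method!r} is not two-factor"
    return True, "permit"


def provision_local_account(accounts: Dict[str, dict], attrs: Dict[str, List[str]]) -> Optional[str]:
    """Dynamic provisioning: create the local account on the first permitted access, keyed by
    the federation-wide user identifier; denied users never get a local record."""
    permitted, _reason = authorize_intel_access(attrs)
    fed_id = attrs.get(ATTR_FED_ID, [""])[0]
    if not permitted or not fed_id:
        return None
    accounts.setdefault(fed_id, {"roles": ["intel-reader"]})
    return fed_id
```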
Bottom-Up Adoption Based on Compelling Value Proposition
One of the guiding principles of the GFIPM concept is that participation should be driven by the attractiveness of the GFIPM value proposition rather than by a top-down mandate. To this end, the GFIPM design anticipates and seeks to address issues such as barriers to entry, cost of adoption, and individual member agencies’ desire for autonomy. For example, GFIPM recognizes that participating agencies will have varying security policies and infrastructure. In this environment, attempting to mandate a system-high security model with a certification and accreditation process for each member agency would be a major barrier to entry for most prospective participants. So rather than incorporating a system-high approach, GFIPM incorporates a reasonable, agreed-upon common denominator of trust and security requirements for entry into the federation, along with specific roles and responsibilities for each participating agency, as identified by the GFIPM governance structure. One specific responsibility of each participant is to fully disclose its local security policies and procedures for the benefit of other federation members. Another example of GFIPM’s consideration for participants’ needs is its ability to support additional, layered agreements between participants and communities of interest on top of the basic GFIPM structure. A third example is GFIPM’s principle of transparency within the user experience: at no point during a federation transaction does a user need to visit or use a GFIPM branded portal. Characteristics such as these make GFIPM a very flexible federated framework for supporting information sharing.
Central Federation Governance with Decentralized Technical Architecture
Architecturally, the GFIPM concept is based on a common centralized Federation agreement for governance and management. Operational trust between GFIPM participants is anchored through a governance body comprised of representatives from each participating agency. The governance body defines federation policies and also directs the operation of the federation’s cryptographic trust anchor. Although this federation trust anchor in GFIPM is maintained as a centralized federation resource, network traffic flow in GFIPM is decentralized in a mesh structure. GFIPM achieves decentralized traffic flow through the use of well-defined, collaboratively developed interoperability specifications and standards that permit full interoperability between all GFIPM participants on a peer-to-peer basis without requiring the use of a centralized broker to mediate federated identity transactions.
Validation via Real-World Use
The GFIPM concept has been validated through a GFIPM Security Interoperability Demonstration Project that involved information sharing using real systems and real users. The project was sponsored jointly by DOJ and DHS, and carried out between 2005 and 2007 under the guidance of the Global Security Working Group. The demonstration project proved that the GFIPM concept is both implementable at a reasonable cost and acceptable to candidate agencies from a policy standpoint. Since mid-2007, the demonstration project has moved into an operational phase, and it exists today as the National Identity Exchange Federation (NIEF).