Identity becomes the primary security boundary
Jacqueline stands in front of a sign that reads "OneID"

OneID: Modernizing Digital Identities

Monday, October 21, 2019

In today’s increasingly networked world, companies and government entities must constantly strengthen their virtual guards. A crucial part of any organization’s cybersecurity is managing the users who can access their computers, networks, software applications and data. Identifying, authenticating, and authorizing individuals or groups of people to have access to applications, systems, or networks by associating user rights and restrictions with established identities is known as identity management.

LLNL is providing a solution to the Department of Energy (DOE) that allows all of its organizations, sites, labs, and plants to securely manage their users’ identities across the various resources. What began in 2012 as a small proposal written to the DOE by LLNL’s Jacqueline Peila has gone from a thumbs up with seed money to what is now known across DOE as OneID—an enterprise identity management and federated authentication solution.

“OneID provides the fundamental building blocks needed to support DOE initiatives for improving communications, collaborations, and physical and logical access decisions,” says Peila, the principal investigator for OneID.

Peila has grown the project from a seedling proposal to a complex-wide, multifaceted solution. Her team’s initial charter was to create a solution to support the use of the DOE Personal Identification Verification (PIV) card for gaining access to services hosted in a private cloud called YourCloud. The concept quickly turned into a much broader project scope for solving DOE’s core Identity, Credential, and Access Management (ICAM) business problems:

  • Accurately identifying all DOE organizational users
  • Managing key attributes about an individual to improve access decisions
  • Simplifying collaboration between employees, customers, and partners

Identity Is the New Security Boundary

With business moving to the cloud from traditional corporate networks, identity has become the new security boundary. With this paradigm shift, it is critical that identity information is accurate, and changes are reflected in a timely manner. Peila explains, “That’s one of the most valuable services OneID provides: correlating, reconciling, and accurately retaining identity information with associated credentials.”

OneID aggregates identity data from the 80 DOE organizations. Additionally, OneID is the official “agency data steward” for USAccess and has established interfaces for managing an individual’s encryption certificates and active clearance information. The attributes from these sources are correlated with each identity and leveraged by enterprise services for making access decisions. Many individuals work in multiple locations and in varying roles across DOE. OneID can map and retain that relationship data and associated attributes to a single DOE Unique Identifier. With OneID, security access decisions are vastly improved, the proliferation of sensitive personally identifying information is greatly reduced, and users are “pre-registered” to expedite federated authentication.
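The correlation step described above, as an added illustration rather than OneID's own code: records arrive from several feeds, each with its own local identifier, and are linked to one stable identifier per person. The feed names, attribute names, the `piv_uuid` correlation field, the authoritative-source policy and the namespace UUID are all constructed for the example. Two points a practitioner cares about are visible in the code: an attribute only changes when its authoritative source (or the source that supplied it) reports a change, and disagreements between feeds are logged for reconciliation instead of being silently merged.

```python
"""Toy identity correlation: several source feeds -> one identifier per person.
Illustrative code, not OneID's implementation; all names and keys are constructed."""
from dataclasses import dataclass, field
from typing import Optional
import uuid

# Constructed namespace used to derive a stable, non-PII identifier deterministically.
UID_NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")

# Constructed policy: which feed is authoritative for which attribute.
# Other feeds may fill a gap; if they disagree with the kept value, it is logged.
AUTHORITATIVE = {"clearance": "clearance-feed", "piv_status": "usaccess"}


@dataclass
class SourceRecord:
    source: str                      # feed the record came from
    local_id: str                    # identifier meaningful only inside that feed
    piv_uuid: Optional[str] = None   # credential identifier shared across feeds (constructed)
    email: Optional[str] = None
    attrs: dict = field(default_factory=dict)


@dataclass
class Identity:
    doe_uid: str
    affiliations: dict = field(default_factory=dict)   # source -> local_id
    attrs: dict = field(default_factory=dict)          # name -> (value, source)
    conflicts: list = field(default_factory=list)      # (name, kept, rejected)


class IdentityStore:
    def __init__(self):
        self.by_piv = {}      # normalised piv_uuid -> Identity
        self.by_email = {}    # normalised email -> Identity
        self.identities = []

    def _lookup(self, rec):
        # Prefer the credential identifier; fall back to the e-mail address.
        if rec.piv_uuid and rec.piv_uuid.lower() in self.by_piv:
            return self.by_piv[rec.piv_uuid.lower()]
        if rec.email and rec.email.strip().lower() in self.by_email:
            return self.by_email[rec.email.strip().lower()]
        return None

    def apply(self, rec):
        """Merge one record; call again when a feed reports a change."""
        ident = self._lookup(rec)
        if ident is None:
            seed = rec.piv_uuid or rec.email
            if seed is None:
                raise ValueError(f"{rec.source}:{rec.local_id} has no correlation key")
            ident = Identity(doe_uid=str(uuid.uuid5(UID_NAMESPACE, seed.strip().lower())))
            self.identities.append(ident)
        # Register every key we now know, so later feeds link to the same person.
        if rec.piv_uuid:
            self.by_piv[rec.piv_uuid.lower()] = ident
        if rec.email:
            self.by_email[rec.email.strip().lower()] = ident
        ident.affiliations[rec.source] = rec.local_id
        for name, value in rec.attrs.items():
            current = ident.attrs.get(name)
            owns_value = current is not None and current[1] == rec.source
            if current is None or rec.source == AUTHORITATIVE.get(name) or owns_value:
                ident.attrs[name] = (value, rec.source)
            elif current[0] != value:
                ident.conflicts.append((name, current, (value, rec.source)))
        return ident


def build_demo_store():
    """Constructed sample feeds: one person known to four feeds, one to a single feed."""
    store = IdentityStore()
    for rec in [
        SourceRecord("site-a-hr", "a-1001", "PIV-0001", "Jane.Doe@example.gov",
                     {"display_name": "Jane Doe", "clearance": "Q"}),
        SourceRecord("clearance-feed", "c-77", "piv-0001", None, {"clearance": "L"}),
        SourceRecord("site-b-hr", "b-42", None, "jane.doe@example.gov",
                     {"display_name": "J. Doe", "clearance": "Q"}),
        SourceRecord("usaccess", "u-9", "PIV-0001", None, {"piv_status": "active"}),
        SourceRecord("site-a-hr", "a-2002", None, "sam.roe@example.gov",
                     {"display_name": "Sam Roe"}),
    ]:
        store.apply(rec)
    return store


def revoke_demo_clearance(store):
    """The authoritative feed reports a change; the correlated record follows it."""
    store.apply(SourceRecord("clearance-feed", "c-77", "PIV-0001", None, {"clearance": "none"}))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for ident in s.identities:
        print(ident.doe_uid, ident.affiliations, ident.attrs, ident.conflicts)
```

Running the block shows the first person resolved to one `doe_uid` across four feeds via either key, the clearance taken from the authoritative feed, and two logged conflicts (a differing display name and a stale clearance value from a site HR feed).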

Even the seemingly simple task of identifying “how many” people and “who” has a working relationship with DOE was made difficult because of the decentralized manner in which the plants, sites, and labs are managed and architected. The DOE ICAM program was tasked by Deputy Secretary for Energy Dan Brouillette to deliver a solution for the Office365 Global Address List (GAL) that included the entire DOE enterprise. OneID made this possible and delivered on schedule within a very short duration.

In addition to the enterprise GAL, OneID is proving its value in more than 25 key enterprise initiatives, including the Department of Homeland Security’s Continuous Diagnostic Management initiative, multifactor authentication to desktops, physical access systems, a DOE-wide phone book, and multiple enterprise software-as-a-service (SaaS) solutions. OneID is currently being evaluated for use with Enterprise Secure Network and high-performance computing.

Seamless Access to Shared/Cloud Services

Peila explains, “OneID gives sites a simplified front door for their employees to authenticate to shared services, whether the services are on-premises, in the cloud, or a SaaS.”

OneID’s “front door” is called OneID Authentication Hub Services, and it has been particularly useful in streamlining access to web applications and reducing overhead effort for application owners. The Hub enables users from all 80 DOE sites, labs, plants, headquarters, and other agencies to authenticate to web applications by leveraging their existing credentials. Based on the assurance level required by each application owner, the user can leverage an existing credential such as Active Directory, a PIV card, an RSA token, or a YubiKey for logging into a data system.

The Hub recently added support for citizens, universities, and business partners to authenticate to web applications through various social credentials (e.g., Google) and trust frameworks. “When you federate, you [join with] trust frameworks,” says Peila. “An example of this is InCommon, which is a trust framework for universities. The basic premise with federated authentication is when a user attempts to access a web app, they are redirected to their trusted identity provider, which then ‘asserts’ their identity. Authentication itself stays close to the source owners.”
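The redirect-and-assert flow Peila describes, as an added example that is not part of the article or of OneID: a web application (the service provider) sends the user to their identity provider, the identity provider checks the credentials locally and returns a signed assertion, and the application accepts the identity only after verifying issuer, signature, audience, the outstanding request it answers, and expiry. The assertion format and HMAC signature are stand-ins for SAML or OpenID Connect so that the exchange runs offline; the trust-framework roster, shared key, issuer URLs and user record are constructed.

```python
"""Toy federated login: SP -> IdP redirect, IdP -> SP signed assertion, SP validation.
Stand-in for SAML/OIDC; issuers, keys and users are constructed for the example."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust framework: issuers the SP accepts and the key shared with each.
TRUSTED_IDPS = {"https://idp.university.example": b"constructed-shared-key"}
SP_ID = "https://app.doe.example"   # constructed audience value for this application
ASSERTION_TTL = 300                 # seconds an assertion stays valid


def sign(payload, key):
    """Signature over a canonical JSON encoding so both sides hash identical bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self):
        self.pending = {}   # one-time request id -> issuer the user was sent to

    def start_login(self, issuer):
        """Step 1: redirect the user to their IdP, remembering a one-time request id."""
        if issuer not in TRUSTED_IDPS:
            raise PermissionError("issuer not in trust framework")
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = issuer
        return {"redirect_to": issuer, "request_id": request_id, "audience": SP_ID}

    def consume_assertion(self, assertion, signature, now=None):
        """Step 3: accept the asserted identity only if every check passes."""
        now = time.time() if now is None else now
        key = TRUSTED_IDPS.get(assertion.get("issuer"))
        if key is None:
            return None, "untrusted issuer"
        if not hmac.compare_digest(sign(assertion, key), signature):
            return None, "bad signature"
        if assertion.get("audience") != SP_ID:
            return None, "assertion not meant for this application"
        # Popping the id makes each request single-use, which blocks replay.
        if self.pending.pop(assertion.get("in_response_to"), None) != assertion["issuer"]:
            return None, "unknown or replayed request id"
        if now > assertion.get("expires", 0):
            return None, "expired"
        return assertion["subject"], "ok"


class IdentityProvider:
    """Authentication stays with the source: the IdP checks the credential and
    only asserts the result to the application."""

    def __init__(self, issuer, users):
        self.issuer, self.key, self.users = issuer, TRUSTED_IDPS[issuer], users

    def authenticate(self, username, password, login_request, now=None):
        """Step 2: verify the user, then assert their identity for this request."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Constructed store holds a plain SHA-256; a real IdP uses a password KDF.
        digest = hashlib.sha256(password.encode()).hexdigest()
        if user is None or not hmac.compare_digest(user["password_sha256"], digest):
            raise PermissionError("authentication failed at IdP")
        assertion = {
            "issuer": self.issuer,
            "audience": login_request["audience"],
            "in_response_to": login_request["request_id"],
            "subject": user["subject"],
            "affiliation": user["affiliation"],
            "expires": now + ASSERTION_TTL,
        }
        return assertion, sign(assertion, self.key)


def demo(now=1_000_000.0):
    """Constructed exchange: one good login, then a replay and a tampered assertion."""
    issuer = "https://idp.university.example"
    idp = IdentityProvider(issuer, {"alice": {
        "password_sha256": hashlib.sha256(b"constructed-passphrase").hexdigest(),
        "subject": "alice@university.example", "affiliation": "faculty"}})
    sp = ServiceProvider()
    req = sp.start_login(issuer)
    assertion, sig = idp.authenticate("alice", "constructed-passphrase", req, now=now)
    first = sp.consume_assertion(assertion, sig, now=now + 1)
    replay = sp.consume_assertion(assertion, sig, now=now + 2)
    tampered = dict(assertion, subject="admin@university.example")
    forged = sp.consume_assertion(tampered, sig, now=now + 3)
    stale_req = sp.start_login(issuer)
    stale, stale_sig = idp.authenticate("alice", "constructed-passphrase", stale_req, now=now)
    expired = sp.consume_assertion(stale, stale_sig, now=now + ASSERTION_TTL + 1)
    return {"first": first, "replay": replay, "tampered": forged, "expired": expired}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The order of checks matters for operators reading rejection logs: an assertion from an issuer outside the trust framework is refused before any cryptography runs, and a replayed assertion is distinguishable from a forged one because its signature is valid but its request id has already been consumed.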

Cloud Native and Standards Based

From day one, OneID has been designed with flexibility in mind. The team set out to use industry standards and to take advantage of new technologies whenever possible. With that mindset came one of its biggest strengths—a “cloud native architecture.” Peila praises her team on this point. “The OneID team were early adopters of things like containerization and orchestration.”

Just as the term suggests, containerization involves packaging an application together with its dependencies. The OneID program has already moved to a new system once and, with this container-based architecture, is working on moving again (to Azure). What took the full staff over three weeks the first time has been achieved in less than an hour through the containerization, orchestration, and automated deployment processes. Peila adds, “This is leading edge. We’re not trying it or starting it now; we’ve been doing it for years.”

While the cloud-based aspects of OneID contribute to the team’s internal success, the standards-based implementation allows for ease of integration and flexibility among the consumers of the service. All integrations between OneID and consumers are based on common industry standards such as System for Cross-Domain Identity Management (SCIM) for identity data as well as Security Assertion Markup Language (SAML) and OpenID Connect for authentication. “By using the standards, OneID allows consumers to choose how they integrate rather than being forced to accommodate proprietary tools,” Peila says.

Read more about OneID via LLNL News: FedTech Helps Accelerate Technology Transfer.