KMI Media Group

Building a GIG User Directory




JOINT ENTERPRISE DIRECTORY SERVICE WILL PROVIDE SECURE ACCESS TO INFORMATION ABOUT PEOPLE.

The Joint Enterprise Directory Service (JEDS) is a DISA initiative to build a Global Information Grid (GIG) directory automatically provisioned from the numerous account and identity repositories maintained across DoD. JEDS will provide a full-service directory capability for secure and stable access to information about people, organizations and other digital identities across the GIG. The objective for this modest but ambitious effort is to deliver an enterprise directory service on NIPRNet and SIPRNet to satisfy:

• The DoD’s desire for central white pages or global address list to locate contact information on individuals outside their enclave communities.
• The Assistant Secretary of Defense for Networks and Information Integration (ASD (NII)) Program Decision Memorandum III information-sharing tasks for an enterprise directory service that facilitates information sharing and provides an authoritative attribute source for attribute-based access control (ABAC) decisions.
• The twin NCES Milestone B Service Oriented Architecture Foundation requirements to deliver a People Discovery Service and a Security Service Attribute Retrieval Service.

Currently, the department has two types of directory services operating on the GIG. At the enterprise level, the Global Directory Service (GDS) under the DoD Public Key Infrastructure (PKI) program holds the 4.5 million public key certificates issued within DoD. It also provides a central source to look up individual e-mail addresses and associated encryption certificates, as well as to validate PKI certificates against a consolidated list of revoked certificates.

At the component and enclave level, the primary directory service is Microsoft's Active Directory product. This directory service is what we see when we look up an e-mail address in our Microsoft Outlook e-mail clients. It is provisioned and maintained in a decentralized manner, and it serves as the primary method for controlling user access to enclave network resources and data.

A 2005 survey identified more than 1,400 Active Directory forests operating across the GIG. In January, Joint Task Force-Global Network Operations (JTF-GNO) issued a Communication Task Order directing all DoD components to register their Active Directory forests in a Web-based database hosted at the GIG Infrastructure Management Center.

In addition to these two GIG directory services, the department and its numerous components' personnel and human resources operations maintain repositories cataloging individual identity information. Examples include DEERS (the Defense Enrollment Eligibility Reporting System), which is the department's primary repository for DoD employee benefits; DIMHRS (the Defense Integrated Military Human Resources System), DoD's new repository consolidating human resource databases from the Air Force, Army and Marine Corps civilian and military personnel systems; and JPAS (the Joint Personnel Adjudication System), which holds DoD personnel clearance data.

AUTHORITATIVE SERVICE

JEDS will be an authoritative attribute harvesting and provisioning service. JEDS will leverage commercially available directory synchronization products to automatically harvest data from component account and personnel repositories over secure, automated connections. It will consolidate and merge the harvested attribute data into a central JEDS directory database for publication via HTTPS, Lightweight Directory Access Protocol (LDAP) and Web services (SOAP, SAML and XML) interfaces, for use by individuals and applications across the GIG.

The four services each have meta-directory white pages services that consolidate their numerous Active Directory forests. Combining those service meta-directories with DISA's GDS, with its 4.5 million CAC certificates, and several smaller identity repositories, the JEDS team is looking to have an initial NIPRNet directory service by the end of September 2007 and a SIPRNet service by the end of the year.

The challenge will be dealing with the multiple digital identities or roles that we have on the GIG. For example, all military members assigned to joint organizations have at least two (if not more) digital identities—their service identity and their joint identity. In the case of military reservists who also work for the department in their civilian capacity, we have factored in their civilian digital identity as either a DoD civil servant or a DoD contractor.

Many of us are also dual- or triple-hatted. For example, Lieutenant General Charles Croom has at least three digital identities or roles: commander, JTF-GNO, with USTRATCOM accounts; director, DISA, with DISA accounts; and an Air Force general officer with Air Force accounts. The integration challenge will be correlating and merging all these harvested digital identities into a single GIG identity.

Key to that integration effort is leveraging unique identifier (UID) attributes that can relate an individual's numerous harvested identities to each other. Across the department, JEDS has identified three UID attributes: the Electronic Data Interchange Personal Identifier (EDIPI) from DEERS, the e-mail address, and the Social Security number. All are unique to an individual, but they have not been evenly populated across the numerous repositories. Social Security numbers in particular come with strict data-handling policies and rule sets.

With careful cross-matching rules and correlation processes, JEDS will work to compile individual enterprise-level identities. In the early stages of this effort, we fully expect numerous duplicate entries. These duplicates will be reduced, however, as the JEDS team fine-tunes its correlation processes and works with the authoritative sources through the NetOps command and control channels to populate one or more of these UID attributes in their repository provisioning processes.
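The correlation step described above can be illustrated in a small program. This is an added example, not JEDS or DISA code: the record layout, the source names and the sample records are constructed, and the HMAC key is an assumed per-deployment secret. It links harvested records that share any of the three UID attributes (EDIPI, e-mail, SSN) with a union-find pass, merges each linked group into one enterprise identity, and shows the duplicate that results when two records for the same person carry no common UID. The SSN is reduced to a keyed hash for matching and is never carried into the merged entry, which is one way to honor the handling rules the article mentions.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a managed, per-deployment secret. The SSN is only ever
# turned into an HMAC token for matching; the raw value is never stored.
SSN_HMAC_KEY = b"example-only-replace-with-a-managed-secret"


def ssn_token(ssn):
    """HMAC-SHA256 token for a 9-digit SSN in any punctuation; None if malformed."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        return None
    return hmac.new(SSN_HMAC_KEY, digits.encode(), hashlib.sha256).hexdigest()


def match_keys(rec):
    """Normalised (attribute, value) pairs that may link this record to others."""
    keys = set()
    if rec.get("edipi"):
        keys.add(("edipi", rec["edipi"].strip()))
    for mail in rec.get("emails", ()):
        keys.add(("mail", mail.strip().lower()))
    token = ssn_token(rec["ssn"]) if rec.get("ssn") else None
    if token:
        keys.add(("ssn", token))
    return keys


def correlate(records):
    """Union-find over records sharing any UID key; returns merged identities."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    seen = {}  # match key -> index of the first record carrying it
    for i, rec in enumerate(records):
        for key in match_keys(rec):
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i

    groups = defaultdict(list)
    for i in range(len(records)):
        groups[find(i)].append(i)

    identities = []
    for root in sorted(groups, key=lambda r: min(groups[r])):
        members = [records[i] for i in groups[root]]
        edipis = {m["edipi"] for m in members if m.get("edipi")}
        identities.append({
            "edipi": next(iter(edipis)) if len(edipis) == 1 else None,
            "conflict": len(edipis) > 1,  # two EDIPIs merged: flag for manual review
            "emails": sorted({e.strip().lower() for m in members for e in m.get("emails", ())}),
            "roles": [(m["source"], m["role"]) for m in members],
            # no "ssn" field: the published entry never carries it
        })
    return identities


# Constructed sample harvest: one officer with four accounts that chain
# together through different UIDs, and one sailor whose NMCI account and
# DEERS record share no UID at all and therefore stay duplicated.
SAMPLE_RECORDS = [
    {"source": "DEERS", "edipi": "1234567890", "ssn": "123-45-6789",
     "emails": [], "role": "Air Force military"},
    {"source": "AFDS", "edipi": "1234567890",
     "emails": ["Jane.Doe@us.af.mil"], "role": "Air Force account"},
    {"source": "USSTRATCOM AD",                      # links via the AF e-mail only
     "emails": ["jane.doe@stratcom.mil", "jane.doe@us.af.mil"], "role": "JTF-GNO account"},
    {"source": "DISA GAL", "ssn": "123456789",         # links via the SSN token only
     "emails": ["jane.doe@disa.mil"], "role": "DISA account"},
    {"source": "NMCI", "emails": ["john.roe@navy.mil"], "role": "Navy account"},
    {"source": "DEERS", "edipi": "2222222222", "ssn": "987-65-4321",
     "emails": [], "role": "Navy military"},
]


def demo():
    """Correlate the constructed sample and return the merged identities."""
    return correlate(SAMPLE_RECORDS)


if __name__ == "__main__":
    for ident in demo():
        print(ident)
```

On the sample data this yields three identities, not six: the four Air Force, USSTRATCOM and DISA records collapse into one entry, while the sailor's two records remain separate until NMCI or DEERS is provisioned with a shared UID, which is exactly the duplicate problem the article expects in early spirals. Two caveats a practitioner would add: e-mail addresses are reused over time and are the weakest of the three keys, so a production matcher should weight them lower or require a second agreeing attribute; and the `conflict` flag exists because a single bad match key (a shared mailbox, a mistyped EDIPI) can otherwise silently merge two people.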

DIRECTORY ROADMAP

Achieving a GIG Joint Enterprise Directory will require the commitment and active support across the components, programs of record and associated communities of interest. DISA has drafted a JEDS Roadmap to help guide this directory data sharing effort. This roadmap calls for a spiral development approach:

• Spiral I: Establish an initial NIPRNet white pages provisioned from attributes harvested from DISA's GDS, the Army's Enterprise Directory Services Lite, the Air Force's Air Force Directory Services, the Navy's NMCI White Pages, the USMC's GAL, and the DISA GAL.
• Spiral II: Establish an initial SIPRNet white pages provisioned from DISA programs of record, combatant command, intelligence community and other yet-to-be identified identity repositories.
• Spiral III: Work with the components to expand the number of provisioning sources to capture more of the GIG user population.
• Spiral IV: Expand JEDS to include non-people digital identities, such as devices, applications and organizational identities, to publish DoD Blue Pages and Yellow Pages.
• Spiral V: Expand the number of harvested attribute sets, such as clearances, nationality, biometrics, functions and skills.

The JEDS team is working through the ASD (NII) governing panels to engage the numerous organizations and stakeholders to identify and vet requirements, to address directory issues and concerns, and to develop policy recommendations. JEDS is intended to be an enterprise-level service provisioned from department component sources and used by all in building a net-centric future. It will take the cooperation of all to make JEDS a reality for the benefit of all. ♦
