Technical Issues with Establishing Levels of Assurance

Slides:



Advertisements
Similar presentations
ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
Advertisements

Managing User, Computer and Group Accounts
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Credentialing, Levels of Assurance and Risk: What’s Good Enough Dr. Michael Conlon Director of Data Infrastructure University of Florida.
Identity Management at the University of Florida Mike Conlon, Director of Data Infrastructure University of Florida, Gainesville, Florida Background Identity.
Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.
Provisioning of Services Authentication Requirements David Henry Office of Information Technology University of Maryland
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Information Security Policies and Standards
May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
SE571 Security in Computing
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.
PKI-Enabled Applications That work! Linda Pruss Office of Campus Information Security
THE WHY AND HOW OF DATA SECURITY YOUR ROLE IN DATA STEWARDSHIP DEPARTMENT OF MEDICINE IT SERVICES.
Managing Information UT November 13-14, 2008 Campus Identity and Access Management Services.
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Copyright Copyright Ian Taylor This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
RSA Security Validating Users and Devices to Protect Network Assets Endpoint Solutions for Cisco Environments.
Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.
Identity Management 2.0 George O. Strawn NSF CIO.
National Science Foundation Chief Information Officer CIO Fall Update for the Advisory Committee for Business and Operations: Identity Management 2.0 George.
Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Designing Active Directory for Security
GatorLink Password Management Policy March 31, 2004.
Levels of Assurance in Authentication Tim Polk April 24, 2007.
Integrated Institutional Identity Infrastructure: Implications and Impacts RL “Bob” Morgan University of Washington Internet2 Member Meeting, May 2005.
Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.
University of Washington Identity and Access Management IEEAF – RENU Network Design Workshop Seattle - 29 Nov 2007 Lori Stevens, Director, Distributed.
Chapter 4- Part3. 2 Implementing User Profiles A local user profile is automatically created at the local computer when you log on with an account for.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Portal Services & Credentials at UT Austin CAMP Identity and Access Management Integration Workshop June 27, 2005.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.
Internet2 Base CAMP Topics in Middleware: Authentication.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
1 EDUCAUSE Mid-Atlantic Regional Conference Top Strategies for Working with Stakeholders: Synopses of Recommendations from the Identity Management Summit.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
OpenRegistry MACE-Dir 5/18/09 1 OpenRegistry Initiative Revisiting the Management of Electronic Identity Benjamin Oshrin Rutgers University May 2009.
Identity and Access Management
Understanding Security Policies
DATA SECURITY FOR MEDICAL RESEARCH
Radius, LDAP, Radius used in Authenticating Users
Current Campus Issues – From My Horizon
What Is Tapestry? An Online learning journal system.
Switchover from Teledeposit to VIRTUAL TERMINAL Moneris Solutions
Overview of CSE and UW Computing Facilities
Overview of CSE and UW Computing Facilities
Higher Education Privacy Update
CSG - Policy Discussion Identity Management Practice
Identity Infrastructure Fundamentals and Key Capabilities
Overview of CSE and UW Computing Facilities
PASSHE InCommon & Federated Identity Workshop
Copyright Copyright Ian Taylor This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Identity & Access Management
INFORMATION TECHNOLOGY NEW USER ORIENTATION
Identity Management at the University of Florida
Authentication & the Web
INFORMATION TECHNOLOGY NEW USER ORIENTATION
Overview of CSE and UW Computing Facilities
Appropriate Access InCommon Identity Assurance Profiles
Provisioning of Services Authentication Requirements
School of Medicine Orientation Information Security Training
Presentation transcript:

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington

Today’s Talk in one Slide Overview of the University of Washington (UW) Drivers for Levels of Assurance (LoA) Application Perspective User Perspective Exploring the Solution Space

UW’s Environment Central IT makes up about 1/4 of the IT staff Central IT has very little control over what departmental applications do Many diverse populations: 80,000 + Faculty, Staff and Students (18,000 Med Ctr Employees) 500,000 + Alumni and Affiliates 1,000,000 + Patients Other diverse populations (Cascadia Community College, WA State K-12 students, Library Patrons, etc.)

UW’s Enterprise Credential (UW NetID) A large amount of effort has gone into making the UW NetID UW’s single enterprise credential. More than 360,000 active UW NetIDs 300,000+ more potential users (1,300,000 + if we include patients) Our credentials are stored in both Kerberos and Windows AD We have 5 different UW NetID Types (not to be confused with LoAs!)

What LoAs does the UW NetID Support? One size fits all… well almost! ~ 7,400 people have 2-factor authn (SecurID) We support a group of EAuth level 1 credentials (very small test group)

A Tale of Two Populations Two populations one old one new 200K + K-12 Students and Educators (WA State Digital Learning Commons) 18K + UW Medicine Employees Some Commonalities Both need to authn Both are critical to UW’s mission Some Directly Competing Requirements Stronger password requirements vs. weaker password requirements

A Tale of Two Populations (cont) Discussion starters: How do we support both populations and uses with the same credential? What are the advantages and disadvantages to using the same credential vs separate credentials?

Drivers for LoA Compliance Perspective - Supporting federal, state and university policy requirements Access Perspective – Providing support for our diverse populations COMPLIANCE ACCESS

Compliance Drivers for LoA Regulatory – Government requirements HIPAA FERPA WA State ISB Standards WA State Security Breach Notification Law (6043) – 37 other states now have something like this Contractual – Liability protection issues Payment Card Industries/ Data Security Standards (PCI/DSS) Professional and International Standards – Represent due care E-Authentication ISO, NIST, COBIT etc. University Policy Different (sometimes competing) requirements Applies to subsets of the NetID populations Requirements vary from common sense to unreasonable

Compliance Requirements for LoA Password Requirements Expiration (120 days? 90 days? 30 days?) Lockout (3 attempts? 100K attempts?) Strength checking (minimum char length, dictionary checking, known info checking, etc) Protections ( Encrypted Authn, Strong Password Management ) Authn Requirements (Multi-factor) Logging/ Audit Requirements Identity Proofing Requirements

Access Drivers for LoA A subset of applications require a higher assurance level that’s costly to provide A subset of apps require low bar for entrance Globally distributed users create ID proofing challenges Provide service to individuals with little or no known personal data Password restrictions can be potentially unfriendly to certain classes of users

Access Requirements for LoA Support requirements of each individual application (Wireless network access vs. access to PHI) Support many different types and levels of identity proofing Allow users to access to certain applications when less ID proofing has been done Allow different password requirements based on what the user needs access to.

The Application Perspective How can existing apps be converted to use LoA? Why don’t you have population X in your system? Aren’t all your credentials people? Aren’t all your credentials highly secure? Why can’t you make it easier for people to get IDs?

The User Perspective It’s hard to choose a usable password! Why do I have to keep changing my password? Why do I have to give my personal information? What do you mean I have to come show my picture id? What do I need to do to access application ____?

Exploring the Solution Space A well defined set of assurance levels A collection of NetID and Authn characteristics are used to determine LoA An application that allows users to view their current LoA Clearly defined standards for what LoA each app type requires Support for LoA in authn services (Web Signon, Kerberos, Windows AD)

Characteristics that Defines LoA NetID Characteristics Type of Identity Proofing # of failed authns Password age Is Compromised? Shared, recycled or system credentials? Authn Time Characteristics Type of authn (single factor password authn? 2 factor? ) Time of authn

Types of Identity Proofing High Assurance ID Proofing Photo ID in person Notarized Photo ID via mail/ fax Phone verified ( 5 or more pieces of info ) One-time password by mail Low Assurance Phone verified ( 2 pieces of info minimum ) Email verified Verified by trusted member

How are LoAs Assigned? A collection of characteristics that define level of assurance As characteristics change, LoA may increase or decrease The assurance level may change when ID proofing is done accompanied by a password creation/ change The assurance level may be downgraded after a maximum password age or maximum number of failed attempts has been reached Depending on the characteristics of authn, LoA may change An additional factor or different mechanism

UW NetID Levels of Assurance (Conceptual) NOTE: This does not reflect the current state of the UW NetID. The UW does not yet have plans to implement this or any other LoA scheme. Level A – High assurance Personal IDs that authn with 2nd factor (securid for now). Compliant with EAuth Level 3 Level B – Higher assurance Personal IDs… compliant with EAuth Level 2 Level C – Lower assurance but meeting EAuth Level 1 standards Level D – Low assurance personal UW NetIDs that have minimal id proofing Level E – Shared and temporary IDs that have little or no assurance Level F – Compromised IDs and other IDs that are not allowed to authn

Credential LoAs are Just the Beginning… How do we assert the level of assurance we have that any attribute associated with the id really belongs to the specific person authenticating? How do we address back door system accounts? How is the user assured that the app they are assigning on is really what it says it is?

More Questions, Comments, Feedback? Directory Support directory-support@washington.edu Zephyr McLaughlin zephyrmc@washington.edu IDM Discussion List idm@listserv.educause.edu

UW NetID Types Personal UW NetID – A UW affiliated individual’s key to online resources at the UW and beyond Shared UW NetID – Used to share centrally maintained UW computing services such as departmental websites Temporary UW NetID – Used to provide temporary access to services via the UW NetID system Applications UW NetID – Applications/ services that need to authn and can’t use x509 certs Reserved UW NetID – UW NetIDs that can’t authn (eg. root, mailing lists, etc)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.