1 Credentialing, Levels of Assurance and Risk: What’s Good Enough. Dr. Michael Conlon, Director of Data Infrastructure, University of Florida
2 Goals
A single set of managed credentials
–Better for the users
–Better for security
–Lower cost
–Enables reasonable cross-boundary operations
Level of Assurance appropriate for business need
Strength of credential appropriate for business need

3 Authentication
Usernames and passwords -- stronger passwords for stronger credentials
Two-factor authentication is even stronger – PKI, Biometrics, SecurID
Strength of credential (password policy) determined by business requirements (affiliations and authorizations)

4 Affiliations
Each person has one or more affiliations with the institution. Student, Alum, Parent, Staff, Emeritus Faculty, Contractor, … (UF has 57 affiliations)
These roll up to 7 eduPerson affiliations – faculty, staff, student, alum, member, affiliate, employee
Affiliations drive authorization by policy

5 Authorization
The unit of authorization is a role. A role grants access to a service. Examples:
–UF_PORTAL_USER – grants access to my.ufl.edu, the UF Portal. All Faculty, Staff and Students have this role
–UF_GRADER – grants access to assign grades
–UF_GM_BUDGET_APP – grants access to approve grant budgets
–Roles are often scoped with parameters

7 The basic idea
Control the strength of the user’s credential by the roles assigned to the user
–Each role has an associated “password policy” – roles that provide limited access are assigned a low password policy. Roles that provide broad access are assigned a high password policy
–A user’s password policy is the maximum of the password policies assigned to the roles belonging to the user.
–As roles are granted or rescinded, the user’s password policy automatically goes up or down.

8 What’s a Password Policy?
A password policy is a collection of attributes that define how the password must be managed:
–How often must it be changed?
–Can it be changed online or only in person?
–Can a password hint be used?
–How long must the password be?
–How complex must the password be?
–And so on

9 UF has 5 password policies
Attribute                                   P1   P2   P3   P4   P5
1. Minimum length of password
Password is character checked               Yes  Yes  Yes  Yes  Yes
3. Max age of password (in days)
Security class before pwd is issued         No   No   No   Yes  Yes
15. Must use 2-factor authentication        No   No   No   No   Yes
16. Account is expired if pwd is cracked    No   No   No   Yes  Yes
Each policy has 16 attributes – see
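The rule from slide 7 (a user's password policy is the maximum over the policies of the roles they hold, rising and falling as roles are granted and rescinded) combined with the slide 9 attribute table, as an added example that is not part of the original slides. The role-to-policy assignments, the numeric attribute values the transcript does not carry, and the treatment of roles with no policy are assumptions of this example, not UF's configuration.

```python
# Policy levels P1..P5. The security_class, two_factor and expire_if_cracked
# values follow the slide-9 table; min_length and max_age_days are constructed
# placeholders because the transcript does not carry those numbers.
POLICIES = {
    1: dict(min_length=8, max_age_days=365, security_class=False, two_factor=False, expire_if_cracked=False),
    2: dict(min_length=8, max_age_days=365, security_class=False, two_factor=False, expire_if_cracked=False),
    3: dict(min_length=10, max_age_days=180, security_class=False, two_factor=False, expire_if_cracked=False),
    4: dict(min_length=12, max_age_days=90, security_class=True, two_factor=False, expire_if_cracked=True),
    5: dict(min_length=14, max_age_days=90, security_class=True, two_factor=True, expire_if_cracked=True),
}

# Roles from slide 5 mapped to a policy level; the levels are assumptions
# chosen to match the slide-11 rationale, not UF's actual assignments.
ROLE_POLICY = {
    "UF_PORTAL_USER": 2,    # information about oneself
    "UF_GRADER": 3,         # provides information about others
    "UF_GM_BUDGET_APP": 4,  # allocates university resources
}

def unmapped_roles(roles):
    """Roles with no password policy attached (a configuration defect)."""
    return sorted(r for r in roles if r not in ROLE_POLICY)

def effective_policy(roles):
    """Slide 7: the user's policy is the max over the held roles' policies.
    No roles means P1 (assumed guest level). An unmapped role is refused
    rather than skipped: skipping it would let the access that role grants
    sit behind a weaker credential than the role warrants."""
    if unmapped_roles(roles):
        raise KeyError(f"roles without a password policy: {unmapped_roles(roles)}")
    return max((ROLE_POLICY[r] for r in roles), default=1)

def requirements(roles):
    """Credential attributes the user must satisfy, given their roles."""
    return POLICIES[effective_policy(roles)]

class User:
    def __init__(self, username):
        self.username = username
        self.roles = set()

    def grant(self, role):
        self.roles.add(role)
        return effective_policy(self.roles)  # policy goes up if needed

    def rescind(self, role):
        self.roles.discard(role)
        return effective_policy(self.roles)  # and comes back down
```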

10 UF has 427 Roles (and growing)
PeopleSoft Roles: 235
Legacy Roles: 126
Non-PeopleSoft Roles: 86
UF has PeopleSoft HR, Finance, EPM and Portal. Expect to add 100+ roles when student is implemented

11 The Rationale for various password policies
P1 – used for applicants, guests, visitors – limited interaction with university information systems
P2 – information about oneself. Students. Some staff
P3 – provide and access information about others. Faculty and most admin staff
P4 – Significant authorization to allocate university resources. Core, Dean and VP admin staff
P5 – Direct access at system level to university systems

12 Password Policy Tally as of 2/1/2006
Policy     Count   PCT
Policy
Policy 2   175,
Policy 3   13,
Policy
Policy
Total      189,

13 Password Policy is not Level of Assurance
Level of Assurance answers the question “How sure are we that this person object represents that person?” UF has two levels of assurance – “Strong” (picture ID and physical presence) and “Weak” (web or mail process). LOA is an attribute of the person object in the directory.
Password Policy answers the question “How strong is this credential?” Password policy is an attribute of a role.

14 Object Relationships
Person
-UFID
-LOA
Affiliation
Credential
-Username
-Password
Role
Password Policy

15 Some Technical Details
1.5 M Person Objects in Registry in mainframe in DB2
Roles are stored and managed in PeopleSoft
Password Policies are stored and managed in PeopleSoft
Passwords are managed in PeopleSoft
Credentials are managed in legacy apps – will be managed in PeopleSoft
Affiliations are managed in Registry
Active Directory has all user objects with credentials
LDAP has all user objects

16 Some Policy Details and Consequences
Identity is established by 800 directory coordinators
Identity resolution is manual, 50 cases per year
Identity theft is rare, 1-2 cases per year
All users are required to change passwords at least each year
All passwords are strong
Password hints have reduced help desk calls

17 More Information
eduPerson
Directory project and structure
Password Policy
Or write