Identity Assurance: Can You Trust Me Now? RL "Bob" Morgan University of Washington/Internet2/InCommon CSG, San Diego, January 2010.

Presentation transcript:


CSG Identity Assurance Workshop, Jan

Topics
- Basics
- Assurance elements
- Assurance infrastructure
- Campus issues
- Various nagging questions

A moral tale: grade submission at UW
- longtime paper process focused on... paper
- course bubble sheets distributed to departments
- eventually get to instructors, or someone who fills them out, and signs them
- someone, usually dept staff, gets them to dropbox in registrar's office
- registrar's staff processes, scans, nags about late sheets,...

Online submission process
- Instructors enticed by gradebook app in LMS
- Users sign on to LMS with UW NetID
- Instructor of record inserts grades into course page, reviews, clicks submit
- Registrar's office nags about late submissions...
- Many obvious improvements, but some new risks too


Relying on new stuff
- Old process relied on longtime practices, personal relationships, physical stuff
- New process relies instead on:
  - Integrity of LMS, and its connection to SIS
  - Accuracy of authorization to course pages
  - Reliability of UW NetID system in all its parts: signon system, password protection, client system security, user behavior, incident handling,...

Raising questions...
- Should we use two-factor authentication?
  - extra cost, hard to use for some faculty
  - hard to integrate into LMS (it has been working fine with single-factor only)
- how do our data-protection policies apply?
- are other schools using two-factor for this?
- are there regulations that tell us what to do?
- is someone developing standards?
- Do we know who the TAs are?
  - more generally, who has what rights on a course


Basics of identity assurance
- Starting point is risks to apps/services
  - apps seek to manage risks cost-effectively
  - identity risks are only one class of risks
- What is identity?
  - from app point of view, it is anything about a requesting party on which access decisions can be made
  - maybe just a userid, maybe lots of other info (group, role, usage history, location, etc)
- When identity is externalized service, app seeks formal guarantees, i.e. assurance

One size doesn't fit all
- Apps have many kinds of resources to protect, different budgets to do so
  - can't afford "the best" identity practices always
- High-assurance practices are intrusive to users
  - showing identity docs, coming to help desk, two-factor, etc; so even if affordable, users will revolt
- Hence, a range of useful identity management practices balancing costs and risks
  - and agreements between identity management systems and apps on what the options are

Elements of IdM practice...
- about which apps might want assurance
- Registration and identity proofing
  - creation of record in IdM system for a person
  - external validation of personal information
  - obtaining/verifying contact information
- Credential assignment
  - e.g., username and password establishment
  - so authentication acts can be tied to registered person
  - also includes re-establishment as needed (aka password reset)

Elements of IdM practice
- Authentication services
  - technology by which users establish authenticated sessions with applications
  - wide range of technologies with cost/usability/effectiveness/risk tradeoffs
- User information management
  - information often used by apps for decisions
  - various kinds of identifiers
  - roles, groups, privileges, etc.

Elements about IdM operators
- Organizational maturity
  - documented procedures
  - authority over population/orgs in question
- Operations
  - change-management and security practices
  - helpdesk and user support
  - logging and records management
  - user privacy management

"Levels of Assurance"
- Several sets of criteria by which apps might rate IdM systems
  - and many options within each set, e.g. many different authentication technologies, proofing methods
- IdM systems serve many apps
  - expensive to tailor option sets to serve each one
  - apps are not the IdM experts; they want to rely on "acceptable practices" from IdM services
- Better for all if standard sets of practices can be defined, roughly consistent cost/risk-wise


USG leads the way
- OMB 04-04, December 2003
  - promotes e-authentication for e-government, using external identity providers
  - describes four levels of risk and corresponding levels of identity assurance, directs NIST to develop tech standards
  - "important to match LoA against cost and burden of solution"
- chartered US E-Authentication program run by GSA, to be "US government federation"

E-Auth and NIST
- E-Auth established program to evaluate IdPs aka "credential service providers" based on the four levels
- NIST developed "Electronic Authentication Guideline", SP , in 2004
  - technical guidance on identity proofing and authentication technology, specifying the four levels
- E-Auth incorporated this into its Credential Assessment Framework
  - several universities evaluated under it, in 2005

The Four Levels
- OMB says: (1) "little or no", (2) "some", (3) "high", (4) "very high"
- in more useful terms:
  - L1: typical Internet account: no tie to real-world identity, just repeatable authentication
  - L2: standard business practice: person identified, good password practices
  - L3: extra-secure business practice: small number of users, two-factor authn
  - L4: if you have to ask, you can't afford it


The USG moves on...
- E-Auth has some problems
  - funding not stable, not serving needs of agencies...
  - shut down March 2009
- Agencies succeed in federation on their own
  - e.g. NIH working with InCommon Federation, using technologies/practices consistent with CAF/
- GSA reorganizes, promotes this approach
  - new ICAM office centralizes identity work
  - agencies OK if practices "comparable"
- InCommon Federation fills the vacuum...

InCommon Identity Assurance
- "our version" of E-Auth CAF
  - improved, a little HE-specific
- supports InCommon certifying IdPs as compliant with assurance profiles consistent with E-Auth levels 1 and 2
- motivated initially by interest in working with higher-sensitivity apps at NIH and NSF
- 2 documents: framework and profiles
- will be supported by InC program processes, fees, support, etc.
- taking applications in

InCommon Assurance documents
- Identity Assurance Assessment Framework
  - describes overall approach, processes
  - role of IT organization, auditors
- Bronze/Silver Profiles
  - details of compliance elements
  - much taken verbatim from E-Auth CAF
  - also in "auditor-friendly" checklist form
- published November 2008
- accepted by USG for use with agencies? well...

Gov 2.0
- Obama administration seeks to transform government
  - transparency, delivery via web
- new federal CIO is big fan of Web 2.0, social networking, encourages agencies to adopt new techniques
- social networking depends on identity, is closely associated with OpenID
- OpenID now supported by major consumer services: Google, Live, Yahoo, Facebook, Paypal, etc, with hundreds of millions of users
- mandate from CIO to support OpenID


A big tent for protocols, trust providers
- ICAM creates more modular structures
  - not just SAML and PKI, but process for blessing other identity protocols, aka "Identity Scheme Adoption"
  - not just GSA evaluating IdPs, but a process for blessing other entities to create trust criteria and do certifications, aka "Trust Framework Provider Adoption", mostly copied from CAF/
  - "comparability" is the principle
- documents published summer 2009: profiles for OpenID (Level 1 only), Information Card protocols
- some organizations rev up to be TFPs...


Who ya gonna trust?
- Kantara Initiative
  - successor to Liberty Alliance, working in many identity areas
  - has had industry-oriented group working on its own Assurance Framework, also parallel to CAF, for several years; docs published mid-2009
  - setting up operational Assurance Certification process quite similar to InCommon, taking applications now
  - has applied to GSA to be Trust Framework Provider
  - may be useful resource for InCommon going forward

Who ya gonna trust? (2)
- OpenID Foundation and Information Card Foundation
  - industry groups promoting protocol adoption
  - newly empowered by government interest
  - developed "Open Identity Framework" model, promoting it in various venues; used InCommon docs as starting point
  - channeling interests of many commercial providers: Google, Yahoo, Equifax, others
  - vision to "add the trust to OpenID"
  - applying to GSA to be TFP

Who ya gonna trust? (3)
- InCommon applying to be TFP... at some point
- Formal approval necessary... at some point
- some uncertainty re SAML protocol
- a little privacy issue...

Assurance and privacy
- TFP document is mostly traditional assurance material, but adds new privacy criteria
  - motivated by privacy concerns of, e.g., people using Google accounts to access government services
- New requirements on IdPs:
  - Adequate notice: users must be notified about use of federated authn
  - Opt-in: users must opt in before info is sent
  - Minimalism: only required info is sent
- not clear how these apply to business-to-gov situations

Dealing with ICAM privacy reqs
- InCommon developing privacy addendum to its assurance program
- notion is that universities (a) have privacy policies that say only minimal info is sent, (b) do inform users about use of federated signon with third parties, and (c) participation in business/academic processes constitutes opt-in
- university IdPs would assert they do these things
- seeking comments on this soon...
- likely a useful part of federation program going forward, even with non-USG apps

Assurance on the wire: NIH and InC
- working with NIH on federation since...
- researchers from ~25 universities accessing CTSA since 2008, several other apps
- level what?
  - agreement to consider all InCommon members to be Level 1, for now
  - working on pilot for eRA research-admin app, requires Level 2, working out tech details now
- will converge with some campuses being approved for Silver in ?
- will converge with InCommon being approved by ICAM as TFP in ?

Assurance standards in action
- New FERPA rules 2009 suggest that student data protection requires "good" authentication practice, but how good is good?
  - working to get InCommon Silver blessed for this
- National Student Clearinghouse new student-self-service access, raises authentication quality issues, they want to impose standards on campuses
  - working to get Silver blessed for this
  - also for access to Meteor student loan system


What's a campus to do?
- Work to comply with standard (e.g. InC Silver)?
  - maybe; some campuses are doing this, such as CIC
  - is "achieving compliance" the same as "making a better campus IAM system"? up to a point...
  - useful for engaging communities: CISO, audit, medical, research, finance, etc, about IAM importance/reqs
- define its own levels/profiles?
  - do the four levels really meet your (our) needs?
  - some think there may be use in a 1.5, or some non-numeric label: "useful for applying to university" e.g.


What means compliance?
- To meet Silver do all users have to be Silver?
  - no: it is fine for one IdM system to have user entries at many different levels
  - one user might be at different levels at different times depending on how they signed on (e.g. two-factor, or location)
  - but system as a whole must meet Silver system criteria
- lifecycle considerations of moving between levels; need to label entries with assurance-related data? e.g. "process used to identity-proof"?
- but still: lots of people all at once, or one at a time?
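As an added worked example (not from the slides, and not InCommon's or UW's own code): a small Python model of the situation this slide and the "Four Levels" and "Basics" slides describe, where one IdM system holds user entries at different levels, a single user's level varies per session, entries are labelled with the process used to identity-proof them, and an app makes its access decision on that assurance data rather than on a userid alone. It assumes the four levels are numbered 1 to 4, that a session's level is the minimum of the entry's proofing level, its credential-management level and the authentication method's level (a weakest-link rule chosen for the example), and it uses a hypothetical authentication-method table and constructed sample users.

```python
"""Per-user, per-session assurance levels in one IdM system (added example).

Level numbers follow the slides' four OMB/NIST levels (1..4). The record
fields, the authentication-method table and the sample users below are
constructed for illustration; they are not InCommon or UW data.
"""
from dataclasses import dataclass, field

# Assurance contributed by how the session was authenticated (assumed table,
# matching the slides' plain-language descriptions of L1/L2/L3).
AUTHN_METHOD_LEVEL = {
    "password": 2,        # good password practices: L2
    "password+otp": 3,    # two-factor: L3
    "social-login": 1,    # no tie to real-world identity: L1
}


@dataclass
class IdentityRecord:
    """One entry in the IdM system, labelled with assurance-related data
    (the 'process used to identity-proof' label the slide asks about)."""
    userid: str
    proofing_method: str       # e.g. "i-9", "remote-self-assert" (constructed labels)
    proofing_level: int        # level the proofing process satisfies (1..4)
    credential_level: int      # level the credential issuance/reset process satisfies
    history: list = field(default_factory=list)  # lifecycle log of level changes

    def record_level(self) -> int:
        """Highest level this entry can ever be asserted at: the weaker of
        proofing and credential management."""
        return min(self.proofing_level, self.credential_level)


def effective_level(record: IdentityRecord, authn_method: str) -> int:
    """Level for one session: the record's level, capped by the method used.
    A Silver-proofed user who signs on via a social login gets only L1."""
    method_level = AUTHN_METHOD_LEVEL.get(authn_method, 1)  # unknown method counts as L1
    return min(record.record_level(), method_level)


def access_decision(record: IdentityRecord, authn_method: str, required_level: int):
    """Return (allowed, reason) for an app that requires a given level."""
    got = effective_level(record, authn_method)
    if got >= required_level:
        return True, f"L{got} >= required L{required_level}"
    return False, (f"L{got} < required L{required_level} "
                   f"(record L{record.record_level()}, authn '{authn_method}')")


def upgrade_proofing(record: IdentityRecord, new_method: str, new_level: int):
    """Lifecycle transition (e.g. an explicit L1->L2 step for a student).
    Appends to the record's history so an auditor can see when and how it changed."""
    record.history.append((record.proofing_method, record.proofing_level,
                           new_method, new_level))
    record.proofing_method = new_method
    record.proofing_level = new_level
    return record


# Constructed sample population: entries at different levels in one system.
SAMPLE_USERS = {
    "alice": IdentityRecord("alice", "i-9", 2, 2),              # employee, proofed at hire
    "bob": IdentityRecord("bob", "remote-self-assert", 1, 2),   # early-lifecycle student
}


def run_demo() -> dict:
    """Decisions for an app requiring Level 2 (like the eRA pilot on the slides)."""
    decisions = {}
    for uid, rec in SAMPLE_USERS.items():
        for method in ("password", "social-login"):
            decisions[(uid, method)] = access_decision(rec, method, 2)[0]
    # bob is proofed in person later: explicit L1 -> L2 transition
    upgrade_proofing(SAMPLE_USERS["bob"], "in-person", 2)
    decisions[("bob-after-proofing", "password")] = access_decision(
        SAMPLE_USERS["bob"], "password", 2)[0]
    return decisions


if __name__ == "__main__":
    for key, allowed in run_demo().items():
        print(key, "allowed" if allowed else "denied")
```

The point of the model is that "system meets Silver" and "this session meets Level 2" are separate questions: the record carries the proofing and credential labels, the session supplies the authentication method, and the app compares the combined result against its own requirement. The history list is what makes the lifecycle question on the slide auditable.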

Can we rely on existing processes?
- If we can't... can this work at scale?
- IAF permits orgs to use "existing relationships"
- Employees: federal I-9 should be universal, and good enough, for id proofing, but account setup?
- Students: student lifecycle starting very early now, does this compromise, or imply explicit L1->L2 transition?
- Alum/Affiliates/Armies of Gray: many looking at aligning sponsorship with formal levels
- Remote proofing an issue across all populations


Who does the audit?
- InCommon permits university internal audit
  - if sufficiently independent from IT organization
  - and if auditor meets qualifications: knowledgeable about IdM issues and InC framework, etc.
  - need for training/engagement with university audit community
- Could be that industry auditors fill the need
  - e.g. those approved by Kantara program
- Can audits we already do serve the purpose?

Password issues
- Interpreting password-protection requirements is hardest technical part of compliance
- model assumes service set up just for federation, with only one store and one service interface, but this is unrealistic in any organization of any size
  - e.g., if passwords are synced with Google or Windows Live, is that a non-compliant exposure?
  - how about LDAP authentication used with many campus/external applications?
  - how about password reset???
- who will make these judgment calls?
