Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

Presentation transcript:

Slide 1: EAAF as a vehicle for LoA
Using EAAF processes to incrementally approach InCommon/UCTrust certification

Slide 2: Background
Lots of ongoing discussion around LoA
  - InCommon Bronze/Silver compliance
  - UCTrust audits
  - Among UCTrust, ITLC, ITPS, ITAG, etc.
Lack of clarity around "standards" for federation
  - AYSO
  - UCPath

Slide 3: Silver/Bronze "Omnibus" Requirements
Business, Policy and Operational Criteria
  .1 InCommon Participant
  .2 Notification to InCommon
  .3 Continuing Compliance
  .4 IdPO Risk Management
Registration and Identity Proofing
  .1 RA authentication
  .2 Identity Verification Process
  .3 Registration Records
  .4 Identity Proofing
    .4.1 Existing Relationship
    .4.2 In-person Proofing
    .4.3 Remote Proofing
  .5 Address of Record Confirmation
  .6 Protection of Personally Identifiable Information
Credential Technology
  .1 Credential Unique Identifier
  .2 Basic Resistance to Guessing Authentication Secret
  .3 Strong Resistance to Guessing Authentication Secret
  .4 Stored Authentication Secrets
  .5 Basic Protection of Authentication Secrets
  .6 Strong Protection of Authentication Secrets
Credential Issuance and Management
  .1 Credential Issuance
  .2 Credential Revocation or Expiration
  .3 Credential Renewal or Re-issuance
  .4 Credential Issuance Records Retention
  .5 Resist Token Issuance Tampering Threat
Authentication Process
  .1 Resist Replay Attack
  .2 Resist Eavesdropper Attack
  .3 Secure Communication
  .4 Proof of Possession
  .5 Resist Session Hijacking Threat
  .6 Mitigate Risk of Credential Compromise
Identity Information Management
  .1 Identity Record Qualification
Assertion Content
  .1 Identity Attributes
  .2 Identity Assertion Qualifier
  .3 Cryptographic Security
Technical Environment
  .1 Software Maintenance
  .2 Network Security
  .3 Physical Security
  .4 Reliable Operations

Slide 4: Issues Achieving LoA Certification
  - Large number of requirements
  - Possibly unclear to governance what "LoA" really is
  - Difficulty committing to meet all requirements
    - Scope
    - Budget
    - Interpretation of Requirements
  - Overall LoA value to UC not well defined

Slide 5: Mapping InCommon to EA Standards
The same requirement list as slide 3 (Business, Policy and Operational Criteria; Registration and Identity Proofing; Credential Technology; Credential Issuance and Management; Authentication Process; Identity Information Management; Assertion Content; Technical Environment), with each InCommon requirement mapped to an EA Standard.

Slide 6: Example Standard
Password complexity and resistance to guessing
  - Two complexity levels
Technical Requirements
  - Low: Min 25 bits entropy [1], max brute force chance 1:2^10 [2]
  - High: Min 30 bits entropy [1], max brute force chance 1:2^14 [2]
    [1] "Password entropy" as measured per NIST, Appendix A
    [2] Maximum chance to guess (randomly) over lifetime of password
Implementation pattern #1:
  - 6/8 character, mixed type (up/low/num/sym), no dictionary words
  - 5 guesses allowed every 30 minutes (via lockout/rate limit controls)
  - Passwords forced to be changed annually
Patterns with equivalent entropy and guessing resistance allowed
  - Exception/Alternate Requirement for PIN-based systems
InCommon compliance vs UC utility
  - Standard text pulled (almost) directly from Bronze/Silver
  - Phrased to allow application outside InCommon settings
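The numbers on this slide can be checked arithmetically. The Python below is an added example, not part of the presentation: it models the two levels and implementation pattern #1 and computes the lifetime guess budget, the probability of a successful guess, and the longest change interval that stays under the ceiling. It assumes a naive attacker (every allowed online attempt is one uniformly random guess over 2^entropy secrets, against a single account, with no throttling beyond the stated lockout), treats the slide's entropy figures as inputs rather than deriving them from the character rules, and takes "annually" as 365 days.

```python
from dataclasses import dataclass
from fractions import Fraction

# Constructed from the slide's "Example Standard": (minimum entropy bits, max guess chance 1:2^k).
LEVELS = {"Low": (25, 10), "High": (30, 14)}

@dataclass(frozen=True)
class PasswordPattern:
    """Parameters of an implementation pattern, as listed on the slide."""
    entropy_bits: int        # per the slide's footnote [1]; taken as an input here
    guesses_per_window: int  # online attempts before lockout/rate limiting applies
    window_minutes: int      # length of the lockout/rate-limit window
    lifetime_days: int       # forced password change interval

def guesses_per_day(p: PasswordPattern) -> int:
    """Online attempts an attacker can spend on one account per day under the lockout rule."""
    return (24 * 60 // p.window_minutes) * p.guesses_per_window

def guess_budget(p: PasswordPattern) -> int:
    """Total attempts available over the password's whole lifetime."""
    return guesses_per_day(p) * p.lifetime_days

def guess_probability(p: PasswordPattern) -> Fraction:
    """Naive model: every attempt is a uniformly random guess over 2^entropy_bits secrets,
    so the chance of success over the lifetime is budget / 2^bits, capped at 1."""
    return min(Fraction(guess_budget(p), 2 ** p.entropy_bits), Fraction(1))

def meets_level(p: PasswordPattern, level: str) -> bool:
    """True when the pattern satisfies both the entropy floor and the guessing ceiling."""
    min_bits, k = LEVELS[level]
    return p.entropy_bits >= min_bits and guess_probability(p) <= Fraction(1, 2 ** k)

def max_lifetime_days(p: PasswordPattern, level: str) -> int:
    """Longest forced-change interval (whole days) keeping the pattern under the ceiling."""
    _, k = LEVELS[level]
    allowed_guesses = 2 ** p.entropy_bits // 2 ** k  # budget at which probability == 2^-k
    return allowed_guesses // guesses_per_day(p)

# Pattern #1 from the slide at each level's minimum entropy; "annually" assumed to be 365 days.
PATTERN_1 = {lvl: PasswordPattern(bits, 5, 30, 365) for lvl, (bits, _) in LEVELS.items()}

if __name__ == "__main__":
    for lvl, p in PATTERN_1.items():
        print(f"{lvl}: budget={guess_budget(p)} guesses, p={float(guess_probability(p)):.2e}, "
              f"meets={meets_level(p, lvl)}, max lifetime={max_lifetime_days(p, lvl)} days")
```

Under those assumptions the Low row (25 bits) reports a budget of 87,600 guesses per year and a success chance of about 1 in 383, above the 1:2^10 ceiling, with 136 days as the longest compliant lifetime; the High row (30 bits) gets 273 days against the 1:2^14 ceiling.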

Slide 7: Utility outside of UCPath
  - Provides specific assurance to applications
    - AYSO (redux)
    - UCPath (redux)
  - Guidance even outside of federated cases
    - Securing local DDODS databases
    - Evaluating password reset practices

Slide 8: Using EAAF for InCommon Certification

Slide 9: BACKUP SLIDES

Slide 10: Current and Recent LoA Efforts
  - UCTrust leadership met with Greg Loge (UC IT Auditor)
    - What is audited? (Bronze, Silver, UCTrust Basic, etc.)
    - Who should audit? (UCOP, campus team, outside vendor)
    - Program for auditing
  - UCTrust discussions of audit approaches and requirements
    - Ongoing discussions and estimates
    - UCSB audit against UCTrust Basic
    - UCSC and UCB looking to audit against InCommon Silver
  - Discussions at UCTrust, UCPath, ISAAC, ITPS, ITLC
  - ITLC proposed a workgroup to identify ILTI LoA requirements
  - This EAAF proposed process