EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.

Introductions
- Who we are
- Who you are

Topics for Today
- What's the Problem?
- Stories from the Field
- Profiles Overview and Gap Analysis
- Profiles to Practice: Business and Technical Implementation Considerations and Sample Timeline
- Resources to Help You

What’s the Problem and Why Should You be Worrying?

Deloitte Predictions 2013: Passwords == bad
- Strong? 5 hours to crack
- Phishing
- Bad habits
- Same password on multiple sites
- Online sources of cracked passwords
- Cell phones encouraging numbers-only passwords
- Bad practices
- Yahoo recycling addresses
- Sample Articles

Is This a Case for Multifactor?
- What questions should we be asking?
- How can I address phishing?
- How can I protect against inappropriate reassignment?
- How can I ensure the right physical person is using that password?
- InCommon's Identity Assurance Framework and Profiles provide a step-wise and standards-based way to address these questions

Components of Assurance

| Risk | Assurance component that mitigates | Effort to mitigate |
|---|---|---|
| Fraudulently obtained | Identity proofing + credential management | Vetting process, Subject attributes, record keeping |
| Inappropriate reassignment | Credential management | Token issuance & revocation, binding of Token to Subject, secure infrastructure, record keeping |
| Stolen or shared | Token technologies | Additional factors (biometric, geolocation, ...); Multi-factor (PIN + token); Second factor (OTP, "phone factor", 2nd password); Password/passphrase |

Providing Credentials for your Credentials
- 2004: USG defines 4 Levels of Assurance (NIST )
- 2009: USG Identity, Credential and Access Management (ICAM)
  - Certifies trust frameworks to interact with the USG agencies
  - Determines comparability with
- 2011: InCommon ICAM Trust Provider
  - Higher Ed developed, USG approved
  - Bronze comparable to NIST LoA 1
  - Silver comparable to NIST LoA 2

What Guidance are You Using?

Stories from the Field

Stronger Authentication at UCB – Adopt Me Please?
- IAM Systems review – Burton report
- Pre-InCommon Assurance and campus data classification
- Still a perceived need to "tighten" assurance
- Finding a cost-effective solution

CAS Second-Level Authentication
- Much easier and less expensive to deploy than two-factor
- Developed as contribution to existing CAS open source initiative
- User to supply a second "secret" for sensitive apps
- CAS Second Level Overview
- One line code change for apps already integrated with CAS

Adoption, or not…
- Adoption Round 1 – It's the right thing to do
- Adoption Round 2 – You have to do it
- The bet

Conceding Defeat

UC Trust Compliance and InCommon Silver
- UC Trust Federation - Basic Assurance
- Decision to convert to InC Silver
- System-wide gap analysis
- System-wide HR replacement
- Still no decision - likely deferred
- How to prioritize and align resources?

Your Stories from the Field?

The InCommon Assurance Profiles

It's All About Identity Assurance
- Assurance: a positive declaration intended to give confidence; a promise
- Identity Assurance: the ability for a party to determine, with some level of certainty, that an electronic credential representing a person can be trusted to actually belong to the person.

Risk Management Perspective
- Understanding the risk
  - Compliance
  - Financial
  - Reputational
- Choosing to invest in mitigation
  - Idaho and HIPAA Fine

Relevant Assurance Docs

InCommon – Higher Ed
- Identity Assurance Assessment Framework
- Identity Assurance Profiles
  - Bronze (Level 1)
  - Silver (Level 2)
- Certification: Legal Addendum
- Privacy criteria from ICAM

OMB/NIST – Federal Agencies
- OMB M-04-04, E-Authentication Guidance for Federal Agencies
  - Maps risk to four levels of assurance
- NIST E-Authentication Guidelines
  - Describes how to implement the four levels

InCommon Bronze: Common Sense
- Assign Responsibility for IdM
- Establish Policy for IdM
- Harden Password Management
- Harden Credential Technology Infrastructure
- Optional Compliance: Perform Self Assessment

InCommon Silver: Critical Business
- Strengthen Identity Proofing and Registration
- Enforce Strong Passwords (or Deploy MFA)
- Further Harden Password Management
- Harden Technical Infrastructure
- Optional Compliance: Obtain Independent Audit

A Note on Compliance
- Using Profiles is free, downloading is free
- Compliance will be required when federating with
  - US Government
  - Other InCommon Service Providers requesting an InCommon Profile
- Pros
  - Published on Federal and InCommon website
  - Shows good practice to your service providers
  - Bronze is free; Silver is good biz practice
- Con
  - Due diligence – more work
  - Silver requires audit and fee to be certified

InCommon Identity Assurance Profiles (03/08/2012): Functional Areas
- Business, Policy and Operational Criteria
- Registration and Identity Proofing
- Credential Technology
- Credential Issuance and Management
- Authentication Process
- Identity Information Management
- Assertion Content
- Technical Environment

Profile Specifics (criteria by Functional Area, marked per profile as Bronze / Silver)

Functional Area: Business, Policy and Operational Criteria
- .1 InCommon Participant
- .2 Notification to InCommon
- .3 Continuing Compliance
- .4 IdPO Risk Management

Functional Area: Registration and Identity Proofing
- .1 RA Authentication
- .2 Identity Verification Process
- .3 Registration Records
- .4 Identity Proofing
  - .4.1 Existing Relationship
  - .4.2 In-person Proofing
  - .4.3 Remote Proofing
- .5 Address of Record Confirmation
- .6 Protection of Personally Identifiable Information

Functional Area: Credential Technology
- .1 Credential Unique Identifier
- .2 Basic Resistance to Guessing Authentication Secret
- .3 Strong Resistance to Guessing Authentication Secret
- .4 Stored Authentication Secrets
- .5 Basic Protection of Authentication Secrets
- .6 Strong Protection of Authentication Secrets

Functional Area: Credential Issuance and Management
- .1 Credential Issuance
- .2 Credential Revocation or Expiration
- .3 Credential Renewal or Re-issuance
- .4 Credential Issuance Records Retention
- .5 Resist Token Issuance Tampering Threat

Functional Area: Authentication Process
- .1 Resist Replay Attack
- .2 Resist Eavesdropper Attack
- .3 Secure Communication
- .4 Proof of Possession
- .5 Resist Session Hijacking Threat
- .6 Mitigate Risk of Credential Compromise

Functional Area: Identity Information Management
- .1 Identity Record Qualification

Functional Area: Assertion Content
- .1 Identity Attributes
- .2 Identity Assertion Qualifier
- .3 Cryptographic Security

Functional Area: Technical Environment
- .1 Software Maintenance
- .2 Network Security
- .3 Physical Security
- .4 Reliable Operations

Find the Gaps
- Review the IAP table
- Where are you likely to find gaps?
  - Business process, documentation
  - Credential management
- Who needs to help fill them?
  - Systems of Record representatives, Service Desk
  - Central IT – security, credential managers, systems teams
- When should you engage them?
- Estimating resources and timelines – sample gap analysis chart

BREAK

Profile to Practice

Profile to Practice: Business

Framework: Functional Model

Business Process Considerations
- On-boarding and the IdPO
  - ID proofing and bootstrapping the digital credential
  - HR, delegated admins or both
  - The "CalNet Deputy" model and CalNet Deputy Training
- Remote proofing
- Re-issuance
- Security questions?
- User education and awareness

Profile to Practice: Technology

Password/passphrase Entropy
- Password complexity
- Dictionary checks
- Expiration
- Lockouts
- Failed login counter
- Entropy Calculators
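The password controls above (expiration, lockouts, a failed-login counter, an entropy estimate) are exactly the levers behind the "Basic/Strong Resistance to Guessing Authentication Secret" criteria listed earlier. The following added example, not from the presenters or InCommon, ties them together: it bounds how many online guesses a policy allows over a credential's lifetime, compares the resulting guessing probability with the NIST SP 800-63 v1.0.2 LoA 1 / LoA 2 targets of 2^-10 and 2^-14 (assumed here; the slides do not quote them), and enforces the lockout with a per-account failed-login counter. The sample policies and the 30-bit entropy estimate for user-chosen passwords are constructed assumptions.

```python
"""Check whether a password policy's lockout and expiration settings keep the
online-guessing probability under the Bronze (LoA 1) and Silver (LoA 2) targets."""
import math
from dataclasses import dataclass

# Guessing-probability targets from NIST SP 800-63 v1.0.2 (LoA 1: 2^-10,
# LoA 2: 2^-14). Assumed for this example; not stated on the slides.
TARGETS = {"Bronze": 2 ** -10, "Silver": 2 ** -14}


@dataclass(frozen=True)
class PasswordPolicy:
    entropy_bits: float        # estimated entropy of a user-chosen password
    lifetime_days: int         # expiration interval
    attempts_per_lockout: int  # failed-login counter threshold
    lockout_minutes: int       # how long an account stays locked after that


def uniform_entropy_bits(min_length: int, charset_size: int) -> float:
    """Upper bound: a random password of the shortest allowed length.
    User-chosen passwords carry far less entropy (hence dictionary checks),
    so feed a lower estimate into PasswordPolicy rather than this value."""
    return min_length * math.log2(charset_size)


def max_online_guesses(policy: PasswordPolicy) -> int:
    """Worst case: an attacker fills every lockout window for the whole lifetime."""
    windows = policy.lifetime_days * 24 * 60 // policy.lockout_minutes
    return policy.attempts_per_lockout * windows


def guess_probability(policy: PasswordPolicy) -> float:
    """Chance that the guess budget hits one account's secret (uniform over 2^entropy)."""
    return min(1.0, max_online_guesses(policy) / 2 ** policy.entropy_bits)


def profiles_met(policy: PasswordPolicy) -> list:
    """Names of the profiles whose guessing target the policy satisfies."""
    p = guess_probability(policy)
    return [name for name, target in TARGETS.items() if p <= target]


class FailedLoginCounter:
    """Per-account failed-login counter that enforces the policy's lockout."""
    def __init__(self, policy: PasswordPolicy):
        self.policy, self.failures = policy, {}   # account -> [unix timestamps]

    def is_locked(self, account: str, now: float) -> bool:
        window = self.policy.lockout_minutes * 60
        recent = [t for t in self.failures.get(account, []) if now - t < window]
        self.failures[account] = recent            # forget failures outside the window
        return len(recent) >= self.policy.attempts_per_lockout

    def record_failure(self, account: str, now: float) -> None:
        self.failures.setdefault(account, []).append(now)


# Constructed sample policies; the 30-bit entropy figure is an assumption.
LAX = PasswordPolicy(entropy_bits=30, lifetime_days=365, attempts_per_lockout=10, lockout_minutes=15)
STRICT = PasswordPolicy(entropy_bits=30, lifetime_days=180, attempts_per_lockout=5, lockout_minutes=30)
```

With these inputs the lax policy reaches only the Bronze target, while shortening the lifetime and tightening the lockout brings the same password population within the Silver target.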

Credential Management
- Where is the verifier used?
- Certify other systems?
- Downgrade credentials?
- UCB proxied authentication guidelines

Stronger Credential Options
- Second credential
- Multi-factor
- Related application level concerns
  - For entire app?
  - For some roles?

Technical Environment
- Campus minimum standards if you have them
- Industry standards - CIS Benchmarks

Profile to Practice: Making the Pitch

Considering Your Audience
- Elevator pitches for:
  - Audit (if not for certification)
  - IT Executives
  - IT Security
  - Functional Owners (HR, Controller, Student System)

Profile to Practice: 18 months to Better Practices

Timeline across six quarters (Q1, Q2, Q3, Q4, Q1, Q2), in order:
1. Bronze gap
2. Bronze documentation
3. Bronze certification
4. Silver gap
5. Silver funding
6. Silver mitigations
7. Silver documentation
8. Silver audit/certification

Resources

Standing on the Shoulders of Others
- InCommon Assurance Program Website
- InCommon Assurance Implementers wiki
- AD Cookbook for Silver
- Failed Login Counter: Possible shared investment
- Multi-factor Guidance
- Va Tech Case Study
- Password Entropy Calculators

Join the Club!
- Make a community contribution to the Assurance Wiki
- Participate on the mailing list
- Join the monthly calls
- Contribute to the reading of the Bronze spec starting this fall

Your Presenters
- Dedra Chamberlin, Deputy Director, Identity and Access Management, University of California – Berkeley
- Ann West, Assistant Director for InCommon Assurance and Community, Internet2