Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.



Increasingly, people must easily and securely exchange information in cyberspace among "known" individuals and to securely access restricted resources they “know” can be trusted without having to struggle with numerous and onerous security processes.

How do you prove you are who you say you are? How do you know that someone is legitimate in his or her dealings with you, and how do you get redress if things go wrong? If your identity is stolen and used fraudulently, or personal records are altered without your knowledge or permission, how do you prove that it was not you? It is difficult enough to verify someone's identity in the tangible world where forgery, impersonation and credit card fraud are everyday problems related to authentication. Such problems take on a new dimension with the movement from face-to-face interaction, to the faceless interaction of cyberspace.
(Identity and Authentication, Simon Rogerson)

Ideally, each individual would like a single digital credential that can be used securely to authenticate his or her identity whenever identity authentication is required to secure a transaction.

UTHSC-H: An Identity Provider (IdP)
It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

Ideally, a digital credential must positively identify a person, positively identify the certifying authority - i.e. the identity provider (IdP), be presentable only by the person it authenticates, be tamper proof, and be accepted by all systems.

Issuing a Digital Credential
Individual appears before an Identity Provider (IdP) which accepts the responsibility to
– positively determine and catalog a person's uniquely identifying physical characteristics (e.g. picture, two fingerprints, DNA sample),
– assign a unique, everlasting digital identifier to each person identified,
– issue each identified person a digital credential that can only be used by that person to authenticate his or her identity,
– maintain a defined affiliation with each individual whereby the validity of the digital credential is renewed at specified intervals.

[Diagram, built up over four slides: Identity Provider (IdP) uth.tmc.edu. A Person undergoes Identity Vetting & Credentialing: the IdP obtains the person's physical characteristics and stores them in a Permanent Identity Database, assigns an everlasting Identifier that is permanently bound to the person, and issues a Digital Credential that can be activated by the person only. The later slides relabel the credential and mark the weakening of the binding with question marks: PKI Digital ID & Strong Two Factor Authentication (no question marks); UTHSC-H Two Factor Authentication (two question marks); UTHSC-H Username/Password Authentication, with activation using the network username and password (a row of question marks).]

Two Categories of Identity
Physical Identity – Body Identity – Authentication
– Facial picture
– Fingerprints
– DNA sample
Identity Attributes – Authorization Attributes
– Common name
– Address
– Institutional affiliations – e.g. faculty, student, staff, contractor
– Specific group memberships
– Birth date
– City of Birth
– Etc.

Critical Identity Issues
Is a person positively identified?
Is the person's digital credential valid?
Is the person currently affiliated with the university?
– i.e. does UTHSC-H accept responsibility for this person's identity?
Are the person's authorization attributes valid – i.e. can they be "trusted"?
– Are a person's authorizations for specific applications appropriate?

Identity Provider Liability: Internal & External Services
Institution provides IdP services only for internal uses.
– UTHSC-H personnel (LRAAs) responsible for identity vetting & credentialing – subject to audit.
– Contracts with external organizations to provide vetting for their personnel having affiliations with UTHSC-H – defined as UTHSC-H Guests.
  – Contract likely not auditable.
Institution provides IdP services to relying parties – e.g. U.T. System Federation members.
– IdP services to relying parties should not be provided for "Guests".

Identity & Authentication Attributes
Identity Vetting
– Basic Trust Level
– Medium Trust Level
– High Trust Level
Credential Strength
– Two-factor PKI Biometric Token
– Two-factor PKI Password Token
– One-factor Network Username/Password

UTHSC-H Strategic Authentication Goals
Two authentication mechanisms.
– Single university ID (UID) and password.
– Digital ID (DID)
Digital ID can be used to set the password for the UTHSC-H user ID.
– No one but the "owner" ever knows the UID password.
– When the UID password is "aged", say every 90 days, the user can use the DID to reset the password. The user never has to contact the help desk, thus freeing the help desk to do other tasks!

Policy and procedures associated with identifying, credentialing and authenticating employees, students and residents are reasonably appropriate at the university. However, another group of individuals, such as contractors, research collaborators and others having legitimate, professional affiliations with the university, do not have digital credentials issued by identity providers having relying party agreements with UTHSC-H.

Currently, the university accepts the legal responsibility of identifying these individuals, designated as "guests", and issuing them digital credentials which they can use to authenticate their university-certified identity to others.

Because of the extremely varied circumstances associated with how “guest” affiliations arise and terminate, it is difficult to determine the current status of “guest” affiliations and associated levels of “trust”. To ensure that appropriate assurance levels can be asserted by UTHSC-H as an identity provider, special policies exist for identity proofing and credentialing of persons sponsored by individual university personnel.

One such policy is the requirement that individuals being considered for an extension of their guest status for an additional year must have their identity formally re-vetted by the university, and their sole control of their digital credentials re-affirmed. It has been requested that this policy be reviewed.

UTHSC-H requires that individuals requesting an extension of their "Guest" status have their physical identity annually re-vetted and sign a statement attesting that they: are affiliated with the university as described by their sponsor; have maintained and will maintain sole control of their digital credentials; will immediately notify UTHSC-H if such control is compromised or if they are no longer affiliated with the university; and that their contact information, as presented, is correct.

Individuals wanting to extend their "Guest" status and having a UTHSC-H digital ID/token can digitally sign a reaffirmation stating that they are affiliated with the university as described by their sponsor, have maintained and will maintain sole control of their digital credentials, will immediately notify UTHSC-H if such control is compromised or if they are no longer affiliated with the university, and that their contact information, as presented, is correct.
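The digitally signed reaffirmation above, together with the issuance step ("Issuing a Digital Credential") and the "Critical Identity Issues" checks, in working form. This is an added Go example, not code from the presentation or from UTHSC-H: it assumes an ECDSA P-256 key pair held on the guest's token (the IdP keeps only the public half), a one-year validity window, and constructed identifier, sponsor and contact values; UTHSC-H's real PKI formats and identity database schema are not described on the page. The same proof-of-control check is what lets a DID reset a UID password without the help desk ever learning it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Credential is the IdP's record of one issued digital credential: the
// everlasting identifier permanently bound to the holder's public key, plus
// the validity window and revocation state the IdP maintains.
// Constructed model for this example, not UTHSC-H's actual schema.
type Credential struct {
	Identifier string
	PublicKey  *ecdsa.PublicKey
	NotBefore  time.Time
	NotAfter   time.Time
	Revoked    bool
}

// Reaffirmation is the statement a guest signs when requesting an extension.
type Reaffirmation struct {
	Identifier string    // identifier of the credential being reaffirmed
	Sponsor    string    // affiliation as described by the sponsor
	Contact    string    // contact information the guest asserts is correct
	SignedAt   time.Time // when the guest signed
}

// canonical returns the exact bytes that get signed. A fixed prefix and field
// order make the statement unambiguous and stop the signature being reused as
// a signature over some other kind of message.
func (r Reaffirmation) canonical() []byte {
	return []byte(fmt.Sprintf("uthsc-h-guest-reaffirmation|%s|%s|%s|%s",
		r.Identifier, r.Sponsor, r.Contact, r.SignedAt.UTC().Format(time.RFC3339)))
}

// IssueCredential binds a fresh key pair to an identifier. The private key
// goes to the holder's token; the IdP stores only the public key.
func IssueCredential(identifier string, issuedAt time.Time) (Credential, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	cred := Credential{
		Identifier: identifier,
		PublicKey:  &priv.PublicKey,
		NotBefore:  issuedAt,
		NotAfter:   issuedAt.AddDate(1, 0, 0), // one-year validity (assumed)
	}
	return cred, priv, nil
}

// Sign is performed by the guest with the private key on their token.
func Sign(priv *ecdsa.PrivateKey, r Reaffirmation) ([]byte, error) {
	digest := sha256.Sum256(r.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyReaffirmation is the IdP-side check: is the credential currently
// valid, and was this exact statement signed by the sole holder of that
// credential? Any failure rejects the extension.
func VerifyReaffirmation(c Credential, r Reaffirmation, sig []byte, now time.Time) error {
	if r.Identifier != c.Identifier {
		return errors.New("statement names a different identifier than the presented credential")
	}
	if c.Revoked {
		return errors.New("credential has been revoked")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return errors.New("credential is outside its validity period")
	}
	digest := sha256.Sum256(r.canonical())
	if !ecdsa.VerifyASN1(c.PublicKey, digest[:], sig) {
		return errors.New("signature does not verify: statement altered or not signed by the credential holder")
	}
	return nil
}

// Extend renews the affiliation for another year only after a valid reaffirmation.
func Extend(c Credential, r Reaffirmation, sig []byte, now time.Time) (Credential, error) {
	if err := VerifyReaffirmation(c, r, sig, now); err != nil {
		return c, err
	}
	c.NotAfter = now.AddDate(1, 0, 0)
	return c, nil
}

func main() {
	issued := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)                     // constructed date
	cred, priv, err := IssueCredential("uthsc-h:guest:00001234", issued)        // constructed identifier
	if err != nil {
		panic(err)
	}
	stmt := Reaffirmation{Identifier: cred.Identifier, Sponsor: "Sponsor (constructed)",
		Contact: "guest@example.invalid", SignedAt: issued.AddDate(0, 11, 0)}
	sig, _ := Sign(priv, stmt)
	renewed, err := Extend(cred, stmt, sig, stmt.SignedAt)
	fmt.Println("extension error:", err, "new expiry:", renewed.NotAfter.Format("2006-01-02"))
	stmt.Contact = "other@example.invalid" // altered after signing
	fmt.Println("tampered:", VerifyReaffirmation(cred, stmt, sig, stmt.SignedAt))
}
```

The order of checks matters: revocation and validity are decided from the IdP's own records before the signature is even examined, so a stolen-but-revoked token cannot renew anything no matter how good its signature is.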

Inter-institutional Identity Reconciliation
Problem:
– Multiple identity providers (IdPs) in a Federation.
– Individuals with multiple digital credentials issued by different IdPs.
Example:
– Jane Doe is provisioned into Application A with UTMDACC credentials.
– Moves to BCM & obtains new credentials.
– How does Application A handle this change of identity?
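One way Application A can handle the Jane Doe case, as an added Go example that is not part of the presentation: the application keeps its own local account and treats each federated credential (issuing IdP plus that IdP's persistent subject identifier) as a link to it, so authorizations attach to the account rather than to any one credential. A new credential is linked only after the user has authenticated with both the old and the new one in the same session, and a credential already bound to a different account is never silently moved. The issuer strings and identifiers are constructed placeholders, not the real entityIDs of UTMDACC or BCM.

```go
package main

import (
	"errors"
	"fmt"
)

// FederatedID is what Application A receives at login: the IdP that asserted
// the user and that IdP's persistent, IdP-scoped subject identifier.
type FederatedID struct {
	Issuer  string
	Subject string
}

// Account is Application A's own record. Roles hang off the local account,
// never off any one federated credential.
type Account struct {
	LocalID     string
	DisplayName string
	Roles       []string
	Linked      map[FederatedID]bool
}

// Registry maps every linked federated identity to exactly one local account.
type Registry struct {
	accounts map[string]*Account
	index    map[FederatedID]string // federated identity -> LocalID
}

func NewRegistry() *Registry {
	return &Registry{accounts: map[string]*Account{}, index: map[FederatedID]string{}}
}

// Provision creates the local account on first federated login.
func (r *Registry) Provision(localID, name string, id FederatedID, roles ...string) (*Account, error) {
	if _, taken := r.index[id]; taken {
		return nil, errors.New("federated identity already bound to an account")
	}
	if _, taken := r.accounts[localID]; taken {
		return nil, errors.New("local id already in use")
	}
	acct := &Account{LocalID: localID, DisplayName: name, Roles: roles, Linked: map[FederatedID]bool{id: true}}
	r.accounts[localID] = acct
	r.index[id] = localID
	return acct, nil
}

// Resolve turns an incoming federated identity into the local account.
func (r *Registry) Resolve(id FederatedID) (*Account, error) {
	localID, ok := r.index[id]
	if !ok {
		return nil, fmt.Errorf("no account linked to %s / %s", id.Issuer, id.Subject)
	}
	return r.accounts[localID], nil
}

// Link binds a second credential to an existing account. The caller must have
// authenticated the user with BOTH credentials in the same session: proved is
// the already-linked identity, incoming the new one. An incoming identity that
// is bound elsewhere is refused and left for manual reconciliation.
func (r *Registry) Link(proved, incoming FederatedID) error {
	owner, ok := r.index[proved]
	if !ok {
		return errors.New("proved identity is not linked to any account")
	}
	if other, bound := r.index[incoming]; bound {
		if other == owner {
			return nil // already linked, nothing to do
		}
		return errors.New("incoming identity is bound to a different account; manual reconciliation required")
	}
	r.index[incoming] = owner
	r.accounts[owner].Linked[incoming] = true
	return nil
}

// Unlink drops a credential, e.g. when the old IdP reports that the affiliation
// has ended. The account survives while another linked credential remains;
// when the last one goes, roles are cleared so nothing stays authorized.
func (r *Registry) Unlink(id FederatedID) error {
	localID, ok := r.index[id]
	if !ok {
		return errors.New("identity not linked")
	}
	delete(r.index, id)
	acct := r.accounts[localID]
	delete(acct.Linked, id)
	if len(acct.Linked) == 0 {
		acct.Roles = nil
	}
	return nil
}

func main() {
	reg := NewRegistry()
	mdacc := FederatedID{Issuer: "urn:example:idp:utmdacc", Subject: "jdoe-persistent-id"} // constructed
	bcm := FederatedID{Issuer: "urn:example:idp:bcm", Subject: "9f3a-persistent-id"}       // constructed
	reg.Provision("app-a-0001", "Jane Doe", mdacc, "investigator")
	fmt.Println("link:", reg.Link(mdacc, bcm)) // <nil>: Jane proved control of both
	acct, _ := reg.Resolve(bcm)
	fmt.Println(acct.LocalID, acct.Roles) // app-a-0001 [investigator]
	reg.Unlink(mdacc)                     // UTMDACC affiliation ends
	acct, _ = reg.Resolve(bcm)
	fmt.Println(acct.Roles) // still [investigator]
}
```

The design answers the slide's question by never letting a change of IdP look like a change of person to the application: the local account is the identity the application trusts, and federated credentials are evidence of it that can be added and withdrawn independently.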