Federal Requirements for Credential Assessments Renee Shuey ITS – Penn State February 6, 2007.

Higher Ed - eAuthentication Pilot
Organized around Levels of Assurance (LOA)
– LOA 1 and 2 accept assertion-based credentials
  Local authentication followed by identity message to agency application
  Business and legal rules imposed on applications and Credential Providers alike
– LOA 3 and 4 imply cryptography-based
  PKI dominates
  Serviced by Federal PKI Policy Authority and Federal PKI Operational Authority
  Major growth area for Federal Apps in first round

Higher Ed - eAuthentication Pilot: Who
– Cornell University
– Penn State
– University of Maryland at Baltimore County
– University of Washington
– General Services Administration

Higher Ed - eAuthentication Pilot: What
Institutional Credential Assessments, Jan '05
– Identified issues for meeting LOA1 requirements
– Password guessing, strength, expiration
– Authorization to Operate Statement
– Stored secret (password resets)
– Documentation
– Align policies and practices
Proposed solution for cultural differences
– Password guessing/Denial of Service Attacks

The Low Hanging Fruit

Higher Ed - eAuthentication Pilot: The Low Hanging Fruit
NSF FastLane
– An interactive, real-time system used to conduct NSF business over the Internet
– Used by faculty to submit grant proposals, check proposal status, participate in panels, perform financial transactions and reports
– Credential Service Provider assessed as LOA1
– Application assessed by GSA as LOA1

Higher Ed - eAuthentication Pilot: Findings
CAP GAP Analysis
– 48% requirements met by all 3 schools
– 25% requirements met by at least 1 school
– 25% requirements not met by any
– 2% not applicable
EAF Business & Operating Rules not obtainable/practical for HE
Institutional credential assessments would be difficult to scale for all of higher education

The Next Step - Interfed
It was determined that a more scalable and user-friendly approach would be to establish trust between the federations
An initiative was established to identify issues and propose solutions for linking federations

InCommon Participation Requirements
Common descriptive information
Software Guidelines
Transparency of Policy and Practices
– POP (Participant Operational Practices)
Participation Agreement
– Minimal “bar” to enter
– Limited Liability; No Indemnification
– General Liability Insurance
Modest application and annual fee

“The” Demo
Internet2 Fall Member Meeting
– Demo: proof of concept (POC) of interoperability of the InCommon and eAuthentication Federations
– Chest bumps were attempted, goose bumps were achieved

eAuthentication Credential Assessment Profile: Summary of Assessment Factors (three slides; only the titles are captured in the transcript)

Credential Assessment Profile: Level 1

Organizational Maturity: Authorization to Operate
– 1. The credential service (CS) shall have completed appropriate authorization to operate (ATO) as required by the policies of the credential service provider (CSP).
– 2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.

Organizational Maturity: General Disclosure
– 1. The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community.
– 2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.

Authentication Protocol: Secure Channel
– Secrets transmitted across an open network shall be encrypted.

Authentication Protocol: Stored Secrets
– Secrets such as passwords shall not be stored as plaintext, and access to them shall be protected by discretionary access controls that limit access to administrators and applications that require access.

Token Strength: Resistance to Guessing
– At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected user’s PIN or Password shall have a probability of success of less than 2^-14 (1 chance in 16,384) over the life of the PIN or Password.
– The PIN (numeric-only) or Password shall have at least 10 bits of min-entropy (a measure of the difficulty that an attacker has to guess the most commonly chosen password used in a system) to protect against untargeted attack.
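An added worked example (not from the presentation or the federal profile) that turns the two Level 1 figures above into an assessor's check: it derives the online-guess budget the 2^-14 bound leaves for a given password-entropy estimate, counts the guesses a lockout policy actually leaves an attacker over the password's lifetime, and measures the min-entropy of a constructed password sample against the 10-bit floor. The 30-bit entropy estimate, the lockout rule and the password sample are assumptions.

```python
import math
# Figures from the slide: a targeted online-guessing attack must succeed with
# probability below 2^-14 (1 in 16,384) over the life of the password, and the
# password must carry at least 10 bits of min-entropy against untargeted attacks.
TARGETED_MAX_PROB = 2 ** -14
UNTARGETED_MIN_ENTROPY_BITS = 10

def min_entropy_bits(password_counts):
    """-log2 of the share held by the single most common password: the chance
    that one untargeted guess of the most popular password succeeds."""
    total = sum(password_counts.values())
    return -math.log2(max(password_counts.values()) / total)

def max_guesses_over_lifetime(entropy_bits, max_prob=TARGETED_MAX_PROB):
    """Largest N with N * 2^-H < max_prob, i.e. N < 2^(H-14) at the slide's
    bound. Uses the union bound: each guess succeeds with probability <= 2^-H."""
    return math.ceil(max_prob * 2 ** entropy_bits) - 1

def guesses_allowed_by_throttle(max_failures, lockout_minutes, lifetime_days):
    """Guesses one attacker gets against one account under an assumed lockout
    rule (not from the slide): max_failures failures lock the account for
    lockout_minutes. A patient attacker waits out every lockout, and a tighter
    lockout is the denial-of-service trade-off the pilot findings mention."""
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return int(max_failures * windows)

def assess_level1(entropy_bits, max_failures, lockout_minutes, lifetime_days,
                  password_counts):
    """Evaluate both Level 1 token-strength factors for a credential service."""
    attacker_gets = guesses_allowed_by_throttle(max_failures, lockout_minutes,
                                                lifetime_days)
    budget = max_guesses_over_lifetime(entropy_bits)
    observed = min_entropy_bits(password_counts)
    return {
        "guesses_attacker_gets": attacker_gets,   # 87600 for 5 / 30 min / 365 d
        "guess_budget": budget,                   # 65535 for a 30-bit estimate
        "targeted_ok": attacker_gets <= budget,
        "observed_min_entropy_bits": round(observed, 2),
        "untargeted_ok": observed >= UNTARGETED_MIN_ENTROPY_BITS,
    }

# Constructed sample: 5,125 accounts, the most common password chosen by 5 of
# them, so min-entropy = log2(1025), just clearing the 10-bit floor.
SAMPLE_PASSWORD_COUNTS = {"nittany1": 5, "password": 4, "winter07": 3}
SAMPLE_PASSWORD_COUNTS.update({f"unique-{i}": 1 for i in range(5113)})

if __name__ == "__main__":
    for days in (365, 90):   # assumed 30-bit estimate, 5 failures then 30-min lockout
        print(days, assess_level1(30, 5, 30, days, SAMPLE_PASSWORD_COUNTS))
```

With the assumed 30-bit estimate, a 5-failure/30-minute lockout fails the targeted bound at a one-year password lifetime (87,600 guesses against a budget of 65,535) but passes at 90 days (21,600 guesses), which is why the slide ties the bound to the life of the password.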

Token Strength: Uniqueness
– 1. Each subscriber shall self-select at registration time a unique token (e.g., UserID + Password).
– 2. A user can have more than one token, but a token can only map to one user.
– 3. Unique tokens cannot be recycled after a subscriber leaves the CS.

Credential Assessment Profile: Level 2

Organizational Maturity: Documentation
– 1. The CSP shall have all security-related policies and procedures documented that are required to demonstrate compliance.
– 2. Undocumented practices will not be considered evidence.

Organizational Maturity: Audit
– The CSP shall be audited by an independent auditor every 24 months to ensure the organization’s practices are consistent with the policies and procedures for the CS. At the time of the assessment, the most recent audit shall have been performed within the last 12 months.

Organizational Maturity: Risk Management
– The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.

Organizational Maturity: COOP
– 1. The CSP shall have a Continuity of Operations Plan (COOP) that covers disaster recovery and the resilience of the CS.
– 2. Service level agreements are not assessment criteria; they are covered in the licensing arrangements.
– 3. The CS shall employ failure techniques to ensure system failures do not result in false positive authentication errors.

Organizational Maturity: Network Security
– The CSP shall protect their internal communications and systems with measures commensurate with Assurance Level 3 when those communications involve open networks.

Registration and Identity Proofing: In-Person Proofing
– The Registration Authority (RA) shall establish the applicant’s identity based on possession of a valid current primary Government Picture ID that contains the applicant’s picture, and either address of record or nationality (e.g. driver’s license or passport).
– RA inspects photo-ID, compares picture to applicant, records ID number, address and date of birth. If ID appears valid and photo matches applicant then:
  a) If ID confirms address of record, authorize or issue credentials and send notice to address of record, or
  b) If ID does not confirm address of record, issue credentials in a manner that confirms address of record.

Registration and Identity Proofing: Remote Proofing
– The RA shall establish the applicant’s identity based on possession of a valid Government ID (e.g. a driver’s license or passport) number and a financial account number (e.g., checking account, savings account, loan or credit card) with confirmation via records of either number.
– RA inspects both ID number and account number supplied by applicant. Verifies information provided by applicant including ID number or account number through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirms that name, date of birth, address and other personal information in records are on balance consistent with the application and sufficient to identify a unique individual.

Confirming Delivery
The CSP shall issue or renew credentials and tokens in a manner that confirms any one of the applicant’s:
– 1. Postal address of record; OR
– 2. Fixed-line telephone number of record.

References
– [FIPS-140-2] “Security Requirements for Cryptographic Modules”, Federal Information Processing Standard Publication 140-2
– [M-04-04] The OMB E-Authentication Guidance
– [SP ] NIST Special Publication, version 1.0.1