Joining the Federal Federation: a Campus Perspective Institute for Computer Policy and Law June 29, 2005 Andrea Beesing IT Security Office.

Presentation transcript:

Joining the Federal Federation: a Campus Perspective
Institute for Computer Policy and Law, June 29, 2005
Andrea Beesing, IT Security Office, Cornell University

Topics of discussion
- Business drivers for Cornell’s Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)
- Overview of the federal eAuth credentials assessment framework (CAF) and Cornell’s experience with it
- Areas identified as commendable
- Areas of common practice
- Differences with the federal government’s CAF
- Where next?

Cornell business drivers
- Cornell Legal Music Pilot with Napster in summer 2004
- Library interest in:
  - Library vendors
  - DSpace
- Office of Sponsored Programs: streamlined process for grant submission
- Cornell University Weill Medical College: resource sharing between Cornell in Ithaca and Cornell in New York City

Broad objective of assessment
- Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell, given Cornell’s involvement with Shibboleth and InCommon

Assessment objective clarified
- Evaluate Cornell practices against CAF
- Find areas of common practice between Shibboleth community and eAuth, as well as differences
- Suggest changes where they would be beneficial to common operations
- Evaluate whether the two communities can be an operationally good fit

Assessment components
- CAF – Credential Assessment Framework
- CS – Credential Service
- CSP – Credential Service Provider
- CAP – Credentials Assessment Profile

Credential Assessment Framework (diagram)
- Credential Service Provider: Cornell University
- Credential Assessment Profile, from which the Credential Assessment Checklist is derived
- Credential types covered by the checklist: NetIDs, GuestIDs, VMIDs, Other
- Completed Credential Assessment Checklist feeds the Credential Assessment Report
- Participants: eAuthentication assessors and Cornell staff

Assessment categories and examples (the number in parentheses is the assurance level at which the criterion applies)
- Organizational maturity
  - Valid legal entity with authority to operate (1)
  - Risk management methodology (2)
- Identity proofing
  - Written policy on steps for identity proofing (2)
- Authentication protocol
  - Secrets encrypted when transmitted over the network (1)
  - Password not disclosed to third parties (2)

Assessment categories and examples (continued)
- Token strength
  - Password resistance to guessing, or entropy (1)
  - Stronger resistance to guessing (2)
- Status management
  - Revoked credentials cannot be authenticated (1)
  - Revocation of credential within 72 hours of invalidation or compromise (2)
- Credential delivery
  - Credential delivered in a manner that confirms the postal address of record or fixed-line telephone number of record (2)

Sample: CAF checklist for level 1

1. Assurance Level 1
1. Organizational Maturity

Checklist columns: Tag | Description | Suggested Evidence of Compliance | Status (the Status column is blank in the sample)

Tag: Established
  Description:
    1. The CSP shall be a valid legal entity, and a person with legal authority to commit the CSP shall submit the Assessment package.
    2. The operational system will be assessed as it stands at the time of the Assessment. Planned upgrades or modifications will not be considered during the assessment.
  Suggested evidence of compliance:
    1. Articles of incorporation, Organizational Charter, Affidavit, etc.
    2. Demonstration

Tag: Authorization to Operate
  Description:
    1. The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies.
    2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.
  Suggested evidence of compliance:
    1. Copy of ATO or company authorization for Credential Service
    2. Asserted in Authorization document as set forth in GSA policies

Tag: General Disclosure
  Description:
    1. The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community.
    2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.
  Suggested evidence of compliance:
    1. Terms, Conditions, and Privacy policies posted on Website
    2. Document how the provider will do this.

Sample: CAP checklist for level 2

Checklist columns: Tag | Description | Suggested Evidence of Compliance | Status (the Status column is blank in the sample)

Tag: Documentation
  Description:
    1. The CSP shall have all security related policies and procedures documented that are required to demonstrate compliance.
    2. Undocumented practices will not be considered evidence.
  Suggested evidence of compliance: Copies of or link to policies

Tag: Helpdesk
  Description: A helpdesk shall be available for subscribers to resolve issues related to their credentials during the CSP’s regular business hours, minimally from 9am to 5pm Monday through Friday.
  Suggested evidence of compliance: Observe Helpdesk

Tag: Risk Mgt
  Description: The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.
  Suggested evidence of compliance: Copy of Risk Assessment

1.1 Assurance Level 2
Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.
Organizational Maturity

Assessment process steps
- Submit sign-up sheet
- Schedule assessment with eAuth team
- Submit documentation to eAuth team
- Prepare Cornell overview for assessment meeting
- Contact Cornell stakeholders to inform and/or schedule for eAuth team visit

Assessment process steps (continued)
- Day 1 of assessment
  - Provide background information on Cornell as credential provider
  - First pass through assessment checklist
  - Tour of data center
- Day 2 of assessment
  - Review draft of assessment report and checklist
  - Correct and clarify assessment checklist

Assessment process participants
- Identity Management team or equivalent
- IT Security Director
- IT Policy Director
- University Counsel
- IT Auditor
- Human Resources Records
- Computer Access staff
- University Registrar
- Business continuity planner
- Data center manager

Commendable areas
- Position of the Identity Management program within the IT organization
- Complete and up-to-date documentation for users
- Data center security

Cornell Information Technologies (organization chart)
VP, Information Technology
- Customer Services and Marketing *
- Information Systems *
- Distributed Learning Services
- Security Office (IT Security Director)
  - Identity Management: Authentication, Authorization, Directory Services, Provisioning Tools
  - Security Incident Response
  - Vulnerability Scanning
  - Network Anomaly Detection
  - Client Security
  - Security Consulting
- Network and Communication Services
- Systems and Operations
- Advanced Technology and Architecture *
* Units performing account management functions connected with this credential service

Areas of common practice
- General approach to IT policy
  - IT policy framework
  - Quality of policy documents
- Effective channels for communicating policies
- Well-established disaster recovery plan
- Excellent delivery procedures for credentials

Differences with CAF – level 1 assessment
- Threat protection
  - Measures to prevent on-line guessing of passwords insufficient
  - Federal government’s baseline recommendations:
    - Password life rules, or
    - Lock-out rules
  - Uniqueness of password / forcing password change when the user logs on for the first time
- Password life rules and lock-out are particularly problematic for universities
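The level-1 threat-protection gaps above, and the token-strength and status-management criteria listed earlier (resistance to on-line guessing, revoked credentials cannot be authenticated, revocation within 72 hours of invalidation or compromise), come down to a handful of decisions a credential service makes at logon time. The following Python is an added example written for this transcript; it is not code from the presentation, from Cornell, or from the eAuth programme. It models a toy credential service that applies a lock-out rule, a password life rule, a forced change on first logon, and a revocation check. Only the 72-hour deadline comes from the slides; the attempt threshold, lock-out window and maximum password age are assumed values chosen for illustration, and the NetID, passwords and timeline are constructed.

```python
"""Added example (not from the presentation): a toy credential service that
enforces the CAF-style controls the slides list under threat protection,
token strength and status management. Constants marked 'assumed' are
illustrative values, not figures from the CAF; the 72-hour revocation
deadline is the one the slides quote."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 5                    # assumed lock-out threshold
LOCKOUT_WINDOW = timedelta(minutes=15)     # assumed lock-out duration
PASSWORD_MAX_AGE = timedelta(days=90)      # assumed password life rule
REVOCATION_DEADLINE = timedelta(hours=72)  # level-2 criterion quoted on the slides

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a stolen credential store does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

@dataclass
class Credential:
    netid: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    must_change: bool = True               # delivered password must be replaced on first logon
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    invalidation_reported_at: Optional[datetime] = None

def new_credential(netid: str, initial_password: str, now: datetime) -> Credential:
    salt = os.urandom(16)
    return Credential(netid, salt, hash_password(initial_password, salt), now)

def authenticate(cred: Credential, password: str, now: datetime) -> str:
    """Decision: ok, ok-change-required, bad-password, locked, expired or revoked."""
    if cred.revoked_at is not None and cred.revoked_at <= now:
        return "revoked"                   # revoked credentials cannot be authenticated
    if cred.locked_until is not None and now < cred.locked_until:
        return "locked"                    # refuse before checking, so lock-out throttles guessing
    if not hmac.compare_digest(hash_password(password, cred.salt), cred.pw_hash):
        cred.failed_attempts += 1
        if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
            cred.failed_attempts = 0
            cred.locked_until = now + LOCKOUT_WINDOW
            return "locked"
        return "bad-password"
    cred.failed_attempts = 0
    if cred.must_change:
        return "ok-change-required"        # first logon: force a new, unique password
    if now - cred.password_set_at > PASSWORD_MAX_AGE:
        return "expired"                   # password life rule: correct but too old
    return "ok"

def change_password(cred: Credential, new_password: str, now: datetime) -> bool:
    """Reject reuse of the current password; otherwise re-salt and restart the age clock."""
    if hmac.compare_digest(hash_password(new_password, cred.salt), cred.pw_hash):
        return False
    cred.salt = os.urandom(16)
    cred.pw_hash = hash_password(new_password, cred.salt)
    cred.password_set_at = now
    cred.must_change = False
    return True

def revoke(cred: Credential, reported_at: datetime, now: datetime) -> None:
    """Record when invalidation/compromise was reported and when revocation took effect."""
    cred.invalidation_reported_at = reported_at
    cred.revoked_at = now

def revocation_within_deadline(cred: Credential) -> bool:
    """Level-2 status management: revocation no later than 72 hours after the report."""
    if cred.revoked_at is None or cred.invalidation_reported_at is None:
        return False
    return cred.revoked_at - cred.invalidation_reported_at <= REVOCATION_DEADLINE

def run_scenario() -> List[str]:
    """Walk one constructed NetID through every control and collect the decisions."""
    t0 = datetime(2005, 6, 29, 9, 0)       # constructed timeline
    cred = new_credential("example-netid", "initial-pw", t0)
    out = [authenticate(cred, "initial-pw", t0)]                       # ok-change-required
    out.append(str(change_password(cred, "initial-pw", t0)))           # False: reuse rejected
    change_password(cred, "correct-horse-battery", t0)
    out.append(authenticate(cred, "correct-horse-battery", t0))        # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = authenticate(cred, "wrong-guess", t0)
    out.append(last)                                                   # locked on 5th failure
    out.append(authenticate(cred, "correct-horse-battery", t0 + timedelta(minutes=1)))   # locked
    out.append(authenticate(cred, "correct-horse-battery", t0 + timedelta(minutes=16)))  # ok
    out.append(authenticate(cred, "correct-horse-battery", t0 + timedelta(days=91)))     # expired
    revoke(cred, reported_at=t0 + timedelta(days=1), now=t0 + timedelta(days=2))
    out.append(authenticate(cred, "correct-horse-battery", t0 + timedelta(days=3)))      # revoked
    out.append(str(revocation_within_deadline(cred)))                  # True
    return out
```

Two design points bear on the slide’s remark that these rules are hard for universities. The lock-out here is time-limited rather than permanent and is checked before the password is verified: a time-limited lock still throttles on-line guessing, but a burst of bad attempts against a known NetID cannot keep its owner out for good or generate a helpdesk ticket for every incident. The revocation check is ordered first so that an account under compromise review is refused even if its password is still correct, which is what the level-1 status-management criterion asks for; the 72-hour check is a separate reporting measure, since the authentication path itself cannot tell whether revocation happened quickly enough.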

Differences with CAF – level 2
- Business Continuity Plan should be finalized
- Written policy or practice statement documenting all identity proofing procedures
- Better remote proofing procedures for alumni

Where next?
- eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County
- Individual arrangements between federal government and universities will not scale
- Goal will be interoperation between eAuth and InCommon
- InCommon does not now require the same level of accreditation as eAuth for either credential providers or service providers
- Accreditation could become an important function for any shared identity federation

For more information
- eAuthentication:
- eAuthentication credential assessment tool suite:
- Cornell IT Security Office web site (includes Identity Management):
- Cornell’s policy tutorial for new students: cgi/policyPub.cgi