Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.

Presentation transcript:


Outline
- Policy is not an IT issue
- Why “trust” can be an IT issue
- The PKI trust model
- The federation trust model
- Other notable trust models
- Lots of Q & A

Why do we need policy?
- Trust is about mitigating risk
- Think about credit cards
- FDIC ruling re on-line banking
- Policy defines how the organization views risks and requires mitigation
- Establishes a basis for trust

Policy is not an IT issue
- Policy is a business issue, defined and developed by executive management
- Needs organizational weight behind it
- Policy reflects institutional goals and choices
- Sets the framework for practices

Policy (cont.)
- Not prescriptive but descriptive
- Specifics change
- Principles don’t (as often)
- IT supports policy using technology
- Must take into account external “policy” too
- Auditors evaluate conformance
- Reassures management & others

Why trust can be an IT issue
- IT provides tools and services, e.g.
- Managing secure infrastructure
- Supporting strong credentials
- Detecting and containing problems
- The big picture is a “trust fabric”
- Ensuring security and authenticity
- The weak link is usually people...

Implementing trust across boundaries
- Contracts
- Less formal agreements, e.g. MOA
- Stated policies
- Referrals from others you trust
- Community Standards (BCP)
- How is any of this instantiated?

The PKI trust model
- Root of the hierarchy defines “policy”
- This is the Trust Anchor
- Relying parties choose which policy(s) to trust
- Certs must contain one of the trusted policies
- Few applications do this (yet)

Bridged PKIs
- Enables trust across communities
- Each campus retains its own trust anchor
- Policy is mapped through the Bridge
- Bridges can/will interconnect too

Bridged PKI trust model
- RP trusts its TA to map “trust” (CP OIDs) appropriately
- TA trusts Bridge to map “trust” appropriately
- Trust Broker Policy is critical!
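The policy mapping described on the PKI and bridged-PKI slides can be sketched as follows. This is an added example, not part of the original slides: it is a simplified model (it ignores anyPolicy and the inhibitPolicyMapping and requireExplicitPolicy constraints of full path validation), and every OID, mapping table and function name in it is constructed for illustration.

```python
# Constructed policy OIDs under the 2.999 example arc (not real CP OIDs).
A_BASIC, A_MEDIUM = "2.999.1.1", "2.999.1.2"            # relying party's campus
BRIDGE_BASIC, BRIDGE_MEDIUM = "2.999.0.1", "2.999.0.2"  # bridge
B_BASIC, B_MEDIUM = "2.999.2.1", "2.999.2.2"            # remote campus

# One dict per cross-certificate: issuer-domain OID -> subject-domain OIDs.
A_TO_BRIDGE = {A_BASIC: {BRIDGE_BASIC}, A_MEDIUM: {BRIDGE_MEDIUM}}
BRIDGE_TO_B = {BRIDGE_BASIC: {B_BASIC}, BRIDGE_MEDIUM: {B_MEDIUM}}
# A careless bridge mapping that also equates B's basic policy with medium.
BRIDGE_TO_B_LAX = {BRIDGE_BASIC: {B_BASIC}, BRIDGE_MEDIUM: {B_MEDIUM, B_BASIC}}


def map_through_path(rp_trusted, hops):
    """Translate the RP's trusted policy OIDs hop by hop along the path.

    Returns {OID in the final domain: set of RP-domain OIDs it stands for}.
    An OID with no mapping at a hop carries over unchanged.
    """
    current = {oid: {oid} for oid in rp_trusted}
    for mapping in hops:
        translated = {}
        for oid, origins in current.items():
            for target in mapping.get(oid, {oid}):
                translated.setdefault(target, set()).update(origins)
        current = translated
    return current


def policies_satisfied(rp_trusted, hops, cert_policies):
    """Return the RP-domain policies that the end-entity cert satisfies.

    An empty set means the cert carries none of the trusted policies
    and the relying party should reject it.
    """
    equivalents = map_through_path(rp_trusted, hops)
    satisfied = set()
    for oid in cert_policies:
        satisfied |= equivalents.get(oid, set())
    return satisfied


if __name__ == "__main__":
    rp = {A_MEDIUM}  # the RP only accepts its own "medium" policy
    good_path = [A_TO_BRIDGE, BRIDGE_TO_B]
    lax_path = [A_TO_BRIDGE, BRIDGE_TO_B_LAX]
    print(policies_satisfied(rp, good_path, {B_MEDIUM}))  # accepted
    print(policies_satisfied(rp, good_path, {B_BASIC}))   # rejected
    print(policies_satisfied(rp, lax_path, {B_BASIC}))    # accepted via lax map
```

The third call shows why the bridge's own policy matters: the relying party's check is unchanged, yet a weaker credential passes because the mapping it relies on was too generous.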

Identity Federations
- Otherwise independent entities that give up some degree of autonomy to achieve a common goal
- Essence of federation includes:
- Common semantics (identity attributes, etc.)
- Common syntax (protocols for exchange)
- Common basis for trust

Federation trust model
- Federation operator defines standards for the community
- May define various “levels of assurance”
- Operator evaluates Participants...
- Participants agree to abide by the policy
- Operator can request audits to verify this
- Metadata about Participants is distributed
- Relying Parties decide what they accept

Assurance Levels (OMB M-04-04)
1. Little or no confidence exists in the asserted identity; essentially a persistent identifier
2. Confidence exists that the asserted identity is accurate; appropriate for a wide range of business with the public; application verifies identity
3. High confidence in the asserted identity’s accuracy; use to access restricted web services without the need for additional identity assertion controls
4. Very high confidence in the asserted identity’s accuracy; use to assert identity and gain access to highly restricted web resources

NIST Authentication Guidelines
- Basis for eAuth federation credential assessment framework
- Builds on OMB four levels of identity assurance
- Focuses on identity credential primarily
- Levels 3 & 4 require PKI
- Go to See Special Publication

NIST (cont.)
Four areas discussed:
- Identity proofing, registration and the delivery of credentials which bind an identity to a token
- Tokens (typically a cryptographic key or password) for proving identity
- Remote authentication mechanisms, that is the combination of credentials, tokens and authentication protocols used to establish that a claimant is the subscriber s/he claims to be
- Assertion mechanisms used to communicate the results of a remote authentication to other parties

Assurance Level 1
- Minimal ID proofing at registration
- Prove subject has possession of token
- No clear text passwords on networks
- Protect password files
- Guard against password guessing
- Sometimes called account lockout
- Password strength > 2^-10

Assurance Level 2
- Use of government issued IDs to register
- Crypto to prevent capture and replay
- Credential revocation within 72 hrs
- Stronger protection of password file
- Password strength > 2^-14

Assurance Level 3
- Requires PKI or “one-time password device” holding a symmetric crypto key
- Cert and private key can be in cache
- Require password or biometric to unlock
- Crypto must be FIPS Level 1
- Must use realtime proof of possession
- Guard against man-in-the-middle attack
- Credential revocation within 24 hours

Assurance Level 4
- Requires PKI on hardware device with enforced PIN timeout
- FIPS Level 2 or higher
- Guard against session hijacking

eAuth Credential Assessment
- Implementation of NIST Framework (CAF) describes process for evaluating credential service providers
- Profiles identify issues for each LOA
- Password CAP for Levels 1 & 2
- PKI CAP for levels 3 & 4
- GSA does assessment for eAuth credential service providers

eAuth CAF Level 1-2 CAP

About Identity Management
- Where in the organization is this function?
- Who is in the IdM repository?
- What do you need to know about them?
- Where’s the authoritative source?
- How is the repository managed?
- Who/what gets access to it?
- How is privacy protected?

Other communities of trust
- PGP - in person exchange of keys
- OpenID - self asserted identity vouched for by referrals (i.e. reputation) See
- eBay - buyer feedback ratings
- USHER U.S. Higher Education (PKI) Root

USHER
- Intentionally minimal “policy”
- See pki-lite policy-practices-current.html
- Basically “Do what you do for student IDs”
- Trust is based on community
- Focus is on using the technology
- Stronger “policy” can come later

Triumvirate
- Each has policy
- Credential binds a physical person to an identifier
- IdM ensures reliable information associated with that identifier
- Federation policy defines for a community
- Together they define a basis for intra- and inter-domain trust

Q & A

© David L. Wasley, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.