IdM Identity Proofing & Registration Gary Chapman David Millman September 2006.


CSG 2006/9--2 Agenda
–Context: IdM elements & processes
–Definitions
–How things are mostly done today
–Internal & external drivers for change
–How to approach next gen designs
–Relationship to other IdM concepts
–Sample documents

CSG 2006/9--3 Context
Identification and Registration are basic components of an overall IdM system. They are fundamental at the beginning of bringing people into a community, but their role continues: other IdM functions rely on Identification and Registration processes and data.
Goal: provide trustworthy electronic and physical credentials to members of a community.

CSG 2006/9--4 Overview of IdM Elements

CSG 2006/9--5 We digress… a couple of comments on that diagram…
It has some good aspects, e.g. the common understanding we have today that authentication is something to be largely handled outside an app, and is something different from authorization.
But it still misses many very important aspects of Identity Management, e.g.
–Directory Services
–Federation
–Policy and Governance
–Data structures, including roles and groups
–Recurrent / cyclical processes
–Devilish details!

CSG 2006/9--6 Definitions
Identification is the process by which information about a person is gathered and used to provide some level of assurance that the person is who they claim to be. Generally, this identity verification takes place within the office (e.g. Human Resources or Student Services) that first encounters the individual and creates their record within the institutional system(s) of record. The next step is Registration.
Registration (credentialing) is the process whereby users are given electronic credentials, leveraging the identification process above to ensure that they are coupled with the correct electronic identity information. For example, many campuses use a web-based mechanism to reset an initial password and establish a permanent one, ensuring a correct mapping by requiring the user to enter additional information validated against that which is contained in their record. It is important for institutions to establish rules that govern the processes used by the department or office that assigns and distributes credentials.
(from the NMI-EDIT Authentication Roadmap)
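The registration step described above, where a permanent credential is bound to an electronic identity only after the user proves knowledge of an initial (one-time) secret and of attributes held in the system of record, as an added Python example. It is not code from the slides or from any campus system; the system-of-record entries, the activation-code scheme and the attribute fields (`dob`, `id_last4`) are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample system-of-record entries (not real people): the office of
# record (e.g. Human Resources) created these during identification.
SYSTEM_OF_RECORD = {
    "jdoe": {"dob": "1985-04-12", "id_last4": "1234", "email": "jdoe@example.edu"},
    "asmith": {"dob": "1990-11-30", "id_last4": "5678", "email": "asmith@example.edu"},
}

# One-time activation codes handed to the applicant at identification time,
# stored hashed so the registration service never holds the plaintext.
_activation_hashes = {}
_credentials = {}     # username -> (salt, password hash)
_attempts = {}        # username -> failed registration attempts

MAX_ATTEMPTS = 5      # assumption: lockout threshold against on-line guessing


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # scrypt from the standard library; parameters kept modest for the example.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)


def issue_activation_code(username: str) -> str:
    """Office of record issues a one-time code after identity proofing."""
    if username not in SYSTEM_OF_RECORD:
        raise KeyError("no identity record for this user")
    code = secrets.token_urlsafe(12)
    _activation_hashes[username] = hashlib.sha256(code.encode()).digest()
    return code


def register(username: str, activation_code: str, claimed: dict, new_password: str) -> bool:
    """Registration: bind a permanent password to the electronic identity only
    if the applicant proves the one-time code AND attributes that match the
    system of record. Returns True on success."""
    if _attempts.get(username, 0) >= MAX_ATTEMPTS:
        return False                                   # locked out
    record = SYSTEM_OF_RECORD.get(username)
    expected = _activation_hashes.get(username)
    if record is None or expected is None:
        return False
    ok = hmac.compare_digest(expected, hashlib.sha256(activation_code.encode()).digest())
    # Check every attribute in constant time; do not stop at the first mismatch,
    # so the response does not reveal which field was wrong.
    for field in ("dob", "id_last4"):
        ok &= hmac.compare_digest(record[field].encode(), str(claimed.get(field, "")).encode())
    if not ok:
        _attempts[username] = _attempts.get(username, 0) + 1
        return False
    if len(new_password) < 12:                         # assumption: local password rule
        return False
    salt = os.urandom(16)
    _credentials[username] = (salt, _hash_secret(new_password, salt))
    del _activation_hashes[username]                   # the code is single-use
    return True


def verify_password(username: str, password: str) -> bool:
    """Later authentication against the credential bound at registration."""
    entry = _credentials.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(digest, _hash_secret(password, salt))
```

The point of the design is that the mapping from person to electronic identity is established by the office of record (the identification step) and the registration step only confirms it: the user cannot register against a record they cannot corroborate, and the activation code cannot be replayed once the permanent credential is set.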

CSG 2006/9--7 Current Methods - BPR Analysis

CSG 2006/9--8 Current Methods - BPR Analysis

CSG 2006/9--9 Some medical “special” cases
Doctors: repeated credentialing
–Require updated certification
–Significant credentialing infrastructure
–QC dependency on IT
–Credentialing tools (nurses can check doctors’ certifications)
Students
–Can recommend tests & drugs
–Short rotations (month-ish)
–50% visiting students
–Become Residents (hospital employees x 2)
–Then become Attending (university employees x 2)
“Vendors”
–Medical secretaries in private practice offices

CSG 2006/9--10 Drivers for Change
Security: identification and registration are foundational -- the rest of “the system” is only as strong as its foundation.
Challenge: an increasingly diverse community -- increasingly seeing new populations with varying identification characteristics.
Challenge: increasingly diverse applications to support, having different security requirements.
Challenge: both internal and external applications to support.

CSG 2006/9--11 Guiding Concepts
Risk management
–In relation to a given system, how serious is a compromise or a data spill relating to inappropriate/unauthorized access?
–The greater the risk, the greater the requirement for confidence that a person accessing the system is who they claim to be
Levels of assurance
–Increasingly common to characterize systems as requiring credentials which provide a high (or low) “level of assurance”
–Identification and registration processes may be geared to provide higher or lower levels of assurance
–The more rigorous the identification and registration processes in effect, the higher the level of assurance provided by issued credentials
–But, of course, not all credentials are equally good (e.g. username/password versus two-factor authentication token)
–So, roughly: reliability of a credential = Rigor of Process + Credential characteristics

CSG 2006/9--12 Levels of Assurance
Token types allowed at each assurance level (NIST SP example):

Token type                  Level 1  Level 2  Level 3  Level 4
Hard crypto token              X        X        X        X
One-time password device       X        X        X
Soft crypto token              X        X        X
Passwords & PINs               X        X

CSG 2006/9--13 Levels of Assurance
Required protections (NIST SP example):

Protect against             Level 1  Level 2  Level 3  Level 4
On-line guessing               X        X        X        X
Replay                         X        X        X        X
Eavesdropper                            X        X        X
Verifier impersonation                           X        X
Man-in-the-middle                                X        X
Session hijacking                                         X
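The rule on slide 11 (reliability of a credential = rigor of process + credential characteristics) combined with the two tables on slides 12 and 13, as an added Python example that is not part of the deck. It encodes the tables as given, treats the achieved level as the weaker of the proofing rigor and the token type (an assumption about how the two combine, consistent with the slides but not stated there as a formula), and reports which required protections a credential falls short of for a given application. The function names and the `Level` type are illustrative.

```python
from enum import IntEnum


class Level(IntEnum):
    L1 = 1
    L2 = 2
    L3 = 3
    L4 = 4


# Highest assurance level each token type may be used at (slide 12 table).
TOKEN_MAX_LEVEL = {
    "hard crypto token": Level.L4,
    "one-time password device": Level.L3,
    "soft crypto token": Level.L3,
    "password or PIN": Level.L2,
}

# Lowest level at which each threat must be resisted (slide 13 table).
THREAT_MIN_LEVEL = {
    "on-line guessing": Level.L1,
    "replay": Level.L1,
    "eavesdropper": Level.L2,
    "verifier impersonation": Level.L3,
    "man-in-the-middle": Level.L3,
    "session hijacking": Level.L4,
}


def credential_level(token_type: str, proofing_level: Level) -> Level:
    """Assumption: a credential is no stronger than the weaker of the
    identification/registration rigor and the token's own characteristics."""
    return Level(min(TOKEN_MAX_LEVEL[token_type], proofing_level))


def required_protections(level: Level) -> set:
    """Every threat the verifier must resist at or below this level (cumulative)."""
    return {threat for threat, floor in THREAT_MIN_LEVEL.items() if floor <= level}


def evaluate(token_type: str, proofing_level: Level, required_level: Level):
    """Return (acceptable, achieved level, protections covered, protections missing)
    for a credential presented to an application that demands required_level."""
    achieved = credential_level(token_type, proofing_level)
    covered = required_protections(achieved)
    needed = required_protections(required_level)
    return achieved >= required_level, achieved, covered, needed - covered


if __name__ == "__main__":
    # Strong in-person proofing does not rescue a password-only credential.
    print(evaluate("password or PIN", Level.L4, Level.L3))
    # A hard token issued after weak proofing is capped by the proofing.
    print(evaluate("hard crypto token", Level.L1, Level.L3))
```

The second case in the usage block is the one the slides warn about: buying stronger tokens without tightening identification and registration does not raise the assurance level, because the foundation is the weakest link.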

CSG 2006/9--14 Ties to other IdM issues
–Certificate Authorities (levels of assurance in Federal PKI Certificate Policies)
–Document authenticity (diplomatics)

CSG 2006/9--15 Where to go for ideas, guidance?
In evaluating your identification and registration processes, take a look at
–InCommon Federation Participant Operational Practices document -- filled out by participating institutions to describe institutional policies and practices
–FIPS 201 standard -- federal standard for “Personal Identity Verification (PIV) of Federal Employees and Contractors”

CSG 2006/9--16 InCommon POP
Your community -- how do you define the set of people who are eligible to receive credentials?
Your credentials -- what is the administrative process used to establish electronic identities? What is (are) the office(s) of record for this purpose? What technologies are used for your identity credentials? Are they ever transmitted in plain text across your network?
Your identifiers -- everlasting or re-used?
Maintaining and updating information -- how is information in your identity database acquired and updated? How can it be updated? Any self-service?
(Surprisingly, it doesn’t seem to ask about registration processes, credential distribution methods, credential de-provisioning…)

CSG 2006/9--17 FIPS 201 standard
Describes the very elaborate processes and procedures deemed appropriate post-9/11 to control access to federal facilities and electronic resources… the bar is set high! (And so presents many excellent points of comparison with existing or desired practices at one’s home institution.)
Goal: issue credentials -- secure and reliable forms of identification -- that are
–based on sound criteria for verifying the employee’s identity
–strongly resistant to identity fraud, tampering, counterfeiting
–rapidly validated electronically
–issued by accredited providers
–graduated in their criteria (from least secure to most) to ensure flexibility in selecting the appropriate level of security for each application
Rigorous processes, e.g. --

CSG 2006/9--18
The process shall begin with initiation of a National Agency Check with Written Inquiries…
The applicant must appear in-person at least once before the issuance of a PIV credential.
During identity proofing, the applicant shall be required to provide two forms of identity source documents in original form…
The PIV identity proofing, registration and issuance process shall adhere to the principle of separation of duties to ensure that no single individual has the capability to issue a PIV credential without the cooperation of another authorized person.
The PIV Sponsor shall complete a PIV Request for a particular Applicant, and submit the PIV Request to the PIV Registrar and the PIV Issuer. The PIV Request shall include the following:
–Name, organization, and contact information of the PIV Sponsor
–Name, date of birth, position, and contact information of the Applicant
–Name and contact information of the designated PIV Registrar
–Name and contact information of the designated PIV Issuer
–Signature of the PIV Sponsor
Etc etc etc etc etc
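The separation-of-duties and PIV Request requirements quoted above, as an added Python example that is not from the slides or from FIPS 201 itself. It checks that a request carries the listed fields, that the Sponsor, Registrar and Issuer are three different people, and that issuance is refused unless the registrar-recorded proofing facts (in-person appearance, two original source documents, the background check initiated) are present and the person acting is the designated Issuer. The data model, field names and the sample people are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Person:
    name: str
    contact: str
    organization: str = ""


@dataclass
class PIVRequest:
    # Fields the Sponsor must supply (from the slide's PIV Request list).
    sponsor: Person
    applicant: Person
    applicant_dob: str
    applicant_position: str
    registrar: Person
    issuer: Person
    sponsor_signed: bool = False
    # Facts the Registrar records during identity proofing (assumed model).
    appeared_in_person: bool = False
    source_documents: list = field(default_factory=list)   # originals seen
    nac_initiated: bool = False                             # NAC with Written Inquiries started


PROCESSING_ROLES = ("sponsor", "registrar", "issuer")


def validate_request(req: PIVRequest) -> list:
    """Return the list of problems with a PIV Request; empty means complete
    and the separation-of-duties principle holds."""
    problems = []
    for role in PROCESSING_ROLES:
        person = getattr(req, role)
        if not person.name or not person.contact:
            problems.append(f"{role}: name and contact information required")
    if not req.sponsor.organization:
        problems.append("sponsor: organization required")
    if not (req.applicant.name and req.applicant.contact):
        problems.append("applicant: name and contact information required")
    if not (req.applicant_dob and req.applicant_position):
        problems.append("applicant: date of birth and position required")
    if not req.sponsor_signed:
        problems.append("PIV Request must be signed by the Sponsor")
    # Separation of duties: no one person may hold two of the three roles,
    # and the Applicant may not process their own request.
    seen = {}
    for role in PROCESSING_ROLES:
        person = getattr(req, role)
        if person in seen:
            problems.append(f"separation of duties: {seen[person]} and {role} are the same person")
        else:
            seen[person] = role
    if req.applicant in seen:
        problems.append("separation of duties: applicant holds a processing role")
    return problems


def may_issue(req: PIVRequest, acting_officer: Person) -> bool:
    """Issuance is allowed only for a valid request, by the designated Issuer,
    after the Registrar's proofing steps are on record."""
    if validate_request(req):
        return False
    if acting_officer != req.issuer:
        return False
    if not (req.nac_initiated and req.appeared_in_person):
        return False
    return len(req.source_documents) >= 2
```

Because the Registrar's observations and the Issuer's release are separate records held by separate people, a single insider cannot produce a credential alone; that is the property the quoted text asks for.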

CSG 2006/9--19 Further Reading
–The Enterprise Authentication Implementation Roadmap (NMI-EDIT)
–EDUCAUSE/I2 Risk Assessment Framework
–eAuthentication, password credential assessment (cio.gov)
–Electronic Authentication Guideline (NIST SP)

CSG 2006/9--20 Conclusion
Not simple. Cannot be done in isolation. Many contexts to consider simultaneously. One size does Not fit all.