OIX initiative, US only? Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX) Trust Framework Provider Assessment.

OIX initiative, US only? Mapping Swedish Academic Identity Federation 2.0 Policy Framework to Open Identity Exchange (OIX) Trust Framework Provider Assessment Package
Pål Axelsson, Uppsala universitet / SWAMID
Valter Nordh, Göteborgs universitet / SWAMID

Agenda (outline)
- Brief introduction to SWAMID and Sweden
- Legal structure of the Swedish educational system
- SWAMID Policy to OIX mapping, with highlights
- Conclusion

Swedish Academic Identity Federation (SWAMID)
SWAMID is operated by the Swedish NREN, SUNET.
SWAMID 2.0 Policy Framework:
- The SWAMID Policy describes governance, membership and scope.
- The Identity Assurance Profiles describe the levels of trust placed in claims and in organisations.
- The Federation Technology Profiles describe concrete realisations of the Policy and the Assurance Profiles in terms of specific technologies (e.g. SAML, eduroam).
Identity providers must be members and must represent the interests of Swedish higher education institutions (HEIs). Service providers do not need to be members.

Statistics about Sweden
National data: 449,964 sq km (slightly larger than California); 9.4M people in Sweden; 21 persons per sq km.
Higher education: 369,000 individual students per year; 321,000 full-time-equivalent students per year; 50 HEIs (universities and university colleges) with the right to award higher education qualifications; 35 members in SWAMID.

Legal structure of the Swedish educational system
Most higher education in Sweden is provided by governmental educational agencies, which means that most HEIs are considered part of the Swedish government. An agency of the Swedish government is by Swedish law accountable only in a Swedish court or an EU court with regard to its exercise of governmental authority. Privately owned HEIs are mostly governed by the same laws and ordinances. All Swedish higher education qualifications, and the HEIs that award them, are directly accredited in the government ordinance Higher Education Ordinance, enclosure System of Qualifications.

SWAMID Policy to OIX mapping
Initial goal: SWAMID Federation Operator as OIX Special Assessor at LoA1.
In the next set of slides we present the mapping from the SWAMID 2.0 Policy Framework to the OIX Trust Framework Provider Assessment Package. The areas that need further investigation are highlighted on their own slides.

SWAMID findings

Table 2 a4: Verify IdP has the financial capacity to manage the risks associated with serving as an identity provider on behalf of the Federal government.
OIX Applicant's Response: Registered Assessor must review the IdP's financial statements and verify that the IdP has adequate insurance policies and limits, including Errors and Omissions coverage of at least $2,000,000, Directors and Officers coverage, and any other applicable policies.
SWAMID's finding: Most SWAMID members are Swedish government agencies and as such are not allowed to buy regular insurance. Instead, the Legal, Financial and Administrative Services Agency (Kammarkollegiet) provides insurance to government agencies. This coverage is optional. All but a very small number of universities and university colleges are covered, and the minimum coverage is 10 MSEK, which at today's exchange rate is approximately 1.5 MUSD. A typical large university that is a foundation rather than a government agency (Chalmers) is privately insured for five times this amount. Even so, this requirement may be problematic and will in all likelihood prevent us from joining all SWAMID IdPs to an OIX upstream.

Table 2 a5: Verify IdP has understanding of, and compliance with, any legal requirements incumbent on the IdP in connection with serving as an identity provider on behalf of the Federal government.
OIX Applicant's Response: The IdP is required to submit a written statement confirming the OIX Membership requirement of compliance with applicable law, including compliance with the legal requirements in Table 1, row e, and with any other legal requirements that may be in effect in the jurisdiction in which the IdP operates. Registered Assessor must interview the IdP regarding its understanding of these requirements and the policies and procedures it uses to comply with them.
SWAMID's finding: This requirement may pose a problem if we want to join all IdPs to an OIX upstream. Many IdPs will not see the value in learning enough US law to be able to comply with it. Note also that an agency of the Swedish government is by Swedish law accountable only in a Swedish court or an EU court with regard to its exercise of governmental authority.

Table 3 a: Opt In. The Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government application. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. The Identity Provider should allow End Users to opt out of individual attributes for each transaction.
OIX Applicant's Response: The IdP must provide the Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding: This requires each IdP to deploy a consent module with the accept-and-remember function turned off. That will be an issue for a large set of IdPs because of its user-unfriendliness. There is today no consent module for Shibboleth with a per-Service-Provider setting for turning off accept-and-remember.

Table 3 c: Activity Tracking. The Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication. RP Application use of PII must be consistent with the RP PIA as required by the E-Government Act.
OIX Applicant's Response: The IdP must provide the Registered Assessor with documentation of how it conforms to this requirement. NOTE: the last sentence of this requirement is not applicable to IdPs. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding: What about lawful intercepts required by national legislation, some of it based on EU directives? What about statistics gathering and reporting?

Table 3 d: Adequate Notice. The Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
OIX Applicant's Response: The IdP must provide the Registered Assessor with documentation of how it conforms to this requirement and give specific examples. Registered Assessor must verify that the documented IdP practices conform to this requirement.
SWAMID's finding: This could be fulfilled by requiring a consent module to be activated for the OIX RP. It is possibly not consent as such, but the IdP certainly needs to notify the user when the authentication happens. Would the default Shibboleth login page fulfil these requirements?

Table 7A 6: Some effort should be made to uniquely identify and track applications.
OIX Applicant's Response: ("Applications" means "requests for a token".) The IdP must show that it has reasonable means to ensure that the same party acts throughout the registration and the token and credential issuance processes, as may be specified in NIST or equivalent.
SWAMID's finding: This should be covered by the identity management practice statement. We need to understand this requirement better: is it about using nonces to track a subject through the various stages of the application and registration process?

Conclusions
Moving away from technical issues toward primarily legal, but also economic, aspects.
Main problem areas:
- US legal requirements vs. Swedish national legislation
- Strict opt-in requirements
- Legal requirements
- User friendliness vs. data protection
- Insurance requirements

Further reading
- SWEDEN.SE: Sweden in brief
- About Sweden, from Wikipedia.org
- SWAMID 2.0 Policy (the page is in Swedish, but the policy framework documents are in English)
- National qualifications framework in Sweden
- OIX Trust Framework Provider Assessment Package