Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Assurance Profiles & Trust Federations David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon David Bantz, U Alaska Tom Barton,

Published byHugh Tatham Modified over 10 years ago

Similar presentations

Presentation on theme: "Identity Assurance Profiles & Trust Federations David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon David Bantz, U Alaska Tom Barton,"— Presentation transcript:

1 Identity Assurance Profiles & Trust Federations David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon 2012-04-18

2 Level of Assurance (LoA) ‣ LoA ~ confidence that a login event identifies a specific known person impersonation of a legitimate user fictitious identity ‣ What’s at stake if the user is not who they assert? access to sensitive information alter data use elevated privileges to inflict damage

3 LoA to fit risks; defined by OMB & NIST ‣ Modest risk ~ bookmarks, bulk license to campus LoA 1 or InC Bronze ‣ Moderate ~ transcript, PII, HPC access LoA 2 or InC Silver ‣ Substantial ~ $$, classified research LoA 3 (or InC Gold?) ‣ Health & Safety / National Security LoA 4 (or InC Platinum?)

4 Technologies for LoA specified in Assurance Profiles ‣ LoA 1 or InC Bronze: Passwords or PINs weak or no vetting; social identities may be OK ‣ LoA 2 or InC Silver: Strong Passwords ID vetting (photo ids) encryption ‣ LoA 3 & 4: + multi-factor authN

5 LoA value to trust federations ‣ Usual (as for HE members of InCommon) integrity of systems (thwart unapproved changes or leaks) due diligence / best practices ‣ possible K12 extensions age- / grade-appropriate access combining records from different schools parental or other permissions

6 Why InC Bronze / Silver ? ‣ Faster startup based on existing developed profiles, provider's consumption of LoA ‣ Leverage years of work by NIST, HE, InCommon ‣ Extend LoA from K12 to resources via InCommon members (Universities)

7 Issues / concerns re meeting IAP requirements ‣ Control or constraint of entrenched processes; member may use less robust authN for legacy apps ‣ Multiple stores for credentials with multiple controls by (some) federation members => reduction of entropy combined with unwillingness to increase complexity ‣ Onboarding & vetting procedures may be lax per IAP ‣ Meeting LoA profile might entail a second more secure credential store or use of 2-factor authN lack of clear applicability of 2-factor authN to meet LoA Silver profile

8 Attribute LoA? ‣ Some hopes for “assurance” require confidence in attribute values - age, role,- rather than of authentication itself. ‣ IAPs - even InC Silver - may not provide desired confidence in role or attribute assertions for access.

9 InCommon Assurance Program ‣ 2004: USG defines 4 Levels of Assurance (NIST 800-63) ‣ 2009: USG Identity, Credential and Access Management (ICAM) Establishes criteria for trust framework providers to enable interaction with federal agencies InCommon Approved Trust Framework Provider

10 Assurance Program Components ‣ Profiles/Framework ‣ Federation Operation Policies and Practices ‣ Legal Framework ‣ Certification Program ‣ InCommon Metadata ‣ Practice and Implementation Outreach ‣ Program Oversight: Assurance Advisory Committee

11 Program Basics: Documents ‣ Identity Assurance Assessment Framework ‣ Identity Assurance Profiles Bronze (Level 1) Silver (Level 2) ‣ Legal Addendum Privacy criteria from ICAM ‣ assurance.incommon.org

12 InCommon Identity Assurance Profiles Components ‣ Business, Policy and Operational Criteria ‣ Registration and Identity Proofing ‣ Credential Technology ‣ Credential Issuance and Management ‣ Authentication Process ‣ Identity Information Management ‣ Assertion Content ‣ Technical Environment

13 Identity Provider Process ‣ Support profile(s) ‣ Audit ‣ Apply ‣ Audit Summary/Qualifications ‣ Assurance Addendum ‣ Pay Fee ‣ Configure SAML software

14 Service Provider Proccess ‣ Determine which qualifier to request ‣ OMB 04-04 E-Authentication Guidance for Federal Agencies ‣ Configure SAML Software to check metadata and request qualifier ‣ Notify InCommon of your intent to request ‣ No fee!

15 Fees for Identity Provider Operators ‣ Graduated to reflect Increasing value Early adopter contributions

16 The New Bronze ‣ Oct 2011: Federal CIO Memo ‣ 30+ Federal Apps at LoA1 in InCommon now ‣ ICAM encouraging broad Bronze deployment ‣ New Bronze available for review Reduces requirements to simplify deployment Removes profile audit requirement Review site: spaces.internet2.edu/x/KYXNAQ

17 Resources ‣ Your Peers on assurance@incommon.orgassurance@incommon.org New resources are announced here too. ‣ Community Resources AD Silver Cookbook Multi-factor Authentication Guidance ‣ Webinars IAM Online Monthly Calls (beginning March 7 — Noon ET) ‣ Meetings: InCommon Confab, April 26-27, in DC ‣ Auditor Toolkits (coming soon)

18 CIC InCommon Silver Project ‣ University of Chicago ‣ University of Illinois ‣ Indiana University ‣ University of Iowa ‣ University of Michigan ‣ Michigan State University ‣ University of Minnesota ‣ Northwestern University ‣ Ohio State University ‣ The Pennsylvania State University ‣ Purdue University ‣ University of Wisconsin- Madison ‣ University of Nebraska ---- Plus some friends! ---- ‣ Virginia Tech ‣ University of Washington Committee on Institutional Cooperation: 12 Big Ten Schools + U Chicago

19 CIC InCommon Silver Project ‣ CIC CIOs set a goal in 2009 of all members achieving InCommon Silver in Fall 2011 IdM people + Internal Auditors (who rock!) ‣ Steps Gap analysis: existing campus practice vs IAP/IAAF v1.0 Focused feedback to InCommon Focused work on  Documentation of “management assertions”  Active Directory  Multi-Factor InCommon refines IAP/IAAF, producing v1.1 CIC Silver project is transitioning to Phase 2

20 Which people need Silver? Time frame sooner later User group size smaller larger NIH TeraGrid Open Science Grid CILogon NSCNat’l Labs CIC shared storage CIC CourseShare Payroll caBIG Benefits Student Loans Financial aid TIAA-CREF research.gov

21 UChicago Silver Objectives ‣ Support research & scientific collaborations ‣ Ability to deliver SaaS solutions with higher LoA ‣ All faculty, staff, and students needing Silver should be able to get it, easily ‣ But most won’t need it right away, so don’t make them do anything special until they do

22 Initial Implementation Approaches UChicagoCIC Range Credentialexisting username & password username/password plus 2 nd factor? OTP PKI token ID ProofingID Card Office existing relationship for employees special RA process Credential Issuance existing + confirmation at ID Card Office being explored Silver-eligible population ID Card holdersselected individuals faculty/staff faculty/staff/students ID Card holders

23 ‣ Who “requires” Silver: IT or functional leadership? ‣ Enhance Identity Management System (IdMS) to track which accounts currently meet Silver requirements Suitable proofing & credential issuance Password recent enough No security hold ‣ Password storage & Active Directory Active Directory cookbook ‣ Password exposure to online guessing Fit of NIST entropy calculation model Applications that handle Silver passwords Issues & Subtleties

24 InCommon Silver adoption pipeline ‣ CIC Silver Project: 12 CIC schools + Virginia Tech & U Washington ‣ U Florida ‣ U Wisconsin - Milwaukee ‣ Many expect to be Silver certified in 2012 ‣ Others? You?

Download ppt "Identity Assurance Profiles & Trust Federations David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon David Bantz, U Alaska Tom Barton,"

Similar presentations

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.

1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.
Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,

Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,
Going for the Silver Winter 2010 CSG January 13, 2010.

Going for the Silver Winter 2010 CSG January 13, 2010.
NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.

NSF Middleware Initiative: Managing Identity on Campus Michael R Gettes, Duke University Tom Barton, University of Chicago.
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker

Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker.

InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker.
Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.

Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.
Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.
EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.

EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.
Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.

Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.

Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation.

1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.

Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.

Similar presentations

Ads by Google