Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

Published byFelicia Price Modified over 9 years ago

Similar presentations

Presentation on theme: "Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification."— Presentation transcript:

1 Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification

2 Enterprise Architecture 2014 Background Lots of ongoing discussion around LoA – InCommon Bronze/Silver compliance – UCTrust audits – Among UCTrust, ITLC, ITPS, ITAG, etc. Lack of clarity around “standards” for federation – AYSO – UCPath 2

3 Enterprise Architecture 2014 Silver/Bronze “Omnibus” Requirements 4.2.1 Business, Policy and Operational Criteria 4.2.4 Credential Issuance and Management.1 InCommon Participant.1 Credential Issuance.2 Notification to InCommon.2 Credential Revocation or Expiration.3 Continuing Compliance.3 Credential Renewal or Re-issuance.4 IdPO Risk Management.4 Credential Issuance Records Retention 4.2.2 Registration and Identity Proofing.5 Resist Token Issuance Tampering Threat.1 RA authentication 4.2.5 Authentication Process.2 Identity Verification Process.1 Resist Replay Attack.3 Registration Records.2 Resist Eavesdropper Attack.4 Identity Proofing.3 Secure Communication.4.1 Existing Relationship.4 Proof of Possession.4.2 In-person Proofing.5 Resist Session Hijacking Threat.4.3 Remote Proofing.6 Mitigate Risk of Credential Compromise.5 Address of Record Confirmation 4.2.6 Identity Information Management.6 Protection of Personally Identifiable Information.1 Identity Record Qualification 4.2.3 Credential Technology 4.2.7 Assertion Content.1 Credential Unique Identifier.1 Identity Attributes.2 Basic Resistance to Guessing Authentication Secret.2 Identity Assertion Qualifier.3 Strong Resistance to Guessing Authentication Secret.3 Cryptographic Security.4 Stored Authentication Secrets 4.2.8 Technical Environment.5 Basic Protection of Authentication Secrets.1 Software Maintenance.6 Strong Protection of Authentication Secrets.2 Network Security.3 Physical Security.4 Reliable Operations 3

4 Enterprise Architecture 2014 Issues Achieving LoA Certification Large number of requirements Possibly unclear to governance what “LoA” really is Difficulty committing to meet all requirements – Scope – Budget – Interpretation of Requirements Overall LoA value to UC not well defined 4

5 Enterprise Architecture 2014 Mapping InCommon to EA Standards 4.2.1 Business, Policy and Operational Criteria 4.2.4 Credential Issuance and Management.1 InCommon Participant.1 Credential Issuance.2 Notification to InCommon.2 Credential Revocation or Expiration.3 Continuing Compliance.3 Credential Renewal or Re-issuance.4 IdPO Risk Management.4 Credential Issuance Records Retention 4.2.2 Registration and Identity Proofing.5 Resist Token Issuance Tampering Threat.1 RA authentication 4.2.5 Authentication Process.2 Identity Verification Process.1 Resist Replay Attack.3 Registration Records.2 Resist Eavesdropper Attack.4 Identity Proofing.3 Secure Communication.4.1 Existing Relationship.4 Proof of Possession.4.2 In-person Proofing.5 Resist Session Hijacking Threat.4.3 Remote Proofing.6 Mitigate Risk of Credential Compromise.5 Address of Record Confirmation 4.2.6 Identity Information Management.6 Protection of Personally Identifiable Information.1 Identity Record Qualification 4.2.3 Credential Technology 4.2.7 Assertion Content.1 Credential Unique Identifier.1 Identity Attributes.2 Basic Resistance to Guessing Authentication Secret.2 Identity Assertion Qualifier.3 Strong Resistance to Guessing Authentication Secret.3 Cryptographic Security.4 Stored Authentication Secrets 4.2.8 Technical Environment.5 Basic Protection of Authentication Secrets.1 Software Maintenance.6 Strong Protection of Authentication Secrets.2 Network Security.3 Physical Security.4 Reliable Operations Standard 5

6 Enterprise Architecture 2014 Example Standard Password complexity and resistance to guessing – Two complexity levels Technical Requirements – Low: Min 25 bits entropy[1], max brute force chance 1:2 10 [2] – High: Min 30 bits entropy[1], max brute force chance 1:2 14 [2] » [1] “Password entropy” as measured per NIST 800-63, Appendix A » [2] Maximum chance to guess (randomly) over lifetime of password Implementation pattern #1: – 6/8 character, mixed type (up/low/num/sym), no dictionary words – 5 guesses allowed every 30 minutes (via lockout/rate limit controls) – Passwords forced to be changed annually Patterns with equivalent entropy and guessing resistance allowed – Exception/Alternate Requirement for PIN-based systems InCommon compliance vs UC utility – Standard text pulled (almost) directly from Bronze/Silver – Phrased to allow application outside InCommon settings 6

7 Enterprise Architecture 2014 Utility outside of UCPath Provides specific assurance to applications – AYSO (redux) – UCPath (redux) Guidance even outside of federated cases – Securing local DDODS databases – Evaluating password reset practices 7

8 Enterprise Architecture 2014 Using EAAF for InCommon Certification 8

9 Enterprise Architecture 2014 BACKUP SLIDES 9

10 Enterprise Architecture 2014 Current and Recent LoA Efforts UCTrust leadership met with Greg Loge (UC IT Auditor) – What is audited? (Bronze, Silver, UCTrust Basic, etc) – Who should audit? (UCOP, campus team, outside vendor) – Program for auditing UCTrust discussions of audit approaches and reqts – Ongoing discussions and estimates – UCSB audit against UCTrust Basic – UCSC and UCB looking to audit against InCommon Silver Discussions at UCTrust, UCPath, ISAAC, ITPS, ITLC ITLC proposed wkgrp to identify ILTI LoA reqts. This EAAF proposed process 10

Download ppt "Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification."

Similar presentations

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Multi-factor Authentication Methods Taxonomy Abbie Barbir.

Multi-factor Authentication Methods Taxonomy Abbie Barbir.
1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.

1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.
Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,

Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,
Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.

Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.
Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.

Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.
Enterprise Architecture 2013 ITLC & ITAG Leadership Meeting Discussion Points April 9, 2013.

Enterprise Architecture 2013 ITLC & ITAG Leadership Meeting Discussion Points April 9, 2013.
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker

Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker.

InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker.
Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.

Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.

EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,

The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.

Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Security Controls – What Works

Security Controls – What Works
Levels of Assurance OGF Activity Michael Helm ESnet/LBNL 27 Feb 2007.

Levels of Assurance OGF Activity Michael Helm ESnet/LBNL 27 Feb 2007.
Information Security Policies and Standards

Information Security Policies and Standards

Similar presentations

Ads by Google