1. EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley

2. Introductions  Who we are  Who you are  Topics for Today  What’s the Problem?  Stories from the Field  Profiles Overview and Gap Analysis  Profiles to Practice: Business and Technical Implementation Considerations and Sample Timeline  Resources to Help You

3. What’s the Problem and Why Should You be Worrying?

4. Deloitte Predictions 2013 Passwords==bad  Strong? 5 hours to crack  Phishing  Bad habits  Same pwd - multiple sites  Online sources of cracked passwords  Cell encouraging numbers-only  Bad practices  Yahoo recycling email addresses  Sample Articles Sample Articles

5. Is This a Case for Multifactor?  What questions should we be asking?  How can I address phishing?  How can I protect against inappropriate reassignment?  How can I ensure the right physical person is using that password?  InCommon’s Identity Assurance Framework and Profiles provides a step-wise and standards-based way to address these questions

6. Components of Assurance 6 RiskAssurance component that mitigates Fraudulently obtained Identity proofing + credential management Vetting process, Subject attributes, record keeping Inappropriate reassignment Credential management Token issuance & revocation, binding of Token to Subject, secure infrastructure, record keeping Stolen or shared Token technologies Additional factors (biometric, geolocation,...) Multi-factor (PIN + token) Second factor (OTP, “phone factor”, 2 nd password) Password/passphrase Effort to mitigate

7. Providing Credentials for your Credentials  2004: USG defines 4 Levels of Assurance (NIST 800-63)  2009: USG Identity, Credential and Access Management (ICAM)  Certifies trust frameworks to interact with the USG agencies  Determines comparability with 800-63  2011: InCommon ICAM Trust Provider  Higher Ed developed, USG approved  Bronze comparable to NIST LoA 1  Silver comparable to NIST LoA 2

8. What Guidance are You Using?

9. Stories from the Field

10. Stronger Authentication at UCB –Adopt Me Please? ●IAM Systems review – Burton report ●Pre-InCommon Assurance and campus data classification ●Still a perceived need to “tighten” assurance ●Finding a cost-effective solution

11. CAS Second-Level Authentication ●Much easier and less expensive to deploy than two-factor ●Developed as contribution to existing CAS open source initiative ●User to supply a second “secret” for sensitive apps ●CAS Second Level OverviewCAS Second Level Overview ●One line code change for apps already integrated with CAS

12. Adoption, or not… ●Adoption Round 1 – It’s the right thing to do ●Adoption Round 2 – You have to do it ●The bet

13. Conceding Defeat

14. UC Trust Compliance and InCommon Silver ●UC Trust Federation - Basic Assurance ●Decision to convert to InC Silver ●System-wide gap analysisSystem-wide gap analysis ●System-wide HR replacement ●Still no decision - likely deferred ●How to prioritize and align resources?

15. Your Stories from the Field?

16. The InCommon Assurance Profiles

17. 03/08/2012 17 It’s All About Identity Assurance Assurance  a positive declaration intended to give confidence; a promise Identity Assurance  the ability for a party to determine, with some level of certainty, that an electronic credential representing a person can be trusted to actually belong to the person.

18. Risk Management Perspective Understanding the risk  Compliance  Financial  Reputational Choosing to invest in mitigation  Idaho and HIPPA Fine Idaho and HIPPA Fine

19. InCommon – Higher Ed OMB/NIST – Federal Agencies Relevant Assurance Docs  Identity Assurance Assessment Framework Identity Assurance Assessment Framework  Identity Assurance Profiles Identity Assurance Profiles  Bronze (Level 1)  Silver (Level 2)  Certification: Legal Addendum Legal Addendum  Privacy criteria from ICAM  OMB M04 04 E- Authentication Guidance for Federal AgenciesE- Authentication Guidance for Federal Agencies  Maps risk to four levels of assurance  NIST 800-63 E- Authentication Guidelines  Describes how to implement the four levels

20. InCommon Bronze: Common Sense  Assign Responsibility for IdM  Establish Policy for IdM  Harden Password Management  Harden Credential Technology Infrastructure  Optional Compliance: Perform Self Assessment

21. InCommon Silver: Critical Business  Strengthen Identity Proofing and Registration  Enforce Strong Passwords (or Deploy MFA)  Further Harden Password Management  Harden Technical Infrastructure  Optional Compliance: Obtain Independent Audit

22. A Note on Compliance  Using Profiles is free, downloading is free  Compliance will be required when federating with  US Government  Other InCommon Service Providers requesting an InCommon Profile  Pros  Published on Federal and InCommon website  Shows good practice to your service providers  Bronze is free; Silver is good biz practice  Con  Due diligence – more work  Silver requires audit and fee to be certified

23.  Business, Policy and Operational Criteria  Registration and Identity Proofing  Credential Technology  Credential Issuance and Management  Authentication Process  Identity Information Management  Assertion Content  Technical Environment 03/08/2012 InCommon Identity Assurance Profiles 23

24. Functional AreaCriteriaBronzeSilver 4.2.1 Business, Policy and Operational Criteria.1 InCommon Participant.2 Notification to InCommon.3 Continuing Compliance.4 IdPO Risk Management Profile Specifics

25. Functional AreaCriteriaBronzeSilver 4.2.2 Registration and Identity Proofing.1 RA Authentication.2 Identity Verification Process.3 Registration Records.4 Identity Proofing.4.1 Existing Relationship.4.2 In-person Proofing.4.3 Remote Proofing.5 Address of Record Confirmation.6 Protection of Personally Identifiable Information

26. Functional AreaCriteriaBronzeSilver 4.2.3 Credential Technology.1 Credential Unique Identifier.2 Basic Resistance to Guessing Authentication Secret.3 Strong resistance to Guessing Authentication Secret.4 Stored Authentication Secrets.5 Basic Protection of Authentication Secrets.6 Strong Protection of Authentication Secrets

27. Functional AreaCriteriaBronzeSilver 4.2.4 Credential Issuance and Management.1 Credential Issuance.2 Credential Revocation or Expiration.3 Credential Renewal or Re-issuance.4 Credential Issuance Records Retention.5 Resist Token Issuance Tampering Threat

28. Functional AreaCriteriaBronzeSilver 4.2.5 Authentication Process.1 Resist Replay Attack.2 Resist Eavesdropper Attack.3 Secure Communication.4 Proof of Possession.5 Resist Session Hijacking Threat.6 Mitigate Risk of Credential Compromise

29. Functional AreaCriteriaBronzeSilver 4.2.6 Identity Information Management.1 Identity Record Qualification 4.2.7 Assertion Content.1 Identity Attributes.2 Identity Assertion Qualifier.3 Cryptographic Security 4.2.8 Technical Environment.1 Software Maintenance.2 Network Security.3 Physical Security.4 Reliable Operations

30. Find the Gaps ●Review the IAP table ●Where are you likely to find gaps? ●Business process, documentation ●Credential management ●Who needs to help fill them? ●Systems of Record representatives, Service Desk ●Central IT – security, credential managers systems teams ●When should you engage them? ●Estimating resources and timelines – sample gap analysis chart

31. BREAK

32. Profile to Practice

33. Profile to Practice: Business

34. Framework: Functional Model 34

35. Business Process Considerations ●On-boarding and the IdPO  ID proofing and bootstrapping the digital credential  HR, delegated admins or both  The “CalNet Deputy” model and CalNet Deputy Training“CalNet Deputy” CalNet Deputy Training ●Remote proofing ●Re-issuance ●Security questions? ●User education and awareness

36. Profile to Practice: Technology

37. Password/passphrase Entropy ●Password complexity ●Dictionary checks ●Expiration ●Lockouts ●Failed login counter ●Entropy CalculatorsEntropy Calculators

38. Credential Management ●Where is the verifier used? ●Certify other systems? ●Downgrade credentials? ●UCB proxied authentication guidelinesUCB proxied authentication guidelines

39. Stronger Credential Options ●Second credential ●Multi-factorMulti-factor ●Related application level concerns ●For entire app? ●For some roles?

40. Technical Environment ●Campus minimum standards if you have them https://security.berkeley.edu/taxonomy/term/71 ●Industry standards - CIS BenchmarksCIS Benchmarks

41. Profile to Practice: Making the Pitch

42. Considering Your Audience ●Elevator pitches for: ○ Audit (if not for certification) ○ IT Executives ○ IT Security ○ Functional Owners (HR, Controller, Student System)

43. Profile to Practice: 18 months to Better Practices

44. Q1Q2Q3Q4Q1Q2 Bronze gap Bronze documentation Bronze certification Silver gap Silver funding Silver mitigations Silver documentation Silver audit/certification

45. Resources

46. Standing on the Shoulders of Others  InCommon Assurance Program Website InCommon Assurance Program Website  InCommon Assurance Implementers wiki InCommon Assurance Implementers wiki  AD Cookbook for Silver  Failed Login Counter: Possible shared investment  Multi-factor Guidance  Va Tech Case Study  Password Entropy Calculators

47. Join the Club!  Make a community contribution to the Assurance Wiki  Participate on the mailing list  Join the monthly calls  Contribute to the reading of the Bronze spec starting this fall

48. Your Presenters Dedra Chamberlin Deputy Director, Identity and Access Management University of California – Berkeley dedra@berkeley.edu 510.642.8706 Ann West Assistant Director for InCommon Assurance and Community Internet2 awest@internet2.edu 906.487.1726