Identity Assurance Profiles & Trust Federations
David Bantz, U Alaska
Tom Barton, U Chicago
Ann West, Internet2 & InCommon
2012-04-18
Level of Assurance (LoA)
‣LoA ~ confidence that a login event identifies a specific known person
• impersonation of a legitimate user
• fictitious identity
‣What’s at stake if the user is not who they assert?
• access to sensitive information
• alter data
• use elevated privileges to inflict damage
LoA to fit risks; defined by OMB & NIST
‣Modest risk ~ bookmarks, bulk license to campus: LoA 1 or InC Bronze
‣Moderate ~ transcript, PII, HPC access: LoA 2 or InC Silver
‣Substantial ~ $$, classified research: LoA 3 (or InC Gold?)
‣Health & Safety / National Security: LoA 4 (or InC Platinum?)
Technologies for LoA specified in Assurance Profiles
‣LoA 1 or InC Bronze:
• Passwords or PINs
• weak or no vetting; social identities may be OK
‣LoA 2 or InC Silver:
• Strong Passwords
• ID vetting (photo ids)
• encryption
‣LoA 3 & 4:
• + multi-factor authN
LoA value to trust federations
‣Usual (as for HE members of InCommon)
• integrity of systems (thwart unapproved changes or leaks)
• due diligence / best practices
‣possible K12 extensions
• age- / grade-appropriate access
• combining records from different schools
• parental or other permissions
Why InC Bronze / Silver?
‣Faster startup based on existing developed profiles, provider's consumption of LoA
‣Leverage years of work by NIST, HE, InCommon
‣Extend LoA from K12 to resources via InCommon members (Universities)
Issues / concerns re meeting IAP requirements
‣Control or constraint of entrenched processes; member may use less robust authN for legacy apps
‣Multiple stores for credentials with multiple controls by (some) federation members
• => reduction of entropy combined with unwillingness to increase complexity
‣Onboarding & vetting procedures may be lax per IAP
‣Meeting LoA profile might entail a second more secure credential store or use of 2-factor authN
• lack of clear applicability of 2-factor authN to meet LoA Silver profile
Attribute LoA?
‣Some hopes for “assurance” require confidence in attribute values (age, role) rather than in the authentication itself.
‣ IAPs - even InC Silver - may not provide desired confidence in role or attribute assertions for access.
InCommon Assurance Program
‣2004: USG defines 4 Levels of Assurance (NIST 800-63)
‣2009: USG Identity, Credential and Access Management (ICAM)
• Establishes criteria for trust framework providers to enable interaction with federal agencies
• InCommon Approved Trust Framework Provider
Assurance Program Components
‣Profiles/Framework
‣Federation Operation Policies and Practices
‣Legal Framework
‣Certification Program
‣InCommon Metadata
‣Practice and Implementation Outreach
‣Program Oversight: Assurance Advisory Committee
Program Basics: Documents
‣ Identity Assurance Assessment Framework
‣ Identity Assurance Profiles
• Bronze (Level 1)
• Silver (Level 2)
‣Legal Addendum
• Privacy criteria from ICAM
‣assurance.incommon.org
InCommon Identity Assurance Profiles Components
‣Business, Policy and Operational Criteria
‣Registration and Identity Proofing
‣Credential Technology
‣Credential Issuance and Management
‣Authentication Process
‣Identity Information Management
‣Assertion Content
‣Technical Environment
Identity Provider Process
‣Support profile(s)
‣Audit
‣Apply
‣Audit Summary/Qualifications
‣Assurance Addendum
‣Pay Fee
‣Configure SAML software
Service Provider Process
‣Determine which qualifier to request
‣OMB 04-04 E-Authentication Guidance for Federal Agencies
‣Configure SAML Software to check metadata and request qualifier
‣Notify InCommon of your intent to request
‣No fee!
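The SP-side steps above (request a qualifier, check the IdP's metadata, then check what the assertion claims) as an added example; this is not code from the presentation or from InCommon's or any SAML product's software. It builds the RequestedAuthnContext an SP places in its AuthnRequest, reads the assurance-certification entity attribute out of IdP metadata, and accepts a login only when the federation certifies the IdP for the requested qualifier and the assertion's AuthnContextClassRef names it. The qualifier URIs and the entity attribute name are the ones used by the InCommon program and the SAML V2.0 Identity Assurance Profiles; the metadata, the assertion and the entityID idp.example.edu are constructed for the example, and signature, audience and validity-window checks are assumed to have been done by the SAML stack before this runs.

```python
import xml.etree.ElementTree as ET

# Namespaces for SAML 2.0 metadata, the metadata EntityAttributes extension,
# and SAML assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Entity attribute under which the federation publishes the assurance
# qualifiers it has certified an IdP for.
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"

# InCommon qualifier URIs: an SP requests one, an IdP asserts one.
INC_BRONZE = "http://id.incommon.org/assurance/bronze"
INC_SILVER = "http://id.incommon.org/assurance/silver"


def requested_authn_context(qualifier):
    """RequestedAuthnContext the SP puts in its AuthnRequest so the IdP must
    authenticate the user in a way that meets exactly this qualifier."""
    return (
        '<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Comparison="exact">'
        f"<saml:AuthnContextClassRef>{qualifier}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext>"
    )


def make_idp_metadata(entity_id, qualifiers):
    """Constructed IdP metadata (not real InCommon metadata) carrying the
    assurance certifications the federation operator vouches for."""
    values = "".join(f"<saml:AttributeValue>{q}</saml:AttributeValue>" for q in qualifiers)
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="{entity_id}">'
        "<md:Extensions><mdattr:EntityAttributes>"
        f'<saml:Attribute Name="{ASSURANCE_CERT_ATTR}" '
        f'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}</saml:Attribute>'
        "</mdattr:EntityAttributes></md:Extensions>"
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
        "</md:EntityDescriptor>"
    )


def make_assertion(issuer, qualifier):
    """Constructed (unsigned) assertion whose AuthnContextClassRef carries the
    qualifier the IdP claims this login met."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2012-04-18T12:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2012-04-18T12:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{qualifier}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


def certified_qualifiers(metadata_xml):
    """Return (entityID, set of qualifiers the federation certifies for it)."""
    root = ET.fromstring(metadata_xml)
    quals = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ASSURANCE_CERT_ATTR:
            for value in attr.findall("saml:AttributeValue", NS):
                quals.add((value.text or "").strip())
    return root.get("entityID"), quals


def accept_at_qualifier(assertion_xml, metadata_xml, requested):
    """SP-side decision, assuming signature/audience/validity were already
    verified: is the issuing IdP certified for `requested`, and does the
    assertion say the login met it? Returns (accepted, reason)."""
    entity_id, quals = certified_qualifiers(metadata_xml)
    assertion = ET.fromstring(assertion_xml)
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != entity_id:
        return False, f"issuer {issuer!r} is not the IdP described by the metadata"
    if requested not in quals:
        # An IdP can put any URI in AuthnContextClassRef; only the federation's
        # metadata says whether it has actually been certified for it.
        return False, f"IdP is not certified for {requested}"
    claimed = [
        (e.text or "").strip()
        for e in assertion.findall(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
        )
    ]
    if requested not in claimed:
        return False, f"assertion claims {claimed}, not {requested}"
    return True, "ok"


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"  # constructed entityID
    print(requested_authn_context(INC_SILVER))
    certified = make_idp_metadata(idp, [INC_BRONZE, INC_SILVER])
    bronze_only = make_idp_metadata(idp, [INC_BRONZE])
    print(accept_at_qualifier(make_assertion(idp, INC_SILVER), certified, INC_SILVER))
    print(accept_at_qualifier(make_assertion(idp, INC_SILVER), bronze_only, INC_SILVER))
    print(accept_at_qualifier(make_assertion(idp, INC_BRONZE), certified, INC_SILVER))
```

The second case is the one worth remembering: an IdP that merely asserts the Silver URI is rejected unless the federation's metadata certifies it for Silver, which is why the SP process above says to check metadata and not just the assertion.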
Fees for Identity Provider Operators
‣ Graduated to reflect
• Increasing value
• Early adopter contributions
The New Bronze
‣Oct 2011: Federal CIO Memo
‣30+ Federal Apps at LoA1 in InCommon now
‣ICAM encouraging broad Bronze deployment
‣New Bronze available for review
• Reduces requirements to simplify deployment
• Removes profile audit requirement
• Review site: spaces.internet2.edu/x/KYXNAQ
Resources
‣Your Peers on assurance@incommon.org
• New resources are announced here too.
‣Community Resources
• AD Silver Cookbook
• Multi-factor Authentication Guidance
‣Webinars
• IAM Online
• Monthly Calls (beginning March 7, Noon ET)
‣Meetings: InCommon Confab, April 26-27, in DC
‣Auditor Toolkits (coming soon)
CIC InCommon Silver Project
‣ University of Chicago
‣ University of Illinois
‣ Indiana University
‣ University of Iowa
‣ University of Michigan
‣ Michigan State University
‣ University of Minnesota
‣ Northwestern University
‣ Ohio State University
‣ The Pennsylvania State University
‣ Purdue University
‣ University of Wisconsin-Madison
‣ University of Nebraska
---- Plus some friends! ----
‣ Virginia Tech
‣ University of Washington
CIC InCommon Silver Project
‣ CIC CIOs set a goal in 2009 of all members achieving InCommon Silver in Fall 2011
• IdM people + Internal Auditors (who rock!)
‣ Steps
• Gap analysis: existing campus practice vs IAP/IAAF v1.0
• Focused feedback to InCommon
• Focused work on
- Documentation of “management assertions”
- Active Directory
- Multi-Factor
• InCommon refines IAP/IAAF, producing v1.1
• CIC Silver project is transitioning to Phase 2
Which people need Silver?
(Figure: services placed by timeframe, sooner to later, against user group size, smaller to larger.)
Services shown: NIH TeraGrid, Open Science Grid, CILogon, NSC Nat’l Labs, CIC shared storage, CIC CourseShare, Payroll, caBIG, Benefits, Student Loans, Financial aid, TIAA-CREF, research.gov
UChicago Silver Objectives
‣Support research & scientific collaborations
‣Ability to deliver SaaS solutions with higher LoA
‣All faculty, staff, and students needing Silver should be able to get it, easily
‣But most won’t need it right away, so don’t make them do anything special until they do
Initial Implementation Approaches
(table: UChicago approach vs. the range of approaches across CIC campuses)
‣Credential
• UChicago: existing username & password
• CIC range: username/password; plus 2nd factor? (OTP, PKI token)
‣ID Proofing
• UChicago: ID Card Office
• CIC range: ID Card Office; existing relationship for employees; special RA process
‣Credential Issuance
• UChicago: existing + confirmation at ID Card Office
• CIC range: being explored
‣Silver-eligible population
• UChicago: ID Card holders
• CIC range: selected individuals; faculty/staff; faculty/staff/students; ID Card holders
Issues & Subtleties
‣ Who “requires” Silver: IT or functional leadership?
‣ Enhance Identity Management System (IdMS) to track which accounts currently meet Silver requirements
• Suitable proofing & credential issuance
• Password recent enough
• No security hold
‣ Password storage & Active Directory
• Active Directory cookbook
‣ Password exposure to online guessing
• Fit of NIST entropy calculation model
• Applications that handle Silver passwords
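To make the "password exposure to online guessing" point concrete, here is an added example (not from the presentation or from any campus's implementation) that applies the user-chosen-password entropy heuristic of NIST SP 800-63-1 Appendix A and tests the result against the online-guessing targets that document sets over the life of a password: 1 in 2^10 for Level 1 (the level Bronze maps to) and 1 in 2^14 for Level 2 (the level Silver maps to). The lockout policy and password lifetime are assumptions chosen for the example. The per-character tiers and the 6-bit composition-rule bonus are as stated in Appendix A; the dictionary-check bonus is modeled as 6 bits at 8 characters declining to 0 at 20, which is this example's reading of the Appendix A table, so the helper is only meant for passwords of 8 or more characters. It also generalizes the slide's single case to randomly generated secrets, where entropy is simply length times log2 of the alphabet size.

```python
import math

# Online-guessing success targets over the life of the password, NIST SP 800-63-1.
LEVEL1_TARGET = 2.0 ** -10   # Level 1, the level InCommon Bronze maps to
LEVEL2_TARGET = 2.0 ** -14   # Level 2, the level InCommon Silver maps to


def nist_user_chosen_entropy(length, composition_rule=False, dictionary_check=False):
    """Estimated entropy (bits) of a user-chosen password using the NIST SP 800-63-1
    Appendix A heuristic: 4 bits for the first character, 2 bits each for characters
    2-8, 1.5 bits each for 9-20, 1 bit each beyond 20; +6 bits for a composition rule
    requiring upper-case and non-alphabetic characters; a dictionary-check bonus that
    this example models as 6 bits at length 8 falling by half a bit per character to
    0 at length 20 (our reading of the Appendix A table, hence the length >= 8 limit)."""
    if length < 8:
        raise ValueError("heuristic modeled here only for length >= 8")
    bits = 4.0
    bits += 2.0 * min(length - 1, 7)          # characters 2..8
    bits += 1.5 * min(max(length - 8, 0), 12) # characters 9..20
    bits += 1.0 * max(length - 20, 0)         # characters 21+
    if composition_rule:
        bits += 6.0
    if dictionary_check:
        bits += max(0.0, 6.0 - 0.5 * (length - 8))
    return bits


def random_entropy(length, alphabet_size):
    """Entropy of a secret drawn uniformly at random, e.g. a system-generated PIN
    (alphabet 10) or a 94-character printable-ASCII password."""
    return length * math.log2(alphabet_size)


def lifetime_guesses(lockout_threshold, lockout_minutes, lifetime_days):
    """Guesses one attacker can make against one account under a simple lockout
    (threshold failures, then a fixed lockout) over the password's lifetime.
    Assumes the attacker is never throttled beyond the lockout itself."""
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return int(lockout_threshold * windows)


def guessing_probability(entropy_bits, guesses):
    """Chance the attacker finds the password with that many guesses, treating the
    password as uniform over 2^entropy possibilities."""
    return min(1.0, guesses / 2.0 ** entropy_bits)


def meets_target(entropy_bits, guesses, target):
    return guessing_probability(entropy_bits, guesses) <= target


def max_guesses_allowed(entropy_bits, target):
    """Largest lifetime guess budget that still meets the target for this entropy."""
    return math.floor(target * 2.0 ** entropy_bits)


def min_entropy_bits(guesses, target):
    """Smallest whole number of entropy bits that meets the target for this budget."""
    return math.ceil(math.log2(guesses) - math.log2(target))


if __name__ == "__main__":
    # Assumed policy for the example: 5 failures lock the account for 30 minutes,
    # passwords are changed yearly.
    budget = lifetime_guesses(5, 30, 365)
    for length in (8, 10, 12):
        bits = nist_user_chosen_entropy(length, composition_rule=True, dictionary_check=True)
        print(length, "chars:", bits, "bits; Bronze target met:",
              meets_target(bits, budget, LEVEL1_TARGET),
              "; Silver target met:", meets_target(bits, budget, LEVEL2_TARGET))
    print("entropy needed for Silver under this policy:", min_entropy_bits(budget, LEVEL2_TARGET), "bits")
```

Under the assumed policy the attacker gets 87,600 guesses per account per year. An 8-character password with dictionary and composition rules (30 bits by the heuristic) clears the Level 1 target but not the Level 2 one, while 10 characters (32 bits) does; the same budget calculation is what lets a campus decide whether tightening lockout, shortening password lifetime, or lengthening passwords is the cheaper way to close the gap.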
Recommended