Credentialing in Higher Education Michael R Gettes Duke University gettes@duke.edu CAMP, June 2005, Denver


Page 1:

Credentialing in Higher Education

Michael R Gettes

Duke University

gettes@duke.edu

CAMP, June 2005, Denver

Page 2:

What’s this presentation about?

• This will start out with a wide scope and seem scary.

• At the end…
  • a common understanding of what is “good enough”
  • Tools to help you determine “good enough”
  • National initiatives pointing to a common understanding of credentialing

Page 3:

What is Credentialing??

• ID Proofing - Processes that establish that a person is who they claim to be, prior to issuing electronic credentials.

• And then…
  • Associating meta-data about those processes with the credential, for repeated longer-term evaluation by applications and authN/Z infrastructure for access management: Levels of Assurance (LoA).

Page 4:

What is Credentialing?? (2)

• Issuance of Electronic Credentials
  • Initial issuance and re-credentialing (like password reset)

• Password Strength Mechanisms

• Credential Verification Services
  • Validating an identity or assertion

• Methods for Application Classification with respect to Levels of Assurance

• Exposing all of this, appropriately, for evaluation by others so they can determine if they want to trust your organization.

Page 5:

Policy Calculus

• Within your institution
  • To effectively offer services, access to core business systems, differentiate communities (faculty, student, staff, etc), access to resources (high performance computing). Local policy, practice, lore.

• Within Higher Education
  • Participation in consortia, research projects, federations, global services is requiring exposure of credentialing practices. InCommon Participant Operational Practices Statement (POPS).

Page 6:

Policy Calculus (2): US Government Activity

• Homeland Security Presidential Directive #12
  • Policy for a Common Identification Standard for Federal Employees and Contractors
  • States there will be mandatory, Government-wide standards for secure authentication (not just electronic)

• OMB E-Authentication Guidance M-04-04

• NIST Special Pub 800-63 (Electronic Authentication Guideline)
  • Defines 4 Levels of Assurance for E-Authentication. Impacts Credentialing.

• Federal E-Authentication Initiative
  • Credential Assessment Framework

Page 7:

(pause) Terminology

• CSP - Credential Service Provider - A trusted entity issuing electronic credentials to subscribers

• RA - Registration Authority - Vouches for the identity of a subscriber to a CSP

• Identity Proofing - Process by which CSP and RA uniquely identify a person/entity

• RP - Relying Party - an entity relying upon the credentials issued by a CSP

• LoA - Level of Assurance - Classification of ID proofing suitable for electronic use to control access to information

Page 8:

OMB M-04-04 (E-Authentication Guidance)

• Defines the required Level of Assurance (LoA) in terms of the consequences of an authentication error. As the consequences become more serious, the required LoA increases.

• This guidance also provides criteria for determining LoA for specific applications and transactions based on risk and likelihood of occurrence.

• Supplements the Implementation of GPEA (Government Paperwork Elimination Act)

Page 9:

NIST SP800-63: Levels of Assurance (LoA)

• Level 1: No ID proofing requirement, but assures the claimant is consistent (the same token holder returns each time). Plaintext passwords/secrets are not transmitted over the wire. Allows any of the token methods of Levels 2, 3 and 4.

• Level 2: Introduces ID proofing requirements (identifying materials must be presented; verifying them is not required until Level 3). Single-factor authN, with a wide range of methods. Allows the tokens of Levels 3 and 4 as well as passwords and PINs. Approved crypto methods are required to prevent eavesdropper, replay and online-guessing attacks and for assertion verification.

Page 10:

NIST SP800-63: Levels of Assurance (LoA) (2)

• Level 3: Multi-factor authN required. Verification of ID proofing materials required. Crypto-strength mechanisms needed to protect the primary token. Proves possession of a key or OTP (one-time password) via a crypto protocol.

• Level 4: Highest level. Similar to Level 3 except only “hard” crypto tokens are allowed (hardware modules validated at FIPS 140-2 Level 2 or higher, with FIPS 140-2 Level 3 physical security). Strong, approved crypto is used for all operations.

Page 11:

www.cio.gov/eauthentication, a.k.a. E-Auth

• US Government’s activity to apply OMB M-04-04 and NIST SP800-63 (in concert with HSPD-12) to manage access to at least 24 major areas of service within the USG.

• It will utilize technologies based on SAML and PKI/X.509 (Shibboleth, Bridge Certification Authority and hierarchical PKI models, other technologies as appropriate)

Page 12:

Credential Assessment Framework (CAF)

• Processes to assess the efficacy of a CSP. We, institutions of Higher Education, can all be seen as CSPs as well as Relying Parties for the services we offer ourselves and each other.

• CAF is really only concerned with CSPs used by the Federal E-Auth activities, but there are lots of interconnects between HE and Fed, so it impacts us in many ways. Hence, various projects are active.

Page 13:

CAF - Considerations

• Organizational IT Security Plan

• Roles and Responsibilities of the service

• Password Construction Rules

• List of IT system audits in last 2 years

• Business/Operations Continuity Plan

• Examples of Subscriber agreements, Terms and Conditions and how they are disseminated.

• Summary of ID Mgmt Systems and Protocols used.

Page 14:

A Credentialing Process

1. Understand your applications/transaction risks and exposures. Grade these requirements to determine LoA for each appropriate application.

2. Define LoA in terms of the credentials issued by a CSP for use by an RP (Levels 1-4 and their requirements).

3. Create processes and mechanisms for implementing ID proofing, electronic credential issuance, electronic authentication and authorization, systems for managing this data (identity management in particular).

4. Create a framework to assess, audit and validate the processes and mechanisms

5. Be prepared to communicate the results inside and outside your organization.

Page 15:

What WE commonly do… “the Good”

• Send username/password by postal mail.

• ???

Page 16:

What WE commonly do… “the bad and the ugly”

• Hand out envelopes with name/pw and not carefully protect the envelope.

• Perform password resets based on phone calls or email requests.

• Initial passwords never expire.

• Little requirement for good passwords.

• We don’t assess our applications and cleanly define their respective access requirements.

• More about all this on Wednesday (morgan/kellogg)

Page 17:

What CAN we do? InCommon POPS as a start…

• www.incommonfederation.org

• The POPS is essentially an assessment of your CSP environment, but it gets detailed according to the needs of the federation.

• Don’t be afraid of it -- go read it. See how you stack up. You may be doing better than you think.
  • And if you don’t stack up -- now you know what you need to do. How cool is that!!!

Page 18:

Summary

• As you can see -- we have a confluence of activity -- Higher Ed and Fed -- developing a common set of credentialing requirements, processes, technologies and understanding.

• Become familiar with:
  • OMB M-04-04; NIST SP800-63; CAF Suite
  • InCommon POPS; Directory Roadmap and emerging Authentication Roadmap
