Identity Assurance Profiles & Trust Federations

David Bantz, U Alaska
Tom Barton, U Chicago
Ann West, Internet2 & InCommon

2012-04-18

Level of Assurance (LoA)

‣ LoA ~ confidence that a login event identifies a specific known person
  • impersonation of a legitimate user
  • fictitious identity
‣ What’s at stake if the user is not who they assert?
  • access to sensitive information
  • alter data
  • use elevated privileges to inflict damage

LoA to fit risks; defined by OMB & NIST

‣ Modest risk ~ bookmarks, bulk license to campus: LoA 1 or InC Bronze
‣ Moderate ~ transcript, PII, HPC access: LoA 2 or InC Silver
‣ Substantial ~ $$, classified research: LoA 3 (or InC Gold?)
‣ Health & Safety / National Security: LoA 4 (or InC Platinum?)

Technologies for LoA specified in Assurance Profiles

‣ LoA 1 or InC Bronze:
  • Passwords or PINs
  • weak or no vetting; social identities may be OK
‣ LoA 2 or InC Silver:
  • Strong Passwords
  • ID vetting (photo ids)
  • encryption
‣ LoA 3 & 4:
  • + multi-factor authN

LoA value to trust federations

‣ Usual (as for HE members of InCommon)
  • integrity of systems (thwart unapproved changes or leaks)
  • due diligence / best practices
‣ possible K12 extensions
  • age- / grade-appropriate access
  • combining records from different schools
  • parental or other permissions

Why InC Bronze / Silver?

‣ Faster startup based on existing developed profiles, provider's consumption of LoA
‣ Leverage years of work by NIST, HE, InCommon
‣ Extend LoA from K12 to resources via InCommon members (Universities)

Issues / concerns re meeting IAP requirements

‣ Control or constraint of entrenched processes; member may use less robust authN for legacy apps
‣ Multiple stores for credentials with multiple controls by (some) federation members
  • => reduction of entropy combined with unwillingness to increase complexity
‣ Onboarding & vetting procedures may be lax per IAP
‣ Meeting LoA profile might entail a second more secure credential store or use of 2-factor authN
  • lack of clear applicability of 2-factor authN to meet LoA Silver profile

Attribute LoA?

‣ Some hopes for “assurance” require confidence in attribute values (age, role) rather than in the authentication itself.
‣ IAPs, even InC Silver, may not provide the desired confidence in role or attribute assertions for access.

InCommon Assurance Program

‣ 2004: USG defines 4 Levels of Assurance (NIST 800-63)
‣ 2009: USG Identity, Credential and Access Management (ICAM)
  • Establishes criteria for trust framework providers to enable interaction with federal agencies
  • InCommon Approved Trust Framework Provider

Assurance Program Components

‣ Profiles/Framework
‣ Federation Operation Policies and Practices
‣ Legal Framework
‣ Certification Program
‣ InCommon Metadata
‣ Practice and Implementation Outreach
‣ Program Oversight: Assurance Advisory Committee

Program Basics: Documents

‣ Identity Assurance Assessment Framework
‣ Identity Assurance Profiles
  • Bronze (Level 1)
  • Silver (Level 2)
‣ Legal Addendum
  • Privacy criteria from ICAM
‣ assurance.incommon.org

InCommon Identity Assurance Profiles Components

‣ Business, Policy and Operational Criteria
‣ Registration and Identity Proofing
‣ Credential Technology
‣ Credential Issuance and Management
‣ Authentication Process
‣ Identity Information Management
‣ Assertion Content
‣ Technical Environment

Identity Provider Process

‣ Support profile(s)
‣ Audit
‣ Apply
‣ Audit Summary/Qualifications
‣ Assurance Addendum
‣ Pay Fee
‣ Configure SAML software

Service Provider Process

‣ Determine which qualifier to request
‣ OMB 04-04 E-Authentication Guidance for Federal Agencies
‣ Configure SAML Software to check metadata and request qualifier
‣ Notify InCommon of your intent to request
‣ No fee!
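As an added illustration of the SP-side steps above (not code from this presentation or from InCommon), the following Python does the two checks a Service Provider's SAML software needs: that federation metadata certifies the issuing IdP for the requested qualifier, and that the returned assertion actually carries that qualifier. The metadata and AuthnStatement samples are constructed, and the InCommon profile URIs are assumed here.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
# Entity-attribute name from the SAML Identity Assurance Profiles spec; the InCommon
# profile URI is assumed here (check assurance.incommon.org for the current values).
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SILVER = "http://id.incommon.org/assurance/silver"

# Constructed sample federation metadata (not real InCommon metadata): idp.example.edu
# is certified Bronze and Silver; idp.other.edu carries no assurance certification.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth"><md:Extensions>
    <mdattr:EntityAttributes><saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>http://id.incommon.org/assurance/bronze</saml:AttributeValue>
      <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
    </saml:Attribute></mdattr:EntityAttributes>
  </md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.edu/idp/shibboleth"/>
</md:EntitiesDescriptor>"""

# Constructed AuthnStatement fragment as an IdP would return it after a Silver login.
SAMPLE_AUTHN_STATEMENT = """<saml:AuthnStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnContext><saml:AuthnContextClassRef>http://id.incommon.org/assurance/silver</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>"""

def certified_qualifiers(metadata_xml, entity_id):
    """Qualifiers the federation operator has certified for this IdP in metadata."""
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT:
                return {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
    return set()

def asserted_context(authn_statement_xml):
    """AuthnContextClassRef the IdP put in the assertion, or None if absent."""
    ref = ET.fromstring(authn_statement_xml).find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None

def accept_for_qualifier(metadata_xml, issuer, authn_statement_xml, required=SILVER):
    """SP-side decision (exact match): the assertion must carry the required qualifier AND
    federation metadata must certify the issuer for it, so an uncertified IdP asserting Silver is rejected."""
    return required in certified_qualifiers(metadata_xml, issuer) and \
        asserted_context(authn_statement_xml) == required
```

The metadata check is what stops a member IdP from self-asserting a profile it has not been certified for; the qualifier in the assertion alone is not enough.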

Fees for Identity Provider Operators

‣ Graduated to reflect
  • Increasing value
  • Early adopter contributions

The New Bronze

‣ Oct 2011: Federal CIO Memo
‣ 30+ Federal Apps at LoA1 in InCommon now
‣ ICAM encouraging broad Bronze deployment
‣ New Bronze available for review
  • Reduces requirements to simplify deployment
  • Removes profile audit requirement
  • Review site: spaces.internet2.edu/x/KYXNAQ

Resources

‣ Your Peers on [email protected]
  • New resources are announced here too.
‣ Community Resources
  • AD Silver Cookbook
  • Multi-factor Authentication Guidance
‣ Webinars
  • IAM Online
  • Monthly Calls (beginning March 7, Noon ET)
‣ Meetings: InCommon Confab, April 26-27, in DC
‣ Auditor Toolkits (coming soon)

CIC InCommon Silver Project

‣ University of Chicago
‣ University of Illinois
‣ Indiana University
‣ University of Iowa
‣ University of Michigan
‣ Michigan State University
‣ University of Minnesota
‣ Northwestern University
‣ Ohio State University
‣ The Pennsylvania State University
‣ Purdue University
‣ University of Wisconsin-Madison
‣ University of Nebraska

---- Plus some friends! ----
‣ Virginia Tech
‣ University of Washington

CIC InCommon Silver Project

‣ CIC CIOs set a goal in 2009 of all members achieving InCommon Silver in Fall 2011
  • IdM people + Internal Auditors (who rock!)
‣ Steps
  • Gap analysis: existing campus practice vs IAP/IAAF v1.0
  • Focused feedback to InCommon
  • Focused work on
    - Documentation of “management assertions”
    - Active Directory
    - Multi-Factor
  • InCommon refines IAP/IAAF, producing v1.1
  • CIC Silver project is transitioning to Phase 2

Which people need Silver?

[Chart: services plotted by Timeframe (sooner to later) against User group size (smaller to larger). Services shown: NIH TeraGrid, Open Science Grid, CILogon, NSC Nat’l Labs, CIC shared storage, CIC CourseShare, Payroll, caBIG, Benefits, Student Loans, Financial aid, TIAA-CREF, research.gov]

UChicago Silver Objectives

‣ Support research & scientific collaborations
‣ Ability to deliver SaaS solutions with higher LoA
‣ All faculty, staff, and students needing Silver should be able to get it, easily
‣ But most won’t need it right away, so don’t make them do anything special until they do

Initial Implementation Approaches (UChicago vs. CIC range)

Credential
  UChicago: existing username & password
  CIC range: • username/password • plus 2nd factor? • OTP • PKI token

ID Proofing
  UChicago: ID Card Office
  CIC range: • ID Card Office • existing relationship for employees • special RA process

Credential Issuance
  UChicago: existing + confirmation at ID Card Office
  CIC range: • being explored

Silver-eligible population
  UChicago: ID Card holders
  CIC range: • selected individuals • faculty/staff • faculty/staff/students • ID Card holders

Issues & Subtleties

‣ Who “requires” Silver: IT or functional leadership?
‣ Enhance Identity Management System (IdMS) to track which accounts currently meet Silver requirements
  • Suitable proofing & credential issuance
  • Password recent enough
  • No security hold
‣ Password storage & Active Directory
  • Active Directory cookbook
‣ Password exposure to online guessing
  • Fit of NIST entropy calculation model
  • Applications that handle Silver passwords

InCommon Silver adoption pipeline

‣ CIC Silver Project: 12 CIC schools + Virginia Tech & U Washington
‣ U Florida
‣ U Wisconsin - Milwaukee
‣ Many expect to be Silver certified in 2012
‣ Others? You?