Multifactor Authentication (ORNL, June 15, 2016)
ORNL is managed by UT-Battelle for the US Department of Energy


Slide 2: Topics
Any time. Any place. Any device.
– What is Multifactor Authentication?
– Why Do Multifactor Authentication?
– Levels of Multifactor Authentication
– Two Types of Users in Scope
– Current MFA Scope
– Exceptions Approved for ORNL
– What Does MFA Mean for Privileged Users?
– Credential and Network Segmentation
– What Is the Process to Get a Level 4 Credential?
– Conceptual Network Design
– Questions

Slide 3: What Is Multi-Factor Authentication (MFA)?
A method of authenticating to a computer using a combination of any two or more of the following:
– Something you know (PIN, password)
– Something you have (badge, SecurID token)
– Something you are (fingerprint, picture)
MFA requires two different types of factors, generally something you know and something you have.
Examples: UserID + PIN & token code; badge + PIN; virtual smart card + PIN

Slide 4: Why Do Multifactor Authentication?
MFA is an Office of Management & Budget mandate for all Federal agencies, to be completed by 30 September 2016.

Slide 5: Levels of Multifactor Authentication
– Level 4: Very high confidence in the asserted identity's validity. Requires strong enrollment and identity verification. Examples: HSPD-12, PIV, LSSO
– Level 3: High confidence in the asserted identity's validity. Requires some registration and enrollment. Examples: RSA token, virtual smart card
– Level 2: Some confidence in the asserted identity's validity. Example: UCAMS
– Level 1: Little or no confidence in the asserted identity's validity. Examples: XCAMS, Google account
Illustrated on the slide: UserID + PIN & token code; virtual smart card + PIN

Slide 6: Two Types of Users in Scope
Privileged users
– "Security significant roles"
– Must use Level 4 (no exceptions or exclusions)
  – Level 4 to a jump server, then Level 3 to the target, is OK
  – PIV or HSPD-12 required; LSSO badge OK while the PIV is in request, broken, lost, ...
Standard users
– Supposed to use Level 4 (federal mandate), BUT some exceptions and exclusions apply
– Privilege elevation on your workstation is still OK

Slide 7: Who Is a Privileged User?
– Windows: member of the Administrators group on a server or cluster in the DMZ, Ops, or RAN enclaves
– Linux: can log in as uid 0, or has unrestricted sudo permissions, on a server or cluster in the DMZ, Ops, RAN, or Supercomputing enclaves
– Accounts with elevated Active Directory privileges
Contact cybersprintpmtm@ornl.gov if you think you were included in error. We'll show you which systems led us to identify you as meeting one of these criteria.

Slide 8: Users versus Accounts
Reporting to DOE is by accounts:
– How many standard user accounts do we have?
– How many privileged user accounts do we have?
– Of these, how many must do MFA?
– Of those that must do MFA, how many are enforced?
You are a Standard User when doing email and typical business tasks. You are a Privileged User when you log into a server to do server administration.
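The Linux criterion on slide 7 (uid 0 or unrestricted sudo) and the per-account counts slide 8 asks for can both be computed from a host's account files. The following is an added example, not code from the ORNL deck or the Cyber Sprint team; the /etc/passwd, /etc/group and /etc/sudoers contents are constructed sample data, and the account names (jdoe, adm-jdoe, kim, ...) are placeholders. Service accounts (nologin shells) are reported separately because slide 9 puts them out of scope.

```python
"""Classify local Linux accounts as privileged / standard / service and count them.

Added example (not from the ORNL presentation). Criteria follow slide 7:
privileged = uid 0, or a sudoers rule whose command list is literally ALL
(directly or via a %group). Input text is constructed sample data.
"""
import re
from collections import Counter

# Constructed sample /etc/passwd (not from any real host)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
adm-jdoe:x:1002:1002:Jane Doe (admin):/home/adm-jdoe:/bin/bash
bsmith:x:1003:1003:Bob Smith:/home/bsmith:/bin/bash
kim:x:1004:1004:Kim Lee:/home/kim:/bin/bash
svc-backup:x:900:900:backup service:/var/backup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sample /etc/group (only the group sudoers refers to)
GROUPS = "admins:x:27:kim\n"

# Constructed sample /etc/sudoers
SUDOERS = """\
Defaults env_reset
# full root for root and the admins group
root ALL=(ALL:ALL) ALL
%admins ALL=(ALL) ALL
adm-jdoe ALL=(ALL) NOPASSWD: ALL
# restricted rules: a fixed command list is not "unrestricted sudo"
bsmith ALL=(root) /usr/bin/systemctl restart httpd
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
SUDO_TAG = re.compile(r"^(?:NO)?(?:PASSWD|SETENV|EXEC|LOG_INPUT|LOG_OUTPUT):\s*")
SKIP_PREFIXES = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include", "#include")


def parse_passwd(text):
    """Return {name: (uid, shell)} from /etc/passwd-style text."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            accounts[name] = (int(uid), shell)
    return accounts


def parse_groups(text):
    """Return {group: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def unrestricted_sudo_users(sudoers, groups):
    """Users whose sudo command list is ALL, expanding %group entries."""
    users = set()
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        while SUDO_TAG.match(cmds):            # peel NOPASSWD:, SETENV:, ...
            cmds = SUDO_TAG.sub("", cmds, count=1).strip()
        if cmds != "ALL":
            continue                           # fixed command list: restricted
        who = m.group("who")
        if who.startswith("%"):
            users |= groups.get(who[1:], set())
        else:
            users.add(who)
    return users


def classify_accounts(passwd, sudoers, groups):
    """Map each account to 'privileged', 'standard' or 'service' (out of scope)."""
    sudo_all = unrestricted_sudo_users(sudoers, parse_groups(groups))
    result = {}
    for name, (uid, shell) in parse_passwd(passwd).items():
        if shell in NOLOGIN_SHELLS:
            result[name] = "service"
        elif uid == 0 or name in sudo_all:
            result[name] = "privileged"
        else:
            result[name] = "standard"
    return result


def mfa_scope_report(passwd, sudoers, groups):
    """Per-class account counts, the shape of the 'users versus accounts' report."""
    return dict(Counter(classify_accounts(passwd, sudoers, groups).values()))


if __name__ == "__main__":
    print(classify_accounts(PASSWD, SUDOERS, GROUPS))
    print(mfa_scope_report(PASSWD, SUDOERS, GROUPS))
```

Run against real files by reading /etc/passwd, /etc/group and /etc/sudoers (plus /etc/sudoers.d) instead of the constructed strings; note that it reports uid 0 duplicates such as the constructed "toor" entry as privileged, which is exactly the kind of account the DOE count should not miss.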

Slide 9: Current MFA Scope
Only interactive login is in scope
– MFA for application authentication is not required (yet)
– Service accounts are also out of scope
ORNL staff (per SBMS) are in scope
– Non-organizational users are out of scope
Standard user exemptions (per the DOE plan)
– Low/Low/Low systems (open research)
– Computers that drive equipment or collect data (SCADA)
– Off-network computers
– Systems designed for scientific collaboration with outsiders

Slide 10: Exceptions Approved for ORNL
Approved by the ORNL Site Office
– With review by DOE Headquarters
ORNL Leadership Computing Facility (OLCF)
– Level 3 permitted for standard users
– Level 4 still required for privileged users
Most ORNL workstations
– Level 3 permitted for standard users
– Level 4 still required for privileged users
– We will communicate with owners of systems not covered, primarily those working with M/EC data

Slide 11: What Does MFA Mean for Privileged Users?
Must get a federal card (PIV or HSPD-12)
– Many already have one or are in process
– LSSO card OK while the PIV is in request (which takes months)
You must know the PIN for your card
– Working with the Visitor Center on scheduling
– Applies to LSSO and PIV/HSPD-12
Privileged interactive login must include Level 4
– Must be technically enforced
– Should use a secondary userID (except for OLCF)
Other exceptions are possible; proving compliance is our challenge
– The smart card is currently the only approved Level 4 credential
– OK to use L4 to the jump server, then L3 to the target server
– L2 to the target can be approved if L3 is not feasible

Slide 12: What Is the Process to Get a Level 4 Credential?
HSPD-12 / PIV badge
– We are working with the Badge Office to initiate the requests
  – HSPD-12 if cleared; PIV otherwise
  – There is something called a PIV-I, but we're not using it
LSSO badge
– LSSO badge == CIV (civilian identity verification)
– Used while the federal badge is in request, lost, broken, ...

Slide 13: Two Kinds of Servers
All interactive users on the server are privileged users
– Primary case for application servers, web servers, ...
– Preferred pattern: put the server behind a jump server for RDP and SSH
– The jump server enforces LOA 4 for all interactive access
Some (most) interactive users are standard users
– Fairly common in some science areas
– Need to ensure privileged users are LOA 4, but can allow LOA 3 for standard users
– Pattern 1: use secondary UIDs for privileged users and restrict their login to only the jump server
– Pattern 2: require card authentication for sudo (only one proof-of-concept so far, on Ubuntu)
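Pattern 1 is only as good as its enforcement, so a system owner wants a way to confirm from the target server's own logs that privileged secondary accounts never arrive from anywhere but the jump server. The block below is an added example written for this page, not ORNL's tooling; it parses OpenSSH "Accepted ..." log lines, which are constructed sample data here. The "adm-" naming convention for secondary privileged UIDs and the jump-server addresses (10.0.0.5, 10.0.0.6) are assumptions chosen for the example.

```python
"""Audit sshd log lines for the jump-server pattern (slide 13, Pattern 1).

Added example (not from the ORNL presentation). A privileged secondary
account (assumed naming: adm-*) that logged in from any address other than
the jump servers (assumed: 10.0.0.5, 10.0.0.6) is a policy violation.
"""
import re
from ipaddress import ip_address, ip_network

# Assumptions for this example, not ORNL's real values
JUMP_HOSTS = [ip_network("10.0.0.5/32"), ip_network("10.0.0.6/32")]
PRIVILEGED_PREFIX = "adm-"

# Constructed log lines in OpenSSH's "Accepted"/"Failed" syslog format
LOG = """\
Jun 15 08:01:10 web1 sshd[2101]: Accepted publickey for adm-jdoe from 10.0.0.5 port 51012 ssh2: RSA SHA256:abc
Jun 15 08:03:22 web1 sshd[2114]: Accepted password for jdoe from 10.20.1.7 port 40211 ssh2
Jun 15 08:05:41 web1 sshd[2130]: Accepted publickey for adm-kim from 10.20.1.9 port 40300 ssh2: ED25519 SHA256:def
Jun 15 08:07:00 web1 sshd[2140]: Failed password for adm-jdoe from 192.0.2.44 port 3333 ssh2
Jun 15 08:09:13 web1 sshd[2150]: Accepted publickey for adm-jdoe from 10.0.0.6 port 51020 ssh2: RSA SHA256:abc
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted(log):
    """Successful logins only: list of {user, ip, method}; failures are ignored."""
    events = []
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            events.append({"user": m.group("user"),
                           "ip": ip_address(m.group("ip")),
                           "method": m.group("method")})
    return events


def is_privileged(user):
    """Secondary privileged UIDs are recognised by the assumed prefix."""
    return user.startswith(PRIVILEGED_PREFIX)


def from_jump_host(ip):
    return any(ip in net for net in JUMP_HOSTS)


def find_violations(log):
    """Privileged-account logins that bypassed the jump server: (user, source ip)."""
    return [(e["user"], str(e["ip"])) for e in parse_accepted(log)
            if is_privileged(e["user"]) and not from_jump_host(e["ip"])]


def audit(log):
    """Summary a system owner can hand to the MFA reporting effort."""
    priv = [e for e in parse_accepted(log) if is_privileged(e["user"])]
    return {
        "privileged_logins": len(priv),
        "via_jump_host": sum(from_jump_host(e["ip"]) for e in priv),
        "violations": find_violations(log),
    }


if __name__ == "__main__":
    for user, ip in find_violations(LOG):
        print(f"VIOLATION: {user} logged in from {ip}, not via a jump server")
    print(audit(LOG))
```

On a real target server, feed it the output of journalctl -u ssh or /var/log/auth.log; a non-empty violations list means the host-side restriction (sshd_config or PAM access rules limiting adm-* logins to the jump servers) is missing or misconfigured, since under Pattern 1 such a login should have been refused rather than merely logged.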

Slide 14: Accessing a Windows Server
Need: your card, its PIN, a card reader, and an ORNL-managed Windows workstation
– "ORNL-managed" is a DOE restriction: PIV is not permitted from personally owned devices
– Working on fixing this for Citrix and RDP clients
– Linux and Mac users will need a Windows VM for now
Use Remote Desktop to the jump server
– Put your secondary userID into the username hint field
Then use Remote Desktop from the jump server to your target server (the one you need to administer)
– Card authentication is generally supported, but not required, for the target server

Slide 15: Card Readers
ITSD is buying them for ORNL and distributing them. Three types, all USB, tested with PIV/HSPD-12 and LSSO on Windows, Mac, and Linux:
– Cherry (heavy, designed for desktop use)
– Hockey puck (somewhat portable)
– Butterfly (can be put on a badge lanyard)
Many laptops (and all new Windows MHP laptops) have built-in card readers. If your keyboard card reader works, great; they do have a higher failure rate.

Slide 16: The Bottom Line
There's lots of cool technology out there that may well be better than the smart card, but we are constrained by OMB requirements with a strict interpretation of NIST 800-63 Rev 2. We really wanted a second tool for L4, but the smart card is the only thing that has been approved. In the end, we have to be able to demonstrate that standard users are logging in at L3 or better and privileged users are logging in at L4.

Slide 17: Questions (Cyber Sprint PM Team)

Slide 18: Credential and Network Segmentation
In support of MFA, a significant effort is underway to re-architect the ORNL Unclassified network. The new architecture will further segment by information sensitivity and improve security.
An enclave is the top level (as is today)
– An account can only be used in one enclave
– An enclave is protected by a physical firewall
An enclave can have zones as well as subzones
– Zones and subzones are protected with virtual firewalls
– Zones and subzones inherit controls from the parent enclave, but can also be tailored to meet the requirements of the information contained within

Slide 19: Credential and Network Segmentation (diagram only; no text survives)
