Presentation on theme: "Identity Assurance Profiles & Trust Federations David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon David Bantz, U Alaska Tom Barton,"— Presentation transcript:
Identity Assurance Profiles & Trust Federations David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon David Bantz, U Alaska Tom Barton, U Chicago Ann West, Internet2 & InCommon 2012-04-18
Level of Assurance (LoA) ‣ LoA ~ confidence that a login event identifies a specific known person impersonation of a legitimate user fictitious identity ‣ What’s at stake if the user is not who they assert? access to sensitive information alter data use elevated privileges to inflict damage
LoA to fit risks; defined by OMB & NIST ‣ Modest risk ~ bookmarks, bulk license to campus LoA 1 or InC Bronze ‣ Moderate ~ transcript, PII, HPC access LoA 2 or InC Silver ‣ Substantial ~ $$, classified research LoA 3 (or InC Gold?) ‣ Health & Safety / National Security LoA 4 (or InC Platinum?)
Technologies for LoA specified in Assurance Profiles ‣ LoA 1 or InC Bronze: Passwords or PINs weak or no vetting; social identities may be OK ‣ LoA 2 or InC Silver: Strong Passwords ID vetting (photo ids) encryption ‣ LoA 3 & 4: + multi-factor authN
LoA value to trust federations ‣ Usual (as for HE members of InCommon) integrity of systems (thwart unapproved changes or leaks) due diligence / best practices ‣ possible K12 extensions age- / grade-appropriate access combining records from different schools parental or other permissions
Why InC Bronze / Silver ? ‣ Faster startup based on existing developed profiles, provider's consumption of LoA ‣ Leverage years of work by NIST, HE, InCommon ‣ Extend LoA from K12 to resources via InCommon members (Universities)
Issues / concerns re meeting IAP requirements ‣ Control or constraint of entrenched processes; member may use less robust authN for legacy apps ‣ Multiple stores for credentials with multiple controls by (some) federation members => reduction of entropy combined with unwillingness to increase complexity ‣ Onboarding & vetting procedures may be lax per IAP ‣ Meeting LoA profile might entail a second more secure credential store or use of 2-factor authN lack of clear applicability of 2-factor authN to meet LoA Silver profile
Attribute LoA? ‣ Some hopes for “assurance” require confidence in attribute values - age, role,- rather than of authentication itself. ‣ IAPs - even InC Silver - may not provide desired confidence in role or attribute assertions for access.
InCommon Assurance Program ‣ 2004: USG defines 4 Levels of Assurance (NIST 800-63) ‣ 2009: USG Identity, Credential and Access Management (ICAM) Establishes criteria for trust framework providers to enable interaction with federal agencies InCommon Approved Trust Framework Provider
Assurance Program Components ‣ Profiles/Framework ‣ Federation Operation Policies and Practices ‣ Legal Framework ‣ Certification Program ‣ InCommon Metadata ‣ Practice and Implementation Outreach ‣ Program Oversight: Assurance Advisory Committee
Service Provider Proccess ‣ Determine which qualifier to request ‣ OMB 04-04 E-Authentication Guidance for Federal Agencies ‣ Configure SAML Software to check metadata and request qualifier ‣ Notify InCommon of your intent to request ‣ No fee!
Fees for Identity Provider Operators ‣ Graduated to reflect Increasing value Early adopter contributions
The New Bronze ‣ Oct 2011: Federal CIO Memo ‣ 30+ Federal Apps at LoA1 in InCommon now ‣ ICAM encouraging broad Bronze deployment ‣ New Bronze available for review Reduces requirements to simplify deployment Removes profile audit requirement Review site: spaces.internet2.edu/x/KYXNAQ
Resources ‣ Your Peers on email@example.com@incommon.org New resources are announced here too. ‣ Community Resources AD Silver Cookbook Multi-factor Authentication Guidance ‣ Webinars IAM Online Monthly Calls (beginning March 7 — Noon ET) ‣ Meetings: InCommon Confab, April 26-27, in DC ‣ Auditor Toolkits (coming soon)
CIC InCommon Silver Project ‣ University of Chicago ‣ University of Illinois ‣ Indiana University ‣ University of Iowa ‣ University of Michigan ‣ Michigan State University ‣ University of Minnesota ‣ Northwestern University ‣ Ohio State University ‣ The Pennsylvania State University ‣ Purdue University ‣ University of Wisconsin- Madison ‣ University of Nebraska ---- Plus some friends! ---- ‣ Virginia Tech ‣ University of Washington Committee on Institutional Cooperation: 12 Big Ten Schools + U Chicago
CIC InCommon Silver Project ‣ CIC CIOs set a goal in 2009 of all members achieving InCommon Silver in Fall 2011 IdM people + Internal Auditors (who rock!) ‣ Steps Gap analysis: existing campus practice vs IAP/IAAF v1.0 Focused feedback to InCommon Focused work on Documentation of “management assertions” Active Directory Multi-Factor InCommon refines IAP/IAAF, producing v1.1 CIC Silver project is transitioning to Phase 2
Which people need Silver? Time frame sooner later User group size smaller larger NIH TeraGrid Open Science Grid CILogon NSCNat’l Labs CIC shared storage CIC CourseShare Payroll caBIG Benefits Student Loans Financial aid TIAA-CREF research.gov
UChicago Silver Objectives ‣ Support research & scientific collaborations ‣ Ability to deliver SaaS solutions with higher LoA ‣ All faculty, staff, and students needing Silver should be able to get it, easily ‣ But most won’t need it right away, so don’t make them do anything special until they do
Initial Implementation Approaches UChicagoCIC Range Credentialexisting username & password username/password plus 2 nd factor? OTP PKI token ID ProofingID Card Office existing relationship for employees special RA process Credential Issuance existing + confirmation at ID Card Office being explored Silver-eligible population ID Card holdersselected individuals faculty/staff faculty/staff/students ID Card holders
‣ Who “requires” Silver: IT or functional leadership? ‣ Enhance Identity Management System (IdMS) to track which accounts currently meet Silver requirements Suitable proofing & credential issuance Password recent enough No security hold ‣ Password storage & Active Directory Active Directory cookbook ‣ Password exposure to online guessing Fit of NIST entropy calculation model Applications that handle Silver passwords Issues & Subtleties
InCommon Silver adoption pipeline ‣ CIC Silver Project: 12 CIC schools + Virginia Tech & U Washington ‣ U Florida ‣ U Wisconsin - Milwaukee ‣ Many expect to be Silver certified in 2012 ‣ Others? You?