Presentation on theme: "EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley."— Presentation transcript:
EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley
Introductions Who we are Who you are Topics for Today What’s the Problem? Stories from the Field Profiles Overview and Gap Analysis Profiles to Practice: Business and Technical Implementation Considerations and Sample Timeline Resources to Help You
What’s the Problem and Why Should You be Worrying?
Deloitte Predictions 2013 Passwords==bad Strong? 5 hours to crack Phishing Bad habits Same pwd - multiple sites Online sources of cracked passwords Cell encouraging numbers-only Bad practices Yahoo recycling email addresses Sample Articles Sample Articles
Is This a Case for Multifactor? What questions should we be asking? How can I address phishing? How can I protect against inappropriate reassignment? How can I ensure the right physical person is using that password? InCommon’s Identity Assurance Framework and Profiles provides a step-wise and standards-based way to address these questions
Components of Assurance 6 RiskAssurance component that mitigates Fraudulently obtained Identity proofing + credential management Vetting process, Subject attributes, record keeping Inappropriate reassignment Credential management Token issuance & revocation, binding of Token to Subject, secure infrastructure, record keeping Stolen or shared Token technologies Additional factors (biometric, geolocation,...) Multi-factor (PIN + token) Second factor (OTP, “phone factor”, 2 nd password) Password/passphrase Effort to mitigate
Providing Credentials for your Credentials 2004: USG defines 4 Levels of Assurance (NIST 800-63) 2009: USG Identity, Credential and Access Management (ICAM) Certifies trust frameworks to interact with the USG agencies Determines comparability with 800-63 2011: InCommon ICAM Trust Provider Higher Ed developed, USG approved Bronze comparable to NIST LoA 1 Silver comparable to NIST LoA 2
What Guidance are You Using?
Stories from the Field
Stronger Authentication at UCB –Adopt Me Please? ●IAM Systems review – Burton report ●Pre-InCommon Assurance and campus data classification ●Still a perceived need to “tighten” assurance ●Finding a cost-effective solution
CAS Second-Level Authentication ●Much easier and less expensive to deploy than two-factor ●Developed as contribution to existing CAS open source initiative ●User to supply a second “secret” for sensitive apps ●CAS Second Level OverviewCAS Second Level Overview ●One line code change for apps already integrated with CAS
Adoption, or not… ●Adoption Round 1 – It’s the right thing to do ●Adoption Round 2 – You have to do it ●The bet
UC Trust Compliance and InCommon Silver ●UC Trust Federation - Basic Assurance ●Decision to convert to InC Silver ●System-wide gap analysisSystem-wide gap analysis ●System-wide HR replacement ●Still no decision - likely deferred ●How to prioritize and align resources?
Your Stories from the Field?
The InCommon Assurance Profiles
03/08/2012 17 It’s All About Identity Assurance Assurance a positive declaration intended to give confidence; a promise Identity Assurance the ability for a party to determine, with some level of certainty, that an electronic credential representing a person can be trusted to actually belong to the person.
Risk Management Perspective Understanding the risk Compliance Financial Reputational Choosing to invest in mitigation Idaho and HIPPA Fine Idaho and HIPPA Fine
InCommon – Higher Ed OMB/NIST – Federal Agencies Relevant Assurance Docs Identity Assurance Assessment Framework Identity Assurance Assessment Framework Identity Assurance Profiles Identity Assurance Profiles Bronze (Level 1) Silver (Level 2) Certification: Legal Addendum Legal Addendum Privacy criteria from ICAM OMB M04 04 E- Authentication Guidance for Federal AgenciesE- Authentication Guidance for Federal Agencies Maps risk to four levels of assurance NIST 800-63 E- Authentication Guidelines Describes how to implement the four levels
InCommon Bronze: Common Sense Assign Responsibility for IdM Establish Policy for IdM Harden Password Management Harden Credential Technology Infrastructure Optional Compliance: Perform Self Assessment
A Note on Compliance Using Profiles is free, downloading is free Compliance will be required when federating with US Government Other InCommon Service Providers requesting an InCommon Profile Pros Published on Federal and InCommon website Shows good practice to your service providers Bronze is free; Silver is good biz practice Con Due diligence – more work Silver requires audit and fee to be certified
Business, Policy and Operational Criteria Registration and Identity Proofing Credential Technology Credential Issuance and Management Authentication Process Identity Information Management Assertion Content Technical Environment 03/08/2012 InCommon Identity Assurance Profiles 23
Find the Gaps ●Review the IAP table ●Where are you likely to find gaps? ●Business process, documentation ●Credential management ●Who needs to help fill them? ●Systems of Record representatives, Service Desk ●Central IT – security, credential managers systems teams ●When should you engage them? ●Estimating resources and timelines – sample gap analysis chart
Profile to Practice
Profile to Practice: Business
Framework: Functional Model 34
Business Process Considerations ●On-boarding and the IdPO ID proofing and bootstrapping the digital credential HR, delegated admins or both The “CalNet Deputy” model and CalNet Deputy Training“CalNet Deputy” CalNet Deputy Training ●Remote proofing ●Re-issuance ●Security questions? ●User education and awareness
Technical Environment ●Campus minimum standards if you have them https://security.berkeley.edu/taxonomy/term/71 ●Industry standards - CIS BenchmarksCIS Benchmarks
Profile to Practice: Making the Pitch
Considering Your Audience ●Elevator pitches for: ○ Audit (if not for certification) ○ IT Executives ○ IT Security ○ Functional Owners (HR, Controller, Student System)
Profile to Practice: 18 months to Better Practices
Q1Q2Q3Q4Q1Q2 Bronze gap Bronze documentation Bronze certification Silver gap Silver funding Silver mitigations Silver documentation Silver audit/certification
Standing on the Shoulders of Others InCommon Assurance Program Website InCommon Assurance Program Website InCommon Assurance Implementers wiki InCommon Assurance Implementers wiki AD Cookbook for Silver Failed Login Counter: Possible shared investment Multi-factor Guidance Va Tech Case Study Password Entropy Calculators
Join the Club! Make a community contribution to the Assurance Wiki Participate on the mailing list Join the monthly calls Contribute to the reading of the Bronze spec starting this fall
Your Presenters Dedra Chamberlin Deputy Director, Identity and Access Management University of California – Berkeley email@example.com 510.642.8706 Ann West Assistant Director for InCommon Assurance and Community Internet2 firstname.lastname@example.org 906.487.1726