LoA In Electronic Identity Jasig Dallas 2009 1 Levels of Assurance In Electronic Identity Considerations for Implementation Benjamin Oshrin Rutgers University.

Slides:



Advertisements
Similar presentations
PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Advertisements

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,
Password Policy: Update Recommendations Identity & Access Management Committee September, 2012.
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.
Functional component terminology - thoughts C. Tilton.
Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.
EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Security Controls – What Works
Levels of Assurance OGF Activity Michael Helm ESnet/LBNL 27 Feb 2007.
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
Information Security Policies and Standards
1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Meeting InCommon Silver Profile Standards at UCD and UCB Bob Ono, UC Davis, Dedra Chamberlin, UC Berkeley, David Walker, UC Davis, Doreen Meyer, UC Davis.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Intra-ASEAN Secure Transactions Framework Project Progress Report
Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security.
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.
Federal Requirements for Credential Assessments Renee Shuey ITS – Penn State February 6, 2007.
Joining the Federal Federation: a Campus Perspective Institute for Computer Policy and Law June 29, 2005 Andrea Beesing IT Security Office.
Policy, Trust and Technology Mitigating Risk in the Digital World David L. Wasley Camp 2006 © David L. Wasley, 2006.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,
U.S. Department of Justice Drug Enforcement Administration Office of Diversion Control Electronic Prescriptions for Controlled Substances June 1, 2010.
The InCommon Federation The U.S. Access and Identity Management Federation
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
ITU-T X.1254 | ISO/IEC An Overview of the Entity Authentication Assurance Framework.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
Levels of Assurance in Authentication Tim Polk April 24, 2007.
Ning Zhang, the University of Manchester, UK David Groep, National Institute for Nuclear and High Energy Physics, NL Blair Dillaway, OGF Security Area.
Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 6,
Identity Assurance: When it Matters David L. Wasley Internet2 / InCommon.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
Higher Education PKI Summit Meeting August 8, 2001 The ABA PAG Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information Technology.
Credentialing in Higher Education Michael R Gettes Duke University CAMP, June 2005, Denver Michael R Gettes Duke University
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
1 Federal Identity Management Initiatives Federal Identity Management Initatives David Temoshok Director, Identity Policy and Management GSA Office of.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
E-Authentication Guidance Jeanette Thornton, Office of Management and Budget “Getting to Green with E-Authentication” February 3, 2004 Executive Session.
Preparing For An InCommon Silver Audit – Lessons From the First Phase
Identity on the Internet
Levels of Assurance OGF Activity
SAML New Features and Standardization Status
InCommon Participant Operating Practices: Friend or Foe?
Service Organization Control (SOC)
Electronic Prescriptions for Controlled Substances
Draft ETSI TS Annex C Presented by Michał Tabor for PSD2 Workshop
Red Flags Rule An Introduction County College of Morris
E-Authentication: What Technologies Are Effective?
County HIPAA Review All Rights Reserved 2002.
Federal Requirements for Credential Assessments
InCommon Participant Operating Practices: Friend or Foe?
Appropriate Access InCommon Identity Assurance Profiles
Neopay Practical Guides #2 PSD2 (Should I be worried?)
Technical Issues with Establishing Levels of Assurance
Security in SDR & cognitive radio
Presentation transcript:

LoA In Electronic Identity Jasig Dallas Levels of Assurance In Electronic Identity Considerations for Implementation Benjamin Oshrin Rutgers University March 2009

LoA In Electronic Identity Jasig Dallas About This Presentation Based on what we think we’re going to have to do Discussion about what you think you’re going to have to do (or already are doing) would be valuable

LoA In Electronic Identity Jasig Dallas Table of Contents What Does LoA Mean? NIST Special Publication InCommon, a Higher Ed Federation Considerations For Implementation –Registration –Identity Proofing –Issuance of Credentials –Token and Credential Management –Authentication Processes –Assertions

LoA In Electronic Identity Jasig Dallas What is LoA? “Level of Assurance” –Risk assessment of electronic authentication –ie: How confident you are that the person who is authenticating really is the person who is authenticating LoA is complicated –Weakest component determines overall LoA –Partly calculated at run time due to access methods –Identity proofing generally not robustly done today

LoA In Electronic Identity Jasig Dallas NIST Recommendations NIST is the National Institute of Standards and Technology, a non-regulatory US federal agency NIST Special Publication –Prepared for use by Federal agencies –Use by others is voluntary –Purpose: “This recommendation provides technical guidelines to agencies for the implementation of electronic authentication (e- authentication).” Based on 4 levels of identity assurance, as defined in OMB (E-Authentication Guidance for Federal Agencies)

LoA In Electronic Identity Jasig Dallas OMB Levels of Authentication Intended to assess risks associated with various aspects of e-authentication

LoA In Electronic Identity Jasig Dallas E-Authentication Model Applicant applies to a Registration Authority Registration Authority vets and approves Applicant, who becomes a Subscriber of a Credential Service Provider (possibly same as the RA) Subscriber is issued a token (secret) and credentials (binds token to Subscriber name) Subscriber may participate in identity proofing, to have a verified name, or else use a pseudonym When Subscriber accesses a service, the Subscriber becomes a Claimant accessing a service provided by a Relying Party, and the Claimant’s identity is authenticated by a Verifier (probably the CSP)

LoA In Electronic Identity Jasig Dallas Calculating NIST LoA Level of Assurance is lowest level reached for 5 metrics –Registration and Issuance –Tokens –Token and Credential Management –Authentication Process –Assertions

LoA In Electronic Identity Jasig Dallas Registration and Issuance

LoA In Electronic Identity Jasig Dallas Tokens

LoA In Electronic Identity Jasig Dallas Token and Credential Management

LoA In Electronic Identity Jasig Dallas Authentication Process

LoA In Electronic Identity Jasig Dallas Assertions

LoA In Electronic Identity Jasig Dallas InCommon InCommon is a federation of over 100 higher ed, government, non profit, and commercial organizations –Includes NIH, NSF, TerraGrid, JSTOR, Microsoft, Apple, etc Certifies that IdPs conform to certain standards and may be trusted –Vs a series of point to point agreements Standards are defined as Identity Assurance Profiles (IAPs) Funding agencies may start requiring InCommon IAP

LoA In Electronic Identity Jasig Dallas InCommon IAP Tech Requirements Perform assessment of IdP policies, processes, practices, and controls against IAPs –Assessment of current conditions, not future plans Have assessment reviewed by a “sufficiently independent” IT Auditor Auditor submits report to InCommon Periodic reassessment, and notification upon material changes that could affect compliance (InCommon also requires legal agreements and registration and annual fees of $700/$1000)

LoA In Electronic Identity Jasig Dallas InCommon IAPs Bronze is interoperable with NIST Level 1 Silver is interoperable with NIST Level 2 –Funding agencies, including FAFSA (Financial Aid) are likely to require Level 2/Silver –Bronze is a subset of Silver Can have a mix of users at different levels A given user could be represented at different levels in different contexts No IAP is also possible Additional IAPs may be defined in the future

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors (Overview) Business Policy and Operational Factors Registration and Identity Proofing Digital Electronic Credential Technology Credential Issuance and Management Security and Management of Authentication Events Identity Information Management Identity Assertion Content Technical Environment

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Following factors in addition to appropriate NIST-1,-2 Business Policy and Operational Factors (Bronze, Silver) –IdP Operator is a legal entity, and designated by institutional executive management to provide IdMS services –Post terms, conditions, and privacy policies –Operations audited at least every 24 months

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Business Policy and Operational Factors (Silver) –All security policies and procedures are documented Undocumented procedures not considered –IdP Operator has sufficient staff with sufficient skills to operate according to stated policies and procedures –Outsourced services have written, binding contracts stipulating policies and procedures relevant to IAP –Helpdesk available during regular hours (M-F, 8 hours) –Risk Management Plan Background checks on critical staff ACLs over critical data Strong digital credentials Separation of duties –Logging of critical events, retained for at least 6 months

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Registration and Identity Proofing (Silver) –Identity proofing and registration processes documented (Various requirements of documentation) –Protection of personal identifying information –Retention of registration records for at least 7.5 years past revocation or expiration Identity proofing document numbers Full name Date of birth Current address of record –Ability to recover identifying information from Subject of credentials

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Digital Electronic Credential Technology (Bronze, Silver) –Unique identifiers per Subject –Subject may have multiple Tokens, not vice versa –Subject-changeable shared secret (password, PIN) Resistance to guessing per NIST-1 and -2 standards

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Credential Issuance and Management (Bronze, Silver) –Unique, non-reassignable identifiers –Revocation of credentials to prevent authentication

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Credential Issuance and Management (Silver) –Offer secure, automated mechanism for determining status of credentials, with at least 99% availability (3.65 days of downtime per year) –In the event of attempted compromise of a Subject’s credentials, do not assert Silver until credentials reset and notify Subject 10 or more failed attempts in 10 minutes requires validation backoff, lockout, or non-assertion of Silver –Credential revocation, renewal, re-assertion according to NIST-2

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Security and Management of Authentication Events (Bronze, Silver) –Secure communication, proof of possession, session authentication, protection of secrets, resistance to online guessing, resistance to eavesdropping according to NIST-1 & -2 –Storage of secrets according to NIST-2 (or higher) –Mitigate risk of sharing credentials Reminder of institutional policies Confirmation of sensitive operations via separate channels (eg: ) –Authentication via challenge-response (Bronze only, eg: Digest auth), password tunneled over TLS, zero-knowledge based password (eg: Kerberos)

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Identity Information Management (Silver) –Review of identity attributes required for Silver every 2 years Identity Assertion Content (Silver, Bronze) –Align attribute definitions with InCommon requirements eduPerson Silver, Bronze IAQ Cryptographic security per NIST-2

LoA In Electronic Identity Jasig Dallas IAP Assessment Factors Technical Environment (Silver) –Configuration management Version control Up to date on patches Logging of all software and configuration changes –Network security measures against threats including eavesdropper, replay, verifier impersonation, DNS hijacking, and man-in-the-middle attack; and intrusion detection/prevention –Physical access control and access logs for data center and other sensitive areas –Continuity of operations System failures do not cause false positives Disaster recovery and resistance –Or notification to subjects of absence of such a plan

LoA In Electronic Identity Jasig Dallas References NIST E-Authentication Guidelines – OMB E-Authentication Guidance for Federal Agencies – InCommon Identity Assurance –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.