Copyright Ian Taylor 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes.

1 Copyright Ian Taylor 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Management Issues with Risk Assessments and Establishing Levels of Assurance
Ian Taylor, Manager, Security Middleware Unit, Computing and Communications, University of Washington

3 Today’s Discussion
- Overview of the IAM context at the University of Washington
- “Explore how to do risk assessments”
- Drivers for Levels of Assurance
- User Perspective
- Exploring the Solution Space

4 UW’s Environment: CENTRALIZED IT
- Large central IT organization (~600 staff)
- All networking infrastructure
- Data Center
- All major business applications, web hosting
- Identity and Access Management, directory services, etc.

5 UW’s Environment: DECENTRALIZED IT
- Central business units
- Academic units
- Research centers
- Many different groups on campus create or purchase software applications
- Central IT has little or no control over what departments do
- Some of them invent authentication/authorization solutions

6 UW’s Environment: Many diverse populations
- 80,000+ Faculty, Staff and Students (18,000 Med Center Employees)
- 500,000+ Alumni and Affiliates
- 1,000,000+ Patients
- Other diverse populations (Cascadia Community College, WA State K-12 students, Library Patrons, etc.)

7 UW’s Enterprise Credential (UW NetID)
A large amount of effort has gone into making the UW NetID UW’s single enterprise credential.
- More than 360,000 active UW NetIDs
- 300,000+ more potential users (1,300,000+ if we include patients)
- Our credentials are stored in both Kerberos and Windows AD
- We have 5 different UW NetID Types (not to be confused with LoAs!)

8 UW NetID Types
- Personal UW NetID – A UW affiliated individual’s key to online resources at the UW and beyond
- Shared UW NetID – Used to share centrally maintained UW computing services such as departmental websites
- Temporary UW NetID – Used to provide temporary access to services via the UW NetID system
- Application UW NetID – Applications/services that need to authenticate and can’t use X.509 certificates
- Reserved UW NetID – UW NetIDs that can’t authn (e.g. root, mailing lists, etc.)

9 Warning! LEAVING THE COMFORT ZONE

10 What LoAs does the UW NetID Support?
One size fits all… well, almost!
- ~7,400 people have 2-factor authn (SecurID)
- We support a group of EAuth level 1 credentials (very small test group)

11 “Explore How to do Risk Assessments”
“Risk-level Assessment is a management technique used to determine the level of exposure associated with unauthorized use of a resource. In the security area, risk-level assessments have a broader use associated with relative priorities and mitigation plans for protecting an institution’s information assets.”

12 Risk Assessment at UW
- Is currently instinctive (all art, no craft) with little or no formal process (which is not much of a problem, since we have only 2 levels of assurance :-)
- Needs to improve since we KNOW we need to institute more levels of assurance
- How to do it?

13 Risk
E-Authentication Guidance for Federal Agencies: Risk is a combination of a) the Consequences of exposure (cost, harm, impact) and b) the Likelihood of exposure.

14 Categories of Harm and Impact
- Inconvenience, distress, damage to reputation
- Financial loss or university liability
- Harm to university programs or public interests
- Unauthorized release of sensitive information
- Personal safety
- Civil or criminal violations

15 Risk Levels
- Low impact
- Moderate impact
- High impact
(See pp 8-9 for definitions and illustrations. Disastrous? Or merely Catastrophic?)

16 Whose Job is This?
Who has the expertise to make these judgments?
- Risk Management Office?
- Specialized function within IT organization?
- Inquiring minds …

17 Drivers for LoA
- Compliance Perspective – Supporting federal, state and university policy requirements.
- Business Perspective – Supporting university business needs.

18 Compliance Drivers for LoA
- Regulatory – Government requirements: HIPAA; FERPA; WA State ISB Standards; WA State Security Breach Notification Law (6043) – 37 other states now have this
- Contractual – Liability protection issues: Payment Card Industries / Data Security Standards (PCI/DSS)
- Local Policy and International Standards: E-Authentication; ISO, NIST etc.; University Policy
- Different (sometimes competing) requirements
- Applies to subsets of the NetID populations
- Requirements vary from common sense to unreasonable

19 Business Drivers for LoA
- A subset of applications require a higher assurance level that’s costly to provide
- A subset of apps require a low bar for entrance
- Globally distributed users create ID proofing challenges
- Provide service to individuals with little or no known personal data
- Password restrictions can be potentially unfriendly to certain classes of users

20 The User Perspective
- It’s hard to choose a usable password!
- Why do I have to keep changing my password?
- Why do I have to give my personal information?
- What do you mean I have to come show my picture ID?
- What do I need to do to access application ____?

21 Exploring the Solution Space
- A formal process for performing Risk Assessments
- A well defined set of LoAs
- A set of NetID attributes used to determine LoA
- A user portal that reports and explains current LoA
- Clearly defined standards for when each LoA is required
- Support for LoA in authentication services

22 How are LoAs Assigned?
- A rollup of attributes that define the level of assurance? Or the attributes themselves?
- As attribute values change, LoA may decrease
- Typically the only way LoA increases is when new ID proofing is done accompanied by a password change, or when additional factors are given at authentication time

23 Attributes that Define LoA
- Type of Identity Proofing
- # of failed authentications
- Password strength
- Password age
- Is Compromised?
- Multiple factor authentication?

24 Types of Identity Proofing
High Assurance ID Proofing:
- Photo ID in person
- Notarized Photo ID via mail/fax
- Phone verified (5 or more pieces of info)
- PAC by mail
Low Assurance:
- Phone verified (2 pieces of info minimum)
- verified
- Verified by trusted member

25 UW NetID Levels of Assurance (Conceptual)
NOTE: This does not reflect the current state of the UW NetID. The UW does not yet have plans to implement this or any other LoA scheme.
- Level F – Compromised IDs and other IDs that are not allowed to authn
- Level E – Shared and temporary IDs that have little or no assurance
- Level C – Low assurance personal UW NetIDs that have minimal ID proofing
- Level B – Higher assurance Personal IDs that have stronger ID proofing. Compliant with EAuth Level 2.
- Level A – High assurance Personal IDs that authn with a 2nd factor (SecurID for now). Compliant with EAuth Level 3.
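As an added illustration, not part of Ian Taylor's slides and not how the UW NetID actually works, here is a Python sketch of the rollup described on slides 22 to 25: slide 23's attributes are folded into one of slide 25's conceptual levels, and slide 22's rule is applied so that attribute drift only ever lowers a level while raising it takes fresh ID proofing plus a password change, or an extra factor presented at authentication time. All thresholds, the attribute and proofing-method names, and the placement of Application NetIDs at Level E are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Least to most assurance, as listed on slide 25 (no Level D is defined there).
LEVELS = ["F", "E", "C", "B", "A"]

# Slide 24's proofing methods, grouped by the assurance they grant (names assumed).
HIGH_PROOFING = {"photo_id_in_person", "notarized_photo_id", "phone_5_items", "pac_by_mail"}
LOW_PROOFING = {"phone_2_items", "trusted_member"}


@dataclass(frozen=True)
class NetID:
    """Slide 23's LoA attributes plus the NetID type from slide 8."""
    netid_type: str             # personal | shared | temporary | application | reserved
    proofing: Optional[str]     # one of the methods above, or None if never proofed
    failed_authns: int
    password_strength: int      # assumed 0..4 strength score
    password_age_days: int
    compromised: bool
    second_factor: bool         # enrolled for a 2nd factor (SecurID on the slides)


def compute_loa(n: NetID) -> str:
    """Roll the attributes up into one level; every threshold here is assumed."""
    if n.compromised or n.netid_type == "reserved":
        return "F"                       # compromised or not allowed to authn
    if n.netid_type != "personal" or n.proofing not in HIGH_PROOFING | LOW_PROOFING:
        return "E"                       # shared/temporary/application, or unproofed
    hygiene_ok = (n.password_strength >= 3 and n.password_age_days <= 365
                  and n.failed_authns < 10)
    if n.proofing in HIGH_PROOFING and hygiene_ok:
        return "A" if n.second_factor else "B"
    return "C"                           # minimal proofing or degraded hygiene


def next_loa(current: str, n: NetID, *, new_proofing: bool = False,
             password_changed: bool = False, factor_at_authn: bool = False) -> str:
    """Slide 22's rule: attribute drift can lower the level at any time, but it
    rises only with fresh ID proofing plus a password change, or when an extra
    factor is presented at authentication time."""
    target = compute_loa(n)
    if LEVELS.index(target) <= LEVELS.index(current):
        return target                    # decreases always take effect
    if new_proofing and password_changed:
        return target
    if factor_at_authn and n.second_factor:
        return target
    return current                       # otherwise the old level stands
```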

26 More Questions, Comments, Feedback?
Ian Taylor

