Presentation is loading. Please wait.

Presentation is loading. Please wait.

Meeting InCommon Silver Profile Standards at UCD and UCB Bob Ono, UC Davis, Dedra Chamberlin, UC Berkeley, David Walker, UC Davis, Doreen Meyer, UC Davis.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Meeting InCommon Silver Profile Standards at UCD and UCB Bob Ono, UC Davis, Dedra Chamberlin, UC Berkeley, David Walker, UC Davis, Doreen Meyer, UC Davis."— Presentation transcript:

1 Meeting InCommon Silver Profile Standards at UCD and UCB Bob Ono, UC Davis, Dedra Chamberlin, UC Berkeley, David Walker, UC Davis, Doreen Meyer, UC Davis

2 Topics  Introduction to InCommon Silver Profile  UCD and UCB Gap Analysis Highlights  UCTrust Basic and InCommon Silver  Roadmap  Resources

3 Introduction to InCommon Silver Profile

4 InCommon In Action at UCD and UCB A UCD or UCB researcher accesses web-based data

5 InCommon In Action at UCD and UCB A UCD or UCB researcher accesses web-based data provides account

6 InCommon In Action at UCD and UCB A UCD or UCB researcher accesses web-based data Calendaring Email Local applications provides account

7 InCommon In Action at UCD and UCB A UCD or UCB researcher accesses web-based data Calendaring Email Local applications provides account applications At Your Service UC Travel (Connexxus) Learning Mgmt. System

8 InCommon In Action at UCD and UCB A UCD or UCB researcher accesses web-based data Calendaring Email Local applications applications At Your Service UC Travel (Connexxus) Learning Mgmt. System provides account applications DOE apps NSF apps NIH apps

9 InCommon In Action at UCD and UCB A UCD or UCB researcher accesses web-based data Calendaring Email Local applications applications At Your Service UC Travel (Connexxus) Learning Mgmt. System provides account applications DOE apps NSF apps NIH apps

10 InCommon, UC, And Moving To Silver  InCommon framework ensures that UC campuses are adequately protecting staff and faculty identities and sensitive data.  InCommon framework is consistent with the research mission of UCOP, facilitating collaboration among campuses and Federal institutions.  By acting now, UC will be in alignment with significant Federal agencies and educational institutions, and can strengthen the UCTrust Basic framework.

11 InCommon Framework Is Based On Federal Guidelines  Federal Guidelines include  NIST Special Publication 800-63 NIST Special Publication 800-63  Level of Assurance 2 (LOA2) as defined in OMB-04-04 and FIPS 199.  LOA2: “On balance, confidence exists that the asserted identity is accurate”.

12 InCommon Identity Assurance Program  Functional areas define the standards.  Identity Providers address how to meet them.  For each functional area, identify the gaps between  UC location identity management infrastructure and  the InCommon Silver profile Identity Assurance Functional Areas Business, Policy, and Operational Factors 4.2.1 Identity Proofing 4.2.2 Electronic Credential Technology 4.2.3 Credential Issuance 4.2.4 Authentication Events 4.2.5 Identity Information Management 4.2.6 Identity Assertion Content 4.2.7 Technical Environment 4.2.8

13 Identity Management Functional Model Identity Assurance Functional Areas Business, Policy, and Operational Factors 4.2.1 Identity Proofing 4.2.2 Electronic Credential Technology 4.2.3 Credential Issuance 4.2.4 Authentication Events 4.2.5 Identity Information Management 4.2.6 Identity Assertion Content 4.2.7 Technical Environment 4.2.8

14 UCD and UCB Gap Analysis Highlights

15 Approach for Meeting InCommon Silver Standards  Gap Analysis: Determine gaps between standards; determine effort to meet gaps.  Next step: Identify participants from relevant business and technical areas.  Then: Select initial tasks based on available resources and relative complexity. Local UCB and UCD Standards InCommon Silver Standards

16 Summary of Gap Analysis for UC Davis and UC Berkeley (1.1) Audit CategoryUC DavisUC Berkeley Business, Policy, and Operational Factors 4.2.1 Identity Proofing 4.2.2 Electronic Credential Technology 4.2.3 Credential Issuance 4.2.4 Authentication Events 4.2.5 Identity Information Management 4.2.6 Identity Assertion Content 4.2.7 Technical Environment 4.2.8 > 60 days < 60 days complete

17 Business, Policy, and Operational Factors (4.2.1) Purpose: Must be an InCommon Participant in good standing. > 60 days < 60 days complete GapWhoTypeUCD Effort UCB Effort No outstanding gap.

18 Registration and Identity Proofing (4.2.2) GapWhoTypeUCD Effort UCB Effort Improve Account Deputy Program procedures for in person proofing IT, Depts. Business Process, Technical Improve Remote proofing program IT, Depts Business Process, Technical Purpose: Identity proofing is based on government issued ID or public records. Verified information is used to create a record for the Subject. > 60 days < 60 days complete

19 Credential Technology (4.2.3) GapWhoTypeUCD Effort UCB Effort Password lockout and mgmt. compliant with NIST entropy calculations ITTech., Business Process Protect Authentication Secrets: Minimize risk of exposure of Secrets to non-IDP services. ITTech., Business Process Purpose:. If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements. > 60 days < 60 days complete

20 Credential Issuance and Management (4.2.4) GapWhoTypeUCD Effort UCB Effort Same Subject during registration and Credential issuance IT, HR, Payroll Tech., Business Process Improvements in revoking, renewing, and reissuing Credentials ITTech., Business Process Maintain logs 180 days after Credential expires ITTech. Purpose: The authentication Credential must be bound to the physical Subject and to the IdMS record pertaining to that Subject > 60 days < 60 days complete

21 Authentication Events (4.2.5) GapWhoTypeUCD Effort UCB Effort Send periodic reminders to Subjects about sharing and security ITBusiness Process, Tech. Email confirmation of transaction to Subject ITTech. Purpose: The Subject proves that he or she is the holder of a Credential, enabling the subsequent issuance of Assertions. > 60 days < 60 days complete

22 Identity Information Management (4.2.6) Purpose: Subject records must be managed appropriately so that Assertions [issued by UCD or UDB] are valid GapWhoTypeUCD Effort UCB Effort No outstanding gap. > 60 days < 60 days complete

23 Identity Assertion Content (4.2.7) GapWhoTypeUCD Effort UCB Effort Establish procedures for assigning certified IAQs to assertions ITDocumen- tation Purpose: have processes in place to ensure that information about a Subject’s identity conveyed in an Assertion of identity to an SP is from an authoritative source. > 60 days < 60 days complete

24 Technical Environment (4.2.8) GapWhoTypeUCD Effort UCB Effort Inventory internal IdP systems for any communications outside of IST infrastructure ITDocumen- tation Purpose: Resist potential technical threats that might result in false assertions of identity Statement 4.2.8.2.1: Appropriate measures shall be used to protect the confidentiality and integrity of network communications supporting IdMS operations. > 60 days < 60 days complete

25 UCTrust Basic and InCommon Silver

26 Comparing the UCTrust Basic and InCommon Silver Framework  It is possible to replace most but not all of UCTrust Basic with InCommon Silver policy.  InCommon Silver policy has more specific requirements for IdP than UCTrust Basic. InCommon Silver’s IdP requirements can replace UCTrust Basic’s IdP requirements.  InCommon Silver does not have requirements for Service Providers; UCTrust Basic does have requirements for Service Providers.  InCommon Silver requires an audit; UCTrust Basic does not require an audit.

27 Comparing The UCTrust Basic and InCommon Silver Certification Models IdP Operator IdP Operation UCTrust Service Provider Assertion with appropriate IAQs IdPO Certification IdP Certification Status

28 Comparing The UCTrust Basic and InCommon Silver Certification Models IdP Operator IdP Operation InCommon Service Provider Assertion with appropriate IAQs IdPO Certification IdP Certification Status

29 Comparing The UCTrust Basic and InCommon Silver Certification Models IdP Operator IdP Operation InCommon Service Provider Assertion with appropriate IAQs IdPO Certification IdP Certification Status

30 Comparing The UCTrust Basic and InCommon Silver Certification Models IdP Operator IdP Operation In Common Service Provider Assertion with appropriate IAQs IdP Certification Status Summary Report Auditor IdP Certification Status Detailed and Summary IdPO Certification

31 Roadmap For Moving To Silver Roadmap to using InCommon Silver profile identities for UCTrust and InCommon applications

32 InCommon Silver Roadmap: Past Work  UC Trust Working Group discussed issues, including how to proceed (December 2010-March 2011)  UC Berkeley and UC Davis performed a gap analysis and a level of effort analysis (October 2010 - March 2011)  UC Berkeley and UC Davis participated with CIC (Virginia Tech and Indiana U) on a joint panel presentation at the Educause Security Professionals Conference in April 2011.  UCTrust Working Group provided feedback to the InCommon Federation TAC on their 1.1 draft documents via David Walker (December 2010 – March 2011)  ITPS and UCTrust Working Group are discussing InCommon Silver in April 2011

33 InCommon Silver Roadmap Spring 2011  Ask each campus location to perform a high level gap analysis and report results to the UCTrust Working Group by mid-May. (See slide 16).  ITPS and UCTrust Working Group to share high level gap analysis and proposed project plan to move to InCommon Silver with the ITLC at June 2011 meeting

34 InCommon Silver Roadmap: Next Steps If Plan is Approved  Each UC location to perform a detailed gap analysis and create their local project plan for InCommon Silver certification and report results to their CIO. UCTrust will collect the UC location project plans.  Based on the UC location project plans, ITPS and UCTrust Working Group to provide a UC-wide plan to ITLC.

35 InCommon Silver Roadmap: Next Steps  UCTrust Working Group to update the UCTrust Policy document to align with the use of InCommon Silver Policy for IdP’s and UCTrust Basic Policy for Service Providers  UC locations to initiate work to meet InCommon Silver profile standards.  UCTrust Working Group to ask SPs to accept InCommon Silver and UCTrust assertions  UC locations run a campus audit to meet InCommon Silver profile standards, then request certification from InCommon Federation.

36 InCommon Silver Roadmap: Next Steps  After approval from InCommon Federation, UC locations can begin to use InCommon Silver identities for UCTrust and InCommon applications.  UCTrust Working Group to tell SPs that they no longer need to accept UCTrust Basic assertions

37 Resources

38 InCommon Resources at http://incommonfederation.org  Case Studies - learn what has worked for others ( ITunesU)  Collaboration Groups – focus on the issues that are of most value to your institution  CAMP – learn how to get started  Toolkits – use well-developed materials to state your case  InCommon Identity Assurance Program  Also CIC InCommon Silver Project – Phase 1 reportCIC InCommon Silver Project – Phase 1 report

39 UCTrust Resources  UCTrust http://www.ucop.edu/irc/itlc/uctrust/http://www.ucop.edu/irc/itlc/uctrust/  UCTrust University of California Identity Management Federation Service Description and Policies http://www.ucop.edu/irc/itlc/uctrust/trustpolicy032707.html UCTrust University of California Identity Management Federation Service Description and Policies

40 Questions and Contact Information  Bob Ono, UC Davis, raono@ucdavis.eduraono@ucdavis.edu  Dedra Chamberlin,UC Berkeley, dedra@berkeley.edudedra@berkeley.edu  David Walker, UC Davis, dhwalker@ucdavis.edu  Doreen Meyer, UC Davis, dimeyer@ucdavis.edudimeyer@ucdavis.edu

41 Additional Information for Review

42 Federal Assurance Framework LOA2 Adopted by InCommon and UCTrust  Level of Assurance (LOA) is based on a risk assessment of unauthorized access, authentication error, or credential misuse Risk criteria (OMB-04-04) include:  Inconvenience, distress, or damage to reputation  Financial loss or liability  Harm to agency programs or public interest  Unauthorized release of sensitive information  Personal safety  Civil or criminal violations

43 Levels of Assurance (LOA) at UC Campuses Lower Risk of Unauthorized Access Higher Risk of Unauthorized Access Sample applicationsLocal UC email, wireless network, workstation login, calendaring NSF, DOE, NIH apps, UCTrust apps Identity Proofing, Credential Issuance self-assertedGovernment photo ID verified Authentication Methods User name and password Multi-factor authentication

44 KEY Gap: Category (4.2.criteria section number) GapWhoTypeEffort Issues requiring significant effort for a particular audit category (from UCD and/or UCB analysis) Units to resolve issue IT Information Technology including IdM HR Human Resources IA Internal Audit Dept. Campus Depts. Type of Work Business Process, Documen- tation, Technical Color code repre- senting level of effort in days. Key at top right. > 60 days < 60 days complete

45 InCommon  InCommon provides a framework of shared policies, trust- establishing processes, and technology standards for universities and service partners to follow.

Download ppt "Meeting InCommon Silver Profile Standards at UCD and UCB Bob Ono, UC Davis, Dedra Chamberlin, UC Berkeley, David Walker, UC Davis, Doreen Meyer, UC Davis."

Similar presentations

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.

PKI and LOA Establishing a Basis for Trust David L. Wasley PKI Deployment Forum April 2008.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.

1 The Challenges of Creating an Identity Management Infrastructure for the University of California David Walker Karl Heins Office of the President University.
Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,

Bronze and Silver Identity Assurance Profiles for Technical Implementers Tom Barton Senior Director for Integration University of Chicago Jim Green Manager,
Going for the Silver Winter 2010 CSG January 13, 2010.

Going for the Silver Winter 2010 CSG January 13, 2010.
Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker

Identity Assurance at Virginia Tech CSG January 13, 2010 Mary Dunker
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Federal Identity Management

Federal Identity Management
InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker.

InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker.
Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.

Getting to Silver: Practical Matters for CIC Universities Tom Barton University of Chicago © 2009 The University of Chicago.
Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.

Enterprise Architecture 2014 EAAF as a vehicle for LoA Using EAAF processes to incrementally approach InCommon/UCTrust certification.
EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.

EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.
Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.

Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.
Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.

Technical Issues with Establishing Levels of Assurance Zephyr McLaughlin Lead, Security Middleware Computing & Communications University of Washington.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation.

1 Enabling Open Government Using the OIDF/ICF Open Trust Framework OASIS Identity Management 2009 September 29, 2009 Don Thibeau, ED, OpenID Foundation.
Security Controls – What Works

Security Controls – What Works
1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.
Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.

Federal Information Processing Standard (FIPS) 201, Personal Identity Verification for Federal Employees and Contractors Tim Polk May.
Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Federated Identity, Levels of Assurance, and the InCommon Silver Certification Jim Green Identity Management Academic Technology Services © Michigan State.

Similar presentations

Ads by Google