Date posted: 16-Dec-2015
Introductions
● Who we are
● Who you are

Topics for Today
● What’s the Problem? Stories from the Field
● Profiles Overview and Gap Analysis
● Profiles to Practice: Business and Technical Implementation Considerations and Sample Timeline
● Resources to Help You
What’s the Problem? Sample Articles
● Deloitte Predictions 2013: Passwords == bad. Strong? 5 hours to crack
● Phishing
● Bad habits: same password on multiple sites; online sources of cracked passwords
● Cell encouraging numbers-only passwords
● Bad practices: Yahoo recycling email addresses
Is This a Case for Multifactor? What questions should we be asking?
● How can I address phishing?
● How can I protect against inappropriate reassignment?
● How can I ensure the right physical person is using that password?
InCommon’s Identity Assurance Framework and Profiles provide a step-wise, standards-based way to address these questions.
Components of Assurance

Risk                       | Assurance component that mitigates it
Fraudulently obtained      | Identity proofing + credential management: vetting process, Subject attributes, record keeping
Inappropriate reassignment | Credential management: Token issuance & revocation, binding of Token to Subject, secure infrastructure, record keeping
Stolen or shared           | Token technologies (shown on an “effort to mitigate” axis): additional factors (biometric, geolocation, ...); multi-factor (PIN + token); second factor (OTP, “phone factor”, 2nd password); password/passphrase
Providing Credentials for your Credentials
● 2004: USG defines 4 Levels of Assurance (NIST 800-63)
● 2009: USG Identity, Credential and Access Management (ICAM)
  ○ Certifies trust frameworks to interact with the USG agencies
  ○ Determines comparability with 800-63
● 2011: InCommon ICAM Trust Provider
  ○ Higher Ed developed, USG approved
  ○ Bronze comparable to NIST LoA 1
  ○ Silver comparable to NIST LoA 2
Stronger Authentication at UCB – Adopt Me Please?
● IAM Systems review – Burton report
● Pre-InCommon Assurance and campus data classification
● Still a perceived need to “tighten” assurance
● Finding a cost-effective solution
CAS Second-Level Authentication
● Much easier and less expensive to deploy than two-factor
● Developed as a contribution to the existing CAS open source initiative
● User to supply a second “secret” for sensitive apps
● CAS Second Level Overview
● One line code change for apps already integrated with CAS
Adoption, or not…
● Adoption Round 1 – It’s the right thing to do
● Adoption Round 2 – You have to do it
● The bet
UC Trust Compliance and InCommon Silver
● UC Trust Federation - Basic Assurance
● Decision to convert to InC Silver
● System-wide gap analysis
● System-wide HR replacement
● Still no decision - likely deferred
● How to prioritize and align resources?
03/08/2012
It’s All About Identity Assurance
Assurance: a positive declaration intended to give confidence; a promise.
Identity Assurance: the ability for a party to determine, with some level of certainty, that an electronic credential representing a person can be trusted to actually belong to that person.
Risk Management Perspective
● Understanding the risk: Compliance, Financial, Reputational
● Choosing to invest in mitigation: Idaho and HIPAA fine
Relevant Assurance Docs

InCommon – Higher Ed
● Identity Assurance Assessment Framework
● Identity Assurance Profiles: Bronze (Level 1), Silver (Level 2)
● Certification: Legal Addendum
● Privacy criteria from ICAM

OMB/NIST – Federal Agencies
● OMB M-04-04, E-Authentication Guidance for Federal Agencies: maps risk to four levels of assurance
● NIST 800-63, E-Authentication Guidelines: describes how to implement the four levels
InCommon Bronze: Common Sense
● Assign Responsibility for IdM
● Establish Policy for IdM
● Harden Password Management
● Harden Credential Technology Infrastructure
● Optional Compliance: Perform Self Assessment
InCommon Silver: Critical Business
● Strengthen Identity Proofing and Registration
● Enforce Strong Passwords (or Deploy MFA)
● Further Harden Password Management
● Harden Technical Infrastructure
● Optional Compliance: Obtain Independent Audit
A Note on Compliance
● Using Profiles is free, downloading is free
● Compliance will be required when federating with:
  ○ US Government
  ○ Other InCommon Service Providers requesting an InCommon Profile
Pros
● Published on Federal and InCommon website
● Shows good practice to your service providers
● Bronze is free; Silver is good biz practice

Cons
● Due diligence – more work
● Silver requires audit and fee to be certified
● Business, Policy and Operational Criteria
● Registration and Identity Proofing
● Credential Technology
● Credential Issuance and Management
● Authentication Process
● Identity Information Management
● Assertion Content
● Technical Environment
InCommon Identity Assurance Profiles
Functional Area / Criteria (columns: Bronze, Silver)

4.2.1 Business, Policy and Operational Criteria
.1 InCommon Participant
.2 Notification to InCommon
.3 Continuing Compliance
.4 IdPO Risk Management

Profile Specifics

4.2.2 Registration and Identity Proofing
.1 RA Authentication
.2 Identity Verification Process
.3 Registration Records
.4 Identity Proofing
.4.1 Existing Relationship
.4.2 In-person Proofing
.4.3 Remote Proofing
.5 Address of Record Confirmation
.6 Protection of Personally Identifiable Information

4.2.3 Credential Technology
.1 Credential Unique Identifier
.2 Basic Resistance to Guessing Authentication Secret
.3 Strong Resistance to Guessing Authentication Secret
.4 Stored Authentication Secrets
.5 Basic Protection of Authentication Secrets
.6 Strong Protection of Authentication Secrets

4.2.4 Credential Issuance and Management
.1 Credential Issuance
.2 Credential Revocation or Expiration
.3 Credential Renewal or Re-issuance
.4 Credential Issuance Records Retention
.5 Resist Token Issuance Tampering Threat

4.2.5 Authentication Process
.1 Resist Replay Attack
.2 Resist Eavesdropper Attack
.3 Secure Communication
.4 Proof of Possession
.5 Resist Session Hijacking Threat
.6 Mitigate Risk of Credential Compromise

4.2.6 Identity Information Management
.1 Identity Record Qualification

4.2.7 Assertion Content
.1 Identity Attributes
.2 Identity Assertion Qualifier
.3 Cryptographic Security

4.2.8 Technical Environment
.1 Software Maintenance
.2 Network Security
.3 Physical Security
.4 Reliable Operations
Find the Gaps
● Review the IAP table
● Where are you likely to find gaps?
  ○ Business process, documentation
  ○ Credential management
● Who needs to help fill them?
  ○ Systems of Record representatives, Service Desk
  ○ Central IT – security, credential managers, systems teams
● When should you engage them?
● Estimating resources and timelines – sample gap analysis chart
Business Process Considerations
● On-boarding and the IdPO
  ○ ID proofing and bootstrapping the digital credential
  ○ HR, delegated admins or both
  ○ The “CalNet Deputy” model and CalNet Deputy Training
● Remote proofing
● Re-issuance
● Security questions?
● User education and awareness
Password/passphrase Entropy
● Password complexity
● Dictionary checks
● Expiration
● Lockouts
● Failed login counter
● Entropy Calculators
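An added example (not from the slides or from InCommon) that ties the entropy calculator, lockout, failed-login-counter and expiration items above together: it estimates a password's guessing entropy with the per-position heuristic from NIST SP 800-63 Appendix A, then checks whether a given lockout policy keeps an online attacker's success probability below the target. Assumptions: the composition and dictionary bonuses are simplified to flat values (the standard's Table A.1 tapers them), and the Bronze/Silver targets are taken to be the NIST LoA 1 / LoA 2 values of 2^-10 and 2^-14; `LockoutPolicy`, `meets_profile` and the sample password are constructed here.

```python
from dataclasses import dataclass

def nist_appendix_a_entropy(password: str, composition_rule: bool = False,
                            dictionary_check: bool = False) -> float:
    """Rough guessing entropy (bits) of a user-chosen password, using the
    per-position values from NIST SP 800-63 Appendix A (4 bits for the first
    character, 2 each for characters 2-8, 1.5 each for 9-20, 1 each beyond).
    Bonuses are simplified here (assumption; Table A.1 tapers them): flat +6
    for an enforced upper-case + non-alphabetic composition rule, flat +6 for
    an extensive dictionary check on passwords of at most 20 characters."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if composition_rule:
        bits += 6.0
    if dictionary_check and len(password) <= 20:
        bits += 6.0
    return bits

@dataclass(frozen=True)
class LockoutPolicy:
    """Failed-login-counter settings that cap an online guessing attack."""
    max_failures: int      # failed attempts allowed per window before lockout
    window_minutes: float  # lockout / counter-reset window
    lifetime_days: float   # password expiration: how long a guess stays useful

def online_guess_probability(entropy_bits: float, policy: LockoutPolicy) -> float:
    """Upper bound on an online attacker's success: the share of the password
    space the lockout budget lets them try over the password's lifetime."""
    windows = policy.lifetime_days * 24 * 60 / policy.window_minutes
    return min(1.0, windows * policy.max_failures / 2.0 ** entropy_bits)

# Assumed targets, taken from NIST SP 800-63: LoA 1 (Bronze) 2^-10, LoA 2 (Silver) 2^-14.
TARGETS = {"bronze": 2.0 ** -10, "silver": 2.0 ** -14}

def meets_profile(password: str, policy: LockoutPolicy, profile: str, **rules) -> bool:
    bits = nist_appendix_a_entropy(password, **rules)
    return online_guess_probability(bits, policy) <= TARGETS[profile]

if __name__ == "__main__":
    lenient = LockoutPolicy(max_failures=10, window_minutes=15, lifetime_days=180)  # constructed policy
    for rules in ({}, {"composition_rule": True, "dictionary_check": True}):
        print(rules, meets_profile("Winter12", lenient, "bronze", **rules))  # constructed sample password
```

With a 10-failures-per-15-minute counter and a 180-day lifetime, an 8-character password meets the Bronze target only once the composition and dictionary rules are in force; tightening the window to a day is what brings the same password under the Silver target.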
Credential Management
● Where is the verifier used?
● Certify other systems?
● Downgrade credentials?
● UCB proxied authentication guidelines
Stronger Credential Options
● Second credential
● Multi-factor
● Related application level concerns
  ○ For entire app?
  ○ For some roles?
Technical Environment
● Campus minimum standards if you have them: https://security.berkeley.edu/taxonomy/term/71
● Industry standards - CIS Benchmarks
Considering Your Audience
● Elevator pitches for:
  ○ Audit (if not for certification)
  ○ IT Executives
  ○ IT Security
  ○ Functional Owners (HR, Controller, Student System)
Sample Timeline (chart over six quarters, Q1 Q2 Q3 Q4 Q1 Q2; rows in order): Bronze gap; Bronze documentation; Bronze certification; Silver gap; Silver funding; Silver mitigations; Silver documentation; Silver audit/certification
Standing on the Shoulders of Others
● InCommon Assurance Program Website
● InCommon Assurance Implementers wiki
● AD Cookbook for Silver
● Failed Login Counter: possible shared investment
● Multi-factor Guidance
● Va Tech Case Study
● Password Entropy Calculators
Join the Club!
● Make a community contribution to the Assurance Wiki
● Participate on the mailing list
● Join the monthly calls
● Contribute to the reading of the Bronze spec starting this fall
Your Presenters

Dedra Chamberlin
Deputy Director, Identity and Access Management
University of California – Berkeley
510.642.8706

Ann West
Assistant Director for InCommon Assurance and Community
Internet2
906.487.1726