EDUCAUSE Best Practices Build Better Systems Ann West, InCommon Dedra Chamberlin, UC Berkeley.

Date post: 16-Dec-2015

EDUCAUSE Best Practices Build Better Systems
Ann West, InCommon
Dedra Chamberlin, UC Berkeley

Introductions
● Who we are
● Who you are
● Topics for Today

Topics for Today
● What's the Problem?
● Stories from the Field
● Profiles Overview and Gap Analysis
● Profiles to Practice: Business and Technical Implementation Considerations and Sample Timeline
● Resources to Help You

What’s the Problem and Why Should You be Worrying?

Deloitte Predictions 2013
● Passwords == bad
● Strong? 5 hours to crack
● Phishing
● Bad habits
  ○ Same password on multiple sites
  ○ Online sources of cracked passwords
  ○ Cell phones encouraging numbers-only passwords
● Bad practices
  ○ Yahoo recycling email addresses
● Sample Articles

Is This a Case for Multifactor?
What questions should we be asking?
● How can I address phishing?
● How can I protect against inappropriate reassignment?
● How can I ensure the right physical person is using that password?

InCommon's Identity Assurance Framework and Profiles provide a step-wise, standards-based way to address these questions.

Components of Assurance

Risk                         Assurance component that mitigates it
Fraudulently obtained        Identity proofing + credential management
                             ● Vetting process, Subject attributes, record keeping
Inappropriate reassignment   Credential management
                             ● Token issuance & revocation, binding of Token to Subject, secure infrastructure, record keeping
Stolen or shared             Token technologies
                             ● Additional factors (biometric, geolocation, ...)
                             ● Multi-factor (PIN + token)
                             ● Second factor (OTP, "phone factor", 2nd password)
                             ● Password/passphrase

(Axis label on the slide: Effort to mitigate)

Providing Credentials for your Credentials
● 2004: USG defines 4 Levels of Assurance (NIST 800-63)
● 2009: USG Identity, Credential and Access Management (ICAM)
  ○ Certifies trust frameworks to interact with the USG agencies
  ○ Determines comparability with 800-63
● 2011: InCommon approved as an ICAM Trust Framework Provider
  ○ Higher Ed developed, USG approved
  ○ Bronze comparable to NIST LoA 1
  ○ Silver comparable to NIST LoA 2

What Guidance are You Using?

Stories from the Field

Stronger Authentication at UCB – Adopt Me Please?
● IAM Systems review – Burton report
● Pre-InCommon Assurance and campus data classification
● Still a perceived need to "tighten" assurance
● Finding a cost-effective solution

CAS Second-Level Authentication
● Much easier and less expensive to deploy than two-factor
● Developed as a contribution to the existing CAS open source initiative
● User supplies a second "secret" for sensitive apps
● CAS Second Level Overview
● One-line code change for apps already integrated with CAS

Adoption, or not…
● Adoption Round 1 – It's the right thing to do
● Adoption Round 2 – You have to do it
● The bet

Conceding Defeat

UC Trust Compliance and InCommon Silver
● UC Trust Federation – Basic Assurance
● Decision to convert to InCommon Silver
● System-wide gap analysis
● System-wide HR replacement
● Still no decision – likely deferred
● How to prioritize and align resources?

Your Stories from the Field?

The InCommon Assurance Profiles

03/08/2012

It's All About Identity Assurance
Assurance: a positive declaration intended to give confidence; a promise.
Identity Assurance: the ability for a party to determine, with some level of certainty, that an electronic credential representing a person can be trusted to actually belong to that person.

Risk Management Perspective
● Understanding the risk
  ○ Compliance
  ○ Financial
  ○ Reputational
● Choosing to invest in mitigation
  ○ Idaho and the HIPAA fine

InCommon Bronze: Common Sense
● Assign Responsibility for IdM
● Establish Policy for IdM
● Harden Password Management
● Harden Credential Technology Infrastructure
● Optional Compliance: Perform Self Assessment

InCommon Silver: Critical Business
● Strengthen Identity Proofing and Registration
● Enforce Strong Passwords (or Deploy MFA)
● Further Harden Password Management
● Harden Technical Infrastructure
● Optional Compliance: Obtain Independent Audit

A Note on Compliance
● Using the Profiles is free; downloading is free
● Compliance will be required when federating with:
  ○ US Government
  ○ Other InCommon Service Providers requesting an InCommon Profile

Pros
● Published on the Federal and InCommon websites
● Shows good practice to your service providers
● Bronze is free; Silver is good business practice
Cons
● Due diligence – more work
● Silver requires an audit and a fee to be certified

Functional Areas of the Profiles
● Business, Policy and Operational Criteria
● Registration and Identity Proofing
● Credential Technology
● Credential Issuance and Management
● Authentication Process
● Identity Information Management
● Assertion Content
● Technical Environment


InCommon Identity Assurance Profiles: Profile Specifics

Functional Area / Criteria (the IAP table marks each criterion as required for Bronze, Silver, or both)

4.2.1 Business, Policy and Operational Criteria
  4.2.1.1 InCommon Participant
  4.2.1.2 Notification to InCommon
  4.2.1.3 Continuing Compliance
  4.2.1.4 IdPO Risk Management

4.2.2 Registration and Identity Proofing
  4.2.2.1 RA Authentication
  4.2.2.2 Identity Verification Process
  4.2.2.3 Registration Records
  4.2.2.4 Identity Proofing
    4.2.2.4.1 Existing Relationship
    4.2.2.4.2 In-person Proofing
    4.2.2.4.3 Remote Proofing
  4.2.2.5 Address of Record Confirmation
  4.2.2.6 Protection of Personally Identifiable Information

4.2.3 Credential Technology
  4.2.3.1 Credential Unique Identifier
  4.2.3.2 Basic Resistance to Guessing Authentication Secret
  4.2.3.3 Strong Resistance to Guessing Authentication Secret
  4.2.3.4 Stored Authentication Secrets
  4.2.3.5 Basic Protection of Authentication Secrets
  4.2.3.6 Strong Protection of Authentication Secrets

4.2.4 Credential Issuance and Management
  4.2.4.1 Credential Issuance
  4.2.4.2 Credential Revocation or Expiration
  4.2.4.3 Credential Renewal or Re-issuance
  4.2.4.4 Credential Issuance Records Retention
  4.2.4.5 Resist Token Issuance Tampering Threat

4.2.5 Authentication Process
  4.2.5.1 Resist Replay Attack
  4.2.5.2 Resist Eavesdropper Attack
  4.2.5.3 Secure Communication
  4.2.5.4 Proof of Possession
  4.2.5.5 Resist Session Hijacking Threat
  4.2.5.6 Mitigate Risk of Credential Compromise

4.2.6 Identity Information Management
  4.2.6.1 Identity Record Qualification

4.2.7 Assertion Content
  4.2.7.1 Identity Attributes
  4.2.7.2 Identity Assertion Qualifier
  4.2.7.3 Cryptographic Security

4.2.8 Technical Environment
  4.2.8.1 Software Maintenance
  4.2.8.2 Network Security
  4.2.8.3 Physical Security
  4.2.8.4 Reliable Operations

Find the Gaps
● Review the IAP table
● Where are you likely to find gaps?
  ○ Business process, documentation
  ○ Credential management
● Who needs to help fill them?
  ○ Systems of Record representatives, Service Desk
  ○ Central IT – security, credential managers, systems teams
● When should you engage them?
● Estimating resources and timelines – sample gap analysis chart

BREAK

Profile to Practice

Profile to Practice: Business

Framework: Functional Model

Business Process Considerations
● On-boarding and the IdPO
  ○ ID proofing and bootstrapping the digital credential
  ○ HR, delegated admins or both
  ○ The "CalNet Deputy" model and CalNet Deputy Training
● Remote proofing
● Re-issuance
● Security questions?
● User education and awareness

Profile to Practice: Technology

Password/passphrase Entropy
● Password complexity
● Dictionary checks
● Expiration
● Lockouts
● Failed login counter
● Entropy calculators
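Entropy, expiration, lockouts and the failed-login counter are one calculation, and that calculation is what the "resistance to guessing" criteria (4.2.3.2 for Bronze, 4.2.3.3 for Silver) test. The Python below is an added worked example, not code from the slides, InCommon or UC Berkeley. It assumes the NIST SP 800-63 (version 1) online-guessing limits that the slides say Bronze and Silver are comparable to: an attacker must not be able to guess a valid password with probability greater than 1 in 1,024 (LoA 1) or 1 in 16,384 (LoA 2) over the password's lifetime. The word list, the charset-based entropy heuristic, the policy numbers and every name in it (`estimate_entropy_bits`, `FailedLoginCounter`, and so on) are constructed for the example.

```python
"""Added example: password entropy estimate + failed-login counter, checked
against the Bronze/Silver online-guessing targets (assumed from NIST 800-63 v1).
Not code from the slides, InCommon or UC Berkeley."""
import math
import string
import time

# Assumed targets: NIST SP 800-63 v1 LoA 1 (1 in 1024) and LoA 2 (1 in 16384)
# over the lifetime of the secret; the slides say Bronze ~ LoA 1, Silver ~ LoA 2.
GUESS_TARGETS = {"bronze": 2 ** -10, "silver": 2 ** -14}

# Constructed stand-in for a real cracked-password / dictionary word list.
WEAK_DICT = frozenset({"password", "welcome", "letmein", "qwerty",
                       "berkeley", "calnet"})
PUNCT = frozenset(string.punctuation + " ")   # 33 symbols


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes that pw draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in PUNCT for c in pw):
        size += len(PUNCT)
    return max(size, 1)   # characters outside every class contribute 0 bits


def estimate_entropy_bits(pw: str) -> float:
    """Search-space estimate in bits: len * log2(charset). A dictionary word,
    optionally with a trailing digit/symbol suffix ('Berkeley2012'), is
    credited only with log2(list size) plus the suffix, because an attacker
    tries the list and common suffixes first. Heuristic is an assumption."""
    base = pw.rstrip(string.digits + string.punctuation)
    suffix = pw[len(base):]
    if base.lower() in WEAK_DICT:
        bits = math.log2(len(WEAK_DICT))
        if suffix:
            bits += len(suffix) * math.log2(charset_size(suffix))
        return bits
    return len(pw) * math.log2(charset_size(pw))


def max_online_guesses(lifetime_days: float, max_failed: int,
                       lockout_minutes: float) -> float:
    """Worst case: the attacker spends every lockout window in full."""
    windows = lifetime_days * 24 * 60 / lockout_minutes
    return windows * max_failed


def guess_probability(entropy_bits: float, guesses: float) -> float:
    """Probability a guesser with that budget hits a uniformly chosen secret."""
    return min(1.0, guesses / 2 ** entropy_bits)


def meets_profile(profile: str, pw: str, lifetime_days: float,
                  max_failed: int, lockout_minutes: float) -> bool:
    guesses = max_online_guesses(lifetime_days, max_failed, lockout_minutes)
    p = guess_probability(estimate_entropy_bits(pw), guesses)
    return p <= GUESS_TARGETS[profile]


class FailedLoginCounter:
    """Per-account failed-login counter with a timed lockout: the verifier-side
    control that turns 'max_failed per window' into an enforced bound."""

    def __init__(self, max_failed: int, lockout_seconds: float,
                 clock=time.monotonic):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # user -> consecutive failures
        self._locked_until = {}   # user -> clock value when the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._locked_until[user]      # lock expired: start a clean window
        self._failures.pop(user, None)
        return False

    def attempt(self, user: str, verify) -> str:
        """verify() is called only when the account is not locked, so a locked
        account cannot be probed even with the right password.
        Returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user):
            return "locked"
        if verify():
            self._failures.pop(user, None)
            return "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failed:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Policy: 1-year password lifetime, 10 failures lock the account for 30 min.
    for pw in ("password", "Berkeley2012", "abc123", "Tr0ub4dor&3"):
        bits = estimate_entropy_bits(pw)
        b = meets_profile("bronze", pw, 365, 10, 30)
        s = meets_profile("silver", pw, 365, 10, 30)
        print(f"{pw:14} {bits:5.1f} bits  bronze={b}  silver={s}")
```

With the sample policy the attacker gets at most 175,200 guesses per password, so Bronze needs roughly 27.4 bits and Silver roughly 31.4 bits; "abc123" lands between the two, which is the kind of case the lockout parameters decide. Lengthening the lockout window or lowering the failure threshold shrinks the budget and buys Silver headroom without changing the password policy. The charset estimate is an upper bound on what a user-chosen password is worth; a real deployment should check against an actual cracked-password list, which is why the slides list "Dictionary checks" and "Entropy calculators" side by side.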

Credential Management
● Where is the verifier used?
● Certify other systems?
● Downgrade credentials?
● UCB proxied authentication guidelines

Stronger Credential Options
● Second credential
● Multi-factor
● Related application-level concerns
  ○ For the entire app?
  ○ For some roles?

Technical Environment
● Campus minimum standards, if you have them: https://security.berkeley.edu/taxonomy/term/71
● Industry standards – CIS Benchmarks

Profile to Practice: Making the Pitch

Considering Your Audience
● Elevator pitches for:
  ○ Audit (if not for certification)
  ○ IT Executives
  ○ IT Security
  ○ Functional Owners (HR, Controller, Student System)

Profile to Practice: 18 Months to Better Practices

The sample timeline spans six quarters (Q1–Q4, then Q1–Q2 of the following year), with the workstreams in this order:
● Bronze gap analysis
● Bronze documentation
● Bronze certification
● Silver gap analysis
● Silver funding
● Silver mitigations
● Silver documentation
● Silver audit/certification

Resources

Standing on the Shoulders of Others
● InCommon Assurance Program Website
● InCommon Assurance Implementers wiki
  ○ AD Cookbook for Silver
  ○ Failed Login Counter: possible shared investment
  ○ Multi-factor Guidance
  ○ Virginia Tech Case Study
  ○ Password Entropy Calculators

Join the Club!
● Make a community contribution to the Assurance Wiki
● Participate on the mailing list
● Join the monthly calls
● Contribute to the reading of the Bronze spec starting this fall

Your Presenters

Dedra Chamberlin
Deputy Director, Identity and Access Management
University of California – Berkeley
[email protected]
510.642.8706

Ann West
Assistant Director for InCommon Assurance and Community
Internet2
[email protected]
906.487.1726
