Joining the Federal Federation: a Campus Perspective
Institute for Computer Policy and Law
June 29, 2005
Andrea Beesing, [email protected]
IT Security Office, Cornell University
Topics of discussion
Business drivers for Cornell's Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)
Overview of the federal eAuth credentials assessment framework (CAF) and Cornell's experience with it
Areas identified as commendable
Areas of common practice
Differences with the federal government's CAF
Where next?
Cornell business drivers
Cornell Legal Music Pilot with Napster in summer 2004
Library interest in: library vendors, DSpace
Office of Sponsored Programs: streamlined process for grant submission
Resource sharing between Cornell in Ithaca (Cornell University) and Cornell in New York City (Weill Medical College)
Broad objective of assessment
Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell in its involvement with Shibboleth and InCommon
Assessment objective clarified
Evaluate Cornell practices against the CAF
Find areas of common practice between the Shibboleth community and eAuth, as well as differences
Suggest changes where they would be beneficial to common operations
Evaluate whether the two communities can be an operationally good fit
Assessment components
CAF – Credential Assessment Framework
CS – Credential Service
CSP – Credential Service Provider
CAP – Credentials Assessment Profile
Credential Assessment Framework (diagram)
Credential Services: Cornell University as Credential Service Provider; credential types NetIDs, GuestIDs, VMIDs, Other
Credential Assessment Profile and Credential Assessment Checklist applied to each credential service
Credential Assessment Report produced by eAuthentication assessors and Cornell staff
Assessment categories and examples
Organizational maturity
– Valid legal entity with authority to operate (1)
– Risk management methodology (2)
Identity proofing
– Written policy on steps for identity proofing (2)
Authentication protocol
– Secrets encrypted when transmitted over network (1)
– Password not disclosed to third parties (2)
Token strength
– Password resistance to guessing, or entropy (1)
– Stronger resistance to guessing (2)
Status management
– Revoked credentials cannot be authenticated (1)
– Revocation of credential within 72 hours of invalidation, compromise (2)
Credential delivery
– Credential delivered in manner that confirms postal address of record or fixed-line telephone number of record (2)
Sample: CAF checklist for level 1

1. Assurance Level 1
1. Organizational Maturity

Columns: Tag | Description | Suggested Evidence of Compliance | Status

Tag: Established
Description:
1. The CSP shall be a valid legal entity, and a person with legal authority to commit the CSP shall submit the Assessment package.
2. The operational system will be assessed as it stands at the time of the Assessment. Planned upgrades or modifications will not be considered during the assessment.
Suggested evidence of compliance:
1. Articles of incorporation, Organizational Charter, Affidavit, etc.
2. Demonstration

Tag: Authorization to Operate
Description:
1. The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies.
2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.
Suggested evidence of compliance:
1. Copy of ATO or company authorization for Credential Service
2. Asserted in Authorization document as set forth in GSA policies

Tag: General Disclosure
Description:
1. The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community.
2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.
Suggested evidence of compliance:
1. Terms, Conditions, and Privacy policies posted on Website
2. Document how provider will do this.
Sample: CAP checklist for level 2

Columns: Tag | Description | Suggested Evidence of Compliance | Status

Tag: Documentation
Description:
1. The CSP shall have all security related policies and procedures documented that are required to demonstrate compliance.
2. Undocumented practices will not be considered evidence.
Suggested evidence of compliance: Copies of or link to policies

Tag: Helpdesk
Description: A helpdesk shall be available for subscribers to resolve issues related to their credentials during the CSP's regular business hours, minimally from 9am to 5pm Monday through Friday.
Suggested evidence of compliance: Observe helpdesk

Tag: Risk Mgt
Description: The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.
Suggested evidence of compliance: Copy of risk assessment

1.1 Assurance Level 2
Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.
1.1.1 Organizational Maturity
Assessment process steps
Submit sign-up sheet
Schedule assessment with eAuth team
Submit documentation to eAuth team
Prepare Cornell overview for assessment meeting
Contact Cornell stakeholders to inform and/or schedule for eAuth team visit
Assessment process steps
Day 1 of assessment
– Provide background information on Cornell as credential provider
– First pass through assessment checklist
– Tour of data center
Day 2 of assessment
– Review draft of assessment report and checklist
– Correct and clarify assessment checklist
Assessment process participants
Identity Management team or equivalent
IT Security Director
IT Policy Director
University Counsel
IT Auditor
Human Resources Records
Computer Access staff
University Registrar
Business continuity planner
Data center manager
Commendable areas
Position of the Identity Management program within the IT organization
Complete and up to date documentation for users
Data center security
Cornell Information Technologies organization chart (diagram)
VP, Information Technology
– Customer Services and Marketing *
– Information Systems *
– Distributed Learning Services
– Security Office (IT Security Director)
  Identity Management: Authentication, Authorization, Directory Services, Provisioning Tools
  Security: Incident Response, Vulnerability Scanning, Network Anomaly Detection, Client Security, Security Consulting
– Network and Communication Services
– Systems and Operations
– Advanced Technology and Architecture
* Units performing account management functions connected with this credential service
Areas of common practice
General approach to IT policy
– IT policy framework
– Quality of policy documents
Effective channels for communicating policies
Well-established disaster recovery plan
Excellent delivery procedures for credentials
Differences with CAF – level 1 assessment
Threat protection
– Measures to prevent on-line guessing of passwords insufficient
– Federal government's baseline recommendations: password life rules or lock-out rules
– Uniqueness of password / forcing password change when user logs on for first time
Password life rules and lock-out are particularly problematic for universities
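As an added illustration, not part of the presentation, the following Python sketch applies the three baseline controls named above (a lock-out rule counted over a sliding window, a password life rule, and a forced password change at first logon) to constructed login events; the thresholds, class and function names are assumed for the example and are not CAF figures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Policy:
    # Assumed thresholds for illustration; the CAF text on this page sets no numbers
    max_failures: int = 5                                # lock-out rule: failures allowed in window
    failure_window: timedelta = timedelta(minutes=15)    # sliding window for counting failures
    lockout_duration: timedelta = timedelta(minutes=30)  # how long the account stays locked
    max_password_age: timedelta = timedelta(days=180)    # password life rule

@dataclass
class Account:
    password_set_at: datetime
    first_logon_done: bool = False
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None

def evaluate_login(acct: Account, password_ok: bool, now: datetime, policy: Policy) -> str:
    """Decide the outcome of one login attempt seen at `now`."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"                       # refused even if the password is right
    acct.failures = [t for t in acct.failures if now - t < policy.failure_window]
    if not password_ok:
        acct.failures.append(now)
        if len(acct.failures) >= policy.max_failures:
            acct.locked_until = now + policy.lockout_duration
            return "locked"
        return "denied"
    acct.failures.clear()
    if not acct.first_logon_done:
        acct.first_logon_done = True
        return "first_logon_change"           # issued password must be replaced now
    if now - acct.password_set_at > policy.max_password_age:
        return "password_expired"             # password life rule exceeded
    return "allowed"

def run_demo() -> List[str]:
    """Constructed login events exercising each rule; returns the decisions in order."""
    policy = Policy()
    t0 = datetime(2005, 6, 29, 9, 0, 0)                 # constructed timestamp
    a = Account(password_set_at=t0)                     # freshly issued credential
    events = [evaluate_login(a, False, t0 + timedelta(minutes=i), policy) for i in range(5)]
    events.append(evaluate_login(a, True, t0 + timedelta(minutes=10), policy))  # right password, still locked
    events.append(evaluate_login(a, True, t0 + timedelta(minutes=40), policy))  # lock expired, first logon
    b = Account(password_set_at=t0 - timedelta(days=200), first_logon_done=True)
    events.append(evaluate_login(b, True, t0, policy))  # stale password hits the life rule
    return events
```

The sixth event shows the side of lock-out that worries campuses: a correct password is refused while the lock set by someone else's guesses is still in force.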
Differences with CAF – level 2
Business Continuity Plan should be finalized
Written policy or practice statement documenting all identity proofing procedures
Better remote proofing procedures for alumni
Where next?
eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County
Individual arrangements between federal government and universities will not scale
Goal will be interoperation between eAuth and InCommon
InCommon does not now require the same level of accreditation as eAuth for either credential providers or service providers
Accreditation could become an important function for any shared identity federation
For more information
eAuthentication: http://www.cio.gov/eauthentication/
eAuthentication credential assessment tool suite: http://www.cio.gov/eauthentication/CredSuite.htm
Cornell IT Security Office web site (includes Identity Management): http://www.cit.cornell.edu/oit/Security.html
Cornell's policy tutorial for new students: https://cuweblogin2.cit.cornell.edu/cuwl-cgi/policyPub.cgi