Joining the Federal Federation: a Campus Perspective
Institute for Computer Policy and Law
June 29, 2005
Andrea Beesing, [email protected]
IT Security Office, Cornell University

Topics of discussion
- Business drivers for Cornell's Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)
- Overview of the federal eAuth credentials assessment framework (CAF) and Cornell's experience with it
- Areas identified as commendable
- Areas of common practice
- Differences with the federal government's CAF
- Where next?

Cornell business drivers
- Cornell Legal Music Pilot with Napster in summer 2004
- Library interest in: library vendors, DSpace
- Office of Sponsored Programs: streamlined process for grant submission
- Resource sharing between Cornell in Ithaca and Cornell in New York City (Weill Medical College)

Broad objective of assessment
- Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell in its involvement with Shibboleth and InCommon

Assessment objective clarified
- Evaluate Cornell practices against the CAF
- Find areas of common practice between the Shibboleth community and eAuth, as well as differences
- Suggest changes where they would be beneficial to common operations
- Evaluate whether the two communities can be an operationally good fit

Assessment components
- CAF – Credential Assessment Framework
- CS – Credential Service
- CSP – Credential Service Provider
- CAP – Credentials Assessment Profile

Credential Assessment Framework (diagram)
- Credential Service Provider: Cornell University
- Credential Services: NetIDs, GuestIDs, VMIDs, Other
- Credential Assessment Profile; Credential Assessment Checklists (for the credential services); Credential Assessment Report
- Assessment carried out by eAuthentication assessors & Cornell staff

Assessment categories and examples (number in parentheses is the assurance level)
- Organizational maturity
  – Valid legal entity with authority to operate (1)
  – Risk management methodology (2)
- Identity proofing
  – Written policy on steps for identity proofing (2)
- Authentication protocol
  – Secrets encrypted when transmitted over the network (1)
  – Password not disclosed to third parties (2)

Assessment categories and examples (continued)
- Token strength
  – Password resistance to guessing, or entropy (1)
  – Stronger resistance to guessing (2)
- Status management
  – Revoked credentials cannot be authenticated (1)
  – Revocation of credential within 72 hours of invalidation or compromise (2)
- Credential delivery
  – Credential delivered in a manner that confirms the postal address of record or fixed-line telephone number of record (2)

Sample: CAF checklist for level 1

1. Assurance Level 1
1. Organizational Maturity

Tag | Description | Suggested Evidence of Compliance | Status
Established | 1. The CSP shall be a valid legal entity, and a person with legal authority to commit the CSP shall submit the Assessment package. 2. The operational system will be assessed as it stands at the time of the Assessment. Planned upgrades or modifications will not be considered during the assessment. | 1. Articles of incorporation, Organizational Charter, Affidavit, etc. 2. Demonstration |
Authorization to Operate | 1. The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies. 2. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS. | 1. Copy of ATO or company authorization for Credential Service 2. Asserted in Authorization document as set forth in GSA policies |
General Disclosure | 1. The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community. 2. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy. | 1. Terms, Conditions, & Privacy policies posted on Website 2. Document how provider will do this. |

Sample: CAP checklist for level 2

Tag | Description | Suggested Evidence of Compliance | Status
Documentation | 1. The CSP shall have all security related policies and procedures documented that are required to demonstrate compliance. 2. Undocumented practices will not be considered evidence. | Copies or link to policies |
Helpdesk | A helpdesk shall be available for subscribers to resolve issues related to their credentials during the CSP's regular business hours, minimally from 9am to 5pm Monday through Friday. | Observe Helpdesk |
Risk Mgt | The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS. | Copy of Risk Assessment |

1.1 Assurance Level 2
Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.

1.1.1 Organizational Maturity

Assessment process steps
- Submit sign-up sheet
- Schedule assessment with eAuth team
- Submit documentation to eAuth team
- Prepare Cornell overview for assessment meeting
- Contact Cornell stakeholders to inform and/or schedule for eAuth team visit

Assessment process steps (continued)
- Day 1 of assessment
  – Provide background information on Cornell as credential provider
  – First pass through assessment checklist
  – Tour of data center
- Day 2 of assessment
  – Review draft of assessment report and checklist
  – Correct and clarify assessment checklist

Assessment process participants
- Identity Management team or equivalent
- IT Security Director
- IT Policy Director
- University Counsel
- IT Auditor
- Human Resources Records
- Computer Access staff
- University Registrar
- Business continuity planner
- Data center manager

Commendable areas
- Position of the Identity Management program within the IT organization
- Complete and up-to-date documentation for users
- Data center security

Cornell Information Technologies organization (VP, Info Tech)
- Customer Services and Marketing *
- Information Systems *
- Distributed Learning Services
- Security Office (IT Security Director)
  – Identity Management: Authentication, Authorization, Directory Services, Provisioning Tools
  – Security: Incident Response, Vulnerability Scanning, Network Anomaly Detection, Client Security, Security Consulting
- Network and Communication Services
- Systems and Operations
- Advanced Technology and Architecture

* Units performing account management functions connected with this credential service

Areas of common practice
- General approach to IT policy
  – IT policy framework
  – Quality of policy documents
- Effective channels for communicating policies
- Well-established disaster recovery plan
- Excellent delivery procedures for credentials

Differences with CAF – level 1 assessment
- Threat protection
  – Measures to prevent on-line guessing of passwords insufficient
  – Federal government's baseline recommendations: password life rules or lock-out rules
  – Uniqueness of password / forcing password change when user logs on for the first time
- Password life rules and lock-out are particularly problematic for universities
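The lock-out, first-logon password change and revocation controls named on this slide and on the status-management and token-strength slides, modelled as an added example. This is illustration code written for this page, not Cornell's credential service, eAuth's, or any CAF tool; the lock-out threshold and duration, the hashing parameters, the NetID and the passwords are all constructed for the example.

```python
# Added illustration of the CAF-style controls named on these slides: a revoked
# credential must not authenticate, on-line password guessing is limited by a
# lock-out rule, and the first logon forces a password change. All policy
# values and sample data are assumed for the example, not taken from the CAF.
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5        # failed attempts before lock-out (assumed value)
LOCKOUT_SECONDS = 900   # lock-out duration, 15 minutes (assumed value)
PBKDF2_ROUNDS = 50_000  # stand-in for whatever hashing the real service uses


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    revoked: bool = False
    must_change: bool = True   # first logon forces a password change
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def guessing_resistance_bits(password: str) -> float:
    """Naive 'token strength' estimate: length * log2(alphabet of classes used).
    A real assessment would use a guess-count or dictionary model instead."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return len(password) * math.log2(size) if size else 0.0


class CredentialService:
    def __init__(self) -> None:
        self.store: dict[str, Credential] = {}
        self.audit: list[str] = []   # trail an assessor could review

    def enroll(self, netid: str, initial_password: str) -> None:
        salt = secrets.token_bytes(16)
        self.store[netid] = Credential(salt, _digest(initial_password, salt))

    def revoke(self, netid: str) -> None:
        self.store[netid].revoked = True
        self.audit.append(f"REVOKE {netid}")

    def change_password(self, netid: str, old: str, new: str, now: float) -> bool:
        if self.authenticate(netid, old, now) not in ("ok", "change-required"):
            return False
        cred = self.store[netid]
        cred.salt = secrets.token_bytes(16)
        cred.digest = _digest(new, cred.salt)
        cred.must_change = False
        return True

    def authenticate(self, netid: str, password: str, now: float) -> str:
        """Returns 'ok', 'change-required', 'revoked', 'locked' or 'denied'."""
        cred = self.store.get(netid)
        if cred is None:
            _digest(password, b"dummy-salt")  # keep timing close to a real miss
            return "denied"
        if cred.revoked:            # a revoked credential never authenticates
            return "revoked"
        if now < cred.locked_until: # lock-out applies even to the right password
            return "locked"
        if not hmac.compare_digest(_digest(password, cred.salt), cred.digest):
            cred.failures += 1
            if cred.failures >= MAX_FAILURES:
                cred.failures = 0
                cred.locked_until = now + LOCKOUT_SECONDS
                self.audit.append(f"LOCK {netid} until {cred.locked_until:.0f}")
                return "locked"
            return "denied"
        cred.failures = 0
        return "change-required" if cred.must_change else "ok"


def demo() -> list[str]:
    """Exercise the controls with constructed data; returns the outcomes."""
    svc = CredentialService()
    svc.enroll("abc123", "Initial-Pass-2005")  # constructed NetID and password
    out = [svc.authenticate("abc123", "Initial-Pass-2005", 0.0)]  # change-required
    svc.change_password("abc123", "Initial-Pass-2005", "Tr0ub4dor&3", 1.0)
    out.append(svc.authenticate("abc123", "Tr0ub4dor&3", 2.0))  # ok
    for i in range(MAX_FAILURES):  # four denials, then the fifth failure locks
        out.append(svc.authenticate("abc123", "wrong", 3.0 + i))
    out.append(svc.authenticate("abc123", "Tr0ub4dor&3", 10.0))  # locked
    out.append(svc.authenticate("abc123", "Tr0ub4dor&3", 10.0 + LOCKOUT_SECONDS))  # ok
    svc.revoke("abc123")
    out.append(svc.authenticate("abc123", "Tr0ub4dor&3", 20.0 + LOCKOUT_SECONDS))  # revoked
    return out
```

The point of the walk-through in demo() is the ordering of the checks: revocation is tested before anything else, the lock-out is enforced even when the submitted password is correct, and a lock-out that expires by time alone (rather than requiring helpdesk intervention) is the kind of compromise a campus might offer where strict password-life and lock-out rules are, as the slide notes, hard to impose.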

Differences with CAF – level 2
- Business Continuity Plan should be finalized
- Written policy or practice statement documenting all identity proofing procedures
- Better remote proofing procedures for alumni

Where next?
- eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County
- Individual arrangements between the federal government and universities will not scale
- Goal will be interoperation between eAuth and InCommon
- InCommon does not now require the same level of accreditation as eAuth for either credential providers or service providers
- Accreditation could become an important function for any shared identity federation

For more information
- eAuthentication: http://www.cio.gov/eauthentication/
- eAuthentication credential assessment tool suite: http://www.cio.gov/eauthentication/CredSuite.htm
- Cornell IT Security Office web site (includes Identity Management): http://www.cit.cornell.edu/oit/Security.html
- Cornell's policy tutorial for new students: https://cuweblogin2.cit.cornell.edu/cuwl-cgi/policyPub.cgi

