
Using Levels of Assurance Renee Shuey nmi-edit CAMP: Charting Your Authentication Roadmap February...

Date post: 22-Jan-2016
Page 1: Using Levels of Assurance Renee Shuey nmi-edit CAMP: Charting Your Authentication Roadmap February 8, 2007.

Using Levels of Assurance

Renee Shuey

nmi-edit CAMP: Charting Your Authentication Roadmap

February 8, 2007


Agenda

Disclaimer

About Penn State

Level Set on Levels of Assurance
– Delivering of the package

Uses for LOA
– Both Internal and External to the university

Points to Ponder

Discussion, Q&A


Penn State


Penn State

Established 1855, PA’s Land Grant

24 campus locations

80K students, 10K faculty, 10K staff

$640M annual research expenditure


Penn State IAM - Technology

Kerberos, DCE, Active Directory

LDAP (eduPerson)

Cosign (WebAccess)

Shibboleth

Member of InCommon

2nd Factor Authentication

“Access Account” - branding for Penn State identity ~120K

“Short Term Access Accounts”

“Friends of Penn State” - branding for external identity, ~450K


Level Set - Delivering of the Package…


It’s all about how certain you are…


And how certain you need to be…


Scenario 1…

deleted image of favorite web site here…


deleted photo of well known delivery vehicle.


deleted photo of individual from well known delivery service


deleted image of nicely wrapped gift here….


Scenario 2…

deleted image of favorite website


Risk

Identity Proofing

Logical & Physical Control

Indemnification

Liability

Laws & Regulations

Data

Intellectual Property

Transaction

Identifying and Mitigating Risk


Uses for Levels of Assurance


eCommerce Compliance

Payment Card Industry Questionnaire 8.11
– Is there an account-lockout mechanism that blocks a malicious user from obtaining access to an account by multiple password retries or brute force? Yes No

Card Industry following bank industry requirement for 2nd Factor Authentication


Business Transactions

Electronic Signatures

Promissory Notes


W-2 Information Online


“THE” Demo

(at least the boss’s part)

Internet2 FastLane Demo


Points to Ponder

Decreasing of LOA

Password Resets


In Person Proofing


It’s a big, big world

Not all university affiliates are located on the campus

In fact, there are some we never see


Remote Proofing

Notary

Forms of Id


Self Service - Ask Questions?

Mother’s Maiden Name

Favorite Color

Favorite Pet’s Name

Create own Q & A

Spouse’s Nickname

First Concert Attended


www.londonstimes.us

Distribution

At times snail mail is still preferred and more trusted…


Points to Ponder

Multiple Registration Authorities


Multiple Registration Authorities

World Campus

Registrar

Admissions

Human Resources

Accounts Office

Hershey Medical


Multiple Registration Authorities

Registration Authorities need to change their requirements to meet identity provider requirements.

Understand processes tied to business, such as the activation of accounts, resetting of passwords, etc.

Applications relying on these processes
– Applications need to change
– Processes for proofing, notification, etc. all need to be changed
– Activation of accounts and resetting of passwords need to change


Multiple Registration Authorities

Multi-factor Authentication

multi-factor remote network authentication.

identity proofing procedures require verification of identifying materials and information.

based on proof of possession of a key or a one-time password through a cryptographic protocol.


Points to Ponder

Changing the Culture


Changing the Culture

Identifying & Adding new applications and services

Risk Assessment
– Ownership
– Data, Transaction, Function

Access control = authentication + LoA + attributes


To Summarize:

It’s All about how certain you are…

And How Certain you need to be…


Questions/Comments

Contact Information

Renee Shuey

ITS Emerging Technologies Group

Pennsylvania State University

[email protected]@PSU.EDU


Copyright Renee Shuey 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
