Posted: 22-Jan-2016
Using Levels of Assurance
Renee Shuey
nmi-edit CAMP: Charting Your Authentication Roadmap
February 8, 2007
Agenda
Disclaimer
About Penn State
Level Set on Levels of Assurance
– Delivering of the package
Uses for LOA
– Both internal and external to the university
Points to Ponder
Discussion, Q&A
Penn State
Established 1855, PA’s Land Grant
24 campus locations
80K students, 10K faculty, 10K staff
$640M annual research expenditure
Penn State IAM - Technology
Kerberos, DCE, Active Directory
LDAP (eduPerson)
Cosign (WebAccess)
Shibboleth
Member of InCommon
2nd Factor Authentication
“Access Account” - branding for Penn State identity, ~120K
“Short Term Access Accounts”
“Friends of Penn State” - branding for external identity, ~450K
Level Set - Delivering of the Package….
It’s all about how certain you are…
And how certain you need to be…
Scenario 1…
deleted image of favorite web site here…
deleted photo of well known delivery vehicle.
deleted photo of individual from well known delivery service
deleted image of nicely wrapped gift here….
Scenario 2…
deleted image of favorite website
Risk
Identity Proofing
Logical & Physical Control
Indemnification
Liability
Laws & Regulations
Data
Intellectual Property
Transaction
Identifying and Mitigating Risk
Uses for Levels of Assurance
eCommerce Compliance
Payment Card Industry Questionnaire 8.11 – Is there an account-lockout mechanism that blocks a malicious user from obtaining access to an account by multiple password retries or brute force? Yes / No
Card Industry following bank industry requirement for 2nd Factor Authentication
Business Transactions
Electronic Signatures
Promissory Notes
W-2 Information Online
“THE” Demo
(at least the boss’s part)
Internet2 FastLane Demo
Points to Ponder – Decreasing of LOA
Password Resets
In Person Proofing
It’s a big, big world. Not all university affiliates are located on the campus.
In fact, there are some we never see
Remote Proofing
Notary
Forms of ID
Self Service - Ask Questions?
Mother’s Maiden Name
Favorite Color
Favorite Pet’s Name
Create own Q & A
Spouse’s Nickname
First Concert Attended
www.londonstimes.us
Distribution
At times snail mail is still preferred and more trusted…
Points to Ponder – Multiple Registration Authorities
World Campus
Registrar
Admissions
Human Resources
Accounts Office
Hershey Medical
Multiple Registration Authorities
Registration Authorities need to change their requirements to meet identity provider requirements.
Understand processes tied to business such as the activation of accounts, resetting of passwords, etc.
Applications relying on these processes
– Applications need to change
– Processes for proofing, notification, etc. all need to be changed
– Activation of accounts and resetting of passwords needs to change
Multiple Registration Authorities – Multi-factor Authentication
Multi-factor remote network authentication. Identity proofing procedures require verification of identifying materials and information. Authentication is based on proof of possession of a key or a one-time password through a cryptographic protocol.
Points to Ponder – Changing the Culture
Identifying & adding new applications and services
Risk Assessment
– Ownership
– Data, Transaction, Function
Access control = authentication + LoA + attributes
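The slide's formula "access control = authentication + LoA + attributes" as a relying-party policy check, an added example that is not from the presentation or Penn State's systems. It assumes four LoA levels numbered 1 to 4, the application names, required levels and affiliation names below, and that a session's assurance is bounded by the weaker of identity proofing and the authentication just performed.

```python
"""Added example: LoA-based access decision for a relying party.
Levels, application policy and attribute names are assumptions."""
from dataclasses import dataclass, field

# Each application gets a minimum LoA and required attributes from its
# risk assessment (data, transaction, function). Values are illustrative.
APP_POLICY = {
    "library-catalog": {"min_loa": 1, "affiliations": set()},
    "w2-online":       {"min_loa": 3, "affiliations": {"employee"}},
    "promissory-note": {"min_loa": 3, "affiliations": {"student"}},
    "research-data":   {"min_loa": 4, "affiliations": {"faculty", "staff"}},
}


@dataclass
class Session:
    identity_loa: int   # how well the identity was proofed at registration
    auth_loa: int       # strength of the authentication just performed
    affiliations: set = field(default_factory=set)

    @property
    def effective_loa(self) -> int:
        # Assurance is capped by the weaker leg: a second factor cannot
        # lift a self-asserted external identity to level 3, and strong
        # proofing does not help a password-only login.
        return min(self.identity_loa, self.auth_loa)


def check_access(app: str, session: Session) -> tuple[bool, str]:
    """Return (allowed, reason); separates 'step-up' from a hard denial."""
    policy = APP_POLICY[app]
    need = policy["min_loa"]
    if session.effective_loa < need:
        if session.identity_loa >= need:
            # Proofing is sufficient; only a stronger authentication is missing.
            return False, f"step-up: re-authenticate at LoA {need}"
        # No authentication method can fix under-proofed identity.
        return False, f"denied: identity proofed only to LoA {session.identity_loa}"
    required = policy["affiliations"]
    if required and not (required & session.affiliations):
        return False, "denied: missing required affiliation"
    return True, "allowed"


if __name__ == "__main__":
    print(check_access("w2-online", Session(3, 2, {"employee"})))
```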
To Summarize:
It’s All about how certain you are…
And How Certain you need to be…
Questions/Comments
Contact Information
Renee Shuey
ITS Emerging Technologies Group
Pennsylvania State University
[email protected]
Copyright Renee Shuey 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.