InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker
InCommon Assurance Certification
• What is it?
• Why would I want it?
• How do I get it?
Assurance certification: What is it?
• Designation by InCommon that an Identity Provider meets the criteria for one or more of the InCommon Identity Assurance Profiles (IAP), Bronze and Silver
• Evidence that the IdP meets a standard for higher education recognized by the federal government
• Identity Assurance Qualifier added to the Identity Provider’s InCommon metadata by InCommon
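The last bullet is the technical side of certification: InCommon records a certified IdP's Identity Assurance Qualifier as an entity attribute in the federation metadata, and the IdP signals which profile a particular login met in the assertion's AuthnContextClassRef. A Service Provider that requires Silver should check both, so that an IdP's own claim is only trusted when the federation has certified it. The script below is an added example, not part of this presentation or of InCommon's software: the metadata and assertion fragments are constructed samples and the entity IDs are hypothetical; the assurance URIs and the entity-attribute name are the values published by InCommon and the OASIS SAML Identity Assurance Profiles.

```python
"""Verify an InCommon assurance claim on the Service Provider side.

Added example (not from the presentation). METADATA and the assertions built
by make_assertion() are constructed samples with hypothetical entity IDs.
The assurance URIs and the entity-attribute name are the published
InCommon / OASIS values.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ASSURANCE_CERT_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"

# Constructed federation metadata: one IdP certified Bronze and Silver, one uncertified.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp.silver.example.edu/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ASSURANCE_CERT_ATTR}"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{BRONZE}</saml:AttributeValue>
          <saml:AttributeValue>{SILVER}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.plain.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def certified_profiles(metadata_xml):
    """Map each entityID in the metadata to the set of assurance URIs certified for it."""
    root = ET.fromstring(metadata_xml)
    certified = {}
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        profiles = set()
        for attr in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_CERT_ATTR:
                profiles.update((v.text or "").strip()
                                for v in attr.findall("saml:AttributeValue", NS))
        certified[ent.get("entityID")] = profiles
    return certified


def make_assertion(issuer, context_class_ref):
    """Build a minimal constructed SAML assertion (unsigned; signature validation
    is a separate, mandatory step that this example does not cover)."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0" '
            f'IssueInstant="2013-10-03T00:00:00Z">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            f"<saml:AuthnStatement AuthnInstant=\"2013-10-03T00:00:00Z\"><saml:AuthnContext>"
            f"<saml:AuthnContextClassRef>{context_class_ref}</saml:AuthnContextClassRef>"
            "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")


def claimed_context(assertion_xml):
    """Return (issuer entityID, AuthnContextClassRef) from a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    ref = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    return issuer, ref


def accept_login(metadata_xml, assertion_xml, required):
    """Decide whether an SP that requires `required` may accept this login.
    Both checks must pass: the federation certifies the IdP for that profile,
    and the IdP asserts that profile for this particular authentication."""
    certified = certified_profiles(metadata_xml)
    issuer, ref = claimed_context(assertion_xml)
    if issuer not in certified:
        return False, "issuer is not in the trusted federation metadata"
    if required not in certified[issuer]:
        return False, "IdP is not certified for the required profile"
    if ref != required:
        return False, "assertion does not claim the required profile"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("https://idp.silver.example.edu/idp/shibboleth", SILVER),
        ("https://idp.plain.example.edu/idp/shibboleth", SILVER),
        ("https://idp.silver.example.edu/idp/shibboleth",
         "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
        ("https://idp.unknown.example.edu/idp/shibboleth", SILVER),
    ]
    for issuer, ctx in cases:
        print(issuer, "->", accept_login(METADATA, make_assertion(issuer, ctx), SILVER))
```

The second and third cases are the ones that matter to a relying party: an uncertified IdP asserting Silver is rejected even though the assertion looks right, and a certified IdP is rejected when this particular login was only a password session rather than a Silver-qualified one. The profile check is a plain set-membership test rather than a Bronze-below-Silver ordering, since a Silver applicant also applies for Bronze and both qualifiers appear in metadata.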
Assurance certification: Why would I want it?
• Improve identity & access management processes
• Improve security surrounding campus credentials
• Implement best practices for higher ed
• Allow access to federated services that require it
Assurance certification: How do I get it?
• Join the InCommon Federation
• Support an Identity Provider with SAML/Shibboleth
• Read the Identity Assurance Assessment Framework (IAAF) and the Identity Assurance Profiles (IAP)
• Evaluate scope
  • Bronze and/or Silver
  • Users
  • Credentials
• Start a project
InCommon Assurance Project
• High-level sponsor
• Scope definition
• Audit (Silver) or attestation
• Gap analysis
• Management assertions
• Alternative means?
• Submission
Sponsorship
Enlist the support of friends in high places – the Vice President for Information Technology & CIO. The project will span units outside your own:
• Human Resources and/or Payroll – employee identities
• Registrar/Provost – student identities
• ID card-issuing office
• IT Security Office
• Internal (?) Audit
Define Scope
• Which users will get Assurance?
• What assurance level do they need? (Bronze, Silver, both?)
• What credentials will they use?
Audit or Attestation?
Silver requires an audit: the auditor’s opinion attesting to the Management Assertions.
Bronze requires attestation, but an audit can be done. The “Attester” checks the Bronze box on the InCommon Operations Data Form and signs the Assurance Addendum.
Attester = the executive or person who signed the InCommon Participant Agreement
Gap Analysis – IAP Criteria
4.2.1 Business, Policy and Operational Criteria
4.2.2 Registration and Identity Proofing (primarily Silver)
4.2.3 Credential Technology
4.2.4 Credential Issuance and Management
4.2.5 Authentication Process
4.2.6 Identity Information Management
4.2.7 Assertion Content
4.2.8 Technical Environment (Silver only)
For each subsection…
• Do we meet the criteria?
  • Yes: What/where is the supporting evidence?
    • Technical
    • Documentation
  • No: What work needs to be done?
    • Technical? Documentation? Policy?
    • Effort: major, moderate, or minor
    • Who will do the work?
    • When will the work be completed?
Management Assertions
4.2.1.1. InCommon Participant
Virginia Tech is an InCommon Participant in good standing.
Evidence of compliance
4.2.1.1. InCommon Participant
On <date>, Virginia Tech received a copy of the completed InCommon Participant Agreement, signed by John Doe of Virginia Tech and John Krienke, InCommon CEO. The most recent membership payment of $xxxx.00 was made on <date>, with PO xxxxx. Virginia Tech is in compliance with its other contractual obligations to InCommon, including posting the InCommon Participant Operational Practices.
Alternative Means
Equivalent or stronger methods to satisfy criteria in the IAP.
• Multi-factor
• Active Directory
• Your alternative means here…
Alternative Means submission
• Prior to applying for certification
• At the time of application
• Community contribution
See http://www.incommonfederation.org/assurance/alternativemeans.html
Audit Report
• Date
• Auditor identification and qualifications
• Outline of audit methodology
• Statement of whether the IdPO conforms with all requirements of each IAP (Bronze, Silver)
See IAAF Section 4.2
Application Packet
Bronze: Assurance Addendum
Silver:
• Audit summary
• Assurance Addendum (must also apply for Bronze)
• Alternative means, if applicable
The approval process takes approximately one month.
Resources
• The program: http://www.incommonfederation.org/assurance/
• The Assessment Framework (IAAF): http://www.incommon.org/docs/assurance/IAAF.pdf
• Identity Assurance Profiles (IAP): http://www.incommon.org/docs/assurance/IAP.pdf
Resources, continued…
• Gap Analysis Templates: https://spaces.internet2.edu/display/InCAssurance/Gap+Analysis+Templates
• Generalized Management Assertions: https://spaces.internet2.edu/display/InCAssurance/Generalized+Management+Assertions
• Alternative Means: http://www.incommonfederation.org/assurance/alternativemeans.html
Resources, continued…
• Submission – see the FAQ: http://www.incommonfederation.org/assurance/faq.html
• Audit requirements – see IAAF section 4.2
• Assurance Addendum and US FICAM Privacy Assurance Criteria: http://www.incommonfederation.org/docs/assurance/Assurance_Addendum.pdf
Resources, continued…
• Virginia Tech Assurance Implementation Example: https://spaces.internet2.edu/display/InCAssurance/Assurance+Implementation+Example+-+Virginia+Tech
• CAS integration: https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration
• dunker@vt.edu