Joining the Federal Federation: a Campus Perspective
Institute for Computer Policy and Law, June 29, 2005
Andrea Beesing, amb3@cornell.edu, IT Security Office, Cornell University
Topics of discussion
• Business drivers for Cornell’s Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)
• Overview of the federal eAuth credentials assessment framework (CAF) and Cornell’s experience with it
• Areas identified as commendable
• Areas of common practice
• Differences with the federal government’s CAF
• Where next?
Cornell business drivers
• Cornell Legal Music Pilot with Napster in summer 2004
• Weill Medical College: resource sharing between Cornell in Ithaca and Cornell in New York City
• Office of Sponsored Programs: streamlined process for grant submission
• Library interest in:
  • Library vendors
  • DSpace
Broad objective of assessment
Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell in its involvement with Shibboleth and InCommon
Assessment objective clarified
• Evaluate Cornell practices against the CAF
• Find areas of common practice between the Shibboleth community and eAuth, as well as differences
• Suggest changes where they would be beneficial to common operations
• Evaluate whether the two communities can be an operationally good fit
Assessment components
• CAF – Credential Assessment Framework
• CS – Credential Service
• CSP – Credential Service Provider
• CAP – Credentials Assessment Profile
[Diagram: assessment flow] The Credential Assessment Framework is applied to the Credential Service Provider (Cornell University) through a Credential Assessment Profile; eAuthentication assessors and Cornell staff complete a Credential Assessment Checklist for each credential type (NetIDs, GuestIDs, VMIDs, other), which feeds the Credential Assessment Report.
Assessment categories and examples (the number in parentheses is the assurance level at which the criterion applies)
• Organizational maturity
  • Valid legal entity with authority to operate (1)
  • Risk management methodology (2)
• Identity proofing
  • Written policy on steps for identity proofing (2)
• Authentication protocol
  • Secrets encrypted when transmitted over the network (1)
  • Password not disclosed to third parties (2)
• Token strength
  • Password resistance to guessing, or entropy (1)
  • Stronger resistance to guessing (2)
• Status management
  • Revoked credentials cannot be authenticated (1)
  • Revocation of credential within 72 hours of invalidation or compromise (2)
• Credential delivery
  • Credential delivered in a manner that confirms the postal address of record or fixed-line telephone number of record (2)
Sample: CAF checklist for level 1 (excerpt)
• Assurance Level 1
  • Organizational Maturity

Sample: CAP checklist for level 2 (excerpt)
1.1 Assurance Level 2
Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.
1.1.1 Organizational Maturity
Assessment process steps
• Submit sign-up sheet
• Schedule assessment with the eAuth team
• Submit documentation to the eAuth team
• Prepare Cornell overview for the assessment meeting
• Contact Cornell stakeholders to inform and/or schedule them for the eAuth team visit
• Day 1 of assessment
  • Provide background information on Cornell as credential provider
  • First pass through the assessment checklist
  • Tour of the data center
• Day 2 of assessment
  • Review draft of the assessment report and checklist
  • Correct and clarify the assessment checklist
Assessment process participants
• Identity Management team or equivalent
• IT Security Director
• IT Policy Director
• University Counsel
• IT Auditor
• Human Resources Records
• Computer Access staff
• University Registrar
• Business continuity planner
• Data center manager
Commendable areas
• Position of the Identity Management program within the IT organization
• Complete and up-to-date documentation for users
• Data center security
[Org chart: Cornell Information Technologies]
VP, Info Tech
• Customer Services and Marketing *
• Security Office (IT Security Director)
  • Identity Management: Authentication, Authorization, Directory Services, Provisioning Tools
  • Security Incident Response
  • Vulnerability Scanning
  • Network Anomaly Detection
  • Client Security
  • Security Consulting
• Advanced Technology and Architecture
• Network and Communication Services
• Systems and Operations
• Information Systems *
• Distributed Learning Services
* Units performing account management functions connected with this credential service
Areas of common practice
• General approach to IT policy
  • IT policy framework
  • Quality of policy documents
  • Effective channels for communicating policies
• Well-established disaster recovery plan
• Excellent delivery procedures for credentials
Differences with CAF – level 1 assessment
• Threat protection
  • Measures to prevent on-line guessing of passwords insufficient
  • Federal government’s baseline recommendations:
    • Password life rules, or
    • Lock-out rules
    • Uniqueness of password / forcing a password change when the user logs on for the first time
  • Password life rules and lock-out are particularly problematic for universities
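The level 1 and level 2 criteria above (guessing resistance, lock-out and password-life rules, forced change at first logon, no authentication of revoked credentials, revocation within 72 hours) are easiest to reason about as states of a credential record. The following Python is an added illustration written for this page, not code from the presentation, Cornell or eAuth; the thresholds (five failed attempts, a 15-minute lock-out, a 90-day password life, a 30-bit entropy floor) are hypothetical placeholders, and only the 72-hour revocation window comes from the slides.

```python
# Added example: a minimal credential-status model exercising the CAF-style
# controls named on the slides. Thresholds are hypothetical except the 72 h window.
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                  # lock-out rule (hypothetical threshold)
LOCKOUT_PERIOD = timedelta(minutes=15)   # lock-out duration (hypothetical)
PASSWORD_MAX_AGE = timedelta(days=90)    # password-life rule (hypothetical)
REVOCATION_WINDOW = timedelta(hours=72)  # level 2 status-management criterion
MIN_ENTROPY_BITS = 30                    # token-strength floor (hypothetical)


def password_entropy_bits(password: str) -> float:
    """Rough guessing-resistance estimate: length x log2(character pool size)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Credential:
    user: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    must_change: bool = True             # initial password must be replaced at first logon
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    revoked_at: Optional[datetime] = None


def enroll(user: str, initial_password: str, now: datetime) -> Credential:
    salt = os.urandom(16)
    return Credential(user, salt, hash_password(initial_password, salt), now)


def authenticate(cred: Credential, password: str, now: datetime) -> str:
    """Return 'ok', 'must_change', 'expired', 'denied', 'locked' or 'revoked'."""
    if cred.revoked_at is not None:
        return "revoked"                 # revoked credentials never authenticate
    if cred.locked_until is not None and now < cred.locked_until:
        return "locked"
    if not hmac.compare_digest(hash_password(password, cred.salt), cred.pw_hash):
        cred.failed_attempts += 1
        if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
            cred.failed_attempts = 0
            cred.locked_until = now + LOCKOUT_PERIOD
            return "locked"
        return "denied"
    cred.failed_attempts = 0
    if now - cred.password_set_at > PASSWORD_MAX_AGE:
        return "expired"                 # password-life rule
    if cred.must_change:
        return "must_change"             # first-logon forced change
    return "ok"


def change_password(cred: Credential, new_password: str, now: datetime) -> bool:
    """Enforce the token-strength floor; a successful change clears must_change."""
    if password_entropy_bits(new_password) < MIN_ENTROPY_BITS:
        return False
    cred.salt = os.urandom(16)
    cred.pw_hash = hash_password(new_password, cred.salt)
    cred.password_set_at = now
    cred.must_change = False
    return True


def revoke(cred: Credential, invalidated_at: datetime, now: datetime) -> bool:
    """Mark the credential revoked; True if done within 72 hours of invalidation."""
    cred.revoked_at = now
    return now - invalidated_at <= REVOCATION_WINDOW


if __name__ == "__main__":
    t0 = datetime(2005, 6, 29, 9, 0)     # constructed timestamp
    cred = enroll("example-netid", "Temp0rary!Pass", t0)
    print(authenticate(cred, "Temp0rary!Pass", t0))   # must_change
    print(change_password(cred, "Correct-Horse9", t0)) # True
    print(authenticate(cred, "Correct-Horse9", t0))    # ok
```

The point of the model is the ordering of checks: revocation is tested before anything else so a revoked credential can never authenticate, the lock-out is tested before the password so a locked account gives no oracle on password correctness, and the password-life and first-logon rules only apply once the secret has been verified.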
Differences with CAF – level 2
• Business Continuity Plan should be finalized
• Written policy or practice statement documenting all identity proofing procedures
• Better remote proofing procedures for alumni
Where next?
• eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County
• Individual arrangements between the federal government and universities will not scale
• Goal will be interoperation between eAuth and InCommon
• InCommon does not now require the same level of accreditation as eAuth for either credential providers or service providers
• Accreditation could become an important function for any shared identity federation
For more information
• eAuthentication: http://www.cio.gov/eauthentication/
• eAuthentication credential assessment tool suite: http://www.cio.gov/eauthentication/CredSuite.htm
• Cornell IT Security Office web site (includes Identity Management): http://www.cit.cornell.edu/oit/Security.html
• Cornell’s policy tutorial for new students: https://cuweblogin2.cit.cornell.edu/cuwl-cgi/policyPub.cgi