
Meeting InCommon Silver Profile Standards at UCD and UCB

Meeting InCommon Silver Profile Standards at UCD and UCB. Bob Ono (UC Davis), Dedra Chamberlin (UC Berkeley), David Walker (UC Davis), Doreen Meyer (UC Davis). Topics: Introduction to InCommon Silver Profile; UCD and UCB Gap Analysis Highlights; UCTrust Basic and InCommon Silver; Roadmap.


Presentation Transcript


  1. Meeting InCommon Silver Profile Standards at UCD and UCB Bob Ono, UC Davis, Dedra Chamberlin, UC Berkeley, David Walker, UC Davis, Doreen Meyer, UC Davis

  2. Topics
     • Introduction to InCommon Silver Profile
     • UCD and UCB Gap Analysis Highlights
     • UCTrust Basic and InCommon Silver
     • Roadmap
     • Resources

  3. Introduction to InCommon Silver Profile

  4.–9. InCommon In Action at UCD and UCB (one diagram built up over six slides)
     • A UCD or UCB researcher accesses web-based data.
     • The campus provides the researcher's account.
     • Local applications: Calendaring, Email.
     • UC applications: At Your Service, UC Travel (Connexxus), Learning Mgmt. System.
     • Agency applications: DOE apps, NSF apps, NIH apps.

  10. InCommon, UC, And Moving To Silver
     • The InCommon framework ensures that UC campuses are adequately protecting staff and faculty identities and sensitive data.
     • The InCommon framework is consistent with the research mission of UCOP, facilitating collaboration among campuses and Federal institutions.
     • By acting now, UC will be in alignment with significant Federal agencies and educational institutions, and can strengthen the UCTrust Basic framework.

  11. InCommon Framework Is Based On Federal Guidelines
     • Federal Guidelines include:
       • NIST Special Publication 800-63
       • Level of Assurance 2 (LOA2) as defined in OMB-04-04 and FIPS 199
     • LOA2: “On balance, confidence exists that the asserted identity is accurate”.

  12. InCommon Identity Assurance Program
     • Functional areas define the standards. Identity Providers address how to meet them.
     • For each functional area, identify the gaps between the UC location's identity management infrastructure and the InCommon Silver profile.

  13. Identity Management Functional Model

  14. UCD and UCB Gap Analysis Highlights

  15. Approach for Meeting InCommon Silver Standards
     • Gap Analysis: Determine the gaps between the InCommon Silver standards and the local UCB and UCD standards; determine the effort needed to close each gap.
     • Next step: Identify participants from relevant business and technical areas.
     • Then: Select initial tasks based on available resources and relative complexity.
     (Diagram: InCommon Silver Standards compared against local UCB and UCD standards.)

  16. Summary of Gap Analysis for UC Davis and UC Berkeley (1.1)

  17. Business, Policy, and Operational Factors (4.2.1) Purpose: Must be an InCommon Participant in good standing.

  18. Registration and Identity Proofing (4.2.2) Purpose: Identity proofing is based on government-issued ID or public records. Verified information is used to create a record for the Subject.

  19. Credential Technology (4.2.3) Purpose: If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements.

  20. Credential Issuance and Management (4.2.4) Purpose: The authentication Credential must be bound to the physical Subject and to the IdMS record pertaining to that Subject.

  21. Authentication Events (4.2.5) Purpose: The Subject proves that he or she is the holder of a Credential, enabling the subsequent issuance of Assertions.

  22. Identity Information Management (4.2.6) Purpose: Subject records must be managed appropriately so that Assertions [issued by UCD or UCB] are valid.

  23. Identity Assertion Content (4.2.7) Purpose: Have processes in place to ensure that information about a Subject’s identity conveyed in an Assertion of identity to an SP is from an authoritative source.

  24. Technical Environment (4.2.8)
     • Purpose: Resist potential technical threats that might result in false assertions of identity.
     • Statement 4.2.8.2.1: Appropriate measures shall be used to protect the confidentiality and integrity of network communications supporting IdMS operations.

  25. UCTrust Basic and InCommon Silver

  26. Comparing the UCTrust Basic and InCommon Silver Framework
     • It is possible to replace most, but not all, of UCTrust Basic with InCommon Silver policy.
     • InCommon Silver policy has more specific requirements for the IdP than UCTrust Basic. InCommon Silver’s IdP requirements can replace UCTrust Basic’s IdP requirements.
     • InCommon Silver does not have requirements for Service Providers; UCTrust Basic does have requirements for Service Providers.
     • InCommon Silver requires an audit; UCTrust Basic does not require an audit.

  27.–30. Comparing The UCTrust Basic and InCommon Silver Certification Models (one diagram built up over four slides)
     • UCTrust model: IdP Operator → IdP Operation → IdP Certification Status; IdPO Certification; the Service Provider receives an Assertion with appropriate IAQs.
     • InCommon model: the same chain (IdP Operator → IdP Operation → IdP Certification Status → IdPO Certification → Service Provider receives an Assertion with appropriate IAQs), with an Auditor producing a detailed report and an InCommon summary report that feed the IdP Certification Status.
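The certification model above ends with the Service Provider receiving an assertion "with appropriate IAQs" (identity assurance qualifiers). What an SP actually does with that assertion is a policy check, and the example below shows one way to write it. This is an added illustration, not code from the UC presentation or from InCommon; it assumes the SAML library has already verified the assertion's signature and validity window, that the IAQ values arrive in the eduPersonAssurance attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.11) or as an AuthnContextClassRef, and that the SP keeps a local table of which IdPs the federation has certified for which IAQ. The InCommon Silver IAQ URI is the one InCommon publishes; the UCTrust Basic value, the entityIDs and the sample assertion are constructed placeholders.

```python
"""SP-side acceptance check for identity assurance qualifiers (IAQs).

Added example, not code from the UC presentation or from InCommon. It assumes the
SAML stack has already checked the XML signature and NotBefore/NotOnOrAfter; what
remains is the policy question: does a *certified* IdP assert an IAQ that this SP
requires for the resource being accessed?
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPersonAssurance carries IAQ URIs as attribute values.
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# IAQ URI published by InCommon for the Silver profile.
INCOMMON_SILVER = "http://id.incommon.org/assurance/silver"
# PLACEHOLDER: the UCTrust Basic IAQ value comes from the UCTrust policy document.
UCTRUST_BASIC = "urn:example:uctrust:basic"

# Constructed table: IdP entityID -> IAQs the federation has certified it for.
# An IdP may *assert* more than it is certified for; only certified IAQs count.
CERTIFIED_IDPS = {
    "https://idp.example-campus.edu/idp/shibboleth": {INCOMMON_SILVER, UCTRUST_BASIC},
    "https://idp.other-campus.edu/idp/shibboleth": {UCTRUST_BASIC},
}

# Constructed sample assertion (not a real UC assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2011-04-01T12:00:00Z">
  <saml:Issuer>https://idp.example-campus.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>researcher42</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example-agency.gov/shibboleth</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2011-04-01T12:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAssurance">
      <saml:AttributeValue>http://id.incommon.org/assurance/silver</saml:AttributeValue>
      <saml:AttributeValue>urn:example:uctrust:basic</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assurance_qualifiers(assertion_xml: str) -> set:
    """Collect every IAQ-like value the IdP asserted (attribute values and
    AuthnContextClassRef). Filtering against what is certified happens later."""
    root = ET.fromstring(assertion_xml)
    iaqs = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == EDUPERSON_ASSURANCE:
            for val in attr.findall("saml:AttributeValue", SAML_NS):
                if val.text:
                    iaqs.add(val.text.strip())
    for ref in root.findall(
            "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS):
        if ref.text:
            iaqs.add(ref.text.strip())
    return iaqs


def accept_assertion(assertion_xml: str, certified_idps: dict,
                     sp_entity_id: str, required_iaqs) -> tuple:
    """Return (accepted, reason). Accept only if the issuer is a certified IdP,
    the assertion is addressed to this SP, and at least one IAQ that the IdP is
    certified for satisfies the SP's requirement."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=SAML_NS) or "").strip()
    if issuer not in certified_idps:
        return False, "issuer %r is not a certified IdP" % issuer
    audiences = {a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text}
    if sp_entity_id not in audiences:
        return False, "assertion is not addressed to this SP"
    honoured = assurance_qualifiers(assertion_xml) & certified_idps[issuer]
    matched = honoured & set(required_iaqs)
    if not matched:
        return False, "no acceptable IAQ; honoured=%s" % sorted(honoured)
    return True, "accepted with %s" % sorted(matched)


if __name__ == "__main__":
    sp = "https://sp.example-agency.gov/shibboleth"
    print(accept_assertion(SAMPLE_ASSERTION, CERTIFIED_IDPS, sp, [INCOMMON_SILVER]))
    # Same assertion content from an IdP certified only for UCTrust Basic: the
    # asserted Silver IAQ is not honoured, which is the transition case slide 35 describes.
    other = SAMPLE_ASSERTION.replace("idp.example-campus.edu", "idp.other-campus.edu")
    print(accept_assertion(other, CERTIFIED_IDPS, sp, [INCOMMON_SILVER]))
    print(accept_assertion(other, CERTIFIED_IDPS, sp, [INCOMMON_SILVER, UCTRUST_BASIC]))
```

The point of the `certified_idps` gate is the audit step in the InCommon model: an IdP's own claim to Silver is not enough, the SP honours the IAQ only while the federation's certification status says so. During the transition on the roadmap, an SP that lists both `INCOMMON_SILVER` and `UCTRUST_BASIC` in `required_iaqs` accepts either; dropping `UCTRUST_BASIC` from that list is the change that slide 36's "no longer need to accept UCTrust Basic assertions" implies.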

  31. Roadmap For Moving To Silver: a roadmap to using InCommon Silver profile identities for UCTrust and InCommon applications.

  32. InCommon Silver Roadmap: Past Work
     • UCTrust Working Group discussed issues, including how to proceed (December 2010 – March 2011).
     • UC Berkeley and UC Davis performed a gap analysis and a level-of-effort analysis (October 2010 – March 2011).
     • UC Berkeley and UC Davis participated with CIC (Virginia Tech and Indiana U) on a joint panel presentation at the Educause Security Professionals Conference in April 2011.
     • UCTrust Working Group provided feedback to the InCommon Federation TAC on their 1.1 draft documents via David Walker (December 2010 – March 2011).
     • ITPS and UCTrust Working Group are discussing InCommon Silver in April 2011.

  33. InCommon Silver Roadmap: Spring 2011
     • Ask each campus location to perform a high-level gap analysis and report results to the UCTrust Working Group by mid-May. (See slide 16.)
     • ITPS and UCTrust Working Group to share the high-level gap analysis and the proposed project plan to move to InCommon Silver with the ITLC at the June 2011 meeting.

  34. InCommon Silver Roadmap: Next Steps If Plan Is Approved
     • Each UC location to perform a detailed gap analysis, create its local project plan for InCommon Silver certification, and report results to its CIO. UCTrust will collect the UC location project plans.
     • Based on the UC location project plans, ITPS and UCTrust Working Group to provide a UC-wide plan to ITLC.

  35. InCommon Silver Roadmap: Next Steps
     • UCTrust Working Group to update the UCTrust Policy document to align with the use of InCommon Silver Policy for IdPs and UCTrust Basic Policy for Service Providers.
     • UC locations to initiate work to meet InCommon Silver profile standards.
     • UCTrust Working Group to ask SPs to accept both InCommon Silver and UCTrust assertions.
     • UC locations run a campus audit to meet InCommon Silver profile standards, then request certification from the InCommon Federation.

  36. InCommon Silver Roadmap: Next Steps
     • After approval from the InCommon Federation, UC locations can begin to use InCommon Silver identities for UCTrust and InCommon applications.
     • UCTrust Working Group to tell SPs that they no longer need to accept UCTrust Basic assertions.

  37. Resources

  38. InCommon Resources at http://incommonfederation.org
     • Case Studies – learn what has worked for others (iTunes U)
     • Collaboration Groups – focus on the issues that are of most value to your institution
     • CAMP – learn how to get started
     • Toolkits – use well-developed materials to state your case
     • InCommon Identity Assurance Program
     • Also: CIC InCommon Silver Project – Phase 1 report

  39. UCTrust Resources
     • UCTrust: http://www.ucop.edu/irc/itlc/uctrust/
     • UCTrust University of California Identity Management Federation Service Description and Policies: http://www.ucop.edu/irc/itlc/uctrust/trustpolicy032707.html

  40. Questions and Contact Information
     • Bob Ono, UC Davis, raono@ucdavis.edu
     • Dedra Chamberlin, UC Berkeley, dedra@berkeley.edu
     • David Walker, UC Davis, dhwalker@ucdavis.edu
     • Doreen Meyer, UC Davis, dimeyer@ucdavis.edu

  41. Additional Information for Review

  42. Federal Assurance Framework LOA2 Adopted by InCommon and UCTrust
     • Level of Assurance (LOA) is based on a risk assessment of unauthorized access, authentication error, or credential misuse.
     • Risk criteria (OMB-04-04) include:
       • Inconvenience, distress, or damage to reputation
       • Financial loss or liability
       • Harm to agency programs or public interest
       • Unauthorized release of sensitive information
       • Personal safety
       • Civil or criminal violations

  43. Levels of Assurance (LOA) at UC Campuses

  44. KEY: Gap: Category (4.2.&lt;criteria section number&gt;)

  45. InCommon
     • InCommon provides a framework of shared policies, trust-establishing processes, and technology standards for universities and service partners to follow.
