Identity Management Realities in Higher Education NET Quarterly Meeting, January 12, 2005
Higher Education IT Environment • Open campus, easy physical access to wired and wireless network • Open network, no firewall or address translation to Internet – like an ISP • Heterogeneous client computers • Mix of very knowledgeable and very naïve users
IT Security Risks Escalate • More and more important information and transactions are online: • Personal identity information • Financial transactions • Course enrollment, grades • Tests, quizzes administered online • Licensed materials • Confidential research data • We must comply with increasingly strict regulations: • Health information - HIPAA: http://www.hhs.gov/ocr/hipaa/ • Educational records - FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Dartmouth’s Identity Management • Timesharing (’70s) and Dartmouth Name Directory (’80s) pre-dated LDAP and AD • LDAP now (with legacy DND interface for backwards compatibility) • Everyone has an LDAP entry • Passwords centrally managed in LDAP • Now provisioning accounts for applicants An early start, but now pretty standard fare…
More to the Picture… Having a good directory is important… but we also need to be sure the individual at the keyboard is who they claim to be. Sometimes stronger identity management can actually reduce security: it eliminates the obscurity of scattered per-application accounts and lets a single password, once shared or stolen, unlock many more applications.
Password Sharing • Corrupts the value of username/password for authentication • Sticky notes next to the computer • Files (even web pages full of passwords) • Logging co-workers onto a system so they can help • Social engineering is a huge vulnerability!
Users Do Share Passwords • PKI Lab survey of 171 undergraduates: 75% of them shared passwords, and fewer than 50% changed the password afterwards • Social engineering examples in “Probing End-User Security Practices – Through Homework” (Prof. Sean Smith) • Offering squirt guns in exchange for passwords was 80% effective • 83% provided their password to a bogus survey web site: www.educause.edu/ir/library/pdf/eqm0449.pdf • Need two-factor authentication to address password sharing. Lest you think your users are different, remember that students comprise the future workforce.
PKI Provides Two Factor Authentication • Something the user has (credentials stored in the application, or on a smartcard or token) • Something the user knows (the password that unlocks those credentials) • Significant security improvement • Reduces exposure to password sharing (a token is difficult to share, and the password alone is useless without it)
Underlying Key Technology • Asymmetric key encryption: a key pair in which what one key encrypts only the other can decrypt. • Private key kept secret and carefully protected by its holder. • Public key freely distributed. • In authentication, the server challenges the client to sign (or decrypt) a fresh random value with the private key; the ability to do so proves possession of the key, and hence the identity bound to it. • The private key and the password that unlocks it never leave the user’s possession; only the response to the challenge is sent over the network.
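The challenge-response exchange described above, as an added example (not code from the slides or from the Dartmouth PKI Lab): both sides of the protocol in Go, using Ed25519 from the standard library in place of the RSA key pairs that campus certificates of the time would carry. The user name, the in-memory map that stands in for an LDAP-backed directory, and the impostor and replay scenarios are all constructed for the illustration; a production server would validate the client's certificate chain rather than hold a hand-registered public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds, per user, the public key found in the directory and the
// single outstanding challenge issued to that user (constructed stand-in
// for a directory lookup; not the PKI Lab's code).
type Server struct {
	directory map[string]ed25519.PublicKey
	issued    map[string][]byte
}

func NewServer() *Server {
	return &Server{directory: map[string]ed25519.PublicKey{}, issued: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.directory[user] = pub }

// Challenge issues 32 fresh random bytes the client must sign. A new value
// per attempt is what stops a captured response from being replayed.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.directory[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[user] = c
	return c, nil
}

// Verify accepts a response only for the challenge currently outstanding for
// that user, then discards the challenge so it cannot be used twice.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	c, ok := s.issued[user]
	if !ok || !bytes.Equal(c, challenge) {
		return false
	}
	delete(s.issued, user)
	return ed25519.Verify(s.directory[user], challenge, sig)
}

// Client holds the private key, which never leaves this side of the exchange.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

// Respond signs the challenge; only this signature crosses the network.
func (c *Client) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Authenticate runs the full server/client exchange and reports the outcome.
func Authenticate(s *Server, c *Client) (bool, error) {
	chal, err := s.Challenge(c.user)
	if err != nil {
		return false, err
	}
	return s.Verify(c.user, chal, c.Respond(chal)), nil
}

// RunAuthDemo exercises three constructed scenarios: the genuine key holder,
// an impostor who knows the user name but holds a different key, and a
// replay of a previously captured valid response.
func RunAuthDemo() (genuine, impostor, replay bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, wrongPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	srv := NewServer()
	srv.Register("alice", pub)
	alice := &Client{user: "alice", priv: priv}
	mallory := &Client{user: "alice", priv: wrongPriv}

	if genuine, err = Authenticate(srv, alice); err != nil {
		return
	}
	if impostor, err = Authenticate(srv, mallory); err != nil {
		return
	}
	// Replay: capture one valid (challenge, signature) pair, let it be used,
	// then present the same pair against the next challenge.
	chal, err := srv.Challenge("alice")
	if err != nil {
		return
	}
	sig := alice.Respond(chal)
	srv.Verify("alice", chal, sig)
	if _, err = srv.Challenge("alice"); err != nil {
		return
	}
	replay = srv.Verify("alice", chal, sig)
	return
}

func main() {
	genuine, impostor, replay, err := RunAuthDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine key: %v, wrong key: %v, replayed response: %v\n", genuine, impostor, replay)
}
```

The design point is the one the slide makes: the password that unlocks the key is never transmitted, so there is nothing for a sticky note, a bogus survey page, or a network sniffer to capture that would let someone else answer the next challenge.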
Digital Signatures (Attaching Identity to Electronic Forms and Documents) • Our computerized world still runs by handwritten signatures on paper. • Digital signatures promise to revolutionize many business processes: • Improve assurance of electronic transactions; verify and record digital signatures • Reduce paperwork via electronic forms • Faster, cheaper, more traceable business processes • Fundamental building block of Web Services • Federal digital signature information: http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78
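What "attaching identity to a form" looks like in code, as an added example (not code from the slides or from the PKI Lab): a completed form carries a detached Ed25519 signature over its contents together with the signer's directory name, and the verifier looks the signer up before checking the signature. The form body, the signer names and the in-memory directory are constructed for the illustration; in a real deployment the public key would come from the signer's certificate and the verifier would also check its validity and revocation status.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedForm is a completed electronic form plus a detached signature.
// Signer names the directory entry whose key must verify the signature.
type SignedForm struct {
	Signer string
	Body   []byte
	Sig    []byte
}

// formDigest binds the signer's name into what is signed, so a valid
// signature cannot be lifted onto a form attributed to someone else.
func formDigest(signer string, body []byte) []byte {
	h := sha256.New()
	h.Write([]byte(signer))
	h.Write([]byte{0}) // separator so name and body cannot run together
	h.Write(body)
	return h.Sum(nil)
}

// SignForm is run on the signer's machine with the signer's private key.
func SignForm(signer string, priv ed25519.PrivateKey, body []byte) SignedForm {
	return SignedForm{Signer: signer, Body: body, Sig: ed25519.Sign(priv, formDigest(signer, body))}
}

// VerifyForm is run by whoever processes the form: resolve the claimed signer
// in the directory, then check the signature against the current contents.
func VerifyForm(f SignedForm, directory map[string]ed25519.PublicKey) error {
	pub, ok := directory[f.Signer]
	if !ok {
		return errors.New("signer not in directory")
	}
	if !ed25519.Verify(pub, formDigest(f.Signer, f.Body), f.Sig) {
		return errors.New("signature does not match signer and form contents")
	}
	return nil
}

// RunFormDemo returns the verification result for an intact form, the same
// form altered after signing, the signature re-attributed to another
// directory user, and a signer with no directory entry at all.
func RunFormDemo() (intact, altered, moved, unknown error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bobPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed directory and form body; not real people or amounts.
	dir := map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub}
	body := []byte("form=financial-aid;student=alice;term=spring2005;amount=1500")

	f := SignForm("alice", alicePriv, body)
	intact = VerifyForm(f, dir)

	t := f
	t.Body = []byte("form=financial-aid;student=alice;term=spring2005;amount=9500")
	altered = VerifyForm(t, dir)

	m := f
	m.Signer = "bob"
	moved = VerifyForm(m, dir)

	u := f
	u.Signer = "carol"
	unknown = VerifyForm(u, dir)
	return
}

func main() {
	intact, altered, moved, unknown := RunFormDemo()
	fmt.Println("intact:", intact)
	fmt.Println("altered:", altered)
	fmt.Println("moved to bob:", moved)
	fmt.Println("unknown signer:", unknown)
}
```

The traceability the slide promises comes from the pair (signer name, signature) stored alongside the form: anyone holding the directory can later re-run VerifyForm and show that exactly this content was approved by exactly this person.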
Inter-institutional Trust • Accepting credentials issued by a trusted collaborating institution • Signed forms and documents for business processes (e.g. grant applications, financial aid forms, government reports) • Signed and encrypted email from a colleague at another school • Authentication to applications shared among consortiums of schools
Dartmouth PKI Lab • R&D to make PKI a practical component of campus networks • Multi-campus collaboration sponsored by the Mellon Foundation • Dual objectives: • Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere) • Improve the current state of the art: identify security issues in current products and develop solutions to the problems
For More Information • Outreach web: www.dartmouth.edu/~deploypki • Dartmouth PKI Lab information: www.dartmouth.edu/~pkilab • Dartmouth user information, getting a Dartmouth certificate: www.dartmouth.edu/~pki • Mark.J.Franklin@dartmouth.edu I’ll happily send copies of these slides upon request.