Learn about the importance of encrypting data at rest, using ECA certificates, and implementing federated authentication for federally funded research projects.
Federally Funded Research Security Scott Baily Colorado State University
Three things to cover • Encrypting Data at Rest • ECA Certificates • Federated authentication
Encrypting Data at Rest • Effective 07/03/2007, it is DoD Policy that: • All unclassified DoD data at rest that has not been approved for public release … shall be treated as sensitive unclassified information, and must be encrypted • Encryption shall be at a minimum compliant with NIST FIPS 140-2, and with a mechanism to ensure encrypted data can be recovered • See: http://www.esi.mil/uploaded_documents/0706RCK88127.pdf
Encrypting Data at Rest (cont’d) • All new computer assets procured to support the DoD enterprise must include the Trusted Platform Module (TPM) chip • DoD organizations were supposed to provide status reports regarding compliance to the DoD Information Assurance Office by 12/31/07
Definitions: • TPM – Chip attached to motherboard that stores keys, passwords, and digital certificates (see http://trustedcomputinggroup.org/groups/tpm) • Data at rest – Any data not being transmitted across a network or temporarily in memory • Sensitive Unclassified Information – Information that is not classified but is restricted from public disclosure
Encrypting Data at Rest (cont’d) • This policy applies to DoD employees as well as DoD grant recipients • Policy vs. Policing • FIPS 140-2 compliance may be an important evaluation criterion when considering encryption products
Approved Encryption Products Include: • Mobile Armor LLC’s Data Armor • Safeboot NV’s Safeboot Device Encryption • Info. Security Corp.’s Secret Agent • Encryption Solution Inc.’s SkyLock at Rest • Credant Tech. Inc’s Credant Mobile Guardian • Guardian Edge Tech.’s GuardianEdge • Several other (FIPS 140-2 compliant) solutions also qualify …
ECA Certificates • Digital certificates issued by official External Certificate Authorities enable secure communications with Feds • Certs allow • Identification • Digital Signatures • Public Key Encryption
ECA Certs are available from • IdenTrust (http://www.identrust.com) • Operational Research Consultants (ORC) (http://www.eca.orc.com) • Verisign (http://www.verisign.com/)
ECA Certs (cont’d) • Cost is approximately $250/certificate • CSU has about 120 researchers who may require ECA certs at some time • $30K problem • Becoming a local issuing agent for one of the vendors lowers the cost to about $50/certificate
Federated Authentication • Definition (from Peter Alterman, NIH) An association of credential issuers and online service providers who agree to trust electronic identity credentials issued by each other at known levels of assurance. Corollary 1: issuers and service providers implement compatible technologies; Corollary 2: issuers are responsible and authoritative for the trustworthiness of the credentials they issue
The Objective • To enable electronic commerce and electronic transactions via a common, extensible trust infrastructure • Requires a common set of terminology, assumptions, procedures and protocols
What it really means • Two federations establish a sufficient trust relationship such that when one federation asserts that credentials of one of its members are credible at a particular level of assurance (LOA), the other federation accepts that assertion as if the authentication happened locally • Commerce and other transactions are then permitted without re-authenticating
Benefits • By trusting another federation, the scope and complexity of identity management can be greatly reduced • Lets organizations do their own IdM • Potential for single sign-on
Assumptions • Similar policies exist under which credentials are issued and managed • Similar procedures for vetting individuals’ identities should lead to similar LOAs • Compatible protocols (e.g. SAML) are used to exchange credential information
Gap Analysis • Higher Ed’s federation is InCommon, which is currently regarded to be at OMB LoA 1 (level 2 is rumored to be imminent; required for anything useful regarding federally sponsored research activities) • Documenting the process of assuring identities is probably the single most significant thing you can do
Federation Conclusion • Joining InCommon federation with LoA 2 will make Federal research grant management easier for researchers • Established PKI on campus is essential • Many of the issues between InCommon and eAuth have been sorted out • Still optional; each researcher may obtain a separate username/pw authentication for each Federal agency portal
Questions • Are most welcome