Security and Privacy
Renee Woodten Frost
Program Manager, Middleware Initiatives, Internet2
I2 Middleware Liaison, University of Michigan
Telemedicine Symposium, Ann Arbor, August 24, 2001
Topics
• Security: based in Middleware technology
• Medical Middleware
• Core middleware: the basic technologies
• Issues, Good Practices, Current Activities
  • Identifiers
  • Authentication
  • Directories
  • Authorization
  • PKI
• Shibboleth
• Video
Middleware Initiatives Acknowledgements
• Middleware Architecture Committee for Education (MACE) and the working groups
• Early Harvest - NSF catalytic grant and meeting
• Early Adopters - testbed campuses
• Higher Education partners - campuses, GRIDs, EDUCAUSE, CREN, AACRAO, NACUA, etc.
• Corporate partners - IBM, ATT, SUN, et al.
• Government partners - including NSF and the fPKI TWG
• International interactions
Remedial IT Architecture
• The proliferation of customizable applications requires a centralization of "customizations"
• The increase in power and complexity of the network requires access to user profiles
• Electronic personal security services are now an impediment to next-generation computing grids
• Inter-institutional applications require interoperable deployments of institutional directories and authentication
What is Middleware?
• Specialized networked services that are shared by applications and users
• A set of core software components that permit scaling of applications and networks
• Tools that take the complexity out of application integration
• A second layer of the IT infrastructure, sitting above the network
• A land where technology meets policy
• The intersection of what network designers and application developers each do not want to do
Specifically…
• Digital libraries need scalable, interoperable authentication and authorization.
• The Grid is a new paradigm for a computational resource; Globus provides middleware, including security, location and allocation of resources, and scheduling. This relies on campus-based services and inter-institutional standards.
• Instructional Management Systems need authentication and directories.
• Next-generation portals want common authentication and storage.
• Academic collaboration requires restricted sharing of materials between institutions.
• What Internet1 did with communication, Internet2 may do with collaboration.
Medical Middleware
• Unique requirements - HIPAA, disparate relationships, extended community, etc.
• Unique demands - 7x24, visibility
• PKI seen as a key tool
• MACEMed - representatives from academic medical centers - formed to explore the issues
The complex challenges of academic medical middleware
• Intra-realm issues - multiple vendors, proprietary systems, evolving regulations
• Enterprise issues - security, directories, authorization; balance of institutional and medical enterprises
• Inter-realm issues - standards, gateways, common operational processes and policies, performance
• Multiple communities of interest - institutional, medical center, affiliated hospitals, state and federal regulatory and certification organizations, insurance companies, medical researchers, etc.
The applications view of medical upperware (figure)
Scenario: a VA Clinical System (the client in this scenario) requests lab data on this soldier for this time frame from a DoD Clinical System (the server in this scenario).
Steps shown between request and response: Who's asking? What role? What is the need to know? Convert to the server's terms. Where is the lab info on this person? Who is this person? Who knows this person? Request the observation.
Services in the figure: Person Identification Service (PIDS), Health Information Locator Service (HILS), Terminology Query Service (TQS, outbound), Clinical Observation Access Service (COAS), Resource Access Decision (RAD).
The Grid
• A model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc.
• Globus (www.globus.org) is the software that implements most of these components; Legion is another such software environment
• Needs to integrate with campus infrastructure
• Gridforum (www.gridforum.org) - umbrella activity of agencies and academics
• Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.
A Map of Middleware (figure)
Core Middleware
• Identity - unique markers of who you (person, machine, service, group) are
• Authentication - how you prove or establish that you are that identity
• Directories - where an identity's basic characteristics are kept
• Authorization - what an identity is permitted to do
• PKI, etc. - emerging tools for security services
Major Campus Identifiers
• UUID
• Student and/or emplid
• Person registry ID
• Account login ID
• Enterprise-LAN ID
• Student ID card
• Net ID
• Email address
• Library/departmental ID
• Publicly visible ID (and pseudo-SSN)
• Pseudonymous ID
General Identifier Characteristics
• Uniqueness (within a given context)
• Dumb vs intelligent (i.e. whether subfields have meaning)
• Readability (machine vs human vs device)
• Affordance (centrally versus locally provided)
• Resolver approach (how the identifier is mapped to its associated object)
• Metadata (both associated with the assignment and resolution of an identifier)
• Persistence (permanence of the relationship between identifier and specific object)
• Granularity (degree to which an identifier denotes a collection or component)
• Format (e.g. check digits)
• Versions (can the defining characteristics of an identifier change over time)
• Capacity (size limitations imposed on the domain or object range)
• Extensibility (the capability to intelligently extend one identifier to be the basis for another identifier)
Important Characteristics
• Semantics and syntax - what it names and how it names it
• Domain - who issues it and over what space the identifier is unique
• Revocation - can the subject ever be given a different value for the identifier
• Reassignment - can the identifier ever be given to another subject
• Opacity - is the real-world subject easily deduced from the identifier - privacy and use issues
Identifier Mapping Process
• Map campus identifiers against a canonical set of functional needs
• For each identifier, establish its key characteristics, including revocation, reassignment, privileges, and opacity
• A key first step towards the loftier middleware goals
Authentication Options
• Password-based
  • Clear text
  • LDAP
  • Kerberos (Microsoft or K5 flavors)
• Certificate-based
• Others: challenge-response, biometrics
• Inter-realm is now the interesting frontier
Authentication Issues
• User-side management - crack, change, compromise
• Central-side password management - change management, OS security
• First password assignment - secure delivery
• Policies - restrictions or requirements on use
Authentication Good Practices
• Precrack new passwords
• Precrack using foreign dictionaries as well as US
• Confirm new passwords are different from old
• Require a password change if possibly compromised
• Use shared secrets or positive photo ID to reset forgotten passwords
  • US Mail a one-time password (time-bomb)
  • In person with a photo ID (some require two)
  • For remote faculty or staff, an authorized departmental representative in person, coupled with a faxed photo ID
• Initial identification/authentication will emerge as a critical component of PKI
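The password practices on this slide, as an added example in Python (not code from the slides or from Internet2): a precrack pass over US and foreign wordlists with the cheap mangling a cracker tries first, a reuse check against salted hashes of the user's earlier passwords, and a time-limited one-time reset code of the kind that can be sent by mail and redeemed once. The wordlists, the password history and the timestamps are constructed for the example; a real deployment would load full cracking dictionaries from disk and keep the hashes in the central credential store.

```python
"""Password good practices from the slide, as runnable checks.

Constructed for the example: the tiny wordlists stand in for real US and
foreign cracking dictionaries, and the history/reset records stand in for a
central credential store.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000  # PBKDF2 work factor for stored password hashes

# Stand-in dictionaries; real ones are large and loaded from disk.
DICTIONARIES = {
    "en": {"password", "welcome", "michigan", "wolverine", "summer"},
    "de": {"passwort", "willkommen", "sommer"},
    "es": {"contrasena", "bienvenido", "verano"},
}

# Cheap mangling rules a cracker tries first: leet substitutions and
# trailing digits/punctuation.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def _candidates(password):
    """Yield the plain forms a dictionary cracker would test for this password."""
    base = password.lower()
    stripped = base.rstrip("0123456789!?.")
    for form in (base, base.translate(_LEET), stripped, stripped.translate(_LEET)):
        yield form


def precrack(password, dictionaries=DICTIONARIES):
    """Return the dictionary ('en', 'de', ...) that cracks the password, or None."""
    for form in _candidates(password):
        for lang, words in dictionaries.items():
            if form in words:
                return lang
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash: what the central store keeps, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def same_as_old(password, history):
    """True if the password matches any (salt, digest) pair in the user's history."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def check_new_password(password, history, min_length=8):
    """Apply the slide's rules to a proposed password; 'ok' means accepted."""
    if len(password) < min_length:
        return "too short"
    lang = precrack(password)
    if lang is not None:
        return f"found in {lang} dictionary"
    if same_as_old(password, history):
        return "same as a previous password"
    return "ok"


def issue_reset_code(user, ttl_seconds=10 * 24 * 3600, now=None):
    """One-time password for a forgotten-password reset (e.g. sent by US Mail).

    Returns the code to deliver and the record to store; the record holds only
    a hash of the code plus its expiry, so a leaked record is not a usable code.
    """
    now = time.time() if now is None else now
    code = secrets.token_hex(5)  # 10 hex characters; fits on a letter
    record = {
        "user": user,
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + ttl_seconds,
        "used": False,
    }
    return code, record


def redeem_reset_code(code, record, now=None):
    """True exactly once, and only before the code 'time-bombs'."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["code_hash"]):
        return False
    record["used"] = True
    return True


if __name__ == "__main__":
    history = [hash_password("Tr0ub4dor&3")]
    for pw in ("W0lverine1!", "Willkommen", "Tr0ub4dor&3", "c0rrectHorse!"):
        print(f"{pw:16} -> {check_new_password(pw, history)}")
    code, rec = issue_reset_code("jdoe", ttl_seconds=60, now=1000.0)
    print("redeem in time:", redeem_reset_code(code, rec, now=1030.0))
    print("redeem again:  ", redeem_reset_code(code, rec, now=1031.0))
```

The reset record is the part worth copying: the code itself is never stored, the expiry is checked before the hash comparison, and the comparison is constant-time, so neither a database leak nor timing gives an attacker the mailed code.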
User ID/Password Authentication: Risky
• Too, too many user ID/password pairs to remember
• Too easy to share passwords
• User's perception as to the password's importance
• Passwords used online can easily be captured
• Separate user ID/password pairs used to determine authorization rights
• Too many individuals other than the user can alter a user's password
Digital ID (Certificate) Authentication
• The private key (unlocked by a password) is known only to its "owner"
• The private key is never transmitted on the network; only a signature made with it is
• Digital ID verified by a third party
• Digital ID globally recognized
• Multiple mechanisms for detecting a revoked digital ID
• Can be a strong, two-factor authentication process
Directories
• To store certificates
• To store Certificate Revocation Lists (CRLs)
• To store private keys, for the time being
• To store attributes
• Implement with border directories, or Access Control Lists (ACLs) within the enterprise directory, or proprietary directories
Directory Issues
• Applications
• Overall architecture
  • chaining and referrals, redundancy and load balancing, replication, synchronization, directory discovery
• The Schema and the DIT (Directory Tree)
  • attributes, organizational units (ou), naming, object classes, groups
• Attributes and indexing
• Management
  • clients, delegation of access control, data feeds
A Campus Directory Architecture (figure)
Layers shown: border directory; metadirectory; enterprise directory; OS directories (MS, Novell, etc.); departmental directories; directory database; registries; source systems.
Directory Management Good Practices
• No trolling (bulk harvesting of entries) permitted; more search than read
• LDAP client access versus web access
• Give deep thought to who can update
• Give deep thought to when to update
• LDIF likely to be replaced by XML as the exchange format
• Delegation of control - scalability
• "See also", referrals, replication, synchronization in practice
• Replication should not be subtree-based; it should be filtered by rules and attributes
Current Activities in Directories
• LDAP Recipe
• eduPerson
• MACE-DIR working group
• Directory of Directories for Higher Education
• Metadirectories
LDAP Recipe
• How to build and operate a directory in higher education
• 1 Tsp. DIT planning, 1 Tbsp. schema design, 3 oz. configuration, 1000 lbs. of data
• Good details, such as tradeoffs/recommendations on indexing, how and when to replicate, etc.
• http://www.georgetown.edu/giia/internet2/ldap-recipe/
eduPerson
• A directory object class intended to support inter-institutional applications
• Fills gaps in traditional directory schema
• For existing attributes, states good practices where known
• Specifies several new attributes and a controlled vocabulary to use as values
• Provides suggestions on how to assign values, but leaves it to the institution to choose
• Version 1.0 standard; v 1.5 under discussion
Issues about Upper Class Attributes
• eduPerson inherits attributes from person and inetOrgPerson
• Some of those attributes need conventions about controlled vocabulary (e.g. telephones)
• Some of those attributes need ambiguity resolved via a consistent interpretation (e.g. email address)
• Some of the attributes need standards around indexing and search (e.g. compound surnames)
• Many of those attributes need access control and privacy decisions (e.g. JPEG photo, email address, etc.)
New eduPerson Attributes
• eduPersonAffiliation
• eduPersonPrimaryAffiliation
• eduPersonOrgDN
• eduPersonOrgUnitDN
• eduPersonPrincipalName
• eduPersonNickname
eduPersonAffiliation
• Multi-valued list of relationships an individual has with the institution
• Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee
• Applications that use it: Shibboleth, digital libraries, Directory of Directories for Higher Ed
eduPersonPrincipalName
• Form: userid@securitydomain
• EPPN may look like an email address, but it is used by different systems
• One must be able to authenticate against the EPPN
• Used in inter-realm authentication such as Shibboleth
• In some situations it can be used in access control lists; if so, a site should make sure what the reassignment policy is
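An added example in Python (not code from the slides, from Internet2 or from the eduPerson specification) that serves the eduPerson slides above together with the directory good-practices slide earlier on the page: it checks eduPersonAffiliation values against the controlled vocabulary listed on the slide, checks that eduPersonPrincipalName has the userid@securitydomain form and belongs to the institution's own realm, and then writes an attribute-filtered LDIF export for a border directory, the rule-and-attribute-filtered replication the directory slide recommends instead of copying a subtree. The sample entries, the example.edu realm and the allow-list of attributes permitted to leave the enterprise directory are constructed for the example.

```python
"""eduPerson value checks and an attribute-filtered border-directory export.

Constructed for the example: the entries, the example.edu realm and the list
of attributes allowed to leave the enterprise directory. The affiliation
vocabulary is the one on the eduPersonAffiliation slide.
"""
import base64
import re

AFFILIATIONS = {"faculty", "staff", "student", "alum", "member", "affiliate", "employee"}

# userid@securitydomain: looks like an email address but is a principal name.
EPPN_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Attributes that may be replicated to the border directory. jpegPhoto and
# internal identifiers stay inside: the privacy decisions the
# "upper class attributes" slide asks for.
BORDER_ATTRS = ("cn", "sn", "mail", "eduPersonAffiliation", "eduPersonPrincipalName")


def validate(entry, realm):
    """Return the problems with one eduPerson entry; an empty list means valid."""
    problems = []
    affiliations = entry.get("eduPersonAffiliation", [])
    unknown = [a for a in affiliations if a not in AFFILIATIONS]
    if unknown:
        problems.append("eduPersonAffiliation outside controlled vocabulary: " + ", ".join(unknown))
    primary = entry.get("eduPersonPrimaryAffiliation")
    if primary is not None and primary not in affiliations:
        problems.append("eduPersonPrimaryAffiliation is not one of the eduPersonAffiliation values")
    eppn = entry.get("eduPersonPrincipalName", "")
    if not EPPN_RE.match(eppn):
        problems.append("eduPersonPrincipalName must be userid@securitydomain")
    elif eppn.rsplit("@", 1)[1].lower() != realm.lower():
        problems.append(f"eduPersonPrincipalName is not in realm {realm}")
    return problems


def _ldif_line(attr, value):
    """LDIF attribute line; values that are not SAFE-STRING go base64 ('::')."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def border_export(entries, realm, allowed=BORDER_ATTRS, rule=None):
    """Replicate by rule and attribute, not by subtree: LDIF for the border directory.

    rule decides which entries are in scope (default: anyone with the
    'member' affiliation); allowed decides which attributes travel.
    """
    rule = rule or (lambda e: "member" in e.get("eduPersonAffiliation", []))
    records = []
    for entry in entries:
        if validate(entry, realm) or not rule(entry):
            continue  # bad data and out-of-scope entries never leave the enterprise
        lines = [_ldif_line("dn", entry["dn"])]
        for attr in allowed:
            values = entry.get(attr)
            if values is None:
                continue
            for value in ([values] if isinstance(values, str) else values):
                lines.append(_ldif_line(attr, value))
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


# Constructed sample entries (multi-valued attributes as lists).
ENTRIES = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=edu", "cn": "Jane Doe", "sn": "Doe",
     "mail": "jdoe@example.edu", "jpegPhoto": "<binary blob>",
     "eduPersonAffiliation": ["staff", "member"], "eduPersonPrimaryAffiliation": "staff",
     "eduPersonPrincipalName": "jdoe@example.edu"},
    {"dn": "uid=pmueller,ou=people,dc=example,dc=edu", "cn": "Pål Müller", "sn": "Müller",
     "mail": "pmueller@example.edu",
     "eduPersonAffiliation": ["student", "member"], "eduPersonPrimaryAffiliation": "student",
     "eduPersonPrincipalName": "pmueller@example.edu"},
    {"dn": "uid=guest7,ou=people,dc=example,dc=edu", "cn": "Visiting Guest", "sn": "Guest",
     "eduPersonAffiliation": ["affiliate"],            # not a member: stays inside
     "eduPersonPrincipalName": "guest7@example.edu"},
    {"dn": "uid=bad1,ou=people,dc=example,dc=edu", "cn": "Bad Record", "sn": "Record",
     "eduPersonAffiliation": ["visitor", "member"],    # not in the vocabulary
     "eduPersonPrincipalName": "bad1"},                # no security domain
]

if __name__ == "__main__":
    for entry in ENTRIES:
        print(entry["dn"], validate(entry, "example.edu") or "ok")
    print(border_export(ENTRIES, "example.edu"))
```

Two details matter for the border directory: an entry that fails validation is withheld rather than exported with a best-effort fix, so bad data cannot reach partner institutions, and the EPPN realm check stops an entry from asserting a principal name in a security domain the site does not operate. Non-ASCII names come out base64-encoded on `::` lines, as LDIF requires.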
MeduPerson
• Is there a need for a MeduPerson?
• New initiative to define a Medical Person specification for use with AAMC's faculty roster system application
• Ultimate goal of leveraging registry and directory efforts
Key Issues for MACE-Dir
• Revisions to eduPerson 1.0
• Internationalization of eduPerson; extension to GridPerson, MeduPerson
• Affiliated Directories
• Groups within directories
• Groups between institutions
A Directory of Directories (DoDHE)
• An experiment to build a combined directory search service
• To show the power of coordination
• Will highlight the inconsistencies between institutions
• Technical investigation of load and scaling issues, centralized and decentralized approaches
• Human-interface issues - searching large name spaces with limits by substring, location, affiliation, etc.
• Sun donated a server and an iPlanet license (6,000,000 DNs)
• Michael Gettes of Georgetown is project lead
Metadirectories
• www.architech.no is now Metamerge
• Higher Education contact for the USA: Keith Hazelton, University of Wisconsin - Madison, hazelton@doit.wisc.edu
• This product is available free of charge to Higher Ed in the USA
• Source code will be in escrow
Public Key Infrastructure (PKI)
• Software, protocols, and legal agreements necessary to effectively use certificates:
  • Certificate Authority
  • Registration Authorities
  • PKI management tools
  • Directories to store certs, public keys, maybe private
  • Database and key-management software
  • Applications - certificate-enabled
  • Trust models (hierarchy and bridges)
  • Policies
Current State of PKI
• Why PKI?
• The Four Stages of PKI
• Other sectors
  • Federal Activities - fBCA, NIH Pilot, ACES, other
  • Healthcare - HIPAA
  • State governments - E-Sign, Draft CP
  • Corporate Deployments
  • European activities
  • The Industry
• Higher Ed - PAG, TAG, PKI Labs
Why PKI?
• Single infrastructure to provide all security services
• Established technology standards, though little operational experience
• Elegant technical underpinnings
• Serves dozens of purposes - authentication, authorization, object encryption, digital signatures, communications channel encryption
• Low cost in mass numbers
Why Not PKI?
• High legal barriers
• Lack of mobility support
• Challenging user interfaces, especially with regard to privacy and scaling
• Persistent technical incompatibilities
• Overall complexity
D. Wasley's PKI Puzzle (figure)
The Four Planes of PKI
• On the road to general-purpose inter-realm PKI
• The planes represent different levels of simplification from the dream of a full inter-realm, intercommunity, multipurpose PKI
• Simplifications in policies, technologies, applications, scope
• Each plane provides experience and value
The Four Planes are
• Full inter-realm PKI (Boeing 777) - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues
• Simple inter-realm PKI (Regional jets) - multipurpose within a community, operating under standard policies and structured hierarchical directory services
• PKI-light (Corporate jets) - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities
• PKI-ultralight (Ultralights) - easiest to construct and a useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...
Examples of Areas of Simplification
• Spectrum of assurance levels
• Signature algorithms permitted
• Range of applications enabled
• Revocation requirements and approaches
• Subject naming requirements
• Treatment of mobility
• ...
PKI-Light example
• CP: Wasley et al. Draft HE Certificate Policy, reduced to basic/rudimentary
• CRL: ?
• Applications: (signed email)
• Mobility: password enabled
• Signing: md5RSA (the 2001 choice; MD5-based signatures are now considered broken and SHA-256 is used instead)
• Thumbprint: sha1 (likewise superseded by SHA-256)
• Naming: dc
• Directory services needed: inetOrgPerson
PKI-Ultralight example
• CP: none
• CRL: limited lifetime
• Applications: VPN, internal web authentication
• Mobility: not specified
• Signing: not specified
• Thumbprint: sha1
• Naming: not specified
• Directory services needed: none
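The PKI-ultralight row above, with the dc-style naming of the PKI-light row, as an added example (not from the slides or from any Internet2 project) in POSIX shell using the openssl command line: a self-signed institutional CA with no certificate policy, one end-entity certificate, a short-lived CRL, and a verification step that is consulted both before and after revocation. Signing uses sha256 rather than the md5RSA of 2001. Directory services are skipped, as on the ultralight row. The example.edu naming, the 30-day certificate and 1-day CRL lifetimes and the certificate profile in the config are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a "PKI-ultralight" with the openssl CLI. Assumed for the
# example: the example.edu naming, the 30-day/1-day lifetimes and the
# certificate profile below. Nothing here is from the slides.
set -eu

# Minimal configuration for `openssl req` (self-signed CA, CSR) and
# `openssl ca` (issuance, revocation, CRL). Paths are relative to the work dir.
pki_write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_user ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = ultralight
[ ultralight ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/issued
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = policy_dc
[ policy_dc ]
domainComponent = optional
userId          = optional
commonName      = supplied
EOF
}

# Create the CA and issue one user certificate; print the work directory.
pki_ultralight_build() {
  work=$(mktemp -d) || return 1
  pki_write_config "$work" || return 1
  mkdir "$work/issued" || return 1
  : > "$work/index.txt"; echo 01 > "$work/serial"; echo 01 > "$work/crlnumber"
  (
    cd "$work" || exit 1
    # Self-signed CA; dc-style naming as on the PKI-light row.
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/DC=edu/DC=example/CN=Example Ultralight CA" \
      -keyout ca.key -out ca.crt >/dev/null 2>>openssl.log || exit 1
    # End-entity key and request; the private key stays with the user.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
      -subj "/DC=edu/DC=example/UID=jdoe/CN=Jane Doe" \
      -keyout user.key -out user.csr >/dev/null 2>>openssl.log || exit 1
    # The CA signs it (CP "none": no certificate policy is asserted).
    openssl ca -batch -notext -config pki.cnf -extensions v3_user \
      -in user.csr -out user.crt >/dev/null 2>>openssl.log || exit 1
  ) || return 1
  echo "$work"
}

# Path validation; once a CRL has been published, revocation is checked too.
pki_ultralight_verify() {
  if [ -f "$1/ca.crl" ]; then
    openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/ca.crl" "$1/user.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/ca.crt" "$1/user.crt" >/dev/null 2>&1
  fi
}

# Revoke the user certificate and publish the one-day CRL.
pki_ultralight_revoke() {
  (
    cd "$1" || exit 1
    openssl ca -config pki.cnf -revoke user.crt >/dev/null 2>>openssl.log || exit 1
    openssl ca -config pki.cnf -gencrl -out ca.crl >/dev/null 2>>openssl.log || exit 1
  )
}

# Stand-alone run: the certificate verifies before revocation and is rejected after.
pki_ultralight_demo() {
  dir=$(pki_ultralight_build) || return 1
  pki_ultralight_verify "$dir" && echo "before revocation: OK" || { echo "before revocation: REJECTED"; return 1; }
  pki_ultralight_revoke "$dir" || return 1
  if pki_ultralight_verify "$dir"; then echo "after revocation: accepted (unexpected)"; return 1; fi
  echo "after revocation: REJECTED (CRL consulted)"
  echo "work dir: $dir"
}

pki_ultralight_demo
```

The one-day `default_crl_days` is the "limited lifetime" CRL of the slide: a relying party that caches the CRL learns of a revocation within a day at most, at the cost of having to refetch it daily. Without `-crl_check` the revoked certificate still verifies, which is why the verify function switches it on as soon as a CRL exists.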
Federal Activities
• fBCA
• NIH Pilot
• fPKI TWG
• others
• Internet2/NIH/NIST research conference
• ...
Healthcare
• HIPAA - Privacy specs issued
• HIPAA - Security specs not yet done
• Two-year compliance phase-ins
• Little progress in community trust agreements
• Non-PKI HIPAA compliance options
Corporate deployments
• Success stories within many individual corporations for VPN, authentication
• No current community
• ABA guidelines
• Others...
State Governments
• UCITA
• NECCC Draft State Certificate Policy