1 / 19

Credentialing in Higher Education

Credentialing in Higher Education. Michael R Gettes Duke University gettes@duke.edu CAMP, June 2005, Denver. What’s this presentation about?. This will start out with a wide scope and seem scary. At the end… a common understanding of what is “good enough”

gerryt
Télécharger la présentation

Credentialing in Higher Education

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Credentialing in Higher Education Michael R Gettes Duke University gettes@duke.edu CAMP, June 2005, Denver

  2. What’s this presentation about? • This will start out with a wide scope and seem scary. • At the end… • a common understanding of what is “good enough” • Tools to help you determine “good enough” • National initiatives pointing to common understanding of credentialing

  3. What is Credentialing?? • ID Proofing - Processes determining who someone claims to be prior to issuing electronic credentials. • And then… • Associating meta-data about those processes for repeated longer-term evaluation by applications and authN/Z infrastructure for access management. Levels of Assurance (LoA) …

  4. What is Credentialing?? (2) • Issuance of Electronic Credentials • Initial issuance and re-cred (like password reset) • Password Strength Mechanisms • Credential Verification Services • Validating an identity or assertion • Methods for Application Classification with respect to Levels of Assurance • Exposing all of this, appropriately, for evaluation by others so they can determine if they want to trust your organization.

  5. Policy Calculus • Within your institution • To effectively offer services, access to core business systems, differentiate communities (faculty, student, staff, etc), access to resources (high perf computing). Local policy, practice, lore. • Within Higher Education • Participation in consortia, research projects, federations, global services is requiring exposure of credentialing practices. InCommon Participant Operational Practices Statement (POPS).

  6. Policy Calculus (2)US Government Activity • Homeland Security Presidential Directive #12 • Policy for a Common Identification Standard for Federal Employees and Contractors • States there will be mandatory, Government-wide standards for secure authentication (not just E) • OMB E-Authentication Guidance M-04-04 • NIST Special Pub 800-63 (Electronic Authentication Guideline) • Defines 4 Levels of Assurance for E-Authentication. Impacts Credentialing. • Federal E-Authentication Initiative • Credential Assessment Framework

  7. (pause)Terminology • CSP - Credential Service Provider - A trusted entity issuing electronic credentials to subscribers • RA - Registration Authority - Vouches for the identity of a subscriber to a CSP • Identity Proofing - Process by which CSP and RA uniquely identify a person/entity • RP - Relying Party - an entity relying upon the credentials issued by a CSP • LoA - Level of Assurance - Classification of ID proofing suitable for electronic use to control access to information

  8. OMB M-04-04 (E-Authentication Guidance) • Defines required Level of Assurance (LoA) in terms of consequences to an authN error. As consequences become more serious, the LoA increases. • This guidance also provides criteria for determining LoA for specific applications and transactions based on risk and likelihood of occurrence. • Supplements the Implementation of GPEA (Government Paperwork Elimination Act)

  9. NIST SP800-63Levels of Assurance (LoA) • Level 1: No ID Proof requirement but assures claimant is consistent. Plaintext passwords/secrets are not transmitted over the wire. Allows any token methods in Levels 2, 3 and 4. • Level 2: Introduces ID proofing requirements (verification not required). Single factor authN methods (wide range). Allows for tokens at Levels 3 and 4 as well as passwords and PINs. Crypto methods required for attack prevention and assertion verification.

  10. NIST SP800-63Levels of Assurance (LoA) (2) • Level 3: Multi-factor AuthN required. ID Proofing materials verification required. Crypto strength needed to protect primary token. Proves possession of Key or OTP (one time password) via crypto protocol. • Level 4: Highest Level. Similar to L3 except only “hard” crypto tokens with strengths of FIPS 140-2 Level 2 or higher with FIPS 140-2 Level 3 physical security. Strong approved crypto is used for all operations.

  11. www.cio.gov/eauthenticationa.k.a. E-Auth • US Government’s activity to implement HSPD-12 based on NIST SP800-63 to manage access to at least 24 major areas of service within the USG. • It will utilize technologies based on SAML and PKI/X.509 (shibboleth, Bridge Certification Authority and Hierarchical PKI models, other technologies as appropriate)

  12. Credential Assessment Framework (CAF) • Processes to assess the efficacy of a CSP. We, institutions of Higher Education, can all be seen as CSPs as well as Relying Parties for the services we offer ourselves and each other. • CAF is really only concerned for CSPs used by the Federal eAuth activities but there are lots of interconnects between HE and Fed so it impacts us in many ways. Hence, various projects active.

  13. CAF - Considerations • Organizational IT Security Plan • Roles and Responsibilities of the service • Password Construction Rules • List of IT system audits in last 2 years • Business/Operations Continuity Plan • Examples of Subscriber agreements, Terms and Conditions and how they are disseminated. • Summary of ID Mgmt Systems and Protocols used.

  14. A Credentialing Process • Understand your applications/transaction risks and exposures. Grade these requirements to determine LoA for each appropriate application. • Define LoA in terms of issued credentials by a CSP for use by a RP. (Level 1-4 and their requirements) • Create processes and mechanisms for implementing ID proofing, electronic credential issuance, electronic authentication and authorization, systems for managing this data (identity management in particular). • Create a framework to assess, audit and validate the processes and mechanisms • Be prepared to communicate the results inside and outside your organization.

  15. What WE commonly do…“the Good” • Send username/password by postal mail. • ???

  16. What WE commonly do…“the bad and the ugly” • Hand out envelopes with name/pw and not carefully protect the envelope. • Perform password resets based on phone calls or email requests. • Initial passwords never expire. • Little requirement for good passwords. • We don’t assess our applications and cleanly define their respective access requirements. • More about all this on Wednesday (morgan/kellogg)

  17. What CAN we do? InCommon POPS as a start… • www.incommonfederation.org • The POPS is essentially an assessment of your CSP environment but it gets detailed according to the needs of the federation. • Don’t be afraid of it -- go read it. See how you stack up. You may be doing better than you think. • And if you don’t stack up -- now you know what you need to do. How cool is that!!!

  18. Summary • As you can see -- we have a confluence of activity -- Higher Ed and Fed -- developing a common set of credentialing requirements, processes, technologies and understanding. • Become familiar with: • OMB M-04-04; NIST SP800-63; CAF Suite • InCommon POPS; Directory Roadmap and emerging Authentication Roadmap

More Related