Identity Assurance at Virginia Tech
CSG, January 13, 2010
Mary Dunker, dunker@vt.edu
Background
• The 2008 Board of Visitors Resolution on increasing administrative efficiencies through expansion of automated systems and enhanced security charged the Vice Presidents to develop a plan to continue automating the University’s administrative systems, utilizing modern information technology processes and security tools to gain process efficiencies.
Automating Processes Involves
• Personal digital identities
• Decisions on the part of sponsors of automated electronic systems and applications
• Integration: secure authentication
Requirement
Identity assurance: the ability to determine, with some level of certainty, that the person presenting themselves in an online transaction is who they say they are.
VT Enterprise Personal Digital Identities
• Guest accounts: little or no assurance in identity
• Personal Identifier (PID), Active Directory account, Oracle ID: some assurance in identity
• Personal Digital Certificate (PDC) on eToken: two-factor, high assurance in identity
Identity Proofing, Issuing Credentials
• Guest accounts: the guest is invited via e-mail to create an ID
• PID: issued remotely; the user answers questions based on information in the university database. Identity proofing is part of the admission or hiring process.
• PDC: issued in person; requires a PID and government-issued photo IDs
PDC
• Issued on an Aladdin eToken, certified at FIPS 140-2 Level 2
• Tamper-resistant
• Private key cannot be exported off the eToken
• Face-to-face identity verification; two government-issued photo IDs; must match information in our Enterprise Directory
• Two-person issuance process (RAA and CAA)
• Available to all employees
• Enabled for authentication and digital signature
• Employee signs an agreement not to share
Standard/Guidance for Sponsors
• Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
• National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
Process
• Determine the potential impact of an authentication error
• Map the potential impact level to the LOA of a personal digital identity
• Select credentials
• Request technical review from Identity Management Services
• Implement digital credentials
• Validate with a security review
• Document; reassess annually
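As an added worked example (not Virginia Tech's tooling and not part of the deck), the first three steps above in Python: a sponsor rates the impact of an authentication error in each M-04-04 category, the code picks the lowest NIST 800-63 level whose impact profile tolerates every rating, and then maps that level to the VT credential the deck lists for it. The impact-profile table is my transcription of Table 1 in OMB M-04-04 and should be checked against the memo; routing an LOA 3 requirement to the PDC, because the deck marks LOA 3 as NOT USED, is an assumption of this example.

```python
"""Map an impact assessment to a NIST SP 800-63 level of assurance (LOA) and
then to a VT credential. Added example; the table is a transcription of
OMB M-04-04 Table 1 ("Maximum Potential Impacts for Each Assurance Level").
"""

# Column i holds the highest impact that assurance level i+1 may tolerate in
# that category; None means the level tolerates no impact there at all.
IMPACT_PROFILES = {
    "inconvenience_distress_reputation":   ["low", "mod", "mod", "high"],
    "financial_loss_liability":            ["low", "mod", "mod", "high"],
    "harm_to_programs_public_interest":    [None,  "low", "mod", "high"],
    "unauthorized_release_sensitive_info": [None,  "low", "mod", "high"],
    "personal_safety":                     [None,  None,  "low", "high"],
    "civil_criminal_violations":           [None,  "low", "mod", "high"],
}
RANK = {None: 0, "low": 1, "mod": 2, "high": 3}

# Credentials per LOA as listed on the deck. LOA 3 is marked NOT USED at VT,
# so this example (assumption) serves an LOA 3 requirement with the PDC.
CREDENTIAL_FOR_LOA = {
    1: "guest account",
    2: "PID",
    3: "PDC on eToken",
    4: "PDC on eToken",
}


def required_loa(assessment):
    """Return the lowest LOA (1-4) whose impact profile covers every rated category.

    assessment maps category -> "low" | "mod" | "high". Categories left out of
    the assessment are treated as having no impact.
    """
    unknown = set(assessment) - set(IMPACT_PROFILES)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    for rating in assessment.values():
        if rating not in RANK:
            raise ValueError(f"invalid impact rating: {rating!r}")
    for level in range(1, 5):
        tolerated = all(
            RANK[assessment.get(category)] <= RANK[limits[level - 1]]
            for category, limits in IMPACT_PROFILES.items()
        )
        if tolerated:
            return level
    raise AssertionError("unreachable: level 4 tolerates 'high' everywhere")


def select_credential(assessment):
    """Return (loa, credential) for an assessment, using the deck's credential list."""
    loa = required_loa(assessment)
    return loa, CREDENTIAL_FOR_LOA[loa]


if __name__ == "__main__":
    # Constructed sample: a departmental purchasing form.
    purchasing = {"financial_loss_liability": "mod",
                  "inconvenience_distress_reputation": "mod"}
    print(select_credential(purchasing))   # (2, 'PID')
    # Constructed sample: an application exposing sensitive personal records.
    records = {"unauthorized_release_sensitive_info": "high",
               "civil_criminal_violations": "mod"}
    print(select_credential(records))      # (4, 'PDC on eToken')
```

The search is deliberately "lowest level that covers the worst rating": one category rated high (say, unauthorized release of sensitive information) forces LOA 4 regardless of how harmless the other categories are, which is exactly the fail-safe behaviour the annual reassessment step should preserve when a system's data or users change.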
Integration: CAS Version 3.1+
• Recognizes the login credential and assigns an LOA
• Passes the LOA to the application in the SAML payload
• Supports guest accounts, PID, and PDC for login
Levels of Assurance using CAS
LOA values are defined by VT CAS, reflecting NIST 800-63. The CAS client must support SAML 1.1 messages.
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1 – Guest ID/password
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2 – PID/password
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3 – NOT USED
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4 – PDC on eToken
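As an added example of what the application side of this integration looks like (this is not CAS code and not Virginia Tech's client), the Python below parses a SAML 1.1 validation response of the kind CAS 3.1+ returns from its back-channel /samlValidate endpoint, reads the LOA URN the server attached, and fails closed whenever the LOA is missing, unrecognised, or below what the application requires. Two assumptions: the LOA is carried as a SAML attribute named "authenticationContextClass" (the deck says only "in the SAML payload"), and the response arrived over the client's own TLS connection to the CAS server, which is where trust in the message comes from, so no XML signature is checked here. The sample responses are constructed inline for the demonstration.

```python
"""Enforce a minimum NIST 800-63 LOA in a CAS-protected application.

Added example. Assumes VT CAS delivers the LOA URN as a SAML 1.1 attribute
named "authenticationContextClass" and that the response was fetched by the
client itself over TLS from the CAS server (no signature verification here).
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
LOA_ATTRIBUTE = "authenticationContextClass"  # assumed attribute name

# LOA URNs exactly as listed on the slide; ...:3 is NOT USED, so it is
# deliberately absent and will be treated as unrecognised.
LOA_BY_URN = {
    "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1": 1,  # guest
    "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2": 2,  # PID
    "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4": 4,  # PDC
}


def make_response(user, loa_urn=None, success=True):
    """Build a constructed SAML 1.1 validation response for testing (not real CAS output)."""
    status = "samlp:Success" if success else "samlp:Responder"
    subject = f"<saml:Subject><saml:NameIdentifier>{escape(user)}</saml:NameIdentifier></saml:Subject>"
    attrs = ""
    if loa_urn is not None:
        attrs = (f"<saml:AttributeStatement>{subject}"
                 f'<saml:Attribute AttributeName="{LOA_ATTRIBUTE}">'
                 f"<saml:AttributeValue>{escape(loa_urn)}</saml:AttributeValue>"
                 f"</saml:Attribute></saml:AttributeStatement>")
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{NS["soap"]}"><SOAP-ENV:Body>'
            f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>'
            f"<saml:Assertion>"
            f'<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">'
            f"{subject}</saml:AuthenticationStatement>{attrs}</saml:Assertion>"
            f"</samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>")


def validated_identity(xml_text):
    """Return (user, loa) from a successful response; loa is None if absent or unrecognised."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, None
    code = root.find(".//samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        return None, None
    name = root.find(".//saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not (name.text or "").strip():
        return None, None
    loa = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") == LOA_ATTRIBUTE:
            value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
            loa = LOA_BY_URN.get(value)  # unknown URN (including ...:3) stays None
    return name.text.strip(), loa


def authorize(xml_text, required_loa):
    """Fail-closed access decision: returns (allowed, reason)."""
    user, loa = validated_identity(xml_text)
    if user is None:
        return False, "ticket validation failed"
    if loa is None:
        return False, f"no recognised LOA asserted for {user}"
    if loa < required_loa:
        return False, f"{user} authenticated at LOA {loa}; application requires LOA {required_loa}"
    return True, f"{user} authenticated at LOA {loa}"


if __name__ == "__main__":
    pdc = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4"
    guest = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1"
    print(authorize(make_response("jdoe", pdc), 4))      # (True, 'jdoe authenticated at LOA 4')
    print(authorize(make_response("guest42", guest), 2))  # denied: LOA 1 < 2
    print(authorize(make_response("jdoe"), 1))            # denied: no LOA attribute
```

The point of the three separate failure branches is that an application integrated this way never falls back to "logged in, so allowed": a response without an LOA attribute (for example from a CAS client or server configuration that dropped it) is rejected just like a guest login against a PID-only resource, and the reason string gives the operator something to log.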
References
• National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
• Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
• University of Wisconsin, Madison, User Authentication and Levels of Assurance; http://www.cio.wisc.edu/security/initiatives/authentication.aspx
• Virginia Tech, Standard for Use of Personal Digital Identities