
Identity Assurance at Virginia Tech

Identity Assurance at Virginia Tech. CSG January 13, 2010 Mary Dunker dunker@vt.edu. Background. 2008 Board of Visitors Resolution on increasing administrative efficiencies through expansion of automated systems and enhanced security


Presentation Transcript


  1. Identity Assurance at Virginia Tech
     CSG, January 13, 2010
     Mary Dunker, dunker@vt.edu

  2. Background
     • The 2008 Board of Visitors Resolution on increasing administrative efficiencies through expansion of automated systems and enhanced security charged Vice Presidents to develop a plan to continue to automate the University’s administrative systems, utilizing modern information technology processes and security tools to gain process efficiencies.

  3. Automating Processes Involves
     • Personal digital identities
     • Decisions on the part of sponsors of automated electronic systems and applications
     • Integration – secure authentication

  4. Requirement
     • Identity Assurance: the ability to determine, with some level of certainty, that the person presenting themselves in an online transaction is who they say they are.

  5. VT Enterprise Personal Digital Identities
     • Guest accounts – little or no assurance in identity
     • Personal Identifier (PID), Active Directory account, Oracle ID – some assurance in identity
     • Personal Digital Certificate (PDC) on eToken – 2-factor, high assurance in identity

  6. Identity Proofing, Issuing Credentials
     • Guest accounts – guest is invited via e-mail to create an ID
     • PID – issued remotely; user answers questions based on information in the university database. Identity proofing is part of the admission or hiring process.
     • PDC – issued in person; requires a PID and government-issued photo IDs.

  7. PDC
     • Issued on Aladdin eToken, certified at FIPS 140-2 level 2
     • Tamper-resistant
     • Private key cannot be exported off the eToken
     • Face-to-face identity verification; 2 government-issued photo IDs; must match information in our Enterprise Directory
     • 2-person issuance process (RAA and CAA)
     • Available to all employees
     • Enabled for authentication and digital signature
     • Employee signs agreement not to share

  8. Standard/Guidance for Sponsors
     • Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
     • National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

  9. Process
     • Determine potential impact of authentication error
     • Map potential impact level to LOA of personal digital identity
     • Select credentials
     • Request technical review from Identity Management Services
     • Implement digital credentials
     • Validate with security review
     • Document; reassess annually

  10. Potential Impact Profile Level

  11. Levels of assurance of personal digital identities

  12. Integration: CAS Version 3.1+
     • Recognizes login credential and assigns LOA
     • Passes LOA to application in SAML payload
     • Supports guest accounts, PID, PDC for login

  13. Levels of Assurance using CAS
     LOA values are defined by VT CAS, reflecting NIST 800-63. The CAS client must support SAML 1.1 messages.
     • urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1 – Guest ID/password
     • urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2 – PID/password
     • urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3 – NOT USED
     • urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4 – PDC on eToken
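How an application on the relying side might enforce the LOA that CAS passes in the SAML 1.1 payload, as an added illustration that is not part of the presentation or of VT's CAS code. It assumes the LOA URI arrives as a SAML attribute named "loa" (the real attribute name is not given on the slides), and the response below is a constructed sample; a level the slides mark NOT USED, an unknown level, or a missing attribute all result in denial.

```python
import xml.etree.ElementTree as ET

# Prefix of the LOA URIs from slide 13; the trailing digit is the NIST 800-63 level.
LOA_PREFIX = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:"
LOA_CREDENTIAL = {1: "Guest ID/password", 2: "PID/password", 3: "NOT USED", 4: "PDC on eToken"}
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample of a CAS SAML 1.1 validation response. The attribute name
# "loa" is an assumption; the slides do not name the attribute VT CAS uses.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <saml:AttributeStatement>
     <saml:Subject><saml:NameIdentifier>hokie</saml:NameIdentifier></saml:Subject>
     <saml:Attribute AttributeName="loa" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <saml:AttributeValue>urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2</saml:AttributeValue>
     </saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </saml1p:Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def extract_loa(saml_xml, attribute_name="loa"):
    """Return the LOA level asserted in the SAML 1.1 payload, or None if absent/unparseable."""
    root = ET.fromstring(saml_xml)
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("AttributeName") != attribute_name:
            continue
        for val in attr.iter("{%s}AttributeValue" % SAML_NS):
            text = (val.text or "").strip()
            suffix = text[len(LOA_PREFIX):]
            if text.startswith(LOA_PREFIX) and suffix.isdigit():
                return int(suffix)
    return None


def authorize(saml_xml, required_loa, attribute_name="loa"):
    """Allow only if the asserted LOA is one VT issues and meets the sponsor's required level."""
    loa = extract_loa(saml_xml, attribute_name)
    if loa is None:
        return False, "no recognized LOA in SAML payload; deny by default"
    if loa not in LOA_CREDENTIAL or LOA_CREDENTIAL[loa] == "NOT USED":
        return False, "LOA %d is not a level VT CAS issues" % loa
    if loa < required_loa:
        return False, "LOA %d (%s) is below required LOA %d" % (loa, LOA_CREDENTIAL[loa], required_loa)
    return True, "LOA %d (%s) satisfies required LOA %d" % (loa, LOA_CREDENTIAL[loa], required_loa)
```

The required level is whatever the sponsor derived from the potential impact profile in the process on slide 9.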

  14. References
     • National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
     • Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
     • University of Wisconsin, Madison, User Authentication and Levels of Assurance; http://www.cio.wisc.edu/security/initiatives/authentication.aspx
     • Virginia Tech, Standard for Use of Personal Digital Identities
