
Joining the Federal Federation: a Campus Perspective

Institute for Computer Policy and Law

June 29, 2005

Andrea Beesing

[email protected]

IT Security Office

Cornell University



Topics of discussion

  • Business drivers for Cornell’s Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)

  • Overview of federal eAuth credentials assessment framework (CAF) and Cornell’s experience with it

  • Areas identified as commendable

  • Areas of common practice

  • Differences with the federal government’s CAF

  • Where next?


Cornell business drivers

  • Cornell Legal Music Pilot with Napster in summer 2004

  • Weill Medical College: resource sharing between Cornell in Ithaca and Cornell in New York City

  • Office of Sponsored Programs: streamlined process for grant submission

  • Library interest in:

    • Library vendors

    • DSpace


Broad objective of assessment

Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell in its involvement with Shibboleth and InCommon



Assessment objective clarified

  • Evaluate Cornell practices against CAF

  • Find areas of common practice between Shibboleth community and eAuth, as well as differences

  • Suggest changes where they would be beneficial to common operations

  • Evaluate whether the two communities can be an operationally good fit



Assessment components

  • CAF – Credential Assessment Framework

  • CS – Credential Service

  • CSP – Credential Service Provider

  • CAP – Credentials Assessment Profile


Credential Assessment Framework

(Slide diagram.) Components and their relationship as drawn on the slide:

  • Credential Service Provider: Cornell University

  • Credential Assessment Profile

  • Credential Assessment Checklist, one per credential type: NetIDs, GuestIDs, VMIDs, Other

  • Checklists completed by eAuthentication assessors and Cornell staff

  • Credential Assessment Report



Assessment categories and examples

  • Organizational maturity

    • Valid legal entity w/authority to operate (1)

    • Risk management methodology (2)

  • Identity proofing

    • Written policy on steps for identity proofing (2)

  • Authentication protocol

    • Secrets encrypted when transmitted over network (1)

    • Password not disclosed to third parties (2)



Assessment categories and examples

  • Token strength

    • Password resistance to guessing, or entropy (1)

    • Stronger resistance to guessing (2)

  • Status management

    • Revoked credentials cannot be authenticated (1)

    • Revocation of credential within 72 hours of invalidation, compromise (2)

  • Credential delivery

    • Credential delivered in manner that confirms postal address of record or fixed-line telephone number of record (2)



Sample: CAF checklist for level 1

  • Assurance Level 1

    • Organizational Maturity



Sample: CAP checklist for level 2

1.1 Assurance Level 2

Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.

1.1.1 Organizational Maturity



Assessment process steps

  • Submit sign-up sheet

  • Schedule assessment with eAuth team

  • Submit documentation to eAuth team

  • Prepare Cornell overview for assessment meeting

  • Contact Cornell stakeholders to inform and/or schedule for eAuth team visit



Assessment process steps

  • Day 1 of assessment

    • Provide background information on Cornell as credential provider

    • First pass through assessment checklist

    • Tour of data center

  • Day 2 of assessment

    • Review draft of assessment report and checklist

    • Correct and clarify assessment checklist


Assessment process participants

  • Identity Management team or equivalent

  • IT Security Director

  • IT Policy Director

  • University Counsel

  • IT Auditor

  • Human Resources Records

  • Computer Access staff

  • University Registrar

  • Business continuity planner

  • Data center manager



Commendable areas

  • Position of the Identity Management program within the IT organization

  • Complete and up to date documentation for users

  • Data center security


Cornell Information Technologies

(Slide organization chart.)

  • VP, Info Tech

    • Customer Services and Marketing *

    • Security Office

    • Advanced Technology and Architecture

    • Network and Communication Services

    • Systems and Operations

    • Information Systems *

    • Distributed Learning Services

  • IT Security Director

    • Identity Management: Authentication, Authorization, Directory Services, Provisioning Tools

    • Security: Incident Response, Vulnerability Scanning, Network Anomaly Detection, Client Security, Security Consulting

* Units performing account management functions connected with this credential service



Areas of common practice

  • General approach to IT policy

    • IT policy framework

    • Quality of policy documents

  • Effective channels for communicating policies

  • Well-established disaster recovery plan

  • Excellent delivery procedures for credentials



Differences with CAF – level 1 assessment

  • Threat protection

    • Measures to prevent on-line guessing of passwords insufficient

    • Federal government’s baseline recommendations:

      • Password life rules or

      • Lock-out rules

    • Uniqueness of password/forcing password change when user logs on for first time

  • Password life rules and lock-out are particularly problematic for universities
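As an added example, not from the presentation, the two federal baseline controls named on this slide (a lock-out rule and a password life rule) replayed over constructed logon events for a hypothetical credential service; the thresholds are assumed illustrative values, not figures from the CAF.

```python
from datetime import datetime, timedelta

# Assumed policy thresholds (illustrative, not the CAF's own numbers)
MAX_FAILURES = 5                          # failed logons allowed per window
FAILURE_WINDOW = timedelta(minutes=15)    # window in which failures are counted
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the credential stays locked
MAX_PASSWORD_AGE = timedelta(days=90)     # password life rule

def evaluate_lockout(events):
    """Replay (timestamp, user, password_correct) logon events in time order.

    Returns the attempts the lock-out rule rejects before any password check,
    i.e. what an on-line guesser (and any legitimate user) hits once locked."""
    recent_failures = {}   # user -> failure timestamps inside the window
    locked_until = {}      # user -> time at which the lock expires
    rejected = []
    for ts, user, correct in sorted(events):
        if user in locked_until and ts < locked_until[user]:
            rejected.append((ts, user))
            continue                      # not even a correct password passes
        if correct:
            recent_failures.pop(user, None)
            continue
        window = [t for t in recent_failures.get(user, []) if ts - t <= FAILURE_WINDOW]
        window.append(ts)
        recent_failures[user] = window
        if len(window) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT_DURATION
            recent_failures[user] = []
    return rejected

def password_life_ok(last_changed, now):
    """Password life rule: the credential is acceptable only while its
    password is no older than MAX_PASSWORD_AGE."""
    return now - last_changed <= MAX_PASSWORD_AGE

# Constructed sample: a guessing burst against one NetID, then the real user
T0 = datetime(2005, 6, 29, 9, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=10 * i), "abc12", False) for i in range(5)]
SAMPLE_EVENTS += [
    (T0 + timedelta(seconds=50), "abc12", False),  # sixth guess: locked out
    (T0 + timedelta(minutes=1), "abc12", True),    # real user during lock: also rejected
    (T0 + timedelta(minutes=31), "abc12", True),   # lock expired: accepted
    (T0 + timedelta(seconds=5), "xyz7", False),    # unrelated user, one failure, no lock
    (T0 + timedelta(seconds=15), "xyz7", True),
]

if __name__ == "__main__":
    for ts, user in evaluate_lockout(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} {user}: rejected by lock-out rule")
    print("password life ok:", password_life_ok(datetime(2005, 3, 1), T0))
```

The replay shows both sides of the slide's point: the guessing burst is cut off after the fifth failure, but the legitimate logon during the lock window is rejected too, which is the usability cost that makes lock-out rules hard for a large campus population.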



Differences with CAF – level 2

  • Business Continuity Plan should be finalized

  • Written policy or practice statement documenting all identity proofing procedures

  • Better remote proofing procedures for alumni



Where next?

  • eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County

  • Individual arrangements between federal government and universities will not scale

  • Goal will be interoperation between eAuth and InCommon

  • InCommon does not now require the same level of accreditation as eAuth for either credential providers or service providers

  • Accreditation could become an important function for any shared identity federation



For more information

  • eAuthentication:

    http://www.cio.gov/eauthentication/

  • eAuthentication credential assessment tool suite:

    http://www.cio.gov/eauthentication/CredSuite.htm

  • Cornell IT Security Office web site (includes Identity Management): http://www.cit.cornell.edu/oit/Security.html

  • Cornell’s policy tutorial for new students:

    https://cuweblogin2.cit.cornell.edu/cuwl-cgi/policyPub.cgi

