Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security
The Case Study • The University of Wisconsin System uses a loosely federated authentication system. • Each of the 16 campuses maintains its own credential store and identity proofing processes. • Business ERPs that contain personally identifiable information are beginning to use the federated authentication system.
Case Study: The Problems • It was unknown how each campus assures the: • Accuracy of an identity subject • Strength of the authentication token • Reliability of the controls and procedures that protect the credential store • The services are not aware of threats related to identity and data attacks.
to prevent something like ... • Man-in-the-Middle • Replay Attack • Password Guessing • Brute Force • Dictionary Attack • DDoS • Repudiation (loss of non-repudiation)
Case Study: The Goal • Identify gaps by assessing the Credential Store against a standard. • Measure the risk by considering the gaps. • Report the risks to management: • What are the risks • How can the risks be reduced • Allow management to determine risk mitigation strategy.
The CAF Assessment Tool • http://www.cio.wisc.edu/security/risk.aspx
Creating a Self-Assessment Tool • Self-Assessment Questions were based on requirements / recommendations from: • InCommon Credential Assessment Profile r0.3 • NIST 800-63: Electronic Authentication Guideline • NIST 800-53: Recommended Security Controls for Federal Information Systems • Payment Card Industry - Data Security Standard
The CAF Assessment Tool • The assessment tool consists of 37 questions (requirements). • Five “disciplines” are represented: • Operations and Management • Authentication Protocol • Token Strength • Registration and Identity Proofing • Status Management
NIST-InCommon Token Strength: At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected identity subject’s PIN or Password has a probability of success of less than 2^-10 (1 chance in 1,024) over the life of the PIN or Password. Refer to NIST SP 800-63 Appendix A and the CAF Suite’s Entropy Spreadsheet to calculate resistance to online guessing.
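The requirement above combines two numbers: how many online guesses the throttling controls let an attacker make over the password's lifetime, and how many candidates the password policy leaves to guess from. The following is an added example, not part of the original slides or the CAF Suite's spreadsheet: a small calculator that estimates password entropy with the per-character rule for user-chosen passwords from NIST SP 800-63 (2006) Appendix A, models a lockout policy as a guess rate, and checks the 2^-10 bound. The 6-bit composition and dictionary bonuses are a simplification of the NIST table (which gives smaller bonuses for passwords shorter than 8 characters); the linear taper of the dictionary bonus to zero at 20 characters, the policy numbers, and the attacker rates are constructed assumptions.

```python
# Added example (not from the original slides): calculator for the SP 800-63
# online-guessing bound quoted above. Entropy estimate follows SP 800-63 (2006)
# Appendix A for user-chosen passwords; bonus handling is simplified (assumed
# full 6-bit bonuses, dictionary bonus assumed to taper linearly to 0 at 20 chars).

def nist_800_63_entropy_bits(length, composition_rule=False, dictionary_check=False):
    """Estimated guessing entropy (bits) of a user-chosen password of the given length."""
    if length <= 0:
        return 0.0
    bits = 4.0                                  # first character: 4 bits
    bits += 2.0 * min(length - 1, 7)            # characters 2..8: 2 bits each
    if length > 8:
        bits += 1.5 * min(length - 8, 12)       # characters 9..20: 1.5 bits each
    if length > 20:
        bits += 1.0 * (length - 20)             # characters 21 and up: 1 bit each
    if composition_rule:                        # upper case plus non-alphabetic required
        bits += 6.0
    if dictionary_check:                        # extensive dictionary check (assumed linear taper)
        bits += min(6.0, 6.0 * max(0, 20 - length) / 12.0)
    return bits


def guesses_per_day_from_lockout(max_failures, lockout_minutes):
    """Online guesses per day against one account under an 'N failures, then lock
    for M minutes' policy, assuming the attacker resumes as soon as the lock expires."""
    return max_failures * (24 * 60 / lockout_minutes)


def success_probability(entropy_bits, guesses_per_day, lifetime_days):
    """P(attacker guesses the password) over its lifetime, treating each guess as
    eliminating one of 2^H equally likely candidates (capped at 1)."""
    total_guesses = guesses_per_day * lifetime_days
    return min(1.0, total_guesses / 2 ** entropy_bits)


def max_guesses_allowed(entropy_bits, target_exponent=10):
    """Largest number of lifetime guesses that keeps P(success) below 2^-target_exponent."""
    return 2 ** (entropy_bits - target_exponent)


def meets_online_guessing_requirement(entropy_bits, guesses_per_day, lifetime_days,
                                      target_exponent=10):
    """True if throttling plus entropy keep P(success) < 2^-target_exponent
    (SP 800-63 uses 2^-10 for Level 1 and 2^-14 for Level 2)."""
    return success_probability(entropy_bits, guesses_per_day, lifetime_days) < 2.0 ** -target_exponent


if __name__ == "__main__":
    # Constructed policy: 8-character passwords with composition rule and dictionary
    # check, 180-day lifetime, lockout of 15 minutes after 5 failed attempts.
    h = nist_800_63_entropy_bits(8, composition_rule=True, dictionary_check=True)  # 30 bits
    throttled = guesses_per_day_from_lockout(5, 15)          # 480 guesses/day
    unthrottled = 10 * 60 * 60 * 24                          # 10 guesses/second, no lockout
    print(f"entropy {h} bits; lifetime guess budget at 2^-10: {max_guesses_allowed(h):,.0f}")
    for label, rate in (("lockout 5 / 15 min", throttled), ("no throttling", unthrottled)):
        p = success_probability(h, rate, 180)
        ok = meets_online_guessing_requirement(h, rate, 180)
        print(f"{label:20s} P(success) = {p:.2e} -> {'meets' if ok else 'FAILS'} Level 1")
```

With these constructed numbers the 30-bit policy leaves a Level 1 budget of about one million lifetime guesses; the lockout policy allows 86,400, so it passes, while an unthrottled attacker at ten guesses per second passes 0.14 probability and fails. The same 86,400 guesses exceed the Level 2 budget of 65,536, which is the kind of gap the assessment was designed to surface. For a system-generated PIN the entropy is simply log2 of the PIN space rather than the Appendix A estimate.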
Case Study: The Process • Each campus provided: • A response to the assessment questionnaire. • A network scan of the devices that comprise the Credential Store Infrastructure. • The responses were analyzed for compliance with: • Identity Proofing • Token Strength • Technical Controls
Case Study: The Process • Each Campus was provided a report that identified • Overall Status • Findings (Gaps and Risk) • Recommendation • The Governance Council was provided a report that identified the status of each campus’ credential store.
Case Study: The Process • Reports are provided to applications or services owners upon request. • Reports may be provided to Legislative Auditors upon request • Re-assessments occur every six months.
Who Was Involved • CIOs from each of the 16 campuses. • Campuses involved different types of employees in completing the assessment • Typically employees with a strong technical understanding of the controls and requirements
Case Study: General Findings • Documentation was lacking in most cases. • Process was lacking in some cases (especially identity assurance). • Strong in some technical controls and cryptographic algorithms. • Some requirements answered positively in the first assessment were answered negatively in the second assessment.
Next Steps • We will begin conducting a third assessment in August 2008. • Some requirements will be audited (tested) during the third assessment. • Update the Self-Assessment Tool to reflect the changes in the CAP/IAP. • Provide documentation on how to meet requirements. • Identify assessment process for PKI implementations.
Other Considerations Include Business Partners • Office of Admissions: Sourcing Applicants • Registrars Office: Sourcing Students • Human Resources: Sourcing Employees • Photo ID: Identity Proofing Process • Help Desk: Identity Proofing Process • Typically employees with a strong understanding of the business process. • Employees who need to be able to follow the business process.
Other Considerations • Finalize the Identity Assurance Profile. • With the assumption that it will change over time • Develop a self-assessment tool based on the IAP • Consider using a maturity scale for determining compliance. • How do we verify our state of compliance?
Discussion ... • Stefan Wahe • University of Wisconsin - Madison • firstname.lastname@example.org • http://www.doit.wisc.edu/security/resources/