Appropriate Access: Levels of Assurance
Presentation Transcript

  1. Appropriate Access: Levels of Assurance Stefan Wahe Office of Campus Information Security

  2. The Case Study • The University of Wisconsin System uses a loosely federated authentication system. • Each of the 16 campuses maintains its own credential store and identity proofing processes. • Business ERPs that contain personally identifiable information are beginning to use the federated authentication system.

  3. Case Study: The Problems • It was unknown how each campus assures the: • Accuracy of an identity subject • Strength of the authentication token • Reliability of the controls and procedures that protect the credential store • The services are not aware of threats related to identity and data attacks.

  4. Go from ...

  5. ... to get to ...

  6. to prevent something like ... • Man-in-the-Middle • Replay Attack • Password Guessing • Brute Force • Dictionary Attack • DDoS • Non-Repudiation

  7. Case Study: The Goal • Identify gaps by assessing the Credential Store against a standard. • Measure the risk by considering the gaps. • Report the risks to management: • What are the risks • How can the risks be reduced • Allow management to determine risk mitigation strategy.

  8. The CAF Assessment Tool

  9. Creating a Self-Assessment Tool • Self-Assessment Questions were based on requirements / recommendations from: • InCommon Credential Assessment Profile r0.3 • NIST 800-63: Electronic Authentication Guideline • NIST 800-53: Recommended Security Controls for Federal Information Systems • Payment Card Industry - Data Security Standard

  10. The CAF Assessment Tool • The assessment tool consists of 37 questions (requirements). • Five “disciplines” are represented: • Operations and Management • Authentication Protocol • Token Strength • Registration and Identity Proofing • Status Management

  11. The Questions

  12. NIST-InCommon Token Strength: At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected identity subject’s PIN or Password has a probability of success of less than 2^-10 (1 chance in 1,024) over the life of the PIN or Password. Refer to NIST SP 800-63 Appendix A, and the CAF Suite’s Entropy Spreadsheet, to calculate resistance to online guessing.
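The 2^-10 requirement above combines two things an assessor has to measure: how much guessing entropy the password policy yields, and how many online guesses the lockout/throttling controls let an attacker make before the password expires. The following is an added worked example, not code from the presentation, the CAF suite or NIST. It reproduces only the per-character entropy rule from NIST SP 800-63 Appendix A (4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for characters 9 through 20, 1 bit each beyond that); the bonuses Appendix A grants for composition rules and dictionary checks are taken as an input (`bonus_bits`) rather than reproduced, and the throttling figures used in the sample calls are constructed assumptions, not any campus's actual policy.

```python
import math

# Per-character guessing-entropy estimate for user-chosen passwords,
# following NIST SP 800-63 Appendix A. Composition/dictionary bonuses
# from the Appendix A table are supplied by the assessor as bonus_bits.
def estimate_password_entropy_bits(length: int, bonus_bits: float = 0.0) -> float:
    if length <= 0:
        return 0.0
    bits = 4.0                                   # first character
    bits += 2.0 * min(max(length - 1, 0), 7)     # characters 2..8
    bits += 1.5 * min(max(length - 8, 0), 12)    # characters 9..20
    bits += 1.0 * max(length - 20, 0)            # characters 21 and above
    return bits + bonus_bits


# Guesses an attacker can make at ONE account if they always use up the
# failed-attempt allowance in every throttling window until the password
# expires. Other controls (CAPTCHA, IP blocking) are ignored here.
def guesses_over_lifetime(max_failures_per_window: int,
                          window_days: float,
                          lifetime_days: float) -> int:
    return int(max_failures_per_window * (lifetime_days / window_days))


# With H bits of guessing entropy, each guess covers roughly one of 2^H
# candidates, so the attacker's success probability is bounded by
# guesses / 2^H (and can never exceed 1).
def online_guessing_success_probability(entropy_bits: float, guesses: int) -> float:
    return min(1.0, guesses / 2 ** entropy_bits)


# The largest lifetime guess budget that still keeps the probability
# below the target; useful for sizing the throttling control.
def max_guesses_for_target(entropy_bits: float, target: float = 2 ** -10) -> int:
    return math.floor(2 ** entropy_bits * target)


def assess(length: int, bonus_bits: float, max_failures_per_window: int,
           window_days: float, lifetime_days: float,
           target: float = 2 ** -10) -> dict:
    h = estimate_password_entropy_bits(length, bonus_bits)
    n = guesses_over_lifetime(max_failures_per_window, window_days, lifetime_days)
    p = online_guessing_success_probability(h, n)
    return {
        "entropy_bits": h,
        "guesses": n,
        "probability": p,
        "meets_target": p < target,
        "max_guesses_allowed": max_guesses_for_target(h, target),
    }


if __name__ == "__main__":
    # Constructed policy A: 8-char passwords, no composition/dictionary
    # bonus, 100 failed attempts per 30 days, 2-year password lifetime.
    print(assess(8, 0.0, 100, 30, 730))
    # Constructed policy B: same passwords, 10 failed attempts per 30 days,
    # 1-year lifetime.
    print(assess(8, 0.0, 10, 30, 365))
```

Policy A gives 18 bits of entropy against about 2,433 lifetime guesses, a success probability near 0.9%, which misses the 1-in-1,024 target; the same policy would need the lifetime guess budget held to 256 or fewer. Policy B, with a tighter throttle and shorter lifetime, passes. The interesting point for an assessor is that the requirement is met by the combination of password policy and throttling, so both must be documented and tested.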

  13. Case Study: The Process • Each campus provided: • A response to the assessment questionnaire. • A network scan of the devices that comprise the Credential Store Infrastructure. • The responses were analyzed for compliance with: • Identity Proofing • Token Strength • Technical Controls

  14. Case Study: The Process • Each Campus was provided a report that identified • Overall Status • Findings (Gaps and Risk) • Recommendation • The Governance Council was provided a report that identified the status of each campus’ credential store.

  15. Case Study: The Process • Reports are provided to application or service owners upon request. • Reports may be provided to Legislative Auditors upon request. • Re-assessments occur every six months.

  16. Who Was Involved • CIOs from each of the 16 campuses. • Campuses had different types of employees involved in completing the assessment. • Typically employees with a strong technical understanding of the controls and requirements.

  17. Case Study: General Findings • Documentation was lacking in most cases. • Process was lacking in some cases (especially identity assurance). • Some technical controls and cryptographic algorithms were strong. • Some positive answers in the first assessment were answered in the negative during the second assessment.

  18. Next Steps • We will begin conducting a third assessment in August 2008. • Some requirements will be audited (tested) during the third assessment. • Update the Self-Assessment Tool to reflect the changes in the CAP/IAP. • Provide documentation on how to meet requirements. • Identify assessment process for PKI implementations.

  19. Other Considerations Include Business Partners • Office of Admissions: Sourcing Applicants • Registrar’s Office: Sourcing Students • Human Resources: Sourcing Employees • Photo ID: Identity Proofing Process • Help Desk: Identity Proofing Process • Typically employees with a strong understanding of the business process. • Employees who need to be able to follow the business process.

  20. Other Considerations • Finalize the Identity Assurance Profile. • With the assumption that it will change over time. • Develop a self-assessment tool based on the IAP. • Consider using a maturity scale for determining compliance. • How do we verify our state of compliance?

  21. Discussion ... • Stefan Wahe • University of Wisconsin - Madison