Identity Assurance at Virginia Tech
Presentation Transcript

1. Identity Assurance at Virginia Tech
CSG, January 13, 2010
Mary Dunker, dunker@vt.edu

2. Background
• The 2008 Board of Visitors Resolution on increasing administrative efficiencies through expansion of automated systems and enhanced security charged Vice Presidents to develop a plan to continue to automate the University's administrative systems, utilizing modern information technology processes and security tools to gain process efficiencies.

3. Automating Processes Involves
• Personal digital identities
• Decisions on the part of sponsors of automated electronic systems and applications
• Integration: secure authentication

4. Requirement (Identity Assurance)
The ability to determine, with some level of certainty, that the person presenting themselves in an online transaction is who they say they are.

5. VT Enterprise Personal Digital Identities
• Guest accounts: little or no assurance in identity
• Personal Identifier (PID), Active Directory account, Oracle ID: some assurance in identity
• Personal Digital Certificate (PDC) on eToken: 2-factor, high assurance in identity

6. Identity Proofing, Issuing Credentials
• Guest accounts: guest is invited via e-mail to create an ID
• PID: issued remotely; user answers questions based on information in the university database. Identity proofing is part of the admission or hiring process.
• PDC: issued in person; requires a PID and government-issued photo IDs

7. PDC
• Issued on Aladdin eToken, certified at FIPS 140-2 Level 2
• Tamper-resistant
• Private key cannot be exported off the eToken
• Face-to-face identity verification; 2 government-issued photo IDs; must match information in our Enterprise Directory
• 2-person issuance process (RAA and CAA)
• Available to all employees
• Enabled for authentication and digital signature
• Employee signs agreement not to share

8. Standard/Guidance for Sponsors
• Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
• National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf

9. Process
• Determine the potential impact of an authentication error
• Map the potential impact level to the LOA of the personal digital identity
• Select credentials
• Request a technical review from Identity Management Services
• Implement digital credentials
• Validate with a security review
• Document; reassess annually

10. Potential Impact Profile Level

11. Levels of assurance of personal digital identities

12. Integration: CAS Version 3.1+
• Recognizes the login credential and assigns an LOA
• Passes the LOA to the application in the SAML payload
• Supports guest accounts, PID, and PDC for login

13. Levels of Assurance using CAS
LOA values are defined by VT CAS, reflecting NIST 800-63. The CAS client must support SAML 1.1 messages.
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:1 – Guest ID/password
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:2 – PID/password
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:3 – NOT USED
• urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:4 – PDC on eToken
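The slide above describes the contract between CAS and the application: CAS assigns an LOA and hands it to the application inside the SAML 1.1 validation payload, and the application is expected to compare it against the level its impact assessment requires. The following is an added illustration, not code from Virginia Tech or from the CAS project, of what that relying-party check looks like. It assumes the LOA arrives as a SAML 1.1 attribute named `loa` (the real attribute name is not given on the slide) and it fails closed: a missing or duplicated attribute, a level 3 URN (marked NOT USED above), any unrecognized value, or a non-success status all yield LOA 0 and are denied.

```python
import xml.etree.ElementTree as ET

# LOA URNs exactly as listed on slide 13. Level 3 is "NOT USED", so it is
# deliberately absent and will be treated as unrecognized.
LOA_PREFIX = "urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:v1-0-2:"
LOA_BY_URN = {
    LOA_PREFIX + "1": 1,  # Guest ID / password
    LOA_PREFIX + "2": 2,  # PID / password
    LOA_PREFIX + "4": 4,  # PDC on eToken
}

# SAML 1.1 namespaces used by the CAS samlValidate response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def extract_loa(saml_xml: str, attribute_name: str = "loa") -> int:
    """Return the numeric LOA carried in the SAML 1.1 attribute statement.

    Returns 0 (deny) unless the response status is Success and exactly one
    value for the LOA attribute is present and maps to a known URN.
    The attribute name 'loa' is an assumption, not a value from the slide.
    """
    root = ET.fromstring(saml_xml)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not (status.get("Value") or "").endswith("Success"):
        return 0

    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("AttributeName") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            values.append((val.text or "").strip())

    # Exactly one LOA value is acceptable; zero or several is treated as an error.
    if len(values) != 1:
        return 0
    return LOA_BY_URN.get(values[0], 0)


def authorize(saml_xml: str, required_loa: int, attribute_name: str = "loa") -> bool:
    """True only if the asserted LOA meets the level the application requires."""
    return extract_loa(saml_xml, attribute_name) >= required_loa


def sample_response(loa_urn: str, status: str = "samlp:Success") -> str:
    """Constructed sample of a CAS-style SAML 1.1 response carrying one LOA URN
    (issuer and subject are placeholders, not real Virginia Tech values)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="cas.example.edu">
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="loa" AttributeNamespace="http://www.ja-sig.org/products/cas/">
        <saml:AttributeValue>{loa_urn}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # An application whose impact assessment requires level 4 accepts only the PDC.
    for level in ("1", "2", "3", "4"):
        ok = authorize(sample_response(LOA_PREFIX + level), required_loa=4)
        print(f"LOA URN ...:{level} -> {'allow' if ok else 'deny'}")
```

The important design choice is that the required level is decided by the application from its impact assessment (slides 9 and 10), while the asserted level comes only from the validated CAS response; the application never trusts a level supplied by the browser, and anything it cannot map to a listed URN is denied rather than defaulted.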

14. References
• National Institute of Standards and Technology Special Publication 800-63, Electronic Authentication Guideline; http://csrc.nist.gov/publications/drafts/800-63-rev1/SP800-63-Rev1_Dec2008.pdf
• Office of Management and Budget M-04-04, E-Authentication Guidance for Federal Agencies; http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf
• University of Wisconsin, Madison, User Authentication and Levels of Assurance; http://www.cio.wisc.edu/security/initiatives/authentication.aspx
• Virginia Tech, Standard for Use of Personal Digital Identities