Joining the Federal Federation: a Campus Perspective

Institute for Computer Policy and Law

June 29, 2005

Andrea Beesing

[email protected]

IT Security Office

Cornell University

Topics of discussion

  • Business drivers for Cornell’s Shibboleth implementation and participation in InCommon and eAuthentication (eAuth)

  • Overview of federal eAuth credentials assessment framework (CAF) and Cornell’s experience with it

  • Areas identified as commendable

  • Areas of common practice

  • Differences with the federal government’s CAF

  • Where next?

Cornell business drivers

  • Cornell Legal Music Pilot with Napster in summer 2004

  • Weill Medical College: resource sharing between Cornell in Ithaca and Cornell in New York City

  • Office of Sponsored Programs: streamlined process for grant submission

  • Library interest in:

    • Library vendors

    • DSpace

Broad objective of assessment

Baseline exercise to determine the area of common interest between the eAuth Initiative and Cornell in its involvement with Shibboleth and InCommon.

Assessment objective clarified

  • Evaluate Cornell practices against CAF

  • Find areas of common practice between Shibboleth community and eAuth, as well as differences

  • Suggest changes where they would be beneficial to common operations

  • Evaluate whether the two communities can be an operationally good fit

Assessment components

  • CAF – Credential Assessment Framework

  • CS – Credential Service

  • CSP – Credential Service Provider

  • CAP – Credentials Assessment Profile

Credential Assessment Framework

Flow of the assessment (as drawn on the slide):

  • Credential Service Provider

  • Credential Assessment Profile

  • Credential Assessment Checklist

  • eAuthentication assessors & Cornell staff work through the checklist

  • Completed Credential Assessment Checklist

  • Credential Assessment Report


Assessment categories and examples

(The number in parentheses after each criterion is the assurance level at which it applies.)

  • Organizational maturity

    • Valid legal entity w/authority to operate (1)

    • Risk management methodology (2)

  • Identity proofing

    • Written policy on steps for identity proofing (2)

  • Authentication protocol

    • Secrets encrypted when transmitted over network (1)

    • Password not disclosed to third parties (2)

Assessment categories and examples (continued)

  • Token strength

    • Password resistance to guessing, or entropy (1)

    • Stronger resistance to guessing (2)

  • Status management

    • Revoked credentials cannot be authenticated (1)

    • Revocation of credential within 72 hours of invalidation, compromise (2)

  • Credential delivery

    • Credential delivered in manner that confirms postal address of record or fixed-line telephone number of record (2)

Sample: CAF checklist for level 1

  • Assurance Level 1

    • Organizational Maturity

Sample: CAP checklist for level 2

1.1 Assurance Level 2

Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.

1.1.1 Organizational Maturity

Assessment process steps

  • Submit sign-up sheet

  • Schedule assessment with eAuth team

  • Submit documentation to eAuth team

  • Prepare Cornell overview for assessment meeting

  • Contact Cornell stakeholders to inform and/or schedule for eAuth team visit

Assessment process steps (continued)

  • Day 1 of assessment

    • Provide background information on Cornell as credential provider

    • First pass through assessment checklist

    • Tour of data center

  • Day 2 of assessment

    • Review draft of assessment report and checklist

    • Correct and clarify assessment checklist

Assessment process participants

  • Identity Management team or equivalent

  • IT Security Director

  • IT Policy Director

  • University Counsel

  • IT Auditor

  • Human Resources Records

  • Computer Access staff

  • University Registrar

  • Business continuity planner

  • Data center manager

Commendable areas

  • Position of the Identity Management program within the IT organization

  • Complete and up to date documentation for users

  • Data center security

Cornell Information Technologies (organization chart)

  • VP, Info Tech

    • Customer Services and Marketing *

    • Advanced Technology and Architecture

    • Network and Communication Services

    • Systems and Operations

    • Information Systems *

    • Distributed Learning Services

    • IT Security Director

      • Identity Management

        • Directory Services

        • Provisioning Tools

      • Incident Response

      • Vulnerability Scanning

      • Network Anomaly Detection

      • Client Security

      • Security Consulting

* Units performing account management functions connected with this credential service

Areas of common practice

  • General approach to IT policy

    • IT policy framework

    • Quality of policy documents

  • Effective channels for communicating policies

  • Well-established disaster recovery plan

  • Excellent delivery procedures for credentials

Differences with CAF – level 1 assessment

  • Threat protection

    • Measures to prevent on-line guessing of passwords were found insufficient

    • Federal government’s baseline recommendations:

      • Password life rules, or

      • Lock-out rules

    • Password uniqueness: forcing a password change when the user logs on for the first time

  • Password life rules and lock-out are particularly problematic for universities
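The two slides on token strength ("password resistance to guessing, or entropy") and on the level 1 threat-protection gap (lock-out rules, password-life rules) describe one calculation: an attacker making on-line guesses can be evaluated only as fast as the lock-out policy allows, and only for as long as the password lives, so the product of those two bounds against the password's entropy is what the assessor is checking. The following Python is an added example written for this page, not Cornell's code or anything from the eAuthentication tool suite; the lock-out parameters, the 90-day password life, the sample login events and the 1-in-1024 success target are all assumptions chosen for illustration (the slides give no figures).

```python
"""Added example: bounding on-line password guessing with the two CAF baseline
controls named on the slide, lock-out rules and password-life rules.
All parameter values and the login events below are constructed for the
example; they are not Cornell data or eAuthentication requirements."""
import math
from collections import defaultdict, deque


class LockoutPolicy:
    """Sliding-window account lock-out.

    After max_failures failed logins within window_s seconds the account is
    locked for lockout_s seconds.  A successful login or an expired lock
    clears the failure history.  Defaults are assumed values.
    """

    def __init__(self, max_failures=5, window_s=900, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires

    def attempt(self, user, password_ok, now):
        """Record one login attempt; return 'locked', 'ok' or 'fail'.

        While locked the password is not evaluated at all, so a correct
        guess during the lock still gets 'locked'.
        """
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[user]     # lock expired: fresh window
            self._failures[user].clear()
        if password_ok:
            self._failures[user].clear()
            return "ok"
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()                 # drop failures outside the window
        if len(window) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_s
            return "locked"
        return "fail"


def max_online_guesses(policy, password_life_days):
    """Upper bound on guesses that can be *evaluated* against one account over
    the password's life: max_failures per lock-out cycle, for as many cycles
    as fit in the password-life rule."""
    life_s = password_life_days * 86400
    cycles = math.ceil(life_s / policy.lockout_s)
    return cycles * policy.max_failures


def guess_success_probability(entropy_bits, guesses):
    """Chance that `guesses` tries hit a password with the given min-entropy,
    assuming the attacker has no per-user knowledge."""
    return min(1.0, guesses / 2 ** entropy_bits)


def meets_target(entropy_bits, policy, password_life_days, target=1 / 1024):
    """True if entropy + lock-out + password life keep lifetime on-line guessing
    success at or below `target`.  1/1024 is an assumed illustrative target."""
    guesses = max_online_guesses(policy, password_life_days)
    return guess_success_probability(entropy_bits, guesses) <= target


# Constructed sample events: (seconds, user, password_ok)
EVENTS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),   # fifth failure -> locked
    (10, "alice", True),                        # right password, still locked
    (905, "alice", False),                      # lock expired, window reset
    (906, "alice", True),
]


def run_events(policy, events):
    """Feed the sample events through a policy and collect the outcomes."""
    return [policy.attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    print(run_events(LockoutPolicy(), EVENTS))
    bound = max_online_guesses(LockoutPolicy(), 90)
    print("guesses over a 90-day password life:", bound)
    for bits in (14, 30):
        print(bits, "bits ->", meets_target(bits, LockoutPolicy(), 90))
```

The point the slide is making follows directly from the numbers: without a lock-out (remove the lock and the bound becomes "as fast as the login service answers") or without a password life (the bound grows without limit), no realistic password entropy keeps the success probability under any fixed target, which is why the assessors asked for one or the other even though both are awkward on a campus.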

Differences with CAF – level 2

  • Business Continuity Plan should be finalized

  • Written policy or practice statement documenting all identity proofing procedures

  • Better remote proofing procedures for alumni

Where next?

  • eAuth FastLane pilot with U. of Washington, Penn State and U. of Maryland, Baltimore County

  • Individual arrangements between federal government and universities will not scale

  • Goal will be interoperation between eAuth and InCommon

  • InCommon does not currently require the same level of accreditation as eAuth for either credential providers or service providers

  • Accreditation could become an important function for any shared identity federation

For more information

  • eAuthentication:

  • eAuthentication credential assessment tool suite:

  • Cornell IT Security Office web site (includes Identity Management):

  • Cornell’s policy tutorial for new students: