Learn how the University of Wisconsin System ensures data security through federated authentication, assessment tools, and risk mitigation strategies. Identify gaps in credential stores, measure risks, and report findings to management for effective risk reduction. Utilize the CAF Assessment Tool to assess credential store compliance and improve overall security levels across campuses. Findings from multiple assessments reveal progress but also highlight areas for improvement in identity assurance, technical controls, and documentation. Take necessary steps to meet requirements and enhance business processes for improved data security.
Appropriate Access: Levels of Assurance • Stefan Wahe • Office of Campus Information Security
The Case Study • The University of Wisconsin System uses a loosely federated authentication system. • Each of the 16 campuses maintains its own credential store and identity proofing processes. • Business ERPs that contain personally identifiable information are beginning to use the federated authentication system.
Case Study: The Problem • It was unknown how each campus assures the: • Accuracy of an identity subject • Strength of the authentication token • Reliability of the controls and procedures that protect the credential store
to prevent something like ... • Man-in-the-Middle • Replay Attack • Password Guessing • Brute Force • Dictionary Attack • DDoS
Case Study: The Goal • Identify gaps by assessing the Credential Store against a standard. • Measure the risk by considering the gaps. • Report the risks to management: • What are the risks • How can the risks be reduced • Allow management to determine risk mitigation strategy.
The CAF Assessment Tool • Can be located at: • www.doit.wisc.edu/security/resources/
Creating a Self-Assessment Tool • Self-Assessment questions were based on requirements / recommendations from: • InCommon Credential Assessment Profile r0.3 • NIST 800-63: Electronic Authentication Guideline • NIST 800-53: Recommended Security Controls for Federal Information Systems • Payment Card Industry - Data Security Standard
The CAF Assessment Tool • The assessment tool consists of 37 questions (requirements). • Five “disciplines” are represented: • Operations and Management • Authentication Protocol • Token Strength • Registration and Identity Proofing • Status Management
InCommon Token Strength: At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks, shall ensure that an attack targeted against a selected identity subject’s PIN or Password has a probability of success of less than 2^-10 (1 chance in 1,024) over the life of the PIN or Password. Refer to NIST SP 800-63 Appendix A, and the CAF Suite’s Entropy Spreadsheet, to calculate resistance to online guessing.
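A worked version of the calculation this slide points to, added here as an example; it is not the CAF Suite's Entropy Spreadsheet or any code from the University of Wisconsin System. It estimates password entropy with the per-character rule from NIST SP 800-63 (2006) Appendix A for user-chosen passwords, bounds how many online guesses an attacker can make against one account under a lockout policy, and compares the resulting success probability with the 2^-10 target. The lockout numbers and the rule-bonus bits are constructed inputs, and the attacker model (one targeted account, lockout enforced server-side and fully effective, candidate passwords treated as equally likely) is an assumption of the example.

```python
import math
from dataclasses import dataclass

# Slide's target: an attack on one chosen subject's PIN or password must
# succeed with probability below 2^-10 (1 chance in 1,024) over its lifetime.
TARGET_PROBABILITY = 2 ** -10


def estimated_entropy_bits(length: int, rule_bonus_bits: float = 0.0) -> float:
    """NIST SP 800-63 (2006) Appendix A base estimate for user-chosen passwords:
    4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits
    each for characters 9-20 and 1 bit for every character after the 20th.
    Appendix A adds up to 6 bits for a composition rule and up to 6 bits for a
    dictionary check; the caller supplies those bonuses (assumption: they are
    not derived here)."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * (min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    return bits + rule_bonus_bits


@dataclass
class LockoutPolicy:
    """Constructed lockout parameters (assumption: the lockout is enforced
    server-side and blocks all further guesses while it is active)."""
    failures_before_lockout: int
    lockout_minutes: float
    password_lifetime_days: float

    def guesses_over_lifetime(self) -> int:
        """Upper bound on online guesses against one account over the life of
        the password: one batch of failures per lockout period."""
        if self.lockout_minutes <= 0:
            raise ValueError("no lockout: online guessing is unbounded")
        lifetime_minutes = self.password_lifetime_days * 24 * 60
        lockout_periods = lifetime_minutes / self.lockout_minutes
        return int(lockout_periods * self.failures_before_lockout)


def success_probability(entropy_bits: float, guesses: int) -> float:
    """Probability that `guesses` attempts hit a password drawn from a space of
    2^entropy_bits equally likely candidates (the Appendix A guessing model)."""
    return min(1.0, guesses / 2 ** entropy_bits)


def meets_target(entropy_bits: float, policy: LockoutPolicy) -> bool:
    """True when the policy plus password entropy satisfies the 2^-10 target."""
    p = success_probability(entropy_bits, policy.guesses_over_lifetime())
    return p < TARGET_PROBABILITY


def required_entropy_bits(policy: LockoutPolicy) -> float:
    """Entropy at which the guessing probability equals the target, i.e.
    log2(guesses over lifetime) + 10 bits; anything above this passes."""
    return math.log2(policy.guesses_over_lifetime() / TARGET_PROBABILITY)


if __name__ == "__main__":
    # Constructed policy: 5 failures lock the account for 15 minutes,
    # passwords expire after 90 days.
    policy = LockoutPolicy(failures_before_lockout=5, lockout_minutes=15,
                           password_lifetime_days=90)
    guesses = policy.guesses_over_lifetime()
    print(f"guesses available over the password's life: {guesses}")
    print(f"entropy needed for the 2^-10 target: {required_entropy_bits(policy):.1f} bits")
    for length, bonus in [(8, 0.0), (8, 12.0), (12, 6.0), (20, 0.0)]:
        bits = estimated_entropy_bits(length, bonus)
        p = success_probability(bits, guesses)
        verdict = "OK" if meets_target(bits, policy) else "FAIL"
        print(f"length {length:2d}, bonus {bonus:4.1f} -> {bits:5.1f} bits, "
              f"p = {p:.2e}, {verdict}")
```

The useful output of the check is `required_entropy_bits`: under the constructed policy an attacker gets 43,200 guesses per account over 90 days, so a password needs a little over 25 bits of estimated entropy, which an 8-character user-chosen password reaches only with composition and dictionary bonuses. Weakening the lockout (say, 15-minute throttling with no expiry) pushes the required entropy up, which is why the slide ties token strength to the controls that limit online guessing rather than to password length alone.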
Case Study: The Process • Each campus provided: • A response to the assessment questionnaire. • A network scan of the devices that comprise the Credential Store Infrastructure. • The responses were analyzed for compliance with: • Identity Proofing • Token Strength • Technical Controls
Case Study: The Process • Each Campus was provided a report that identified • Overall Status • Findings (Gaps and Risk) • Recommendation • The Governance Council was provided a report that identified the status of each campus’ credential store.
Case Study: The Process • Reports are provided to applications or services owners upon request. • Reports may be provided to Legislative Auditors upon request • Re-assessments occur every six months.
Who Was Involved • CIOs from each of the 16 campuses. • Campuses had differing types of employees involved in completing the assessment. • Typically employees with a strong technical understanding of the controls and requirements.
Findings: August ‘07 Assessment • No one campus was compliant in all five domains. • Some campuses were good at token strength. • Few campuses were positive in identity assurance. • Few campuses were strong in technical controls and processes.
Findings: January ‘08 Assessment • Progress!!!! • Two campuses planned to be compliant in all five areas by October 2008. • Some campuses improved their token strength. • Many campuses still struggle with identity assurance. • Identified plans to meet requirements.
Case Study: General Findings • Documentation was lacking in most cases. • Process was lacking in some cases (especially identity assurance). • Great in some technical controls and cryptographic algorithms. • Some positive answers in the first assessment were answered in the negative during the second assessment.
Next Steps • We will begin conducting a third assessment in August 2008. • Some requirements will be audited (tested) during the third assessment. • Update the Self-Assessment Tool to reflect the changes in the CAP/IAP. • Provide documentation on how to meet requirements.
Other Considerations: Include Business Partners • Office of Admissions: Sourcing Applicants • Registrar’s Office: Sourcing Students • Human Resources: Sourcing Employees • Photo ID: Identity Proofing Process • Help Desk: Identity Proofing Process • Typically employees with a strong understanding of the business process. • Employees who need to be able to follow the business process.
Other Considerations • Finalize the Identity Assurance Profile. • With the assumption that it will change over time. • Develop a self-assessment tool based on the IAP. • Consider using a maturity scale for determining compliance. • How do we verify our state of compliance?
Discussion ... • Stefan Wahe • University of Wisconsin - Madison • smwahe@doit.wisc.edu • http://www.doit.wisc.edu/security/resources/