1 / 22

Federally Funded Research Security

Learn about the importance of encrypting data at rest, using ECA certificates, and implementing federated authentication for federally funded research projects.

rgutierrez
Download Presentation

Federally Funded Research Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federally Funded ResearchSecurity Scott Baily Colorado State University

  2. Three things to cover • Encrypting Data at Rest • ECA Certificates • Federated authentication

  3. Encrypting Data at Rest • Effective 07/03/2007, it is DoD Policy that: • All unclassified DoD data at rest that has not been approved for public release …shall be treated as sensitive unclassified information, and must be encrypted • Encryption shall be at a minimum complaint with NIST FIPS 140-2, and with a mechanism to ensure encrypted data can be recovered • See: http://www.esi.mil/uploaded_documents/0706RCK88127.pdf

  4. Encrypting Data at Rest (cont’d) • All new computer assets procured to support the DoD enterprise must include the Trusted Platform Module (TPM) chip • DoD organizations were supposed to provide status reports regarding compliance to the DoD Information Assurance Office by 12/31/07

  5. Definitions: • TPM – Chip attached to motherboard that stores keys, passwords, and digital certificates (see http://trustedcomputinggroup.org/groups/tpm) • Data at rest – Any data not being transmitted across a network or temporarily in memory • Sensitive Unclassified Information – Information that is not classified but is restricted from public disclosure

  6. Encrypting Data at Rest (cont’d) • This policy applies to DoD employees as well as DoD grant recipients • Policy vs. Policing • FIPS 140-2 compliance may be an important evaluation criteria when considering encryption products

  7. Approved Encryption Products Include: • Mobile Armor LLC’s Data Armor • Safeboot NV’s Safeboot Device Encryption • Info. Security Corp.’s Secret Agent • Encryption Solution Inc.’s SkyLock at Rest • Credant Tech. Inc’s Credant Mobile Guardian • Guardian Edge Tech.’s GuardianEdge • Several other (FIPS 140-2 compliant) solutions also qualify …

  8. ECA Certificates • Digital certificates issued by official External Certificate Authorities enable secure communications with Feds • Certs allow • Identification • Digital Signatures • Public Key Encryption

  9. ECA Certs are available from • IdenTrust (http://www.identrust.com) • Operational Research Consultants (ORC) (http://www.eca.orc.com) • Verisign (http://www.verisign.com/)

  10. ECA Certs (cont’d) • Cost is approximately $250/certificate • CSU has about 120 researchers who may require ECA certs at some time • $30K problem • Becoming a local issuing agent for one of the vendors lowers the cost to about $50/certificate

  11. Federated Authentication • Definition (from Peter Alterman, NIH) An association of credential issuers and online service providers who agree to trust electronic identity credentials issued by each other at known levels of assurance. Corollary 1: issuers and service providers implement compatible technologies; Corollary 2: issuers are responsible and authoritative for the trustworthiness of the credentials they issue

  12. The Objective • To enable electronic commerce and electronic transactions via a common, extensible trust infrastructure • Requires a common set of terminology, assumptions, procedures and protocols

  13. What it really means • Two federations establish a sufficient trust relationship such that when one federation asserts that credentials of one of its members are credible at a particular level of assurance (LOA), the other federation accepts that assertion as if the authentication happened locally • Commerce and other transactions are then permitted without re-authenticating

  14. Benefits • By trusting another federation, the scope and complexity of identity management can be greatly reduced • Lets organizations do their own IdM • Potential for single sign-on

  15. Assumptions • Similar policies exist under which credentials are issued and managed • Similar procedures for vetting individuals’ identities should lead to similar LOAs • Compatible protocols (e.g. SAML) are used to exchange credential information

  16. Gap Analysis • Higher Ed’s federation is InCommon, which is currently regarded to be at OMB LoA 1 (level 2 is rumored to be imminent; required for anything useful regarding federally sponsored research activities) • Documenting the process of assuring identities is probably the single most significant thing you can do

  17. Federation Conclusion • Joining InCommon federation with LoA 2 will make Federal research grant management easier for researchers • Established PKI on campus is essential • Many of the issues between InCommon and eAuth have been sorted out • Still optional; each researcher may obtain a separate username/pw authentication for each Federal agency portal

  18. Questions • Are most welcome

  19. Thank You

More Related