Copyright
Copyright Ian Taylor 2007. This work is the intellectual property of
the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright
statement appears on the reproduced materials and notice is given that
the copying is by permission of the author. To disseminate otherwise or
to republish requires written permission from the author.
Management Issues with Risk Assessments and Establishing Levels of Assurance
Ian Taylor
Manager, Security Middleware Unit, Computing and Communications
University of Washington
Today’s Discussion
• Overview of the IAM context at the University of Washington
• “Explore how to do risk assessments”
• Drivers for Levels of Assurance
• User Perspective
• Exploring the Solution Space
UW’s Environment
• CENTRALIZED IT:
– Large central IT organization (~600 staff)
– All networking infrastructure
– Data Center
– All major business applications
– Email, web hosting
– Identity and Access Management, directory services, etc. etc.
UW’s Environment
• DECENTRALIZED IT:
– Central business units
– Academic units
– Research centers
– Many different groups on campus create or purchase software applications
– Central IT has little or no control over what departments do
– Some of them invent authentication/authorization solutions
UW’s Environment
• Many diverse populations:
– 80,000+ Faculty, Staff and Students (18,000 Med Center Employees)
– 500,000+ Alumni and Affiliates
– 1,000,000+ Patients
– Other diverse populations (Cascadia Community College, WA State K-12 students, Library Patrons, etc.)
UW’s Enterprise Credential (UW NetID)
• A large amount of effort has gone into making the UW NetID UW’s single enterprise credential.
• More than 360,000 active UW NetIDs
• 300,000+ more potential users (1,300,000+ if we include patients)
• Our credentials are stored in both Kerberos and Windows AD
• We have 5 different UW NetID Types (not to be confused with LoAs!)
UW NetID Types
• Personal UW NetID – A UW affiliated individual’s key to online resources at the UW and beyond
• Shared UW NetID – Used to share centrally maintained UW computing services such as departmental websites
• Temporary UW NetID – Used to provide temporary access to services via the UW NetID system
• Applications UW NetID – Applications/services that need to authenticate and can’t use X.509 certificates
• Reserved UW NetID – UW NetIDs that can’t authn (e.g. root, mailing lists, etc.)
Warning!
LEAVING THE COMFORT ZONE
What LoAs does the UW NetID Support?
One size fits all… well almost!
• ~ 7,400 people have 2-factor authn (SecurID)
• We support a group of EAuth level 1 credentials (very small test group)
“Explore How to do Risk Assessments”
• “Risk-level Assessment is a management technique used to determine the level of exposure associated with unauthorized use of a resource.
• In the security area, risk-level assessments have a broader use associated with relative priorities and mitigation plans for protecting an institution’s information assets.”
Risk Assessment at UW
• Is currently instinctive (all art, no craft) with little or no formal process (which is not much of a problem, since we have only 2 levels of assurance :-)
• Needs to improve since we KNOW we need to institute more levels of assurance
• How to do it?
Risk
E-Authentication Guidance for Federal Agencies:
Risk is a combination of
a) the Consequences of exposure (cost, harm, impact)
and
b) the Likelihood of exposure
Categories of Harm and Impact
• Inconvenience, distress, damage to reputation
• Financial loss or university liability
• Harm to university programs or public interests
• Unauthorized release of sensitive information
• Personal safety
• Civil or criminal violations
Risk Levels
• Low impact
• Moderate impact
• High impact
(See pp 8-9 for definitions and illustrations. Disastrous? Or merely Catastrophic?)
Whose Job is This?
• Who has the expertise to make these judgments?
• Risk Management Office?
• Specialized function within IT organization?
• Inquiring minds …
Drivers for LoA
• Compliance Perspective - Supporting federal, state and university policy requirements.
• Business Perspective - Supporting university business needs.
(Diagram: COMPLIANCE and BUSINESS shown as the two drivers)
Compliance Drivers for LoA
• Regulatory – Government requirements
– HIPAA
– FERPA
– WA State ISB Standards
– WA State Security Breach Notification Law (6043) – 37 other states now have this
• Contractual – Liability protection issues
– Payment Card Industry Data Security Standard (PCI DSS)
• Local Policy and International Standards
– E-Authentication
– ISO, NIST etc.
– University Policy
Business Drivers for LoA
• A subset of applications require a higher assurance level that’s costly to provide
• A subset of apps require a low bar for entrance
• Globally distributed users create ID proofing challenges
• Provide service to individuals with little or no known personal data
• Password restrictions can be potentially unfriendly to certain classes of users
The User Perspective
• It’s hard to choose a usable password!
• Why do I have to keep changing my password?
• Why do I have to give my personal information?
• What do you mean I have to come show my picture ID?
• What do I need to do to access application ____?
Exploring the Solution Space
• A formal process for performing Risk Assessments
• A well defined set of LoAs
• A set of NetID attributes used to determine LoA
• A user portal that reports & explains current LoA
• Clearly defined standards for when each LoA is required
• Support for LoA in authentication services
How are LoAs Assigned?
• A rollup of attributes that define level of Assurance?
• Or the attributes themselves?
• As attribute values change, LoA may decrease
• Typically the only ways LoA increases are when new ID proofing is done accompanied by a password change, or when additional factors are given at authentication time
Attributes that Define LoA
• Type of Identity Proofing
• # of failed authentications
• Password strength
• Password age
• Is Compromised?
• Multiple factor authentication?
Types of Identity Proofing
• High Assurance ID Proofing
– Photo ID in person
– Notarized Photo ID via mail/fax
– Phone verified (5 or more pieces of info)
– PAC by mail
• Low Assurance
– PAC by mail
– Phone verified (2 pieces of info minimum)
– Email verified
– Verified by trusted member
UW NetID Levels of Assurance (Conceptual)
NOTE: This does not reflect the current state of the UW NetID. The UW does not yet have plans to implement this or any other LoA scheme.
• Level F – Compromised IDs and other IDs that are not allowed to authn
• Level E – Shared and temporary IDs that have little or no assurance
• Level C – Low assurance personal UW NetIDs that have minimal id proofing
• Level B – Higher assurance Personal IDs that have stronger ID proofing. Compliant with EAuth Level 2.
• Level A – High assurance Personal IDs that authn with 2nd factor (SecurID for now). Compliant with EAuth Level 3.
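As an added example (not code from the slides or from UW), this rolls the NetID attributes listed under “Attributes that Define LoA” up into the conceptual F/E/C/B/A levels above, including the rule that LoA can only drop as attributes drift and only rises through new ID proofing with a password change or a second factor presented at authentication time. The attribute names, the numeric thresholds, and treating “PAC by mail” as low assurance are assumptions, not UW policy.

```python
from dataclasses import dataclass
from typing import Optional

# Proofing methods from the "Types of Identity Proofing" slide. The slide lists
# "PAC by mail" under both headings; it is treated as low assurance here (assumption).
HIGH_PROOFING = {"photo_id_in_person", "notarized_photo_id", "phone_5_items"}
LOW_PROOFING = {"pac_by_mail", "phone_2_items", "email_verified", "trusted_member"}

@dataclass
class NetID:
    netid_type: str                 # personal | shared | temporary | reserved
    proofing: Optional[str] = None  # a member of HIGH_PROOFING or LOW_PROOFING
    failed_authns: int = 0
    password_age_days: int = 0
    weak_password: bool = False
    compromised: bool = False

def level_of_assurance(n: NetID, second_factor: bool = False,
                       max_failed: int = 10, max_age_days: int = 365) -> str:
    """Roll stored attributes plus factors presented at authn time up to a level."""
    # Level F: compromised IDs and IDs that are not allowed to authenticate.
    if n.compromised or n.netid_type == "reserved":
        return "F"
    # Level E: shared and temporary IDs carry little or no assurance.
    if n.netid_type in ("shared", "temporary"):
        return "E"
    if n.netid_type != "personal":
        raise ValueError(f"no level defined for NetID type {n.netid_type!r}")
    # Attribute drift (stale or weak password, repeated failed authns) caps a
    # personal ID at Level C: LoA may decrease as attribute values change.
    # The thresholds are assumed values, not UW policy.
    drifted = (n.weak_password or n.password_age_days > max_age_days
               or n.failed_authns >= max_failed)
    if n.proofing not in HIGH_PROOFING or drifted:
        return "C"
    # Level B: strong ID proofing; Level A also needs a 2nd factor presented now.
    return "A" if second_factor else "B"

def reproof(n: NetID, new_proofing: str, password_changed: bool) -> NetID:
    """LoA rises only through new ID proofing accompanied by a password change."""
    if new_proofing not in HIGH_PROOFING | LOW_PROOFING:
        raise ValueError(f"unknown proofing method {new_proofing!r}")
    if not password_changed:
        raise ValueError("new ID proofing must be accompanied by a password change")
    n.proofing = new_proofing
    n.password_age_days = 0
    n.failed_authns = 0
    n.weak_password = False  # assumes the new password passes the strength check
    return n
```

The second factor is deliberately an argument of `level_of_assurance` rather than a stored attribute, since the slides tie Level A to what is presented at authentication time rather than to a property of the stored NetID.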