Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect...
Federated or Not: Secure Identity Management
Janemarie Duh
Identity Management Systems Architect
Chair, Security Working Group
ITS, Lafayette College
Security
• Has three aspects
  – Confidentiality
  – Integrity
  – Availability
Privacy
• Is the right to control one’s identity during transactions
  – Revealing only what one chooses
• Identities need protection
  – Inadequate protections may result in misuse and release of private information
Goal
• Make identities available in a secure privacy-protected manner
Security Baseline
Account Management Policies
• Account creation
  – Administrative processes that result in a record for an identity in a database
  – Who qualifies to have an electronic identity?
• Identity proofing
  – Of attributes such as name and DOB
  – Results in credential issuance
• Account creation authorization
Account Management Policies
• Account updating
  – Prompt notification of changes to attributes
    • Results in valid data being used
    • Changes such as in name, address, or employee type
Account Management Policies
• Account termination
  – Changes due to
    • Termination
    • Retirement
    • Graduation
• Account removal
  – Retention of identifiers
Account Management Policies
• Password management
  – Strength
    • Publish guidelines
    • Implement via application code
  – Forgotten passwords
    • Password reset mechanism
    • Identity vetting for off-campus users
Related IT Policies
• Acceptable Use Policy
  – Authorization
• Data Stewardship Policy
  – Storage
  – Transmission
  – Password strength
Related IT Policies
• Log management policies
  – Privacy implications
    • Content
    • Retention
Protecting Identities and PII
• Credentials
  – How are they communicated to the user?
  – What authentication technologies are being used?
  – Are passwords protected?
    • In transit across the network –> encryption
    • At rest in a database –> hashing
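The two password points the slides make (publish a strength guideline and implement it in application code; keep only hashes at rest) as an added Python example, not code from the talk or from Lafayette College; the guideline thresholds and the PBKDF2 parameters are assumptions, and the verifier format is one chosen here.

```python
import hashlib
import hmac
import secrets

# Assumed policy values (hypothetical; the talk gives no numbers).
MIN_LENGTH = 12            # published minimum length
MIN_CLASSES = 3            # out of: lower, upper, digit, other
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_password_strength(password: str) -> list:
    """Enforce the published guideline in code; return the list of violations."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    return problems


def hash_password(password: str) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 verifier; the plaintext is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record, so the work factor can be raised later per account.
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)
```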
Protecting Identities and PII
• Reuse of identifiers
• ERP and desktop security
• Sharing and storage of sensitive information
  – Improper methods
    • Email
    • Spreadsheets on office computers
    • Removable devices
    • Cloud (Dropbox, Google Drive)
Protecting Identities and PII
• Sharing and storage of sensitive PII
  – Proper methods
    • Transmit using a secure network (VPN) or encryption
    • Store on an access-restricted network share
  – Consider multi-factor authentication (MFA) for those with access to sensitive data
Protecting Identities and PII
• Access to the identity store
  – Accessible only to administrators
  – Accessible only to SSO technology such as CAS or Shibboleth
    • No direct access and no access from outside
Single Sign-on (SSO)
• Uses the results of an authentication transaction more than once
• Benefits
  – Technical standard –> SAML
    • Makes identities available in a secure and privacy-protected manner
  – Fewer identifiers and passwords
Single Sign-on (SSO)
• Concerns
  – Timeouts
    • Session
    • User-initiated termination
  – May expose existing security risks
Single Sign-on (SSO)
• Federated vs. non-federated
  – Is the SSO technology used for logging into a federated service?
Federation
• Security benefits
  – Trust framework
  – Common standards
  – Shared policies
  – Published practices
    • Help other institutions decide if they want to federate with you
Federation
• Governance
  – Who decides what attributes are released and to whom?
    • Involves compliance with regulations such as FERPA
    • Identify and work with stakeholders
    • Develop policies for what a service provider can and cannot do with respect to retention and sharing
Federation
• InCommon Federation Participant Operational Principles
  – A benefit of federating
  – A service provider must
    • Respect the privacy constraints on identity information released to it by other Participants
    • Use identity information only for its intended purpose
Risk Management
• Develop an incident response policy before an event occurs
• Assess the risk level
  – What was released to whom?
  – In a federated instance, consider what was released on a per-service-provider basis
  – Were sensitive transactions performed?
Risk Management
• A service provider may need to be notified
  – Consult legal counsel due to implications
• See Federated Security Incident Response for more on the challenges of federated incident response
Questions?
Breakout Exercise
InCommon Federation Participant Operational Practices (POP)