Joining the Federal Federation: a Campus Perspective - PowerPoint PPT Presentation


Description: Joining the Federal Federation: a Campus Perspective Institute for Computer Policy and Law June 29, 2005 Andrea Beesing amb3_at_cornell.edu IT Security Office – PowerPoint PPT presentation

Slides: 22
Provided by: Bees5
Learn more at: https://www.educause.edu

Transcript and Presenter's Notes

1
Joining the Federal Federation: a Campus Perspective
  • Institute for Computer Policy and Law
  • June 29, 2005
  • Andrea Beesing
  • amb3_at_cornell.edu
  • IT Security Office
  • Cornell University

2
Topics of discussion
  • Business drivers for Cornell's Shibboleth
    implementation and participation in InCommon and
    eAuthentication (eAuth)
  • Overview of federal eAuth credentials assessment
    framework (CAF) and Cornell's experience with it
  • Areas identified as commendable
  • Areas of common practice
  • Differences with the federal government's CAF
  • Where next?

3
Cornell business drivers
4
Broad objective of assessment
  • Baseline exercise to determine area of common
    interest between eAuth Initiative and Cornell in
    its involvement with Shibboleth / InCommon

5
Assessment objective clarified
  • Evaluate Cornell practices against CAF
  • Find areas of common practice between Shibboleth
    community and eAuth, as well as differences
  • Suggest changes where they would be beneficial to
    common operations
  • Evaluate whether the two communities can be an
    operationally good fit

6
Assessment components
  • CAF: Credential Assessment Framework
  • CS: Credential Service
  • CSP: Credential Service Provider
  • CAP: Credentials Assessment Profile

7
Credential Assessment Framework (diagram; labels as they appear on the slide)
  • Credential Service Provider: Cornell University
  • Credential Assessment Profile
  • Credential Assessment Checklist, completed by eAuthentication assessors and Cornell staff
  • Credential services covered: NetIDs, GuestIDs, VMIDs, Other
  • Credential Assessment Report
8
Assessment categories and examples (assurance level in parentheses)
  • Organizational maturity
      • Valid legal entity w/authority to operate (1)
      • Risk management methodology (2)
  • Identity proofing
      • Written policy on steps for identity proofing (2)
  • Authentication protocol
      • Secrets encrypted when transmitted over network (1)
      • Password not disclosed to third parties (2)

9
Assessment categories and examples (assurance level in parentheses)
  • Token strength
      • Password resistance to guessing, or entropy (1)
      • Stronger resistance to guessing (2)
  • Status management
      • Revoked credentials cannot be authenticated (1)
      • Revocation of credential within 72 hours of
        invalidation or compromise (2)
  • Credential delivery
      • Credential delivered in a manner that confirms
        postal address of record or fixed-line telephone
        number of record (2)

10
Sample CAF checklist for level 1
  1. Assurance Level 1
  2. Organizational Maturity

Tag: Established
Description: The CSP shall be a valid legal entity, and a person with legal authority to commit the CSP shall submit the Assessment package. The operational system will be assessed as it stands at the time of the Assessment. Planned upgrades or modifications will not be considered during the assessment.
Suggested Evidence of Compliance: 1. Articles of incorporation, Organizational Charter, Affidavit, etc. 2. Demonstration
Status: (blank in the sample)

Tag: Authorization to Operate
Description: The CS shall have completed appropriate authorization to operate (ATO) as required by the CSP policies. The CSP shall demonstrate it understands and complies with any legal requirements incumbent on it in connection to the CS.
Suggested Evidence of Compliance: 1. Copy of ATO or company authorization for Credential Service 2. Asserted in Authorization document as set forth in GSA policies
Status: (blank in the sample)

Tag: General Disclosure
Description: The CSP shall make the Terms, Conditions, and Privacy Policy for the CS available to the intended user community. In addition, the CSP shall notify subscribers in a timely and reliable fashion of any changes to the Terms, Conditions, and Privacy Policy.
Suggested Evidence of Compliance: Terms, Conditions, Privacy policies posted on Website. Document how provider will do this.
Status: (blank in the sample)

11
Sample CAP checklist for level 2
1.1 Assurance Level 2
Assessment at Assurance Level 2 also requires validated compliance with all Assurance Level 1 criteria. That is, Assurance Level 2 assessments are cumulative of Assurance Levels 1 and 2.
1.1.1 Organizational Maturity

Tag: Documentation
Description: The CSP shall have all security related policies and procedures documented that are required to demonstrate compliance. Undocumented practices will not be considered evidence.
Suggested Evidence of Compliance: Copies of or link to policies
Status: (blank in the sample)

Tag: Helpdesk
Description: A helpdesk shall be available for subscribers to resolve issues related to their credentials during the CSP's regular business hours, minimally from 9am to 5pm Monday through Friday.
Suggested Evidence of Compliance: Observe Helpdesk
Status: (blank in the sample)

Tag: Risk Mgt
Description: The CSP shall demonstrate a risk management methodology that adequately identifies and mitigates risks related to the CS.
Suggested Evidence of Compliance: Copy of Risk Assessment
Status: (blank in the sample)
12
Assessment process steps
  • Submit sign-up sheet
  • Schedule assessment with eAuth team
  • Submit documentation to eAuth team
  • Prepare Cornell overview for assessment meeting
  • Contact Cornell stakeholders to inform and/or
    schedule for eAuth team visit

13
Assessment process steps
  • Day 1 of assessment
      • Provide background information on Cornell as
        credential provider
      • First pass through assessment checklist
      • Tour of data center
  • Day 2 of assessment
      • Review draft of assessment report and checklist
      • Correct and clarify assessment checklist

14
Assessment process participants
  • Identity Management team or equivalent
  • IT Security Director
  • IT Policy Director
  • University Counsel
  • IT Auditor
  • Human Resources Records
  • Computer Access staff
  • University Registrar
  • Business continuity planner
  • Data center manager

15
Commendable areas
  • Position of the Identity Management program
    within the IT organization
  • Complete and up to date documentation for users
  • Data center security

16
Cornell Information Technologies (organization chart)
  • VP, Info Tech
      • Customer Services and Marketing
      • Security Office
      • Advanced Technology and Architecture
      • Network and Communication Services
      • Systems and Operations
      • Information Systems
      • Distributed Learning Services
  • IT Security Director (Security Office)
      • Identity Management: Authentication, Authorization,
        Directory Services, Provisioning Tools
      • Security Incident Response, Vulnerability Scanning,
        Network Anomaly Detection, Client Security,
        Security Consulting
  • Units performing account management functions
    connected with this credential service
17
Areas of common practice
  • General approach to IT policy
  • IT policy framework
  • Quality of policy documents
  • Effective channels for communicating policies
  • Well-established disaster recovery plan
  • Excellent delivery procedures for credentials

18
Differences with CAF level 1 assessment
  • Threat protection
      • Measures to prevent on-line guessing of passwords
        insufficient
      • Federal government's baseline recommendations:
          • Password life rules, or
          • Lock-out rules
          • Uniqueness of password / forcing password change
            when user logs on for the first time
      • Password life rules and lock-out are particularly
        problematic for universities
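
The following is an added example, not part of the presentation or of Cornell's credential service, showing in code what two of the CAF controls discussed here look like when enforced at the authentication step: a lock-out rule against on-line password guessing (the level 1 threat-protection gap above) and rejection of revoked credentials (the level 1 status-management criterion on the earlier slide). The thresholds, the in-memory credential store, the user name and the event timeline are all constructed for illustration.

```python
"""Added example: an authentication gate with a sliding-window lock-out
rule and a revocation check. Thresholds and sample data are assumptions,
not values from the CAF or from Cornell's service."""
from dataclasses import dataclass, field
from hmac import compare_digest
import hashlib
import os

MAX_FAILURES = 5            # assumed: failed attempts allowed inside the window
WINDOW_SECONDS = 15 * 60    # assumed: sliding window in which failures are counted
LOCKOUT_SECONDS = 30 * 60   # assumed: how long the account stays locked


@dataclass
class Credential:
    salt: bytes
    pw_hash: bytes
    revoked: bool = False
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0                      # lock expiry as a timestamp


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored verifier is not the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_credential(password: str) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, _hash(password, salt))


def revoke(store: dict, user: str) -> None:
    # Status management: once revoked, the credential must never authenticate
    store[user].revoked = True


def authenticate(store: dict, user: str, password: str, now: float) -> str:
    """Return 'ok', 'bad-password', 'locked', 'revoked' or 'unknown'.

    The distinct codes are for the server's own logging; a user-facing
    message should not distinguish 'unknown' from 'bad-password'."""
    cred = store.get(user)
    if cred is None:
        return "unknown"
    if cred.revoked:
        return "revoked"
    if now < cred.locked_until:
        return "locked"
    # Forget failures that fell out of the sliding window
    cred.failures = [t for t in cred.failures if now - t < WINDOW_SECONDS]
    if compare_digest(_hash(password, cred.salt), cred.pw_hash):
        cred.failures.clear()
        return "ok"
    cred.failures.append(now)
    if len(cred.failures) >= MAX_FAILURES:
        # Lock-out rule: the threshold was reached inside the window
        cred.locked_until = now + LOCKOUT_SECONDS
        cred.failures.clear()
        return "locked"
    return "bad-password"


def demo() -> list:
    """Constructed timeline: five wrong guesses one second apart, then the
    correct password while locked, then after the lock expires, then after
    revocation."""
    store = {"alice": make_credential("correct horse")}   # constructed account
    results = []
    for i in range(MAX_FAILURES):
        results.append(authenticate(store, "alice", f"guess{i}", float(i)))
    results.append(authenticate(store, "alice", "correct horse", 10.0))
    results.append(authenticate(store, "alice", "correct horse",
                                LOCKOUT_SECONDS + 10.0))
    revoke(store, "alice")
    results.append(authenticate(store, "alice", "correct horse",
                                LOCKOUT_SECONDS + 20.0))
    return results


if __name__ == "__main__":
    print(demo())
```

The lock here expires on its own instead of requiring a helpdesk reset, which is one way to soften the concern the slide raises for universities: an account-keyed lock-out lets anyone who knows a NetID deny service to its owner, so a short timed lock limits the damage while still bounding the number of on-line guesses an attacker gets per window.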

19
Differences with CAF level 2
  • Business Continuity Plan should be finalized
  • Written policy or practice statement documenting
    all identity proofing procedures
  • Better remote proofing procedures for alumni

20
Where next?
  • eAuth FastLane pilot with U. of Washington, Penn
    State and U. of Maryland, Baltimore County
  • Individual arrangements between federal
    government and universities will not scale
  • Goal will be interoperation between eAuth and
    InCommon
  • InCommon does not now require the same level of
    accreditation as eAuth for either credential
    providers or service providers
  • Accreditation could become an important function
    for any shared identity federation

21
For more information
  • eAuthentication
    http://www.cio.gov/eauthentication/
  • eAuthentication credential assessment tool suite
    http://www.cio.gov/eauthentication/CredSuite.htm
  • Cornell IT Security Office web site (includes
    Identity Management)
    http://www.cit.cornell.edu/oit/Security.html
  • Cornell's policy tutorial for new students
    https://cuweblogin2.cit.cornell.edu/cuwl-cgi/policyPub.cgi