
Post on 31-Dec-2015


Federated or Not: Secure Identity Management

Janemarie Duh
Identity Management Systems Architect
Chair, Security Working Group
ITS, Lafayette College

Security

• Has three aspects
  – Confidentiality
  – Integrity
  – Availability

Privacy

• Is the right to control one’s identity during transactions
  – Revealing only what one chooses
• Identities need protection
  – Inadequate protections may result in misuse and release of private information

Goal

• Make identities available in a secure privacy-protected manner

Security Baseline

Account Management Policies

• Account creation
  – Administrative processes that result in a record for an identity in a database
  – Who qualifies to have an electronic identity?
• Identity proofing
  – Of attributes such as name and DOB
  – Results in credential issuance
• Account creation authorization

Account Management Policies

• Account updating
  – Prompt notification of changes to attributes
    • Results in valid data being used
    • Changes such as in name, address, or employee type

Account Management Policies

• Account termination
  – Changes due to
    • Termination
    • Retirement
    • Graduation
• Account removal
  – Retention of identifiers

Account Management Policies

• Password management
  – Strength
    • Publish guidelines
    • Implement via application code
  – Forgotten passwords
    • Password reset mechanism
    • Identity vetting for off-campus users

Related IT Policies

• Acceptable Use Policy
  – Authorization
• Data Stewardship Policy
  – Storage
  – Transmission
  – Password strength

Related IT Policies

• Log management policies
  – Privacy implications
    • Content
    • Retention

Protecting Identities and PII

• Credentials
  – How are they communicated to the user?
  – What authentication technologies are being used?
  – Are passwords protected?
    • In transit across the network –> encryption
    • At rest in a database –> hashing

Protecting Identities and PII

• Reuse of identifiers
• ERP and desktop security
• Sharing and storage of sensitive information
  – Improper methods
    • Email
    • Spreadsheets on office computers
    • Removable devices
    • Cloud (Dropbox, Google Drive)

Protecting Identities and PII

• Sharing and storage of sensitive PII
  – Proper methods
    • Transmit using a secure network (VPN) or encryption
    • Store on an access-restricted network share
  – Consider multi-factor authentication (MFA) for those with access to sensitive data

Protecting Identities and PII

• Access to the identity store
  – Accessible only to administrators
  – Accessible only to SSO technology such as CAS or Shibboleth
    • No direct access and no access from outside

Single Sign-on (SSO)

• Uses the results of an authentication transaction more than once
• Benefits
  – Technical standard –> SAML
    • Makes identities available in a secure and privacy-protected manner
  – Fewer identifiers and passwords

Single Sign-on (SSO)

• Concerns
  – Timeouts
    • Session
    • User-initiated termination
  – May expose existing security risks

Single Sign-on (SSO)

• Federated vs. non-federated
  – Is the SSO technology used for logging into a federated service?

Federation

• Security benefits
  – Trust framework
  – Common standards
  – Shared policies
  – Published practices
    • Help other institutions decide if they want to federate with you

Federation

• Governance
  – Who decides what attributes are released and to whom?
    • Involves compliance with regulations such as FERPA
    • Identify and work with stakeholders
    • Develop policies for what a service provider can and cannot do with respect to retention and sharing

Federation

• InCommon Federation Participant Operational Principles
  – A benefit of federating
  – A service provider must
    • Respect the privacy constraints on identity information released to it by other Participants
    • Use identity information only for its intended purpose

Risk Management

• Develop an incident response policy before an event occurs
• Assess the risk level
  – What was released to whom?
  – In a federated instance, consider what was released on a per service provider basis
  – Were sensitive transactions performed?
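The per service provider assessment above, sketched as an added example that is not part of the original slides. The pipe-delimited log layout, the entityIDs and the set of sensitive attributes are constructed assumptions, not the format of any real identity provider.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (hypothetical layout, not a real IdP's log):
# ISO timestamp | principal | service provider entityID | released attributes
SAMPLE_LOG = """\
2015-03-02T08:14:09|jdoe|https://lms.example.edu/sp|eduPersonPrincipalName,mail
2015-03-02T09:40:51|asmith|https://library.example.org/sp|eduPersonScopedAffiliation
2015-03-03T22:05:30|jdoe|https://payroll.example.com/sp|eduPersonPrincipalName,mail,employeeNumber
2015-03-03T22:07:12|jdoe|https://library.example.org/sp|eduPersonScopedAffiliation
2015-03-03T22:19:44|jdoe|https://payroll.example.com/sp|eduPersonPrincipalName,employeeNumber
malformed line without separators
"""

# Assumption: the attributes this institution classes as sensitive.
SENSITIVE = {"employeeNumber", "dateOfBirth"}

def released_per_sp(log_text, principal, since):
    """Summarise what was released for `principal` at or after `since`, keyed by SP."""
    report = defaultdict(
        lambda: {"logins": 0, "attributes": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip records that do not match the expected layout
        stamp, user, sp, attrs = parts
        when = datetime.fromisoformat(stamp)
        if user != principal or when < since:
            continue  # other accounts, or activity before the suspected compromise
        entry = report[sp]
        entry["logins"] += 1
        entry["attributes"].update(a for a in attrs.split(",") if a)
        entry["first"] = when if entry["first"] is None else min(entry["first"], when)
        entry["last"] = when if entry["last"] is None else max(entry["last"], when)
    for entry in report.values():
        entry["sensitive"] = sorted(entry["attributes"] & SENSITIVE)
    return dict(report)

def providers_to_review(report):
    """SPs that received a sensitive attribute: first candidates for notification review."""
    return sorted(sp for sp, entry in report.items() if entry["sensitive"])

if __name__ == "__main__":
    rpt = released_per_sp(SAMPLE_LOG, "jdoe", datetime(2015, 3, 3, 22, 0))
    for sp, entry in sorted(rpt.items()):
        print(sp, entry["logins"], sorted(entry["attributes"]), entry["sensitive"])
    print("review:", providers_to_review(rpt))
```
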

Risk Management

• A service provider may need to be notified
  – Consult legal counsel due to implications
• See Federated Security Incident Response for more on the challenges of federated incident response

Questions?

Breakout Exercise

InCommon Federation Participant Operational Practices (POP)
