appropriate access: levels of assurance
DESCRIPTION
Appropriate Access: Levels of Assurance. Stefan Wahe Office of Campus Information Security. The Case Study. The University of Wisconsin System uses a loosely federated authentication system. Each of the 16 campuses maintain their own credential store and identity proofing processes. - PowerPoint PPT PresentationTRANSCRIPT
Appropriate Access: Levels of AssuranceStefan Wahe
Office of Campus Information Security
The Case Study•The University of Wisconsin System uses a loosely federated authentication system.
•Each of the 16 campuses maintain their own credential store and identity proofing processes.
•Business ERPs that contain personable identifiable information are beginning to use the federated authentication system
Case Study: The Problems
•It was unknown how each campus assures the:– Accuracy of an identity subject– Strength of the authentication token– Reliability of the controls and procedures
that protect the credential store
•The services are not aware of threats related to identity and data attacks.
Go from ...
... to get to ...
to prevent something like ...
• Man-in-the-Middle• Replay Attack• Password Guessing• Brute Force• Dictionary Attack• DDoS• Non-Repudiation
Case Study: The Goal•Identify gaps by assessing the Credential Store against a standard.
•Measure the risk by considering the gaps.•Report the risks to management:
– What are the risks– How can the risks be reduced
•Allow management to determine risk mitigation strategy.
The CAF Assessment Tool
•http://www.cio.wisc.edu/security/risk.aspx
Creating an Self-Assessment Tool
•Self-Assessment Questions were based on requirements / recommendations from:–InCommon Credential Assessment Profile r0.3–NIST 800-63: Electronic Authentication Guideline
–NIST 800-53: Recommended Security Controls for Federal Information Systems
–Payment Card Industry - Data Security Standard
http://downloads.clipart.com/20398418.gif?t=1202940069&h=8cc1c9c2b1acac222022c31830f96681&u=swahe
The CAF Assessment Tool•The assessment tool consists of 37 questions (requirements).
•Five “disciplines” are represented disciplines:–Operations and Management–Authentication Protocol–Token Strength–Registration and Identity Proofing–Status Management
The Questions
Section Example Question
Part 1: Operations and Management
Configuration Management
Part 2: Authentication Protocol
Stored Secrets
Part 3: Token Strength Password Policy
Part 4: Registration and Identity Proofing
Records Management
Part 5: Status Management CS Availability
Part 1: Operations and Management
10 Configuration Management
a. Does the CS demonstrate Configuration Management methodology that includes:
i. A documented process for reviewing, approving and implementing changes
ii. Version control for software system components
iii. Timely identification and installation of all applicable patches for any software used in the provisioning of the CS.
NIST-InCommon Token Strength: At this assurance level, the PIN (numeric-only) or Password, and the controls used to limit on-line guessing attacks shall ensure that an attack targeted against a selected identity subject’s PIN or Password shall have a probability of success of less than 2- 1010 (1 chance in 1,024) success over the life of the PIN or Password. Refer to NIST SP 800-63 Appendix A, and the CAF Suites’s Entropy Spreadsheet to calculate resistance to online guessing.
Part 3: Token Strength
28 Password Policya What is the minimum required
length of the password?f Can individuals recover lost or
forgotten passwords?
b From password inception, is the total number of failed attempts tracked?
g Is password history maintained and used to prohibit the re-use of passwords? How many password changes are stored?
c Are passwords prevented from containing the username and/or the Identity Subjects proper name?
h Are controls in place that prevent a consecutive character string of three or more (e.g. aaa, 111, @@@)?
d What it the maximum number of failed logon attempts before an account is locked?
i Which of the following character sets are required in establishing a password: Uppercase letters, lowercase letters, digits, special characters or control characters?
e How often are password changes required?
Part 3: Registration & Identity Proofing30 Records
a. Is the record of the facts of registration maintained by the CS or its representative (e.g., Registration
Authority)? b. Are records identifying the revocation of credentials
maintained?
c. Are the record of the facts of registration maintained that identifies full legal name, date of birth and address of record.
d. Do credentials include identifying information that permits recovery of the records of the registration associated with the credentials?
Case Study: The Process•Each campus provided:
–A response to the assessment questionnaire.–A network scan of the devices that comprise the Credential Store Infrastructure.
•The responses were analyzed for compliance with:–Identity Proofing–Token Strength–Technical Controls
Case Study: The Process•Each Campus was provided a report that identified – Overall Status– Findings (Gaps and Risk)– Recommendation
•The Governance Council was provided a report that identified the status of each campus’ credential store.
Case Study: The Process•Reports are provided to applications or services owners upon request.
•Reports may be provided to Legislative Auditors upon request
•Re-assessments occur every six months.
Who Was Involved• CIOs from each of the 16 campuses.• Campuses had a different types of employees
involved in completing the assessment
• Chief Information Security Officer
• Directory Services Analyst
• Network Administrator • Security Analyst
• System Administrator
* Typically employees with a strong technical understanding of the controls and requirements
Case Study: General Findings•Documentation was lacking in most cases.
•Process was lacking in some cases (especially identity assurance).
•Great in some technical controls and cryptographic algorithms.
•Some positive answers in the first assessment were answered in the negative during the second assessment.
Next Steps•We will begin conducting a third assessment
in August 2008.
•Some requirements will be audited (tested) during the third assessment.
•Update the Self-Assessment Tool to reflect the changes in the CAP/IAP.
•Provide documentation on how to meet requirements.
•Identify assessment process for PKI implementations.
Other Considerations
•Office of Admissions: Sourcing Applicants•Registrars Office: Sourcing Students•Human Resources: Sourcing Employees•Photo ID: Identity Proofing Process•Help Desk: Identity Proofing Process
• Typically employees with a strong understanding of the business process.
• Employees who need to be able to follow the business process.
Include Business Partners
Other Considerations✓Finalize the Identity Assurance Profile.
– With the assumption that it will change overtime
✓Develop a self-assessment tool based on the IAP
✓Consider using a maturity scale for determining compliance.
✓How do we verify our state of compliance.
Discussion ...
•Stefan Wahe
•University of Wisconsin - Madison
•http://www.doit.wisc.edu/security/resources/