Source: meetings.internet2.edu/media/medialibrary/2014/04/...
TRANSCRIPT
John Krienke, Joe St Sauver, David Walker Internet2
Net+ Trust & Identity Services
© 2014 Internet2
5 Areas Defined for Net+ Services
• Software as a Service
• Video, Voice and Collaborations
• Trust & Identity
• Digital Content for R&E
• Infrastructure, Platform, Security
Delivered via next-generation, high-speed R&E global networks
Built on federated identity and integration architectural standards
Administered via global agreements, contracts and provisioning
Lifecycle: Explore → Develop → Deploy
Service Validation
● Goal is a service, structured for higher education, ready for adoption
● Typical issues
○ Compliance
○ Security
■ Cloud Controls Matrix
○ Accessibility
■ WCAG
○ Identity
■ InCommon integration
○ Networking
○ Specific service issues
● Issue Discovery ○ Use case implementation by service validation participants ○ Work groups for security, accessibility, and identity
● Address Issues ○ Negotiated road maps ○ Priorities determined by service validation participants
● Business Model ○ Contract terms ○ Pricing
● Signed Agreement (vendor <-> Net+) ● Agreement Template (Net+ <-> campus)
Service Validation Process
• InCommon Participation – Publishing and consuming metadata – Technical interoperation
• Electronic mail as identifier – Institutional and personal use of DocuSign
• Security – Issues are not absolute; rather, they determine the sensitivity and criticality of appropriate use cases – Analogous to the security of electronic mail systems
Stories: The DocuSign Service Validation
• General Availability:
- InCommon Certificate Service with Comodo
- Duo Security multifactor security
- SafeNet USB-format PKI hard tokens and smart cards
• Early Adopter:
- Eduroam wireless roaming
• Service Validation:
- DocuSign electronic signatures
- Toopher multifactor security
• Evaluation:
- LastPass password manager
- Fischer Identity virtual identity provider
Current T&I portfolio
• Offered by InCommon in partnership with Comodo
• Offers unlimited SSL/TLS certs for web services, etc., including extended validation (so-called “green bar”) certs, plus code signing and client certs, all for one annual fee (scaled to institutional Carnegie classification), usually resulting in $ savings
• Covers all the domains a university owns (edu and non-edu alike)
• Trusted by virtually all web browsers and other applications
• Now in use by 278 different InCommon participants -- how about your school?
• http://www.incommon.org/cert/ for more information
Certificate Service (General Availability)
• These days you need something better than just a password: Duo multifactor combines your password (something you know) with your smartphone (something you have).
• Duo is both easy to use and affordable.
• Site license Duo for all faculty/staff, or add students. Coverage is even available for hospital staff at academic hospitals.
• Not ready to site license yet? A minimal-hassle pilot program is also available for $5/user/year (500 user minimum).
• 18 universities/university systems are already site licensing Duo, and many others are piloting it in the à la carte program.
• http://www.incommon.org/duo/index.html for more information.
Duo Security Multifactor Authentication (GA)
• While phone-based multifactor auth is easiest to use and currently most popular, some sites prefer or require client certificates, and may need USB format PKI hard tokens or smartcards on which to store those certs.
• InCommon currently offers selected SafeNet products to help meet the needs of those users.
• See http://www.incommon.org/safenet/
SafeNet PKI Hard Tokens/SmartCards (GA)
• If you travel to other universities, you may find yourself wishing that you could login to wireless just like you do back home. If your home school and the school you’re visiting participate in Eduroam, and your system is properly configured, now you can!
• From the perspective of universities, doing Eduroam means substantially fewer users who need manually provisioned guest accounts
• For more information on Eduroam, please see http://www.internet2.edu/products-services/cloud-services-applications/eduroam or http://www.eduroam.us
Eduroam (Early Adopter)
• DocuSign is an electronic signature, transaction management, and document workflow service. Accessible anytime, anywhere, on any device, the DocuSign Global Network connects organizations to their customers, partners, suppliers, and employees where they transact business in confidence. DocuSign helps decrease transaction cycle times, reduce costs, and enhance customer satisfaction with the easiest, fastest, most secure global network for sending, signing and tracking documents in the cloud.
• For more information on Docusign, please see http://www.internet2.edu/products-services/cloud-services-applications/docusign/
Docusign (Service Validation)
• Toopher is a new NET+ multifactor option that aims to make multifactor authentication virtually invisible by leveraging the location awareness of users’ smartphones (see https://www.toopher.com/ )
• Toopher just commenced Service Validation at the end of March, and we’d love additional service validation university participants.
• If your site is interested in participating, please contact either [email protected] or [email protected]
Toopher (Service Validation)
• We all find ourselves juggling far too many passwords for all the different web sites we use. LastPass is a password manager that makes it easy for you to securely store and use strong passwords for all those sites -- without having to struggle to remember them. See https://lastpass.com/
• Currently in the “evaluation” phase of the NET+ onboarding process, we’re looking for five or six sites that might be interested in helping to evaluate and validate this service for the trust and identity portfolio. If your university is interested, please contact [email protected] for more information
LastPass (Evaluation Phase)
• Fischer's Ignite is a hosted, virtual identity provider service that satisfies the IdP-related requirements for schools wishing to participate in InCommon or to leverage services where InCommon participation is required, such as Internet2 NET+ services. The Basic Service is a self-service solution that enables access to InCommon for institutional and regional network service providers. The Premium Service provides access to any number of SAML 2.0-compliant service providers and includes additional value-added services. For more information, see http://www.internet2.edu/products-services/cloud-services-applications/fischer-ignite-federation-service/
Fischer Ignite (Evaluation Phase)
Any of these T&I services potentially of interest to attendees?
• Biometric multifactor applications (voice-based password reset?)
• Crypto currency service (such as Bitcoin, Ripple, Litecoin, etc.)
• Domain name registration services
• Identity-based email encryption (example: Voltage SecureMail)
• Outsourced public-record-based identity proofing service
• PII monitoring services (e.g., post-breach monitoring services)
• Pre-employment background verification services
• Trademark infringement/brand management monitoring services
• Virtual Private Network (VPN) services, particularly for travelers
Brainstorming More T&I Portfolio Offerings
Net+ Service Areas: WHAT IS OUR GOAL?
• Software as a Service
• Video, Voice and Collaborations
• Trust & Identity
• Digital Content for R&E
• Infrastructure, Platform, Security
Delivered via next-generation, high-speed R&E global networks
Built on federated identity and integration standards
Administered via global agreements, contracts and provisioning
Integration at Scale
InCommon Federation: 10 years 1644 Service Provider Entities 347 Identity Providers
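Entity counts like the ones above come from the federation's metadata aggregate, and "publishing and consuming metadata" is the InCommon participation step named earlier in the DocuSign validation story. The following is an added example, not Internet2's or InCommon's code, of what a consumer of that aggregate has to do before trusting it: parse the SAML 2.0 EntitiesDescriptor, refuse it once its validUntil has passed (a stale aggregate can still list keys and endpoints that have since been revoked), inventory which entities carry IdP and SP roles, and pull an IdP's SSO endpoint. The aggregate embedded below and its entity IDs are constructed for illustration. Real InCommon metadata is signed, and its XML signature must also be verified against the federation's published signing key; that check is not shown here because it needs an xmlsec library that the standard library lacks.

```python
"""Consume a SAML 2.0 metadata aggregate: freshness check, role inventory,
endpoint lookup. Added example; the aggregate is constructed, not real
InCommon data, and signature verification is deliberately out of scope."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample aggregate (hypothetical entity IDs, not InCommon members).
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon" validUntil="2014-04-30T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.net/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_xsd_datetime(value):
    """validUntil is an xsd:dateTime; accept the common trailing-'Z' UTC form."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def load_aggregate(xml_text, now):
    """Parse the aggregate and reject it if validUntil is missing or has passed.

    Expiry is a hard failure: the federation sets a short validUntil precisely
    so that consumers cannot keep using an aggregate they failed to refresh."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not an EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refusing to trust it indefinitely")
    if now > parse_xsd_datetime(valid_until):
        raise ValueError("aggregate expired at %s" % valid_until)
    return root


def inventory(root):
    """Return (idp_entity_ids, sp_entity_ids). An entity may hold both roles,
    which is why IdP and SP counts need not sum to the number of entities."""
    idps, sps = [], []
    for ent in root.findall("md:EntityDescriptor", NS):
        eid = ent.get("entityID")
        if ent.find("md:IDPSSODescriptor", NS) is not None:
            idps.append(eid)
        if ent.find("md:SPSSODescriptor", NS) is not None:
            sps.append(eid)
    return idps, sps


def sso_endpoint(root, entity_id, binding):
    """Location of an IdP's SingleSignOnService for one binding, or None."""
    for ent in root.findall("md:EntityDescriptor", NS):
        if ent.get("entityID") != entity_id:
            continue
        for sso in ent.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
            if sso.get("Binding") == binding:
                return sso.get("Location")
    return None


def summarize(xml_text, now_iso):
    """Freshness check plus role counts, as a single call for scripting."""
    root = load_aggregate(xml_text, parse_xsd_datetime(now_iso))
    idps, sps = inventory(root)
    return {"idps": len(idps), "sps": len(sps), "both": len(set(idps) & set(sps))}


if __name__ == "__main__":
    print(summarize(SAMPLE_AGGREGATE, "2014-04-15T00:00:00Z"))
```

On a real aggregate the same inventory is what yields the IdP and SP counts quoted above; the `both` figure explains why those two numbers do not add up to the entity total.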
Integration at Scale
Interfederation
• Enhancing: Opportunistic, Campus sponsorship • Foundational: Toward a Service Architecture
Principles for Service Inclusion
Built on federated identity and integration architectural standards
• Enhancing: Device and Person Authentication
– X.509 Certificates
– Multifactor Authentication
– Password Managers
– Electronic Signatures
– Strategic catalysts: device identity, anonymity/privacy, mobile AuthN/Z, social engineering and online trust, advances in cryptography, alternatives to root CAs
• Foundational
– Identity & Group Management, Single Sign On, Federated IdP
– Multifactor Authentication Services
– IAM Professional Services consulting and integration
– Gateways
Categories of T&I Services
Built on federated identity and integration architectural standards
InCommon Affiliates
Aegis Identity, Cirrus Identity, Fischer International, Microsoft, Unicon, Spherical Cow Group
Service Validation
• Functional Assessment
• Business Model
• Technical Integration
– Network
– Identity
– Integration
• Security
• Accessibility
• Compliance
Formal criteria
• MUST
• SHOULD
• MAY
How will we answer these Questions? via Governance & You • Net+ Program Advisory Group (PAG)
– Overall guidance on Net+ lifecycle, SV Criteria, Legal templates – Community principles of engagement
• InCommon Steering Committee’s expanded role to TIER
– InCommon Federation & Assurance programs
– T&I Service portfolio: principles, balance & number, T&I criteria
– Identity and Access Management R&D, Middleware, Integration & Architecture
– Community, external relations
• Competition promotes choice and value, but too many options create confusion.
• How many services is ideal within a given category? • Needed Principles for
– Inclusion: Strategic or Opportunistic? – Exclusion: – Replacement: – Discontinuance:
Service Selection Principles