Page 1: Net+ Trust & Identity Services
Source: meetings.internet2.edu/media/medialibrary/2014/04/... (25-slide deck)

John Krienke, Joe St Sauver, David Walker, Internet2

Page 2: 5 Areas Defined for Net+ Services

© 2014 Internet2

•  Software as a Service
•  Video, Voice and Collaborations
•  Trust & Identity
•  Digital Content for R&E
•  Infrastructure, Platform, Security

Delivered via next-generation, high-speed R&E global networks
Built on federated identity and integration architectural standards
Administered via global agreements, contracts and provisioning

Page 3: Lifecycle

•  Explore
•  Develop
•  Deploy

Page 4: Service Validation

•  Goal is a service, structured for higher education, ready for adoption
•  Typical issues
   ○  Compliance
   ○  Security
      ■  Cloud Controls Matrix
   ○  Accessibility
      ■  WCAG
   ○  Identity
      ■  InCommon integration
   ○  Networking
   ○  Specific service issues

Page 5: Service Validation Process

•  Issue Discovery
   ○  Use case implementation by service validation participants
   ○  Work groups for security, accessibility, and identity
•  Address Issues
   ○  Negotiated road maps
   ○  Priorities determined by service validation participants
•  Business Model
   ○  Contract terms
   ○  Pricing
•  Signed Agreement (vendor <-> Net+)
•  Agreement Template (Net+ <-> campus)

Page 6: Stories: The DocuSign Service Validation

•  InCommon Participation
   –  Publishing and consuming metadata
   –  Technical interoperation
•  Electronic mail as identifier
   –  Institutional and personal use of DocuSign
•  Security
   –  Issues are not absolute; rather, they determine the sensitivity and criticality of appropriate use cases
   –  Analogous to the security of electronic mail systems

Page 7: Current T&I portfolio

•  General Availability:
   -  InCommon Certificate Service with Comodo
   -  Duo Security multifactor security
   -  SafeNet USB-format PKI hard tokens and smart cards
•  Early Adopter:
   -  Eduroam wireless roaming
•  Service Validation:
   -  DocuSign electronic signatures
   -  Toopher multifactor security
•  Evaluation:
   -  LastPass password manager
   -  Fischer Identity virtual identity provider

Page 8: Certificate Service (General Availability)

•  Offered by InCommon in partnership with Comodo
•  Offers unlimited SSL/TLS certs for web services, etc., including extended validation (so-called “green bar”) certs, plus code signing and client certs, all for one annual fee (scaled to institutional Carnegie classification), usually resulting in $ savings
•  Covers all the domains a university owns (edu and non-edu alike)
•  Trusted by virtually all web browsers and other applications
•  Now in use by 278 different InCommon participants -- how about your school?
•  http://www.incommon.org/cert/ for more information

Page 9: Duo Security Multifactor Authentication (GA)

•  These days you need something better than just a password: Duo multifactor combines your password (something you know) with your smartphone (something you have).
•  Duo is both easy to use and affordable.
•  Site-license Duo for all faculty/staff, or add students. Coverage is even available for hospital staff at academic hospitals.
•  Not ready to site-license yet? A minimal-hassle pilot program is also available for $5/user/year (500 user minimum).
•  18 universities/university systems are already site-licensing Duo, and many others are piloting it in the à la carte program.
•  http://www.incommon.org/duo/index.html for more information.

Page 10: SafeNet PKI Hard Tokens/SmartCards (GA)

•  While phone-based multifactor auth is easiest to use and currently most popular, some sites prefer or require client certificates, and may need USB-format PKI hard tokens or smartcards on which to store those certs.
•  InCommon currently offers selected SafeNet products to help meet the needs of those users.
•  See http://www.incommon.org/safenet/

Page 11: Eduroam (Early Adopter)

•  If you travel to other universities, you may find yourself wishing that you could log in to wireless just like you do back home. If your home school and the school you’re visiting participate in Eduroam, and your system is properly configured, now you can!
•  From the perspective of universities, doing Eduroam means substantially fewer users who need manually provisioned guest accounts.
•  For more information on Eduroam, please see http://www.internet2.edu/products-services/cloud-services-applications/eduroam or http://www.eduroam.us

Page 12: DocuSign (Service Validation)

•  DocuSign is an electronic signature, transaction management, and document workflow service. Accessible anytime, anywhere, on any device, the DocuSign Global Network connects organizations to their customers, partners, suppliers, and employees where they transact business in confidence. DocuSign helps decrease transaction cycle times, reduce costs, and enhance customer satisfaction with the easiest, fastest, most secure global network for sending, signing and tracking documents in the cloud.
•  For more information on DocuSign, please see http://www.internet2.edu/products-services/cloud-services-applications/docusign/

Page 13: Toopher (Service Validation)

•  Toopher is a new NET+ multifactor option that aims to make multifactor authentication virtually invisible by leveraging the location awareness of user smart phones (see https://www.toopher.com/).
•  Toopher just commenced Service Validation at the end of March, and we’d love additional service validation university participants.
•  If your site is interested in participating, please contact either [email protected] or [email protected]

Page 14: LastPass (Evaluation Phase)

•  We all find ourselves juggling far too many passwords for all the different web sites we use. LastPass is a password manager that makes it easy for you to securely store and use strong passwords for all those sites -- without having to struggle to remember them. See https://lastpass.com/
•  LastPass is currently in the “evaluation” phase of the NET+ boarding process, and we’re looking for five or six sites that might be interested in helping to evaluate and validate this service for the trust and identity portfolio. If your university is interested, please contact [email protected] for more information.

Page 15: Fischer Ignite (Evaluation Phase)

•  Fischer's Ignite is a hosted, virtual identity provider service that satisfies the IdP-related requirements for schools wishing to participate in InCommon or leverage services where InCommon participation is required, such as Internet2 NET+ services. The Basic Service is a self-service solution that enables access to InCommon for institutional and regional network service providers. The Premium Service provides access to any number of SAML 2.0-compliant service providers and includes additional value-added services. For more information, see http://www.internet2.edu/products-services/cloud-services-applications/fischer-ignite-federation-service/

Page 16: Brainstorming More T&I Portfolio Offerings

Any of these T&I services potentially of interest to attendees?
•  Biometric multifactor applications (voice-based password reset?)
•  Crypto currency service (such as Bitcoin, Ripple, Litecoin, etc.)
•  Domain name registration services
•  Identity-based email encryption (example: Voltage SecureMail)
•  Outsourced public-record-based identity proofing service
•  PII monitoring services (e.g., post-breach monitoring services)
•  Pre-employment background verification services
•  Trademark infringement/brand management monitoring services
•  Virtual Private Network (VPN) services, particularly for travelers

Page 17: Net+ Service Areas: WHAT IS OUR GOAL?

•  Software as a Service
•  Video, Voice and Collaborations
•  Trust & Identity
•  Digital Content for R&E
•  Infrastructure, Platform, Security

Delivered via next-generation, high-speed R&E global networks
Built on federated identity and integration standards
Administered via global agreements, contracts and provisioning

Page 18: Integration at Scale

InCommon Federation: 10 years
•  1644 Service Provider Entities
•  347 Identity Providers

Page 19: Integration at Scale

Interfederation

Page 20: Principles for Service Inclusion

•  Enhancing: Opportunistic, Campus sponsorship
•  Foundational: Toward a Service Architecture

Built on federated identity and integration architectural standards

Page 21: Categories of T&I Services

•  Enhancing: Device and Person Authentication
   –  X.509 Certificates
   –  Multifactor Authentication
   –  Password Managers
   –  Electronic Signatures
   –  Strategic catalysts: device identity, anonymity/privacy, mobile AuthN/Z, social engineering and online trust, advances in cryptography, alternatives to root CAs
•  Foundational
   –  Identity & Group Management, Single Sign On, Federated IdP
   –  Multifactor Authentication Services
   –  IAM Professional Services consulting and integration
   –  Gateways

Built on federated identity and integration architectural standards

Page 22: InCommon Affiliates

•  Aegis Identity
•  Cirrus Identity
•  Fischer International
•  Microsoft
•  Unicon
•  Spherical Cow Group

Page 23: Service Validation

•  Functional Assessment
•  Business Model
•  Technical Integration
   –  Network
   –  Identity
   –  Integration
•  Security
•  Accessibility
•  Compliance

Formal criteria:
•  MUST
•  SHOULD
•  MAY

Page 24: How will we answer these Questions? Via Governance & You

•  Net+ Program Advisory Group (PAG)
   –  Overall guidance on Net+ lifecycle, SV Criteria, Legal templates
   –  Community principles of engagement
•  InCommon Steering Committee’s expanded role to TIER
   –  InCommon Federation & Assurance programs
   –  T&I Service portfolio: principles, balance & number, T&I criteria
   –  Identity and Access Management R&D, Middleware, Integration & Architecture
   –  Community, external relations

Page 25: Service Selection Principles

•  Competition promotes choice and value, but too many options create confusion.
•  How many services is ideal within a given category?
•  Needed Principles for
   –  Inclusion: Strategic or Opportunistic?
   –  Exclusion:
   –  Replacement:
   –  Discontinuance: