SecIdmNC09-20090225-cpm

Transcription

SecIdmNC09-20090225-cpm
Leveraging Identity
Management for Privacy,
Security, and Compliance
Linda Hilton, Chief Information Officer, Vermont State Colleges
&
Christopher Misra, Information Security Officer, University of Massachusetts
1
For ref. only – remove for printing
• 
Access control is a critical component of a standards-based information
security program. It helps safeguard IT assets by controlling access to
information, information processing facilities, and business processes
according to business and security requirements. Access control also
serves to protect our community members privacy by preventing
unauthorized access to information held in application systems. Although
institutions may have similar security goals, institutional type, size, and
context will present unique implementation challenges. This seminar will
explore how diverse institutions can bridge issues in technology, policy, and
process related to security and identity management to achieve shared
institutional goals and ensure compliance.
What We Will Focus On
•  An overview of identity management
•  How identity management can help improve
security, protect privacy, and ensure
compliance
•  IdM as a component of an information security
program
•  Bridging policy, process and technology
3
Identity Management Overview
• 
• 
• 
• 
• 
Some definitions
Core components
IdM drivers
Why do IdM?
How is IdM used in Higher Ed?
IdM: definitions
•  What do we mean by Identity Management?
–  California State University definition - An identity
management infrastructure is a collection of
technology and policy that enables networked
computer systems to determine who has access to
them, what resources the person is authorized to
access, while protecting individual privacy and
access to confidential information.
5
Analyze this Definition
•  Infrastructure - software and hardware
•  Collection - not just technology
•  Technology and policy – policy plays a critical role and is
an essential element of the solution
•  Networked computer systems - implies distributed
technology systems communicating over a network
•  Access - Who am I
•  Authorized - What can I do
•  Protecting - limiting access and protecting information
6
Idm: definitions
The Burton group defines Identity Management as :
A set of processes, and a supporting infrastructure,
for the creation, maintenance, and use of digital
identities.
–  Integrates data sources and manages bio-demo
information about people and devices
–  Establishes electronic identity of users and devices
–  Issues and validates identity credentials
–  Uses organizational data and management tools to
assign affiliation attributes
–  …and gives permission to use services based on
those attributes
7
Core IdM Components
•  People and Relationships
•  identity and trust
•  Account Creation, Management, and
Deletion
•  Technology, business process, resources
•  Access management
•  Assignment of privilege, groups and roles, IdM and application-level
security
8
44
Core components: People and
Relationships
•  Different types of affiliations
–  Formal vs. Casual
•  Multiple affiliations and multiple roles
•  Affiliation life-cycles
9
55
Core components: Creation &
Management of Identities
•  These are the IdM business processes
•  Vetting – collection and validation of identity information
•  Proofing – aligning collected data and matching to an
actual person with some degree of certainty
•  Issuance of credentials
–  ID/password pair
–  ID card
–  2nd factor token
•  Managing – providing assurance that the credential and
the entity stay linked
10
66
Core components:
Access Management
•  Connecting people to data and services
•  Authentication decisions
•  Authorization decisions
–  Affiliation type, status, level of assurance,
roles and other attributes.
•  Rule of least privilege
11
77
Core components:
Access Management
•  Assignment of privilege
•  Groups and roles
•  IdM and application-level security
IdM Business Needs
•  Support increased collaboration and
innovation
•  Improve customer service
•  Increase efficiency
•  Improve security of digital assets and
mitigation of risk
13
88
What are IdM drivers?
•  Traditional forms of authentication and authorization are
no longer sufficient for needs of modern internet-based
applications
•  Application security is becoming increasingly onerous
–  multiple applications, multiple enterprises, and multiple user
roles in multiple contexts
•  New regulations dictate more stringent identity
management processes
– 
– 
– 
– 
– 
HIPAA (Health Information Privacy)
FERPA (Educational Records Privacy)
Sarbanes Oxley (Financial Disclosures)
Gramm-Leach-Bliley Act (Financial Information Privacy)
Red Flag rules (Identity Theft Prevention)
14
88
Why Do Identity Management?
•  Centralize directory services
–  One authoritative source for applications
–  One stop shopping for students and employees!
•  Single sign-on – reduce control gates for access to data
•  Standardized posture makes adding new apps easier
•  Remote access
•  Inter-institutional access
•  Lifecycle issues: from cradle to grave
•  Enhance privacy of personal information
•  Improve security and safeguarding of information
•  Comply with federal and state laws and regulations
15
How Identity Management
Is Used in Higher Education
• 
Students
–  Learning resources (course management systems, library, etc.)
–  Online student systems
• 
Staff
–  Employee directory
–  Online human resources systems (timesheets, payroll, benefits, etc.)
• 
Faculty and Researchers
–  Online course materials and library resources
–  Federal research agencies, funding, and data resources
• 
Alumni and Donors
–  Email for life
–  Alumni directories and services
• 
All
–  Student/Employee directory
–  Emergency notification systems
• 
External Access
–  Contractors, guests, visiting faculty, donors, volunteers
16
Emerging IdM Uses
•  Building Access Controls
•  Federal Government Agencies
–  NIH
•  National Student Loan Clearinghouse
•  Workflow
17
Creating an IdM Infrastructure
• 
• 
• 
• 
• 
• 
A strategic approach to IdM
Solve problems – pick low hanging fruit
Create awareness
Develop a roadmap
Address the gaps and challenges
Offer education
18
Tailoring IdM to the environment
• 
• 
• 
• 
• 
• 
Operational – governance, org structure
Cultural
Resource levels
Process maturity - it s an IT issue
Scale differences
Budgets and resources
Case studies
•  Vermont State Colleges: Security and IdM
•  University of Massachusetts
Case Studies
•  Each campus has unique experiences with
deploying Identity Management and
middleware.
•  We will review each of our school s
approach to providing these services.
University of Massachusetts
Amherst IdM
•  Context
–  45,000+ accounts
–  25,000+ students
•  Deployment
–  ERP based provisioning and account
management (Peoplesoft)
–  OpenLDAP
–  Kerberos authentication backend
Case Study: UMass
Background
•  Active LDAP project initiated in 2003
•  Existing account management system
circa 1993
•  Started with account management system
rewrite
–  Deployed as a custom app within our
Peoplesoft environment
–  Campus ERP is System of Record
Case Study: UMass
Guiding Principles
•  (T)hese processes of identification, registration,
authentication, and authorization that are
uniquely separate processes that should be
tightly linked and controlled in order to have a
trusted and robust identity and privilege
management system. Understanding the
underlying processes and the differences in the
processes is critical to managing these types of
integrated systems.
•  From NMI authentication roadmap
Case Study: UMass
IdM and Security
•  Segmented authentication and white
pages functionality
–  FERPA drivers
•  Tighter control over authenticating LDAP
–  Understanding and controlling where we
expose our credentials
•  Relying heavily on WebISO
–  Where appropriate and feasible
Case Study: UMass
Protecting Privacy
•  Everyone has their own application,
–  and thus have a need for access control
•  Per-app IdM increases exposure of
personal data
–  What one can do vs. is permitted to do
•  Assigned privileges may be sensitive
•  Roles and groups that map to courses
require FERPA protections
Case Study: UMass
Compliance
•  Having a consistent IdM tied to ERP
permits identification of user activity
–  DMCA, PCI-DSS, etc
•  Accurate de-provisioning is critical to
internal audit
–  University Policy
•  Application enrollment
–  Logical next step from asset inventory
Break
Security, privacy, compliance
overview
•  IdM and security
•  Managing and protecting privacy
•  Incident trends
Identity Management and Security
•  Identity management system is a integral component of
the organization s overall security strategy and
architecture.
•  In higher education, IdM has often been developed and
managed more as a business enabler than as part of the
security strategy.
•  Looking at IdM success factors we see how much
overlap there is with security.
30
Managing and Protecting Privacy
•  Security services traditionally focus on
preventing badness
–  protective, defensive and reactive tools and
techniques.
•  IdM provides a set of infrastructure
services that enhance security
–  identification, authentication, and
authorization.
31
Security Threat Environment
•  The security environment is changing. The
focus should be on the behavior that we
don t understand or manage well
–  Everyone wants their own application
–  Those who operate these applications
frequently do not have a strong security
background
–  Assignment of privilege is decentralized and
often poorly managed
What are the tangible risks
•  Data loss is a principle driver for many campus
Information Security organizations
•  Many of the incidents revolve around individuals having
access to data that had sensitive information (NPI) and
not taking adequate security procedures.
•  Data management – knowing who has access to
sensitive data, and then taking appropriate measures, is
a key aspect of protecting that data.
•  Large incidents often revolve ancillary business systems
that are run outside of central IT.
33
Data privacy legal issues
•  Forty-four states, the District of Columbia,
Puerto Rico and the Virgin Islands have
enacted legislation requiring notification of
security breaches involving personal
information.
http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm
Broader Privacy Issues
•  Increasingly through either state laws or as a result of
the European Union privacy efforts we are going to have
to manage varying rules for what is private information
and how to manage that information based on the
relevant jurisdiction of the individual.
•  Additionally, as the EU rules take hold we will need to
recognize what outside groups we can share information
with and what attributes can be released on individuals
to different entities.
35
IdM: bringing the pieces together
What Does IdM Involve?
Technology
Resources
Policy and Governance
….And
• Standards
• Practices
• Products
• Authentication and Authorization
Mechanisms
• Enterprise Directories
• Institutional Goals
• Drivers
• Constituent Requirements
• Policies
• Regulations & Laws
• 
• 
• 
• 
• 
Business processes
Applications
Budget
Project Management
Staff / Skill Expertise
•  New TRUST relationships
•  Federations
37
Identity Management Drivers
Legal &
regulatory
Institutional
Goals
Constituent
Requirements
Policy &
Governance & Business Process
Standards
Budget
Identity
Management
Practices
Technology
Products
Resources
Project
Management
Staff Skills/
Expertise
38
Identity and Access Management (IAM) Model
39
Technology
40
Technology: an architecture
for Identity Management
•  Identity management systems aggregate information
across disparate systems. Requirements include:
–  High performance – these systems drive all webfacing customer applications and customers (or
employees) won t wait.
–  High reliability – these systems often provide all
authentication and authorization services. When
down, nothing can occur.
–  High security – these systems may maintain a large
number of person attributes, sometimes including
personally protected information.
41
Technology: Enterprise Directory
•  The core of an identity
management system.
•  Metadirectory is usually the
IdM database schema that is
updated by the core data
sources.
•  Physical directories, called
LDAP, provide an interface to
services.
•  For auditors, understanding
how to validate that the
business rules are implemented
and followed is essential.
42
Technology & Business Process:
Identifying Authoritative Data Sources
•  Authoritative data feeds for the
Identity Management system may
come in real time or batch from
your CRM and/or ERP systems.
•  Often you have special population
groups kept in systems outside of
the ERP or CRM.
•  Some systems may provide
periodic, or asynchronous updates
or be polled for new information.
•  For auditors, understanding what
data sources are used and the lag
time to updating the IDMS system
is essential to enforcing policy.
43
Technology & Business Process:
Applications and Services
•  Applications and services are the
consumers of an IDMS. Examples
include:
–  Authentication - Who am I?
–  Authorization services – What can I do?
–  Portals are often a common application
•  Services
may reside locally or be
provided by off-campus providers
through Software-as-a-Service (SaaS)
or Service Oriented Architecture (SOA)
methods.
•  Audit issue is how you validate
partners are meeting service
requirements and managing data
appropriately?
44
Resources: Business Process
•  Leveraging IdM for managing roles and security
•  Universities are complex – we have systems for student
housing, finance, human resources, grants
management, student records, admissions, alumni, and
library – often to name just a few of the major systems.
•  It is very rare to have a single vendor provide solutions
to all of these areas and so we have many different
vendors. In many cases we have a different vendor for
each major system.
•  In addition, application security is getting much more
complex making it staff intensive and difficult to audit for
compliance.
45
Resources: Business Process
•  Multiple roles at the same institution can
add to the complexity
•  Multiple institutions sharing identities can
be even more complex
•  We need workflows for role changes that
are accurate and timely (can be critical to
application security)
46
U.S. Federal Government
eAuthentication Initiative
http://www.cio.gov/eauthentication/
47
Federations
•  Federations
–  A federation is an association of
organizations that use a common set of
attributes, practices and policies to exchange
information about their users and resources in
order to enable collaborations and
transactions
http://www.incommonfederation.org/docs/guides/faq.cfm
Federations
•  Fundamentally a policy construct
‒  Combined with a technical toolset
•  Often implemented with the Shibboleth
toolset in R&E networks
•  Provides access to local campus
resources to users from remote institutions
Benefits of Federations
•  Organizations without a federation needing to share
information must enter into bilateral agreements. These
agreements are difficult to achieve and greatly
complicate the work of insuring compliance if each has
slightly different terms.
•  Individuals without a federation must establish a
relationship with each organization, often providing
duplicate information to multiple organizations.
50
Federations and Identity Management
•  Federations – definition
–  Dictionary.com - a federated body formed by a
number of nations, states, societies, unions, etc.,
each retaining control of its own internal affairs.
–  Incommon.org -A federation is an association of
organizations that use a common set of attributes,
practices and policies to exchange information about
their users and resources in order to enable
collaborations and transactions.
51
Traditional Identity Management
Benefits
e-Learning
Online
Application
State Agency A
e-Learning
Library
State Agency B
= Credentialing / Authentication
= Authorization
= User Credential
52
Federated Identity Concept
Federation
Benefits
e-Learning
Texas
Online
State Agency A
SIRS
Library
State Agency B
= Credentialing / Authentication
53
= Authorization
= User Credential
Federations
•  InCommon Federation
–  Higher Education & Research Emphasis
–  http://www.incommonfederation.org/
•  UT System Identity Management Federation
–  Business Emphasis
•  State of California Federated IdM Vision
(http://www.cio.ca.gov/stateIT/pdf/California_SOA_and_IDM_Vision_122007.pdf)
•  State of New York IdM Model
(https://www.oft.state.ny.us/Policy/G07-001/) Trust Model
(http://www.oft.state.ny.us/OFT/PrinciplesoftheNYSEnterpriseIdMArchitecture.pdf)
•  State of Nebraska Federated Services
(http://www.nitc.state.ne.us/events/conferences/egov/2004/files/345_UserAuthentication_Hartman-FedID.ppt)
54
InCommon Federation – An
Example
•  Presently about 123 members, approximately 81 higher
education institutions, 5 government agencies or nonprofit laboratories, and 33 corporations (public and nonprofit) representing 1.7 million individuals.
•  Entities agree to a common participation agreement that
allows each to inter-operate with the others.
•  InCommon sets basic practices for identity providers and
service providers. The primary focus has been technical
and focuses on campus identity management
procedures and attributes.
55
What Does Security Involve?
Technology
Resources
Policy and Governance
….But Most Importantly
• Standards
• Practices
• Products
• Institutional Goals
• Constituent Requirements
• Policies
• Regulations & Laws
• 
• 
• 
• 
• 
Business processes
Applications
Budget
Project Management
Staff / Skill Expertise
56
Security standards
•  The evolution of security processes and procedures
from ISO 27002 provides a strong foundation for risk
management and developing strong internal controls as
these pertain to security.
•  While much of the ISO 27002 program is helpful to
building a strong identity management function it was
not necessarily written for this function.
–  As the IDMS becomes a key business driver we should see the
framework evolve.
•  Working with audit may help us bridge some of these
gaps while the policy approaches are resolved.
57
Security Standards
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
Governance and Organization of Information Security
Risk Assessment and Management
Policy
Asset Tracking and Management
Human Resources Security
Physical Security
Communications and Operations Management
Access Control
IT Systems Acquisition, Development, Maintenance
Incident Response and Management
Business Continuity/Disaster Recovery
Compliance
Security Standards: IdM
•  Access Controls is a component of most
security programs
•  From ISO27002, the need for access
control is roughly defined as:
Logical access to IT systems, networks and
data must be suitably controlled to prevent
unauthorized use.
•  This aligns well with our definition of IdM
ISO 27002: Access Control
•  Business requirement for access control
–  Access Control Policy
•  User access management
–  User registration
–  Privilege management
–  User password management
–  Review of user access rights
•  User responsibilities
–  Password use
–  Unattended user equipment
–  Clear desk and clear screen policy
60
ISO 27002: Access Control (cont d)
•  Network access control
–  Policy on use of networked services
–  User authentication for external connections
–  Equipment identification in networks
–  Remote diagnostic and configuration port
protection
–  Segregation in networks
–  Network connection control
–  Network routing control
61
ISO 27002: Access Control (cont d)
•  Operating system access control
–  Secure log-on procedures
–  User identification and authentication
–  Password management system
–  Use of system utilities
–  Session time-out
–  Limitation of connection time
•  Application and information access control
–  Information access restriction
–  Sensitive system isolation
62
Level of Assurance in IDMS
•  IDMS systems have often been business enablers for
connecting customers or external business partners.
•  Questions?
–  Do all account holders have access to all services
and generate the same level of risk?
–  Do you have the same level of confidence that the
identity associated with an account is who they
purport to be for all your account holders?
•  If you answered no, you might look at integrating level of
assurance into your IDMS.
63
Overview of Level of Assurance in IDMS
•  Two distinct uses
1.  For a service provider, the level of risk to the
application or organization if an incorrectly identified
user is allowed to access the application or perform
a transaction. This can happen if someone
compromises an account password.
2.  For an identity provider, the risk that the person is
not who they claim to be – in this case the person
has legitimate credentials that they acquired
frauduantly
•  Organizations often perform both functions and must
look at both risks.
64
Assurance as an Identity Provider
•  A combination of assurance that the person presenting
their credentials is who they say they are AND they are
the person presenting the credentials.
–  The degree of confidence in the vetting process; and
–  The degree of confidence that the person presenting the
credential is the person you issued the credential too
• 
• 
• 
• 
Level 1 – little or no assurance
Level 2 – some confidence
Level 3 – high confidence
Level 4 – very high confidence
65
Assurance as an Identity Provider
•  eAuthentication guidelines require that everyone is
identity proofed.
•  We define another group – level 0. Level 0 has no
assurance the person is who they say they are. These
are guests that assert their identity and want a portal
account. We have no way of verifying they are who they
say they are
•  Audit plays an important role in assessing and validating
the procedures for initial identity proofing. We do this
when issuing our ID card.
66
Assurance of Credentials
•  The second component of assurance is the assurance of
the credential as presented by the person it was issued
too.
•  Traditional authentication focuses on password
management. Level 2 is the highest assurance a textbased password can achieve.
•  For level 3 or 4 assurance eAuthentication requires twofactor authentication. The second factor must be some
token that is issued to the user. The US government is
moving to smart ID-cards under the auspices of
HSPD-12.
67
Credential Assurance
NIST 800-63 guide provides
excellent framework for
managing credentials.
The entropy spreadsheet is
a great tool for reviewing
password practices and
looking at how subtle
variations in policy practices
change the strength of the
credentials.
This is a great tool for
auditors!
68
An Example – Password Resets
•  Forgotten passwords are often among the most common
call to the helpdesk.
•  Creating a self-service method to reset your password
often is essential for improving customer service and
reducing helpdesk costs.
•  However, this creates an opening for attacks to
compromise accounts. We are integrating level of
assurance into our process.
–  The 10% of total account holders that have LOA of 2 have a
different process than the 90% with LOA of 1.
69
Assurance for Service Providers
•  Service providers follow traditional risk management
approaches such as NIST 800-30 to assess the risk
associated with an authentication error:
•  The potential harm or impact, and
•  The likelihood of such harm or impact.
–  Potential categories of harm include: reputation,
financial loss, organization harm, release of sensitive
information, risk to personal safety, and criminal or
civil violations.
–  Ratings use values of low, moderate, or high.
70
Setting Level of Service Assurance
71
Idm Solutions
•  No slides on Shib? Ask Ann
Current Status of Signet
•  MACE/I2 has suspended work on Signet and are now working with
the community to refocus the requirements for privilege
management and will move forward accordingly. This may mean
evolving Signet or adding functionality to Grouper Groups
Management Toolkit or other options. Stay tuned.
•  Some of the outcomes of this effort may take the form of practice
recommendations. For instance, one of early requests was for
approaches and tools for growing a campus authz infrastructure
---from groups to privilege management---and starting with a
lower risk approach. The CAMP in June 2009 will be addressing
this very issue.
•  MACE/I2 is also in discussions with Kuali about working together
on IdM.
73
More Information
Linda Hilton, Chief Information Officer,
Vermont State Colleges
Phone – 802.626.6394
Email – linda.hilton@vsc.edu
Chris Misra, Information Security Officer,
University of Massachusetts, Amherst
Phone –
Email –
74
Questions?
75
What did you think?
•  Your input is important to us!
•  Click on Evaluate This Session on the
Mid-Atlantic Regional program page.
Slide parking lot
•  Other slides below that may or may not fit
Kim Cameron s Laws of
Identity Whitepaper
Seven Laws of Identity
1.  User control and consent
2.  Minimal disclosure for a constrained use
3.  Limit relationships to justifiable parties
4.  Control over who can see my identifier, directed identity
5.  Pluralism of operators and technologies
6.  Human integration
7.  Consistent experience across contexts
78
Dick Hardt s Identity 2.0
Presentation at OSCON
•  One of the best presentations on identity management is
by Dick Hardt at OSCON 2005.
•  This is a good overview of looking at how identity
management may evolve. In 15 minutes he gives a great
presentation.
•  http://www.identity20.com/media/OSCON2005/
79
IDMS – Managing Roles and
Application Security
•  Internet2 has launched a project called Signet to allow
security roles to be managed centrally and have these
update the application security.
•  The process is define a security model, assign roles and
responsibilities in the IDMS for functions (e.g. approve
payroll) and then have a specially developed connector
update the security in the application based on changes
in the IDMS.
•  The benefit is that as an employees status changes you
can make the change in one place and propagate to all
systems.
80
Key Elements of SIGNET
•  Provide a single point for managing authorization without
consolidating control. Business owners have a web
interface for managing who has access.
•  Allows centralized IDMS services to be leveraged for
business applications and security, such as when a
person leaves the organization or changes roles.
•  Helps enable business groups and users through a
consistent approach to security
81
Web Services – Service
Oriented Architecture
•  Service oriented architecture (SOA) leverages the web
to provide services. The goal of SOA is that as the web
becomes the application delivery platform there will be
components done elsewhere that you want to integrate
into your application.
•  There are a set of standards (multiple) that define how
web services will interoperate and manage authorization
and access to these web services.
•  Ultimately, for the promise of web services to be realized
there will need to be solutions that reside outside of the
application as part of an overarching IDMS system.
82
83
Longer Term Approaches
•  The WWW consortium (W3C) is working on standards
for autonomous policy engines that take policy heuristics
in an XML format and exchange and manage them
across independent groups.
•  There seems to be momentum in moving to SOA and
that will ultimately drive standards and direction as
applications emerge that support business innovation.
•  Companies may initially have two approaches, one for
internal desktop applications and the other for extranet
applications.
84
Leveraging IdM: overview
•  How can IdM practices and policies
improve security?
•  Intersections: policy frameworks
•  Intersections: technical frameworks
•  What is a standards-based information
security program?
Resources
More information: CAMP
• 
• 
• 
• 
• 
• 
• 
CAMP: Practical Building Blocks for Access Management JUNE 15–17,
2009 Philadelphia
Institutions small and large interested in getting a handle on authorization
Case studies of business and academic challenges from around the
institution
Discussions how to incrementally build authz to reduce risk and ensure
success
Practical approaches for integrating standard authorization components
Strategies of how these approaches help with compliance, security, and
service provisioning and support business objectives
www.educause.edu/camp092 (website available early March)
www.incommonfederation.org
88
02/10/2008
InCommon Collaborative
Projects/Efforts
https://spaces.internet2.edu/display/InCCollaborate/Home
• 
• 
• 
• 
• 
• 
• 
• 
• 
InC Student
InC Library
InC SharePoint
TeraGrid
InCommon Inter-federation
InCommon - NIH
InCommon Research
InC Apple
Dreamspark
89