DIVISION OF INFORMATION TECHNOLOGY ENTERPRISE ARCHITECTURE

CSU Enterprise Identity Management Trust-Level Framework

Version 1.0 - November 2015


Table of Contents

Purpose of this Document
Executive Summary
Motivation
CSU Trust Level Model
  Identity Trust Levels
    Identity Proofing
    Identity Reconciliation
    Identity Trust Levels for Affiliations
  Authentication Trust Levels
  Authentication Assertion Protection Level
  Example Trust Levels applied to Applications
  Appendix A. Attorney-General’s Identity Proofing Objectives and Evidence Weightings.
    Identity Proofing Objectives
  Appendix B. Australian Access Federation – Levels of Assurance

Table of Figures

Figure 1 - CSU Identity Trust Levels
Figure 2 - Authentication Trust Levels
Figure 3 - Authentication Assertion Protection Level
Figure 4 - Identity Attributes and Evidence required to establish trust level
Figure 5 Trust Levels for affiliations
Figure 6 Trust Levels for affiliations applied to Applications


Purpose of this Document

The purpose of this document is to establish a framework relating to Trust Levels for identities that have an affiliation with CSU. The framework can be utilised to help assess the requirements for delivering services to the wide variety of people the university engages with.

Executive Summary

Universities have traditionally had fairly static and clear-cut boundaries relating to the people they deal with – the University Community. Academic and support staff as well as students generally form the basis of the community, with relatively limited numbers of alternate association types. Rapid changes in the higher education landscape, brought about by evolving technology-based pedagogies as well as a move to a more competitive commercial environment, have meant the focus has moved from a bricks and mortar paradigm to providing services to a large range of people in any location, as well as to more aggressive recruitment strategies.

This framework introduces a taxonomy for defining the types and levels of Trust applicable at CSU. It also relates the Trust Level and Identity Management processes to the various affiliations that people have with the university and the diverse affiliation journeys they may take through their period of engagement.


Motivation

The establishment of Trust Levels provides a standardised method of:

- Assessing the level of confidence in the legitimacy of an identity to ensure appropriate access to services and application functionality.
- Mitigating risk of exposure of sensitive data by controlling access to systems that hold that data.
- Evaluating the rigour of authentication processes to ensure they are conducted in a secure way.

The ability to control access to systems based on Trust Levels can be leveraged to extend the creation and management of identity accounts to people that fall outside the established community boundaries. This means a CSU identifier and credential set that accompany the identity across varying affiliations can be allocated prior to the traditional community entry points.

Trust Levels also provide a way to allow system access to identities with only a cursory affiliation with the university, where assigning resources to conducting identity verification and reconciliation processes is not viable.

Segregating access via trust levels used in conjunction with common identifiers and credentials helps facilitate:

- A smoother path through entry processes such as admissions, by not requiring a change in credentials at the point of enrolment.
- Engagement with those processes by people that already have an account, using their common CSU credentials.
- A seamless user experience through the use of common credentials and identifiers across a Single Sign-On environment.
- Movement of identity and other related data between systems using the allocated CSU identifier.
- Linking of identities via the CSU identifier to track and analyse activities across the gamut of affiliations.


CSU Trust Level Model

The model relates to three distinct aspects of the identity’s interaction with services and applications.

1. Identity Trust Levels - The level of confidence that the person is who they say they are. It consists of Identity Proofing and Identity Reconciliation.

Note: The Federated Identity column equates the AAF Levels of Assurance (LoA) to the CSU Trust Level.

| Trust Level | Name | Description | Federated Identity [1] |
|---|---|---|---|
| ITL-0 | Anonymous | No identity information is known | |
| ITL-1 | Self-Registered | Self-registered with confirmed unique email address or social logon | |
| ITL-2 | Trusted Source | Identity data is provided by a trusted source where preliminary identity verification is carried out | |
| ITL-3 | Gateway | The identity has been established via CSU Identity Gateway processes and checks. Proof of identity requirements are not rigidly enforced but the person may: be vouched for and managed by a CSU staff member; incidentally provide other documents that match asserted identity attributes (e.g. proof of previous study); declare that the information they have provided is true and accurate; provide information that can be verified with other authorities (e.g. Tax File Number or bank account) | LoA1 |
| ITL-4 | Legislative | Because of legislative requirements of an identity’s affiliation there is additional documentary evidence that must be sighted (e.g. visa documents or Working with Children Certificate) | LoA1 |
| ITL-5 | Certified | Approved documents in conjunction with suitable photographic evidence are produced in the presence of a CSU staff member or trusted agent | LoA2 |

Figure 1 - CSU Identity Trust Levels

2. Authentication Trust Level - Level of confidence in a person’s asserted Digital Identity, i.e. the stringency of authentication.

| Trust Level | Name | Description |
|---|---|---|
| ATL-0 | Public | No authentication |
| ATL-1 | Proxied | Requires authentication to one application that has a Trust Relationship with the application. Authentication to the first application ensures only authorised use, e.g. LTI integration with the Learning Management System |
| ATL-2 | Single Factor | Identity is proven by providing validated credentials (username and password) |
| ATL-3 | Multi-Factor | Identity is proven by providing validated credentials (username and password) plus at least one additional method of authentication (PIN, One-Time Password) |

Figure 2 - Authentication Trust Levels

3. Authentication Assertion Protection Level - Level of confidence in the security of the authentication process.

| Protection Level | Name | Description |
|---|---|---|
| AAP-0 | Unencrypted | The authentication process is conducted without encryption |
| AAP-1 | Encrypted | The authentication process is conducted across an encrypted network, and cookies and tokens are encrypted |

Figure 3 - Authentication Assertion Protection Level

[1] Refer to Appendix B. Australian Access Federation – Levels of Assurance


Identity Trust Levels

Identity Proofing

The National Identity Proofing Guidelines issued by the Australian Government’s Attorney-General’s Department define Identity Proofing as follows, and provide a model for weighting various types of evidence used in the process.

“Identity proofing is the process of capturing and confirming information to a specified or understood level of assurance to provide organisations with confidence in the identity of a person with whom they are interacting with for the first time.”

Identity Proofing Objectives

The veracity of claims about a person’s identity is established through evidence provided to meet some or all of the following five identity proofing objectives (depending on confidence in the claimed identity required):

1. Confirm uniqueness of the identity in the intended context
2. Confirm the claimed identity is legitimate (to ensure the identity has not been fraudulently created)
3. Confirm the operation of the identity in the community over time
4. Confirm the linkage between the identity and the person claiming the identity
5. Confirm the identity is not known to be used fraudulently

Identity Reconciliation

Identity reconciliation is the process of comparing a new identity account against existing accounts to ensure they are in fact the same person and that duplicate identities are not being recorded. This ensures the correct trust levels are applied and allows auditing of identities across the enterprise.

The table below represents:

- The attributes that are mandatory to achieve the Trust Level, as well as attributes that aid the reconciliation process.
- The levels of documentary evidence that should be provided.

The first nine attribute columns are Identity Attributes; the last two columns are Documentary Evidence [2].

| Identity Trust Level | Name | First Name | Preferred First Name | Middle Name | Last Name | Former Last Name | Date Of Birth | Gender | Email Address | Tax File Number | Primary | Secondary |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ITL-0 | Anonymous | - | - | - | - | - | - | - | - | - | - | - |
| ITL-1 | Self-Registered | * | + | + | * | + | + | + | * | - | - | + |
| ITL-2 | Trusted Source | * | + | + | * | + | * | * | * | - | - | + |
| ITL-3 | Gateway | * | + | + | * | + | * | * | * | + | + | + |
| ITL-4 | Legislative | * | + | + | * | + | * | * | * | + | + | * |
| ITL-5 | Certified | * | + | + | * | + | * | * | * | + | * | * |

Key: - Not applicable; + Contributes to reconciliation processes; * Mandatory

Figure 4 - Identity Attributes and Evidence required to establish trust level

[2] Refer to Appendix A. Attorney-General’s Identity Proofing Objectives and Evidence Weightings.


Identity Trust Levels for Affiliations

The following table indicates the appropriate Identity Trust Levels assigned to different affiliations that identities maintain with CSU.

| Group | Affiliation | Description | ITL | Has IGMS Group |
|---|---|---|---|---|
| Miscellaneous | Anonymous | A person that has interacted with CSU via a service or event (online or in person) where knowing the person's identity is not required. | ITL-0 | - |
| | General Public | | ITL-0 | - |
| | Community Member | | ITL-0 | - |
| | Community Borrower | An individual who is not a student or employee of the University who has registered with the Library for the purpose of borrowing from the CSU library. | ITL-3 | X |
| | AAF Affiliate | | ITL-0 | - |
| | Contractor | | ITL-0 | - |
| | Lead | A person that has interacted with CSU via a service or event (online or in person) within the context of learning and teaching and that CSU would like to be aware of the person's activity. A person may interact many times across different services or events. | ITL-0 | - |
| | Guest | | ITL-0 | - |
| | Delivery Partner | | ITL-0 | - |
| | Agent | | ITL-0 | - |
| | (Unpaid) Practicum Supervisor | Individuals who supervise CSU students on practicum placement but they are not employees of the University. | ITL-0 | X |
| | External Enterprise Employee | | ITL-3 | - |
| | Parent (of student) | | ITL-0 | - |
| | Alumnus | | ITL-0 | - |
| Customers | Prospective Student | Prospective Student is a person that has registered their interest in studying at CSU via a future student service or event. | ITL-1 | - |
| | UAC Preference | UAC admission applicant who has nominated a CSU course as one of their course preferences and not necessarily their first preference. A UAC Applicant can nominate up to nine preferences. | ITL-2 | - |
| | VTAC Preference | VTAC admission applicant who has nominated a CSU course as one of their course preferences and not necessarily their first preference. A VTAC Applicant can nominate more than one preference. | ITL-2 | - |
| | UAC Applicant | UAC Applicant is a person that has decided to lodge an application for admissions into CSU through UAC office. | ITL-2 | - |
| | VTAC Applicant | VTAC Applicant is a person that has decided to lodge an application for admission into CSU through VTAC office. | ITL-2 | - |
| | Articulating student | | | - |
| | UAC Scholarship Applicant | | ITL-2 | - |
| | Applicant | Applicant is a person that has decided to lodge an application for admissions with CSU. A person may lodge more than one application in a given admissions period. Applicant can be further classified as a 'direct', UAC or VTAC applicant to indicate initial data capture point. | ITL-1 | - |
| | Offered Applicant | Applicant is a person that has decided to lodge an application for admissions with CSU and has received a formal letter of offer. | ITL-3 | X |
| Students | (Current) Student | A person who has an active program enrolment for a course of study at CSU. | ITL-3 | X |
| | Graduating Student | A person who has successfully completed program accreditation resulting in the testamur course of study at CSU. | ITL-3 | - |
| | Past Student | A person who was previously an enrolled student but currently does not have an active program enrolment for a course of study at CSU. | ITL-3 | X |
| | Policing Student | A person who has an active program enrolment for a course of study at CSU convened by the School of Policing or the Australian Graduate School of Policing and Security (AGSPS). | ITL-3 | - |
| | Higher Degree Research Student | A person who has an active program enrolment for a course of study at CSU where the course has a classification of 'doctorate by research' or 'master by research'. | ITL-3 | X |
| Human Resources | Prospective Employee | A person or business identified (or self-identified) as a possible future employer of current and or past CSU students. Providing work for pay. | ITL-0 | - |
| | Temporary Staff | | ITL-3 | X |
| | Staff Member | | ITL-5 | X |
| | Casual Staff | | ITL-3 | X |
| | Affiliate | A person who has a formal affiliation with CSU, similar to staff in online service privileges except they are unpaid. Namely the CSU Chancellor, CSU Council Members and visiting appointments. | ITL-3 | X |
| | Paid Practicum Supervisor | Associated teachers who are paid by the University for the supervision of CSU students on practicum placement but they are not employees of the University. Currently only for Faculty of Education practicum supervision. | ITL-3 | X |
| | External Exam Invigilator | | ITL-3 | - |
| | Employer | A person or business that employs one or more current and or past CSU students. Providing work for pay. | ITL-0 | - |

Figure 5 Trust Levels for affiliations


Authentication Trust Levels

The second component of the trust model is Authentication Trust Levels. This relates to the process that surrounds authentication to the system being accessed. This can range from no authentication at all through to complex Multi-Factor arrangements.

Authentication Assertion Protection Level

Finally the Authentication Assertion Protection Level

Example Trust Levels applied to Applications

The following table shows examples of the various trust levels applied to applications. This helps to define the various aspects of interfacing with the applications and services, as well as defining the three trust levels for the affiliations that use the system.

| Name | Aspect | Affiliations | Identity Trust Level | Authentication Trust Level | Authentication Assertion Protection Level |
|---|---|---|---|---|---|
| Academic Workload Calculator | Casual Registration | Prospective Staff | 1 | 0 | 1 |
| | Staff Use | Staff | 3+ | 2 | 1 |
| | Tax Registration | Prospective Staff | 1 | 3 | 1 |
| Adobe Connect | Application | Guest | 0 | 0 | 1 |
| | LMS | Staff | 3+ | 1 | 1 |
| | | Student | 3 | 1 | 1 |
| Aleph | Web | Staff | 3 | 1 | 0 |
| | | Student | 3 | 1 | 0 |
| | | Community Borrower | 3 | 1 | 0 |
| Alesco | WebKiosk | Staff | 3+ | 2 | 1 |
| | | Ex-Staff | 1 | 2 | 1 |
| | Forms Access | Staff | 5 | 2 | 1 |
| Archibus + IFM + Cadcorp | FMCentral | General Public | 0 | 0 | 0 |
| | | Staff Member | 3+ | 2 | 1 |
| | | Student | 3 | 2 | 1 |
| Argos | Evision | Staff | 3+ | 2 | 0 |
| ARIS | Web Interface | Staff | 3+ | 2 | 1 |
| Banner Finance | Forms Access | Staff | 3+ | 2 | 1 |
| | Online Budget Reports | Staff | 3+ | 2 | 1 |

Figure 6 Trust Levels for affiliations applied to Applications
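One way the three levels could gate access to an application aspect, as an added example that is not part of the CSU framework or any CSU system. It assumes each number in Figure 6 is a minimum (so "3+" and "3" both admit higher levels), that a recorded ITL must be backed by the mandatory attributes of Figure 4, and that combinations not listed are denied; the attribute names, the `Session` type and the Name/Aspect keys are hypothetical.

```python
from dataclasses import dataclass

# Figure 4: attributes marked "*" (mandatory) for each Identity Trust Level.
# The attribute names are hypothetical labels for the figure's columns.
BASIC = frozenset({"first_name", "last_name", "email"})
FULL = BASIC | {"date_of_birth", "gender"}
MANDATORY = {
    0: frozenset(),
    1: BASIC,
    2: FULL,
    3: FULL,
    4: FULL | {"secondary_evidence"},
    5: FULL | {"primary_evidence", "secondary_evidence"},
}

# A few Figure 6 rows: (application, aspect, affiliation) -> (ITL, ATL, AAP).
# Assumption: each number is a minimum, so "3+" and "3" are both stored as 3.
REQUIREMENTS = {
    ("Alesco", "WebKiosk", "Staff"): (3, 2, 1),
    ("Alesco", "WebKiosk", "Ex-Staff"): (1, 2, 1),
    ("Alesco", "Forms Access", "Staff"): (5, 2, 1),
    ("Adobe Connect", "LMS", "Student"): (3, 1, 1),
    ("Aleph", "Web", "Community Borrower"): (3, 1, 0),
}


@dataclass(frozen=True)
class Session:
    affiliation: str       # affiliation the person is acting under
    itl: int               # ITL recorded for the identity (0-5)
    attributes: frozenset  # attributes and evidence actually held on record
    atl: int               # 0 public, 1 proxied, 2 single factor, 3 multi-factor
    aap: int               # 0 unencrypted, 1 encrypted


def unsupported_claim(session):
    """Mandatory Figure 4 attributes that are missing for the recorded ITL."""
    return sorted(MANDATORY[session.itl] - session.attributes)


def decide(application, aspect, session):
    """Return (allowed, reasons). Unknown combinations are denied."""
    rule = REQUIREMENTS.get((application, aspect, session.affiliation))
    if rule is None:
        return False, ["no rule for this affiliation"]
    need_itl, need_atl, need_aap = rule
    reasons = []
    missing = unsupported_claim(session)
    if missing:
        reasons.append(f"ITL-{session.itl} not supported, missing: {', '.join(missing)}")
    if session.itl < need_itl:
        reasons.append(f"ITL-{session.itl} below required ITL-{need_itl}")
    if session.atl < need_atl:
        reasons.append(f"ATL-{session.atl} below required ATL-{need_atl}")
    if session.aap < need_aap:
        reasons.append(f"AAP-{session.aap} below required AAP-{need_aap}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample sessions, not real accounts.
    certified = FULL | {"primary_evidence", "secondary_evidence"}
    samples = [
        ("Alesco", "Forms Access", Session("Staff", 5, certified, atl=2, aap=1)),
        ("Alesco", "Forms Access", Session("Staff", 3, FULL, atl=2, aap=1)),
        ("Alesco", "WebKiosk", Session("Staff", 5, certified, atl=2, aap=0)),
        ("Adobe Connect", "LMS", Session("Student", 3, FULL, atl=1, aap=1)),
    ]
    for app, aspect, session in samples:
        print(app, aspect, session.affiliation, decide(app, aspect, session))
```
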


Appendix A. Attorney-General’s Identity Proofing Objectives and Evidence Weightings.

Identity Proofing Objectives

The veracity of claims about a person’s identity is established through evidence provided to meet some or all of the following five identity proofing objectives (depending on confidence in the claimed identity required):

1. Confirm uniqueness of the identity in the intended context to ensure that individuals can be distinguished from one another and that the right service is delivered to the right individual. This would include a check that another person has not previously claimed ownership of the identity (i.e. there is a sole claimant), for example by checking the organisation’s database for identity records with the same attributes.

2. Confirm the claimed identity is legitimate to ensure the identity has not been fraudulently created (i.e. the identity is that of a real person) through evidence of commencement of identity in Australia. Where greater confidence in the claimed identity is required, this objective may also include a check that an identity has not been recorded as deceased (e.g. through the Fact of Death file).

3. Confirm the operation of the identity in the community over time to provide additional confidence that an identity is legitimate in that it is being used in the community (including online where appropriate). Even where a person is able to obtain genuine identity documents in a fictitious name, it will be harder to provide evidence that the identity has been active in the community, particularly over an extended period of time and if evidence reflects the breadth of a person’s life, such as:

   - Citizen: evidence that demonstrates the person’s life as a citizen and any support or services they are provided by government
   - Money: evidence that demonstrates the person’s financial and working life, and
   - Living: evidence that demonstrates where they live and what they consume.

4. Confirm the linkage between the identity and the person claiming the identity to provide confidence that the identity confirmed through objectives 2 and 3 is not only legitimate, but that the person claiming the identity is its legitimate holder. This has traditionally been done by comparing a person’s face against a photograph, although there is an increasing range of technologies that can provide alternative methods, such as comparison of a biometric captured at enrolment against a biometric previously captured by a trusted organisation.

5. Confirm the identity is not known to be used fraudulently to provide additional confidence that a fraudulent (either fictitious or stolen) identity is not being used. This could be through checks against internal registers of known fraudulent identities or against ‘dummy records’ recorded in the system. Where possible, this could include checks against information provided by external sources, such as law enforcement agencies.


| Type of evidence | Weighting |
|---|---|
| Objective 3: Evidence of Identity Operating in the Community | |
| DFAT issued Certificate of Identity | Secondary |
| DFAT issued Document of Identity | Secondary |
| DFAT issued United Nations Convention Travel Document | Secondary |
| Foreign government issued documents (e.g. driver licences) | Secondary |
| Medicare Card | Secondary |
| Enrolment with the Australian Electoral Commission | Secondary |
| Security Guard/Crowd Control photo licence | Secondary |
| Evidence of right to a government benefit (DVA or Centrelink) | Secondary |
| Consular photo identity card issued by DFAT | Secondary |
| Police Force Officer photo identity card | Secondary |
| Australian Defence Force photo identity card | Secondary |
| Commonwealth or state/territory government photo identity card | Secondary |
| Aviation Security Identification Card | Secondary |
| Maritime Security Identification Card | Secondary |
| Firearms licence | Secondary |
| Credit reference check | Secondary |
| Australian tertiary student photo identity document | Secondary |
| Australian secondary student photo identity document | Secondary |
| Certified academic transcript from an Australian university | Secondary |
| Trusted referees report | Secondary |
| Bank card | Secondary |
| Credit card | Secondary |
| Other authoritative online sources of evidence verified by a Third Party Identity Provider | Secondary |
| Tax File Number | Secondary |
| Evidence of digital footprint email/mobile/social | Secondary |
| Objective 2 evidence of commencement of identity (at LoA 2 only) | Secondary |
| Objective 4: Evidence of a linkage between a person and a claimed identity | |
| Australian passport (including Ordinary, Frequent traveller, Diplomatic, Official and Emergency) | Primary |
| Foreign passport | Primary |
| Australian driver licence | Primary |
| DIBP ImmiCard | Primary |
| If no other primary evidence types available to establish linkage: Australian government issued proof of age card / photo card | Primary |
| If no other primary evidence types available to establish linkage: Australian secondary student identity document (issued by a government agency or Australian school only) | Primary (only for under 18 years) |


Appendix B. Australian Access Federation – Levels of Assurance

The Australian Access Federation (AAF) facilitates the use of CSU credentials to access a range of services provided by research organisations and tertiary institutions. These services can be restricted to CSU identities for which the university has asserted a level of identity proofing and reconciliation known as Levels of Assurance.

Level of Assurance 1

Registration and identity-proofing requirements (eduPersonAssurance = urn:mace:aaf.edu.au:iap:id:1)

| Y/N | NIST page# | Requirement |
|---|---|---|
| | N/A | Document your processes for issuing credentials. Note this is a baseline requirement for complying with the AAF Federation Rules. There are no additional requirements for identity proofing at Level 1. |

Level of Assurance 2

Registration and identity-proofing requirements (eduPersonAssurance = urn:mace:aaf.edu.au:iap:id:2)

| Y/N | NIST page# | Requirement |
|---|---|---|
| | 33 | The applicant has undergone an in-person registration process at your organisation during which they have demonstrated possession of a valid current primary government picture ID that contains their picture and either their address of record or their nationality of record – in other words, either a driver’s license or a passport. |
| | 33 | During the registration process the Registration Authority (RA) at your organisation inspects the applicant’s photo ID, compares the picture to the applicant, and records the ID number, the address, and the date of birth. |
| | 33 | If the photo ID appears to be valid and the photo matches the applicant, then: a) If personal information in records includes a telephone number or e-mail address, the CSP issues credentials in a manner that confirms the ability of the Applicant to receive communications at the phone number or email address associated with the Applicant in records. Any secret sent over an unprotected session shall be reset upon first use; or b) If ID confirms address of record, RA authorizes or CSP issues credentials. Notice is sent to address of record; or c) If ID does not confirm address of record, CSP issues credentials in a manner that confirms the claimed address. |
| | 35 | If the registration process, identity proofing, token creation/issuance and credential issuance take place as separate physical encounters or electronic transactions, you have ensured the same party acts as applicant throughout the processes using the following method: (1) The applicant identifies himself in any new electronic transaction by presenting a temporary secret which was established during a prior transaction or encounter, or sent to the applicant’s phone number, email address, or physical address of record. (2) The applicant identifies himself in person by either using a secret as described above, or through the use of a biometric characteristic that was recorded during a prior encounter (such as a student/staff card displaying their photo). |
| | 31 | You have followed the documented processes in a practice statement that demonstrates these requirements are met. |