
Page 1: Leveraging Identity Management for Privacy, Security, and ...blogs.umass.edu/cmisra/files/2010/12/SecIdmNC09... · 7 Idm: definitions The Burton group defines Identity Management


Leveraging Identity Management for Privacy, Security, and Compliance

Linda Hilton, Chief Information Officer, Vermont State Colleges &

Christopher Misra, Information Security Officer, University of Massachusetts

Page 2

Access control is a critical component of a standards-based information security program. It helps safeguard IT assets by controlling access to information, information processing facilities, and business processes according to business and security requirements. Access control also serves to protect our community members’ privacy by preventing unauthorized access to information held in application systems. Although institutions may have similar security goals, institutional type, size, and context will present unique implementation challenges. This seminar will explore how diverse institutions can bridge issues in technology, policy, and process related to security and identity management to achieve shared institutional goals and ensure compliance.

Page 3

What We Will Focus On

•  An overview of identity management
•  How identity management can help improve security, protect privacy, and ensure compliance
•  IdM as a component of an information security program
•  Bridging policy, process and technology

Page 4

Identity Management Overview

•  Some definitions
•  Core components
•  IdM drivers
•  Why “do” IdM?
•  How is IdM used in Higher Ed?

Page 5

IdM: definitions

•  What do we mean by Identity Management?
–  California State University definition: An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them, what resources the person is authorized to access, while protecting individual privacy and access to confidential information.

Page 6

Analyze this Definition

•  Infrastructure - software and hardware
•  Collection - not just technology
•  Technology and policy – policy plays a critical role and is an essential element of the solution
•  Networked computer systems - implies distributed technology systems communicating over a network
•  Access - Who am I
•  Authorized - What can I do
•  Protecting - limiting access and protecting information

Page 7

IdM: definitions

•  The Burton Group defines Identity Management as: “A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.”
–  Integrates data sources and manages bio-demo information about people and devices
–  Establishes electronic identity of users and devices
–  Issues and validates identity credentials
–  Uses organizational data and management tools to assign affiliation attributes
–  …and gives permission to use services based on those attributes

Page 8

Core IdM Components

•  People and Relationships
–  Identity and trust
•  Account Creation, Management, and Deletion
–  Technology, business process, resources
•  Access management
–  Assignment of privilege, groups and roles, IdM and application-level security

Page 9

Core components: People and Relationships

•  Different types of affiliations – Formal vs. Casual
•  Multiple affiliations and multiple roles
•  Affiliation life-cycles

Page 10

Core components: Creation & Management of Identities

•  These are the IdM business processes
•  Vetting – collection and validation of identity information
•  Proofing – aligning collected data and matching to an actual person with some degree of certainty
•  Issuance of credentials
–  ID/password pair
–  ID card
–  2nd factor token
•  Managing – providing assurance that the credential and the entity stay linked

Page 11

Core components: Access Management

•  Connecting people to data and services
•  Authentication decisions
•  Authorization decisions
–  Affiliation type, status, level of assurance, roles and other attributes
•  Rule of least privilege

Page 12

Core components: Access Management

•  Assignment of privilege
•  Groups and roles
•  IdM and application-level security

Page 13

IdM Business Needs

•  Support increased collaboration and innovation
•  Improve customer service
•  Increase efficiency
•  Improve security of digital assets and mitigation of risk

Page 14

What are IdM drivers?

•  Traditional forms of authentication and authorization are no longer sufficient for the needs of modern internet-based applications
•  Application security is becoming increasingly onerous
–  multiple applications, multiple enterprises, and multiple user roles in multiple contexts
•  New regulations dictate more stringent identity management processes
–  HIPAA (Health Information Privacy)
–  FERPA (Educational Records Privacy)
–  Sarbanes-Oxley (Financial Disclosures)
–  Gramm-Leach-Bliley Act (Financial Information Privacy)
–  Red Flag rules (Identity Theft Prevention)

Page 15

Why Do Identity Management?

•  Centralize directory services
–  One authoritative source for applications
–  One stop shopping for students and employees!
•  Single sign-on – reduce control gates for access to data
•  Standardized posture makes adding new apps easier
•  Remote access
•  Inter-institutional access
•  Lifecycle issues: “from cradle to grave”
•  Enhance privacy of personal information
•  Improve security and safeguarding of information
•  Comply with federal and state laws and regulations

Page 16

How Identity Management Is Used in Higher Education

•  Students
–  Learning resources (course management systems, library, etc.)
–  Online student systems
•  Staff
–  Employee directory
–  Online human resources systems (timesheets, payroll, benefits, etc.)
•  Faculty and Researchers
–  Online course materials and library resources
–  Federal research agencies, funding, and data resources
•  Alumni and Donors
–  Email for life
–  Alumni directories and services
•  All
–  Student/Employee directory
–  Emergency notification systems
•  External Access
–  Contractors, guests, visiting faculty, donors, volunteers

Page 17

Emerging IdM Uses

•  Building Access Controls
•  Federal Government Agencies
–  NIH
•  National Student Loan Clearinghouse
•  Workflow

Page 18

Creating an IdM Infrastructure

•  A strategic approach to IdM
•  Solve problems – pick low hanging fruit
•  Create awareness
•  Develop a roadmap
•  Address the gaps and challenges
•  Offer education

Page 19

Tailoring IdM to the environment

•  Operational – governance, org structure
•  Cultural
•  Resource levels
•  Process maturity - “it’s an IT issue”
•  Scale differences
•  Budgets and resources

Page 20

Case studies

•  Vermont State Colleges: Security and IdM
•  University of Massachusetts

Page 21

Case Studies

•  Each campus has unique experiences with deploying Identity Management and middleware.

•  We will review each of our schools’ approaches to providing these services.

Page 22

University of Massachusetts Amherst IdM

•  Context
–  45,000+ accounts
–  25,000+ students
•  Deployment
–  ERP-based provisioning and account management (PeopleSoft)
–  OpenLDAP
–  Kerberos authentication backend

Page 23

Case Study: UMass Background

•  Active LDAP project initiated in 2003
•  Existing account management system circa 1993
•  Started with account management system rewrite
–  Deployed as a custom app within our PeopleSoft environment
–  Campus ERP is System of Record

Page 24

Case Study: UMass Guiding Principles

•  “(T)hese processes of identification, registration, authentication, and authorization that are uniquely separate processes that should be tightly linked and controlled in order to have a trusted and robust identity and privilege management system. Understanding the underlying processes and the differences in the processes is critical to managing these types of integrated systems.”
–  From the NMI authentication roadmap

Page 25

Case Study: UMass IdM and Security

•  Segmented authentication and white pages functionality
–  FERPA drivers
•  Tighter control over authenticating LDAP
–  Understanding and controlling where we expose our credentials
•  Relying heavily on WebISO
–  Where appropriate and feasible

Page 26

Case Study: UMass Protecting Privacy

•  Everyone has their own application
–  and thus has a need for access control
•  Per-app IdM increases exposure of personal data
–  What one can do vs. what one is permitted to do
•  Assigned privileges may be sensitive
•  Roles and groups that map to courses require FERPA protections

Page 27

Case Study: UMass Compliance

•  Having a consistent IdM tied to ERP permits identification of user activity
–  DMCA, PCI-DSS, etc.
•  Accurate de-provisioning is critical to internal audit
–  University Policy
•  Application enrollment
–  Logical next step from asset inventory

Page 28

Break

Page 29

Security, privacy, compliance overview

•  IdM and security
•  Managing and protecting privacy
•  Incident trends

Page 30

Identity Management and Security

•  An identity management system is an integral component of the organization’s overall security strategy and architecture.
•  In higher education, IdM has often been developed and managed more as a business enabler than as part of the security strategy.
•  Looking at IdM success factors, we see how much overlap there is with security.

Page 31

Managing and Protecting Privacy

•  Security services traditionally focus on preventing badness – protective, defensive and reactive tools and techniques.
•  IdM provides a set of infrastructure services that enhance security – identification, authentication, and authorization.

Page 32

Security Threat Environment

•  The security environment is changing. The focus should be on the behavior that we don’t understand or manage well
–  Everyone wants their own application
–  Those who operate these applications frequently do not have a strong security background
–  Assignment of privilege is decentralized and often poorly managed

Page 33

What are the tangible risks?

•  Data loss is a principal driver for many campus Information Security organizations
•  Many of the incidents revolve around individuals having access to data that contained sensitive information (NPI) and not following adequate security procedures.
•  Data management – knowing who has access to sensitive data, and then taking appropriate measures, is a key aspect of protecting that data.
•  Large incidents often revolve around ancillary business systems that are run outside of central IT.

Page 34

Data privacy legal issues

•  “Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.” http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

Page 35

Broader Privacy Issues

•  Increasingly, through either state laws or as a result of the European Union privacy efforts, we are going to have to manage varying rules for what is private information and how to manage that information based on the relevant jurisdiction of the individual.
•  Additionally, as the EU rules take hold we will need to recognize what outside groups we can share information with and what attributes can be released on individuals to different entities.

Page 36

IdM: bringing the pieces together

Page 37

What Does IdM Involve?

Technology
•  Standards
•  Practices
•  Products
•  Authentication and Authorization Mechanisms
•  Enterprise Directories

Resources
•  Business processes
•  Applications
•  Budget
•  Project Management
•  Staff / Skill Expertise

Policy and Governance
•  Institutional Goals
•  Drivers
•  Constituent Requirements
•  Policies
•  Regulations & Laws

…And
•  New TRUST relationships
•  Federations

Page 38

Identity Management Drivers (diagram)

Identity Management sits at the center of the diagram, with three groups of drivers around it:
•  Technology – Standards, Practices, Products
•  Resources – Project Management, Budget, Staff Skills/Expertise
•  Policy & Governance & Business Process – Institutional Goals, Constituent Requirements, Legal & regulatory

Page 39

Identity and Access Management (IAM) Model

Page 40

Technology

Page 41

Technology: an architecture for Identity Management

•  Identity management systems aggregate information across disparate systems. Requirements include:
–  High performance – these systems drive all web-facing customer applications and customers (or employees) won’t wait.
–  High reliability – these systems often provide all authentication and authorization services. When down, nothing can occur.
–  High security – these systems may maintain a large number of person attributes, sometimes including personally protected information.

Page 42

Technology: Enterprise Directory

•  The core of an identity management system.
•  Metadirectory is usually the IdM database schema that is updated by the core data sources.
•  Physical directories, called LDAP, provide an interface to services.
•  For auditors, understanding how to validate that the business rules are implemented and followed is essential.

Page 43

Technology & Business Process: Identifying Authoritative Data Sources

•  Authoritative data feeds for the Identity Management system may come in real time or batch from your CRM and/or ERP systems.
•  Often you have special population groups kept in systems outside of the ERP or CRM.
•  Some systems may provide periodic or asynchronous updates, or be polled for new information.
•  For auditors, understanding what data sources are used and the lag time to updating the IDMS is essential to enforcing policy.

Page 44

Technology & Business Process: Applications and Services

•  Applications and services are the consumers of an IDMS. Examples include:
–  Authentication – Who am I?
–  Authorization services – What can I do?
–  Portals are often a common application
•  Services may reside locally or be provided by off-campus providers through Software-as-a-Service (SaaS) or Service Oriented Architecture (SOA) methods.
•  The audit issue is how you validate that partners are meeting service requirements and managing data appropriately.

Page 45

Resources: Business Process

•  Leveraging IdM for managing roles and security
•  Universities are complex – we have systems for student housing, finance, human resources, grants management, student records, admissions, alumni, and library – to name just a few of the major systems.
•  It is very rare to have a single vendor provide solutions to all of these areas and so we have many different vendors. In many cases we have a different vendor for each major system.
•  In addition, application security is getting much more complex, making it staff intensive and difficult to audit for compliance.

Page 46

Resources: Business Process

•  Multiple roles at the same institution can add to the complexity

•  Multiple institutions sharing identities can be even more complex

•  We need workflows for role changes that are accurate and timely (can be critical to application security)
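The audit questions on the Enterprise Directory and Authoritative Data Sources slides (which feeds drive the IDMS, and how long changes take to propagate), the de-provisioning point in the UMass compliance case study, and the timely role-change workflows called for above all reduce to one control: reconcile the directory against the authoritative feed and report what has not propagated within the allowed lag. The following is an added example written for this page, not code from the deck or from either campus; the feed and directory record layouts are constructed, and the one-day propagation window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class SorRecord:
    """One row of the authoritative (ERP / system of record) feed. Constructed layout."""
    person_id: str
    affiliation: str     # student | employee | ...
    status: str          # active | separated
    effective: date      # date this row became true in the system of record


@dataclass(frozen=True)
class DirectoryEntry:
    """One account as the enterprise directory currently holds it. Constructed layout."""
    uid: str
    person_id: str
    affiliation: str
    enabled: bool


def reconcile(sor: List[SorRecord], directory: List[DirectoryEntry],
              today: date, max_lag_days: int = 1) -> Dict[str, List[str]]:
    """Compare the directory against the system of record and return audit findings.

    orphan             enabled account whose person_id no longer exists in the feed
    stale_deprovision  person separated longer than max_lag_days ago, account still enabled
    affiliation_drift  active person whose affiliation changed longer than max_lag_days ago
                       while the directory still carries the old value
    missing            active person in the feed with no directory account at all
    """
    grace = timedelta(days=max_lag_days)
    sor_by_id = {r.person_id: r for r in sor}
    seen_people = {e.person_id for e in directory}
    findings: Dict[str, List[str]] = {
        "orphan": [], "stale_deprovision": [], "affiliation_drift": [], "missing": []}

    for entry in directory:
        record = sor_by_id.get(entry.person_id)
        if record is None:
            if entry.enabled:
                findings["orphan"].append(entry.uid)
            continue
        overdue = (today - record.effective) > grace   # change is older than the allowed lag
        if record.status == "separated":
            if entry.enabled and overdue:
                findings["stale_deprovision"].append(entry.uid)
        elif record.affiliation != entry.affiliation and overdue:
            findings["affiliation_drift"].append(entry.uid)

    for record in sor:
        if record.status == "active" and record.person_id not in seen_people:
            findings["missing"].append(record.person_id)
    return findings


# Constructed sample feed and directory snapshot, evaluated as of TODAY.
TODAY = date(2010, 3, 1)
SOR_FEED = [
    SorRecord("p1", "employee", "active", date(2009, 9, 1)),
    SorRecord("p2", "employee", "separated", date(2010, 2, 20)),  # left 9 days ago
    SorRecord("p3", "employee", "active", date(2010, 2, 27)),     # student -> employee 2 days ago
    SorRecord("p4", "student", "separated", date(2010, 2, 28)),   # left yesterday, inside window
    SorRecord("p5", "student", "active", date(2010, 2, 1)),       # never provisioned
]
DIRECTORY = [
    DirectoryEntry("u1", "p1", "employee", True),
    DirectoryEntry("u2", "p2", "employee", True),   # should have been disabled by now
    DirectoryEntry("u3", "p3", "student", True),    # old affiliation still in place
    DirectoryEntry("u4", "p4", "student", True),    # still inside the propagation window
    DirectoryEntry("u9", "p9", "employee", True),   # no owner in the system of record
]


def sample_findings() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed snapshot."""
    return reconcile(SOR_FEED, DIRECTORY, TODAY)


if __name__ == "__main__":
    for category, ids in sample_findings().items():
        print(f"{category:18} {ids}")
```

Each finding maps to an audit action rather than an automatic fix: an orphan or a stale de-provision is an enabled credential with no current business owner, affiliation drift means a role-based privilege is still being granted on an old affiliation, and a missing account shows a feed that is not reaching the directory at all. Tightening `max_lag_days` to zero reports every change the batch cycle has not yet delivered, which is the number the "lag time" question on the data-sources slide asks for.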

Page 47

U.S. Federal Government eAuthentication Initiative

http://www.cio.gov/eauthentication/

Page 48

Federations

•  Federations – “A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions”

http://www.incommonfederation.org/docs/guides/faq.cfm

Page 49

Federations

•  Fundamentally a policy construct
–  Combined with a technical toolset

•  Often implemented with the Shibboleth toolset in R&E networks

•  Provides access to local campus resources to users from remote institutions

Page 50

Benefits of Federations

•  Organizations without a federation needing to share information must enter into bilateral agreements. These agreements are difficult to achieve and greatly complicate the work of ensuring compliance if each has slightly different terms.
•  Individuals without a federation must establish a relationship with each organization, often providing duplicate information to multiple organizations.

Page 51

Federations and Identity Management

•  Federations – definition
–  Dictionary.com – a federated body formed by a number of nations, states, societies, unions, etc., each retaining control of its own internal affairs.
–  Incommon.org – A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions.

Page 52

Traditional Identity Management (diagram)

Services shown: State Agency A, State Agency B, Benefits, e-Learning, e-Learning, Library, Online Application. Legend: Credentialing / Authentication, Authorization, User Credential.

Page 53

Federated Identity Concept (diagram)

A Federation is shown above the services: State Agency A, State Agency B, Benefits, SIRS, e-Learning, Library, Texas Online. Legend: Credentialing / Authentication, Authorization, User Credential.

Page 54

Federations

•  InCommon Federation
–  Higher Education & Research Emphasis
–  http://www.incommonfederation.org/
•  UT System Identity Management Federation
–  Business Emphasis
•  State of California Federated IdM Vision (http://www.cio.ca.gov/stateIT/pdf/California_SOA_and_IDM_Vision_122007.pdf)
•  State of New York IdM Model (https://www.oft.state.ny.us/Policy/G07-001/) and Trust Model (http://www.oft.state.ny.us/OFT/PrinciplesoftheNYSEnterpriseIdMArchitecture.pdf)
•  State of Nebraska Federated Services (http://www.nitc.state.ne.us/events/conferences/egov/2004/files/345_UserAuthentication_Hartman-FedID.ppt)

Page 55

InCommon Federation – An Example

•  Presently about 123 members, approximately 81 higher education institutions, 5 government agencies or non-profit laboratories, and 33 corporations (public and non-profit) representing 1.7 million individuals.

•  Entities agree to a common participation agreement that allows each to inter-operate with the others.

•  InCommon sets basic practices for identity providers and service providers. The primary focus has been technical and focuses on campus identity management procedures and attributes.
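The privacy question raised earlier (what attributes can be released on individuals to different entities) and InCommon's emphasis on campus attribute practices meet in the identity provider's attribute release policy: each relying party receives only the attributes, and only the values, it needs, and an unknown party receives nothing. The following is an added example written for this page, not code from the deck, from InCommon or from the Shibboleth project; the relying-party entityIDs, the user record and the policy are constructed, while the eduPerson attribute names are the ones used in research-and-education federations.

```python
from typing import Dict, List, Optional, Set, Union

AttrValue = Union[str, List[str]]

# Constructed sample user record as the identity provider holds it.
USER: Dict[str, AttrValue] = {
    "eduPersonPrincipalName": "jdoe@example.edu",
    "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
    "displayName": "Jane Doe",
    "mail": "jdoe@example.edu",
    "studentID": "S0012345",          # never released under this policy
}

# Constructed release policy keyed by relying-party entityID.
# attribute -> None (release every value) or the set of permitted unscoped values.
RELEASE_POLICY: Dict[str, Dict[str, Optional[Set[str]]]] = {
    # A licensed library resource only needs to know the user is a member of the campus.
    "https://library.example.org/shibboleth": {
        "eduPersonScopedAffiliation": {"member"},
    },
    # A partner institution's learning system needs a persistent identifier and a name.
    "https://lms.partner.edu/shibboleth": {
        "eduPersonPrincipalName": None,
        "eduPersonScopedAffiliation": None,
        "displayName": None,
    },
}


def release_attributes(entity_id: str, user: Dict[str, AttrValue],
                       policy: Dict[str, Dict[str, Optional[Set[str]]]]) -> Dict[str, AttrValue]:
    """Return the subset of `user` that this relying party may receive.

    Deny by default: an entityID without a policy gets an empty assertion, attributes
    not listed are withheld, and multi-valued attributes are filtered down to the
    permitted values (matching on the part before '@' for scoped values).
    """
    rules = policy.get(entity_id, {})
    released: Dict[str, AttrValue] = {}
    for name, permitted in rules.items():
        if name not in user:
            continue
        value = user[name]
        if permitted is None:
            released[name] = value
            continue
        values = value if isinstance(value, list) else [value]
        kept = [v for v in values if v.split("@", 1)[0] in permitted]
        if kept:
            released[name] = kept
    return released


if __name__ == "__main__":
    for sp in (*RELEASE_POLICY, "https://unknown.example.net/shibboleth"):
        print(sp, "->", release_attributes(sp, USER, RELEASE_POLICY))
```

The library party learns only that the user is a campus member, not that she is a student, so no FERPA-relevant fact leaves the campus for a service that does not need it; the partner learning system receives an identifier it can act on but never the internal student number. Reviewing this table per relying party is the concrete form of the "what attributes can be released to whom" question.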

Page 56

What Does Security Involve?

Technology
•  Standards
•  Practices
•  Products

Resources
•  Business processes
•  Applications
•  Budget
•  Project Management
•  Staff / Skill Expertise

Policy and Governance
•  Institutional Goals
•  Constituent Requirements
•  Policies
•  Regulations & Laws

…But Most Importantly

Page 57

Security standards

•  The evolution of security processes and procedures from ISO 27002 provides a strong foundation for risk management and developing strong internal controls as these pertain to security.
•  While much of the ISO 27002 program is helpful to building a strong identity management function, it was not necessarily written for this function.
–  As the IDMS becomes a key business driver we should see the framework evolve.
•  Working with audit may help us bridge some of these gaps while the policy approaches are resolved.

Page 58

Security Standards

•  Governance and Organization of Information Security
•  Risk Assessment and Management
•  Policy
•  Asset Tracking and Management
•  Human Resources Security
•  Physical Security
•  Communications and Operations Management
•  Access Control
•  IT Systems Acquisition, Development, Maintenance
•  Incident Response and Management
•  Business Continuity/Disaster Recovery
•  Compliance

Page 59

Security Standards: IdM

•  Access control is a component of most security programs
•  From ISO 27002, the need for access control is roughly defined as: “Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use.”
•  This aligns well with our definition of IdM

Page 60

ISO 27002: Access Control

•  Business requirement for access control
–  Access Control Policy
•  User access management
–  User registration
–  Privilege management
–  User password management
–  Review of user access rights
•  User responsibilities
–  Password use
–  Unattended user equipment
–  Clear desk and clear screen policy

Page 61

ISO 27002: Access Control (cont’d)

•  Network access control
–  Policy on use of networked services
–  User authentication for external connections
–  Equipment identification in networks
–  Remote diagnostic and configuration port protection
–  Segregation in networks
–  Network connection control
–  Network routing control

Page 62

ISO 27002: Access Control (cont’d)

•  Operating system access control
   –  Secure log-on procedures
   –  User identification and authentication
   –  Password management system
   –  Use of system utilities
   –  Session time-out
   –  Limitation of connection time

•  Application and information access control
   –  Information access restriction
   –  Sensitive system isolation

63

Level of Assurance in IDMS

•  IDMS systems have often been business enablers for connecting customers or external business partners.
•  Questions?
   –  Do all account holders have access to all services and generate the same level of risk?
   –  Do you have the same level of confidence that the identity associated with an account is who they purport to be for all your account holders?
•  If you answered no, you might look at integrating level of assurance into your IDMS.

64

Overview of Level of Assurance in IDMS

•  Two distinct uses
   1.  For a service provider, the level of risk to the application or organization if an incorrectly identified user is allowed to access the application or perform a transaction. This can happen if someone compromises an account password.
   2.  For an identity provider, the risk that the person is not who they claim to be. In this case the person has legitimate credentials that they acquired fraudulently.

•  Organizations often perform both functions and must look at both risks.

65

Assurance as an Identity Provider

•  A combination of assurance that the person presenting their credentials is who they say they are AND that they are the person to whom the credentials were issued:
   –  The degree of confidence in the vetting process; and
   –  The degree of confidence that the person presenting the credential is the person you issued the credential to.

•  Level 1 – little or no assurance
•  Level 2 – some confidence
•  Level 3 – high confidence
•  Level 4 – very high confidence

66

Assurance as an Identity Provider

•  eAuthentication guidelines require that everyone is identity proofed.
•  We define another group – level 0. Level 0 has no assurance the person is who they say they are. These are guests that assert their identity and want a portal account. We have no way of verifying they are who they say they are.
•  Audit plays an important role in assessing and validating the procedures for initial identity proofing. We do this when issuing our ID card.

67

Assurance of Credentials

•  The second component of assurance is the assurance of the credential as presented by the person it was issued to.
•  Traditional authentication focuses on password management. Level 2 is the highest assurance a text-based password can achieve.
•  For level 3 or 4 assurance eAuthentication requires two-factor authentication. The second factor must be some token that is issued to the user. The US government is moving to smart ID cards under the auspices of HSPD-12.

68

Credential Assurance

The NIST SP 800-63 guide provides an excellent framework for managing credentials. The entropy spreadsheet is a great tool for reviewing password practices and looking at how subtle variations in policy change the strength of the credentials. This is a great tool for auditors!
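The entropy spreadsheet the slide refers to is built on the heuristic in NIST SP 800-63 (2006) Appendix A for user-chosen passwords. The following is an added example, not the spreadsheet or anything from the deck: it encodes that heuristic so that two password policies can be compared by the weakest password each one permits. The per-character schedule and the 6-bit bonuses for a composition rule and a dictionary check follow the published rules, and the values for passwords of 8 or more characters match the published table; the bonus curves for shorter passwords, the policy names, and the guess budget are the editor's assumptions.

```python
# Added example, not from the slides or the NIST spreadsheet itself: an
# estimator for user-chosen password entropy following the heuristic in
# NIST SP 800-63 (2006) Appendix A. Values for passwords of 8+ characters
# reproduce the published rules; the sub-8-character bonus curves are the
# editor's approximation of the published table.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int          # shortest password the policy accepts
    composition_rule: bool   # requires upper case AND non-alphabetic characters
    dictionary_check: bool   # rejects passwords found in an extensive dictionary


def base_entropy_bits(length: int) -> float:
    """Per-character schedule from Appendix A: 4 bits for the first character,
    2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit beyond 20."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    return bits


def dictionary_bonus_bits(length: int) -> float:
    """Up to 6 bits for an extensive dictionary check. Appendix A lets the
    bonus decline to zero at 20 characters (long passwords are pass-phrases
    anyway); the linear ramps at either end are an approximation."""
    if length < 4:
        return 0.0
    if length <= 8:
        return min(6.0, float(length))
    return max(0.0, 6.0 - 0.5 * (length - 8))


def composition_bonus_bits(length: int) -> float:
    """6 bits for a rule forcing upper case and non-alphabetic characters;
    scaled down for very short passwords (approximation)."""
    return min(6.0, 0.75 * length)


def estimate_entropy_bits(length: int, policy: PasswordPolicy) -> float:
    """Entropy credited to a user-chosen password of `length` under `policy`."""
    bits = base_entropy_bits(length)
    if policy.dictionary_check:
        bits += dictionary_bonus_bits(length)
    if policy.composition_rule:
        bits += composition_bonus_bits(length)
    return bits


def online_guess_success(bits: float, guesses: int) -> float:
    """Upper bound on an online guesser's success probability with a budget of
    `guesses` attempts over the password's lifetime (lockout threshold times
    the number of lockout windows the lifetime allows): guesses / 2**bits.
    SP 800-63 sets a maximum for this probability per assurance level."""
    return min(1.0, guesses / (2.0 ** bits))


# Constructed policies for comparison; the names are the editor's.
EXAMPLE_POLICIES: Dict[str, PasswordPolicy] = {
    "8 chars, no checks": PasswordPolicy(8, False, False),
    "8 chars, composition + dictionary": PasswordPolicy(8, True, True),
    "14 chars, no checks": PasswordPolicy(14, False, False),
    "20 char passphrase, no checks": PasswordPolicy(20, False, False),
}


def compare_policies(policies: Dict[str, PasswordPolicy],
                     guesses: int) -> Dict[str, Tuple[float, float]]:
    """Rate each policy by its weakest permitted password (minimum length):
    (entropy bits, guessing success probability for `guesses` attempts)."""
    result: Dict[str, Tuple[float, float]] = {}
    for name, policy in policies.items():
        bits = estimate_entropy_bits(policy.min_length, policy)
        result[name] = (bits, online_guess_success(bits, guesses))
    return result


if __name__ == "__main__":
    # Constructed budget: 1000 online guesses over the password's lifetime.
    for name, (bits, p_guess) in compare_policies(EXAMPLE_POLICIES, 1000).items():
        print(f"{name:38s} {bits:5.1f} bits  P(success) = {p_guess:.2e}")
```

The comparison is deliberately made on the minimum length, because an attacker targets the weakest password the policy lets through, not the average one. Changing one knob at a time (length, composition rule, dictionary check, lockout budget) and re-running is the same exercise the spreadsheet supports for auditors.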

69

An Example – Password Resets

•  Forgotten passwords are often among the most common calls to the helpdesk.
•  Creating a self-service method to reset your password is often essential for improving customer service and reducing helpdesk costs.
•  However, this creates an opening for attacks to compromise accounts. We are integrating level of assurance into our process.
   –  The 10% of total account holders that have an LOA of 2 have a different process than the 90% with an LOA of 1.

70

Assurance for Service Providers

•  Service providers follow traditional risk management approaches such as NIST 800-30 to assess the risk associated with an authentication error:
   •  The potential harm or impact, and
   •  The likelihood of such harm or impact.
   –  Potential categories of harm include: reputation, financial loss, organization harm, release of sensitive information, risk to personal safety, and criminal or civil violations.
   –  Ratings use values of low, moderate, or high.
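The identity provider slides and the service provider slide above describe the two halves of one decision: the provider's assurance is bounded by the weaker of vetting and credential strength, and the service needs a level set by the harm and likelihood of an authentication error. The following is an added example, not code from the deck or from any eAuthentication tool, that puts both halves together. The level numbers 0 to 4, the rule that a text password reaches at most level 2, and the requirement of an issued second factor for levels 3 and 4 are from the slides. The numeric likelihood and impact scale is the illustrative one in NIST SP 800-30 (2002); treating a hardware PKI token as level 4 and any other issued token as level 3, and the harm-category-to-level table, are constructed assumptions to be replaced with an institution's own.

```python
# Added example, not from the slides: composing an identity provider's level
# of assurance (LOA) from identity proofing and credential strength, deriving
# the LOA a service provider needs from a NIST SP 800-30 style risk rating,
# and making the access decision. Level numbers 0-4 and the rules "a text
# password reaches at most level 2" and "levels 3 and 4 need a second factor
# issued to the user" are from the slides; the numeric risk scale follows the
# illustration in NIST SP 800-30 (2002); the harm-category-to-level table is
# constructed for illustration only.
from typing import Dict, Tuple

Rating = str  # "low", "moderate" or "high"

# Assumption: a hardware PKI token (smart ID card, as under HSPD-12) is
# treated as level 4 and any other issued second factor as level 3.
CREDENTIAL_LEVEL: Dict[str, int] = {
    "self_asserted": 0,
    "password": 2,          # text password tops out at level 2
    "two_factor_token": 3,
    "smart_card": 4,
}


def credential_level(credential_type: str) -> int:
    return CREDENTIAL_LEVEL[credential_type]


def identity_provider_loa(proofing_level: int, credential_type: str) -> int:
    """Overall assurance is bounded by the weaker component: how well the
    person was vetted, and how strongly the credential ties to that person."""
    if not 0 <= proofing_level <= 4:
        raise ValueError("proofing level must be 0..4")
    return min(proofing_level, credential_level(credential_type))


LIKELIHOOD_SCORE = {"low": 0.1, "moderate": 0.5, "high": 1.0}
IMPACT_SCORE = {"low": 10, "moderate": 50, "high": 100}


def risk_rating(impact: Rating, likelihood: Rating) -> Rating:
    """800-30 style: risk = likelihood x impact, bucketed into three bands."""
    score = LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


# Constructed illustration: the assurance level each category of harm calls
# for at each risk rating. Replace with the institution's own table.
LEVEL_FOR_RISK: Dict[str, Dict[Rating, int]] = {
    "reputation":                  {"low": 1, "moderate": 2, "high": 3},
    "financial_loss":              {"low": 1, "moderate": 2, "high": 3},
    "organization_harm":           {"low": 2, "moderate": 3, "high": 4},
    "release_of_sensitive_info":   {"low": 2, "moderate": 3, "high": 4},
    "personal_safety":             {"low": 3, "moderate": 3, "high": 4},
    "criminal_or_civil_violation": {"low": 2, "moderate": 3, "high": 4},
}


def required_service_loa(impacts: Dict[str, Rating], likelihood: Rating) -> int:
    """The service needs the highest level any single harm category demands;
    categories that were not assessed contribute nothing."""
    if not impacts:
        raise ValueError("assess at least one harm category")
    return max(LEVEL_FOR_RISK[cat][risk_rating(imp, likelihood)]
               for cat, imp in impacts.items())


def access_decision(asserted_loa: int, required_loa: int) -> bool:
    """Grant only when the asserted level meets what the service requires."""
    return asserted_loa >= required_loa


def evaluate(proofing_level: int, credential_type: str,
             impacts: Dict[str, Rating], likelihood: Rating) -> Tuple[int, int, bool]:
    """(asserted LOA, required LOA, granted?) for one user at one service."""
    asserted = identity_provider_loa(proofing_level, credential_type)
    required = required_service_loa(impacts, likelihood)
    return asserted, required, access_decision(asserted, required)


if __name__ == "__main__":
    # Constructed scenario: a well-vetted employee holding only a password,
    # using a service whose authentication errors could expose sensitive records.
    print(evaluate(3, "password",
                   {"release_of_sensitive_info": "high", "reputation": "moderate"},
                   "moderate"))
```

The scenario at the bottom shows the pattern the slides warn about: the person was proofed to level 3, but the password caps the asserted level at 2, and the service's risk assessment demands 3, so the decision is to deny until a second factor is issued. Using the minimum of the two components is what keeps a strong vetting process from masking a weak credential, or the reverse.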

71

Setting Level of Service Assurance

Idm Solutions

•  No slides on Shib? Ask Ann

73

Current Status of Signet

•  MACE/I2 has suspended work on Signet and is now working with the community to refocus the requirements for privilege management, and will move forward accordingly. This may mean evolving Signet, adding functionality to the Grouper Groups Management Toolkit, or other options. Stay tuned.
•  Some of the outcomes of this effort may take the form of practice recommendations. For instance, one of the early requests was for approaches and tools for growing a campus authz infrastructure, from groups to privilege management, starting with a lower-risk approach. The CAMP in June 2009 will be addressing this very issue.
•  MACE/I2 is also in discussions with Kuali about working together on IdM.

74

More Information

Linda Hilton, Chief Information Officer, Vermont State Colleges

Phone – 802.626.6394 Email – [email protected]

Chris Misra, Information Security Officer, University of Massachusetts, Amherst

Phone – Email –

75

Questions?

What did you think?

•  Your input is important to us!

•  Click on “Evaluate This Session” on the Mid-Atlantic Regional program page.

Slide parking lot

•  Other slides below that may or may not fit

78

Kim Cameron's Laws of Identity Whitepaper

Seven Laws of Identity
1.  User control and consent
2.  Minimal disclosure for a constrained use
3.  Limit relationships to justifiable parties
4.  Control over who can see my identifier, directed identity
5.  Pluralism of operators and technologies
6.  Human integration
7.  Consistent experience across contexts

79

Dick Hardt’s Identity 2.0 Presentation at OSCON

•  One of the best presentations on identity management is by Dick Hardt at OSCON 2005.

•  This is a good overview of looking at how identity management may evolve. In 15 minutes he gives a great presentation.

•  http://www.identity20.com/media/OSCON2005/

80

IDMS – Managing Roles and Application Security

•  Internet2 has launched a project called Signet to allow security roles to be managed centrally and have these update the application security.

•  The process is to define a security model, assign roles and responsibilities in the IDMS for functions (e.g. approve payroll), and then have a specially developed connector update the security in the application based on changes in the IDMS.

•  The benefit is that as an employee's status changes you can make the change in one place and propagate it to all systems.
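The three steps above (security model, role assignment in the IDMS, connector) are a reconciliation loop, and the security-relevant part is what the connector does with accounts the IDMS no longer vouches for. The following is an added example, not Signet's code or Internet2's: a connector that computes the permissions one application should hold from IDMS role assignments and emits the grants and revocations that bring the application in line. A terminated status overrides every role, a role change drops permissions the new role does not carry, and an account the application knows but the IDMS does not is treated as an orphan and stripped. The people, roles and security model are constructed sample data.

```python
# Added example, not Signet's code: the propagation step the slide describes,
# done as a reconciliation. Role assignments in the IDMS are the source of
# truth; a per-application connector computes the permissions the application
# should hold and emits the grants and revocations that bring it in line.
# Names, roles and the security model are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Person:
    uid: str
    status: str            # "active" or "terminated"
    roles: frozenset       # roles assigned in the IDMS


# Security model: which IDMS role grants which permissions in which application.
SECURITY_MODEL: Dict[str, Dict[str, Set[str]]] = {
    "payroll_approver": {"payroll": {"approve_payroll", "view_payroll"}},
    "payroll_clerk":    {"payroll": {"view_payroll"}},
    "hr_manager":       {"hr":      {"edit_employee"}},
}

Change = Tuple[str, str]  # (uid, permission)


def desired_permissions(person: Person, app: str) -> Set[str]:
    """Permissions `person` should hold in `app`. A non-active status wins
    over every role, so a termination revokes everything in one step."""
    if person.status != "active":
        return set()
    perms: Set[str] = set()
    for role in person.roles:
        perms |= SECURITY_MODEL.get(role, {}).get(app, set())
    return perms


def plan_changes(idms: List[Person], app: str,
                 current: Dict[str, Set[str]]) -> Tuple[List[Change], List[Change]]:
    """Diff the application's current grants against the IDMS. Accounts the
    application knows but the IDMS does not are orphans and lose everything."""
    desired = {p.uid: desired_permissions(p, app) for p in idms}
    grants: List[Change] = []
    revokes: List[Change] = []
    for uid in sorted(set(desired) | set(current)):
        want = desired.get(uid, set())
        have = current.get(uid, set())
        grants.extend((uid, perm) for perm in sorted(want - have))
        revokes.extend((uid, perm) for perm in sorted(have - want))
    return grants, revokes


def apply_changes(current: Dict[str, Set[str]], grants: List[Change],
                  revokes: List[Change]) -> Dict[str, Set[str]]:
    """Return the application's permission table after the connector runs;
    accounts left with no permissions drop out of the table."""
    state = {uid: set(perms) for uid, perms in current.items()}
    for uid, perm in grants:
        state.setdefault(uid, set()).add(perm)
    for uid, perm in revokes:
        state.get(uid, set()).discard(perm)
    return {uid: perms for uid, perms in state.items() if perms}


# Constructed sample data.
IDMS_PEOPLE = [
    Person("alice", "active", frozenset({"payroll_approver"})),   # promoted
    Person("bob", "terminated", frozenset({"payroll_clerk"})),    # left the organization
    Person("carol", "active", frozenset({"hr_manager"})),         # changed roles
]
PAYROLL_APP_CURRENT = {
    "alice": {"view_payroll"},
    "bob": {"view_payroll"},
    "carol": {"view_payroll"},
    "ghost": {"approve_payroll"},   # account with no IDMS record
}


def reconcile_payroll() -> Tuple[List[Change], List[Change], Dict[str, Set[str]]]:
    """Run the connector once for the payroll application."""
    grants, revokes = plan_changes(IDMS_PEOPLE, "payroll", PAYROLL_APP_CURRENT)
    return grants, revokes, apply_changes(PAYROLL_APP_CURRENT, grants, revokes)


if __name__ == "__main__":
    g, r, after = reconcile_payroll()
    print("grant:", g)
    print("revoke:", r)
    print("after:", after)
```

Running the connector a second time against the reconciled table plans no changes, which is the property to test in a real deployment: the application converges on what the IDMS says rather than accumulating local grants. The orphan account case is the one most often missed when the connector only reacts to events from the IDMS instead of diffing full state.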

81

Key Elements of SIGNET

•  Provides a single point for managing authorization without consolidating control. Business owners have a web interface for managing who has access.
•  Allows centralized IDMS services to be leveraged for business applications and security, such as when a person leaves the organization or changes roles.
•  Helps enable business groups and users through a consistent approach to security.

82

Web Services – Service Oriented Architecture

•  Service oriented architecture (SOA) leverages the web to provide services. The goal of SOA is that as the web becomes the application delivery platform there will be components done elsewhere that you want to integrate into your application.

•  There are a set of standards (multiple) that define how web services will interoperate and manage authorization and access to these web services.

•  Ultimately, for the promise of web services to be realized there will need to be solutions that reside outside of the application as part of an overarching IDMS system.

84

Longer Term Approaches

•  The WWW consortium (W3C) is working on standards for autonomous policy engines that take policy heuristics in an XML format and exchange and manage them across independent groups.
•  There seems to be momentum in moving to SOA, and that will ultimately drive standards and direction as applications emerge that support business innovation.
•  Companies may initially have two approaches, one for internal desktop applications and the other for extranet applications.

Leveraging IdM: overview

•  How can IdM practices and policies improve security?
•  Intersections: policy frameworks
•  Intersections: technical frameworks
•  What is a standards-based information security program?

Resources

More information: CAMP

•  CAMP: Practical Building Blocks for Access Management, June 15–17, 2009, Philadelphia
•  Institutions small and large interested in getting a handle on authorization
•  Case studies of business and academic challenges from around the institution
•  Discussions of how to incrementally build authz to reduce risk and ensure success
•  Practical approaches for integrating standard authorization components
•  Strategies for how these approaches help with compliance, security, and service provisioning and support business objectives
•  www.educause.edu/camp092 (website available early March)

88 02/10/2008

www.incommonfederation.org

89

InCommon Collaborative Projects/Efforts

https://spaces.internet2.edu/display/InCCollaborate/Home

•  InC Student
•  InC Library
•  InC SharePoint
•  TeraGrid
•  InCommon Inter-federation
•  InCommon - NIH
•  InCommon Research
•  InC Apple
•  Dreamspark