PKI Development Forum

Jim Lowe, Campus Information Security Officer
Brian Rust, Communications

April 17, 2008


Background

• PKI introduced to campus
• Part of a broader strategy
  – Password policy
  – Levels of Assurance (LOA)
    How sure are we that you are who you say you are?


LOA Recommendations for Access to Personal Information (PI)

• LOA-1: Doesn’t require access to PI
• LOA-2: Access to your own PI
• LOA-3: Access to others’ PI
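The three LOA tiers above can be enforced as an authorization rule: the required level depends on whether the resource holds personal information (PI) and whose it is, and the session must have been authenticated at that level or higher. The following is an added example, not code from the slides or from the campus implementation; the session and resource layout, the field names and the sample users are assumptions made for illustration.

```python
"""Added example: enforce the slide's LOA recommendations as an access check.

Assumptions (not from the slides): a session records the LOA (1..3) at which
the user authenticated; a resource is described by whether it contains PI
and, if so, which individual the PI belongs to.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    contains_pi: bool
    owner: Optional[str] = None  # subject of the PI when contains_pi is True


@dataclass(frozen=True)
class Session:
    user: str
    loa: int  # level of assurance achieved at login: 1, 2 or 3


def required_loa(resource: Resource, user: str) -> int:
    """Map the slide's three cases to a minimum LOA for this requester."""
    if not resource.contains_pi:
        return 1  # LOA-1: the request does not touch PI at all
    if resource.owner == user:
        return 2  # LOA-2: a person reading their own PI
    return 3      # LOA-3: reading someone else's PI


def authorize(session: Session, resource: Resource) -> Tuple[bool, str]:
    """Return (allowed, reason) so the decision can be logged either way."""
    need = required_loa(resource, session.user)
    if session.loa >= need:
        return True, f"{session.user} LOA-{session.loa} >= LOA-{need} for {resource.name}"
    return False, (f"{session.user} authenticated at LOA-{session.loa}, "
                   f"but {resource.name} requires LOA-{need}")


if __name__ == "__main__":
    # Constructed sample data: a course catalog, and two student PI records.
    catalog = Resource("course-catalog", contains_pi=False)
    alice_rec = Resource("student-record/alice", contains_pi=True, owner="alice")
    bob_rec = Resource("student-record/bob", contains_pi=True, owner="bob")
    alice = Session("alice", loa=2)
    for res in (catalog, alice_rec, bob_rec):
        print(authorize(alice, res))
```

With the sample data, a session for alice authenticated at LOA-2 can read the catalog and her own record but is refused bob's record until she re-authenticates at LOA-3; the reason string is what you would write to the audit log.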


PKI Use Cases: the early days

• Email: digital signatures
• To encrypt emails

• Digitally signing mass emails


Information as an Asset: What is restricted information?

895.507 Notice of unauthorized acquisition of personal information. […] (b) “Personal information” means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:

1. The individual’s social security number.
2. The individual’s driver’s license number or state identification number.
3. The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account.
4. The individual’s deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
5. The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.

[…] (2) NOTICE REQUIRED. (a) […] an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information.

• Restricted data is PII & PHI
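The statutory definition quoted above is a conjunction: a name (last name plus first name or initial) linked to at least one of the five listed elements, where that element is neither publicly available nor encrypted, redacted or otherwise unreadable. Encoding it as a rule is useful when triaging a lost laptop or a misdirected email, because it says whether the records involved are restricted data at all. The following is an added example, not from the slides; the record layout, field keys and sample records are assumptions made for illustration.

```python
"""Added example: classify a record under the Wis. Stat. 895.507(1)(b)
definition quoted on the slide.

Assumptions (not from the slides): a record carries a last name, a first
name or initial, and a dictionary of data elements keyed by type, each
flagged for whether it is publicly available or stored protected
(encrypted, redacted, or otherwise rendered unreadable).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The five element types enumerated in (b)(1)-(5). Keys are constructed.
PI_ELEMENTS = {
    "ssn": "social security number",
    "drivers_license": "driver's license or state identification number",
    "financial_account": "financial account number, or code/password giving access to it",
    "dna_profile": "deoxyribonucleic acid profile",
    "biometric": "unique biometric data (fingerprint, voice print, retina/iris image)",
}


@dataclass
class Element:
    value: str
    publicly_available: bool = False
    protected: bool = False  # encrypted, redacted, or altered so as to be unreadable


@dataclass
class Record:
    last_name: str = ""
    first_name: str = ""  # full first name or first initial
    elements: Dict[str, Element] = field(default_factory=dict)


def triggering_elements(record: Record) -> List[str]:
    """Element keys that, linked to the name, make this record PI under (b)."""
    # The statute requires the last name AND the first name or first initial.
    if not record.last_name.strip() or not record.first_name.strip():
        return []
    hits = []
    for key, elem in record.elements.items():
        if key not in PI_ELEMENTS:
            continue  # e.g. an email address is not one of the five elements
        if not elem.value or elem.publicly_available or elem.protected:
            continue  # excluded by the statute's own carve-outs
        hits.append(key)
    return hits


def is_personal_information(record: Record) -> bool:
    """True when the record is 'personal information' as defined in (b)."""
    return bool(triggering_elements(record))


if __name__ == "__main__":
    # Constructed sample records for a breach-triage walk-through.
    samples = {
        "name+ssn in clear": Record("Doe", "J", {"ssn": Element("000-00-0000")}),
        "name+ssn encrypted": Record("Doe", "J", {"ssn": Element("<ciphertext>", protected=True)}),
        "ssn, no name": Record("", "", {"ssn": Element("000-00-0000")}),
        "name+email only": Record("Doe", "Jane", {"email": Element("jdoe@example.invalid")}),
    }
    for label, rec in samples.items():
        print(f"{label:22s} -> PI={is_personal_information(rec)} via {triggering_elements(rec)}")
```

Only the first sample is personal information under the definition; the encrypted SSN, the SSN with no name attached, and the name paired with an element the statute does not list all fall outside it, which is exactly the distinction the "Restricted data is PII & PHI" bullet depends on.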


Recent use cases

• Registrar’s Privacy and Security Group
  – To reduce, and where possible eliminate, risk in the receiving, storing, dissemination, and disposal of sensitive data
  – To cultivate awareness of privacy and security in our individual units, our departments, the division, the campus, and anyone with whom we have contact

• Emails with restricted info


PKI Use Cases: the crystal ball

• Link with new campus ID card

• Secure VPN access
• Desktop/laptop encryption


Getting started

• Me first
• Why should they care?
  – Have to
  – Want to
• Free samples
• Work from the top and the middle


Marketing strategies

• Web: doit.wisc.edu, search: pki
• Email
• Presentations and demos
• Newsletter article …
• Postcard …


Lessons learned

• Involve management
• Customer service
• Process and procedures
• Plan marketing before rollout


Usability

• Slow to adopt
• Requires training and awareness
• Certs expire, requiring technical support
• Integrate with existing ID mgt.
• Integration with applications
  – PeopleSoft
  – CardSpace
  – Higgins
  – Other…


Our questions

• How have you made PKI more usable in your environment (any tricks of the trade)?

• Have you established training and docs that you would be willing to share with others?

• What has been the driving factor in your PKI implementations?

• What applications do you use with PKI?