SecIdmNC09-20090225-cpm
Transcription
Leveraging Identity Management for Privacy, Security, and Compliance
Linda Hilton, Chief Information Officer, Vermont State Colleges
Christopher Misra, Information Security Officer, University of Massachusetts

For ref. only – remove for printing
• Access control is a critical component of a standards-based information security program. It helps safeguard IT assets by controlling access to information, information processing facilities, and business processes according to business and security requirements. Access control also serves to protect our community members' privacy by preventing unauthorized access to information held in application systems. Although institutions may have similar security goals, institutional type, size, and context present unique implementation challenges. This seminar will explore how diverse institutions can bridge issues in technology, policy, and process related to security and identity management to achieve shared institutional goals and ensure compliance.

What We Will Focus On
• An overview of identity management
• How identity management can help improve security, protect privacy, and ensure compliance
• IdM as a component of an information security program
• Bridging policy, process and technology

Identity Management Overview
• Some definitions
• Core components
• IdM drivers
• Why do IdM?
• How is IdM used in Higher Ed?

IdM: definitions
• What do we mean by Identity Management?
  – California State University definition: An identity management infrastructure is a collection of technology and policy that enables networked computer systems to determine who has access to them and what resources the person is authorized to access, while protecting individual privacy and access to confidential information.
Analyze this Definition
• Infrastructure: software and hardware
• Collection: not just technology
• Technology and policy: policy plays a critical role and is an essential element of the solution
• Networked computer systems: implies distributed technology systems communicating over a network
• Access: who am I
• Authorized: what can I do
• Protecting: limiting access and protecting information

IdM: definitions
• The Burton Group defines Identity Management as: a set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.
  – Integrates data sources and manages bio-demographic information about people and devices
  – Establishes electronic identity of users and devices
  – Issues and validates identity credentials
  – Uses organizational data and management tools to assign affiliation attributes
  – ...and gives permission to use services based on those attributes

Core IdM Components
• People and relationships
  – Identity and trust
• Account creation, management, and deletion
  – Technology, business process, resources
• Access management
  – Assignment of privilege, groups and roles, IdM and application-level security

Core components: People and Relationships
• Different types of affiliations
  – Formal vs. casual
• Multiple affiliations and multiple roles
• Affiliation life-cycles

Core components: Creation & Management of Identities
• These are the IdM business processes
• Vetting: collection and validation of identity information
• Proofing: aligning collected data and matching it to an actual person with some degree of certainty
• Issuance of credentials
  – ID/password pair
  – ID card
  – 2nd-factor token
• Managing: providing assurance that the credential and the entity stay linked

Core components: Access Management
• Connecting people to data and services
• Authentication decisions
• Authorization decisions
  – Affiliation type, status, level of assurance, roles and other attributes
• Rule of least privilege

Core components: Access Management
• Assignment of privilege
• Groups and roles
• IdM and application-level security

IdM Business Needs
• Support increased collaboration and innovation
• Improve customer service
• Increase efficiency
• Improve security of digital assets and mitigation of risk

What are IdM drivers?
• Traditional forms of authentication and authorization are no longer sufficient for the needs of modern internet-based applications
• Application security is becoming increasingly onerous: multiple applications, multiple enterprises, and multiple user roles in multiple contexts
• New regulations dictate more stringent identity management processes
  – HIPAA (health information privacy)
  – FERPA (educational records privacy)
  – Sarbanes-Oxley (financial disclosures)
  – Gramm-Leach-Bliley Act (financial information privacy)
  – Red Flags Rule (identity theft prevention)

Why Do Identity Management?
• Centralize directory services
  – One authoritative source for applications
  – One-stop shopping for students and employees!
• Single sign-on: reduce control gates for access to data
• Standardized posture makes adding new apps easier
• Remote access
• Inter-institutional access
• Lifecycle issues: from cradle to grave
• Enhance privacy of personal information
• Improve security and safeguarding of information
• Comply with federal and state laws and regulations

How Identity Management Is Used in Higher Education
• Students
  – Learning resources (course management systems, library, etc.)
  – Online student systems
• Staff
  – Employee directory
  – Online human resources systems (timesheets, payroll, benefits, etc.)
• Faculty and Researchers
  – Online course materials and library resources
  – Federal research agencies, funding, and data resources
• Alumni and Donors
  – Email for life
  – Alumni directories and services
• All
  – Student/employee directory
  – Emergency notification systems
• External Access
  – Contractors, guests, visiting faculty, donors, volunteers

Emerging IdM Uses
• Building access controls
• Federal government agencies: NIH
• National Student Loan Clearinghouse
• Workflow

Creating an IdM Infrastructure
• A strategic approach to IdM
• Solve problems: pick low-hanging fruit
• Create awareness
• Develop a roadmap
• Address the gaps and challenges
• Offer education

Tailoring IdM to the environment
• Operational: governance, org structure
• Cultural
• Resource levels
• Process maturity: it's an IT issue
• Scale differences
• Budgets and resources

Case studies
• Vermont State Colleges: Security and IdM
• University of Massachusetts

Case Studies
• Each campus has unique experiences with deploying identity management and middleware.
• We will review each of our schools' approach to providing these services.

University of Massachusetts Amherst IdM
• Context
  – 45,000+ accounts
  – 25,000+ students
• Deployment
  – ERP-based provisioning and account management (PeopleSoft)
  – OpenLDAP
  – Kerberos authentication backend

Case Study: UMass Background
• Active LDAP project initiated in 2003
• Existing account management system circa 1993
• Started with account management system rewrite
  – Deployed as a custom app within our PeopleSoft environment
  – Campus ERP is System of Record

Case Study: UMass Guiding Principles
• (T)hese processes of identification, registration, authentication, and authorization are uniquely separate processes that should be tightly linked and controlled in order to have a trusted and robust identity and privilege management system.
  Understanding the underlying processes and the differences in the processes is critical to managing these types of integrated systems.
• From the NMI authentication roadmap

Case Study: UMass IdM and Security
• Segmented authentication and white-pages functionality
  – FERPA drivers
• Tighter control over authenticating LDAP
  – Understanding and controlling where we expose our credentials
• Relying heavily on WebISO
  – Where appropriate and feasible

Case Study: UMass Protecting Privacy
• Everyone has their own application,
  – and thus has a need for access control
• Per-app IdM increases exposure of personal data
  – What one can do vs. what one is permitted to do
• Assigned privileges may be sensitive
• Roles and groups that map to courses require FERPA protections

Case Study: UMass Compliance
• Having a consistent IdM tied to the ERP permits identification of user activity
  – DMCA, PCI-DSS, etc.
• Accurate de-provisioning is critical to internal audit
  – University policy
• Application enrollment
  – Logical next step from asset inventory

Break

Security, privacy, compliance overview
• IdM and security
• Managing and protecting privacy
• Incident trends

Identity Management and Security
• The identity management system is an integral component of the organization's overall security strategy and architecture.
• In higher education, IdM has often been developed and managed more as a business enabler than as part of the security strategy.
• Looking at IdM success factors, we see how much overlap there is with security.

Managing and Protecting Privacy
• Security services traditionally focus on preventing badness: protective, defensive and reactive tools and techniques.
• IdM provides a set of infrastructure services that enhance security: identification, authentication, and authorization.

Security Threat Environment
• The security environment is changing.
  The focus should be on the behavior that we don't understand or manage well
  – Everyone wants their own application
  – Those who operate these applications frequently do not have a strong security background
  – Assignment of privilege is decentralized and often poorly managed

What are the tangible risks
• Data loss is a principal driver for many campus information security organizations
• Many of the incidents revolve around individuals having access to data that contained sensitive information (NPI) and not following adequate security procedures.
• Data management, knowing who has access to sensitive data and then taking appropriate measures, is a key aspect of protecting that data.
• Large incidents often revolve around ancillary business systems that are run outside of central IT.

Data privacy legal issues
• Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
  http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

Broader Privacy Issues
• Increasingly, through either state laws or as a result of the European Union privacy efforts, we are going to have to manage varying rules for what is private information and how to manage that information based on the relevant jurisdiction of the individual.
• Additionally, as the EU rules take hold we will need to recognize what outside groups we can share information with and what attributes can be released on individuals to different entities.

IdM: bringing the pieces together

What Does IdM Involve?
• Technology
  – Standards
  – Practices
  – Products
  – Authentication and authorization mechanisms
  – Enterprise directories
• Policy and Governance
  – Institutional goals
  – Drivers
  – Constituent requirements
  – Policies
  – Regulations & laws
• Resources
  – Business processes
  – Applications
  – Budget
  – Project management
  – Staff / skill expertise
• ...And
  – New TRUST relationships
  – Federations

Identity Management Drivers
(diagram; labels: Legal & regulatory, Institutional Goals, Constituent Requirements, Policy & Governance & Business Process, Standards, Budget, Identity Management Practices, Technology, Products, Resources, Project Management, Staff Skills/Expertise)

Identity and Access Management (IAM) Model

Technology

Technology: an architecture for Identity Management
• Identity management systems aggregate information across disparate systems. Requirements include:
  – High performance: these systems drive all web-facing customer applications, and customers (or employees) won't wait.
  – High reliability: these systems often provide all authentication and authorization services. When they are down, nothing can occur.
  – High security: these systems may maintain a large number of person attributes, sometimes including personally protected information.

Technology: Enterprise Directory
• The core of an identity management system.
• The metadirectory holds the consolidated IdM schema, updated from the core (authoritative) data sources.
• Physical directories, usually accessed via LDAP, provide the interface to services.
• For auditors, understanding how to validate that the business rules are implemented and followed is essential.

Technology & Business Process: Identifying Authoritative Data Sources
• Authoritative data feeds for the identity management system may come in real time or in batch from your CRM and/or ERP systems.
• Often you have special population groups kept in systems outside of the ERP or CRM.
• Some systems may provide periodic or asynchronous updates, or be polled for new information.
• For auditors, understanding what data sources are used and the lag time to updating the IDMS is essential to enforcing policy.

Technology & Business Process: Applications and Services
• Applications and services are the consumers of an IDMS. Examples include:
  – Authentication: who am I?
  – Authorization services: what can I do?
  – Portals are a common application
• Services may reside locally or be provided by off-campus providers through Software-as-a-Service (SaaS) or Service Oriented Architecture (SOA) methods.
• Audit issue: how do you validate that partners are meeting service requirements and managing data appropriately?

Resources: Business Process
• Leveraging IdM for managing roles and security
• Universities are complex: we have systems for student housing, finance, human resources, grants management, student records, admissions, alumni, and library, to name just a few of the major systems.
• It is very rare to have a single vendor provide solutions to all of these areas, so we have many different vendors. In many cases we have a different vendor for each major system.
• In addition, application security is getting much more complex, making it staff intensive and difficult to audit for compliance.

Resources: Business Process
• Multiple roles at the same institution can add to the complexity
• Multiple institutions sharing identities can be even more complex
• We need workflows for role changes that are accurate and timely (this can be critical to application security)

U.S. Federal Government eAuthentication Initiative
http://www.cio.gov/eauthentication/

Federations
• A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions
  http://www.incommonfederation.org/docs/guides/faq.cfm

Federations
• Fundamentally a policy construct
  – Combined with a technical toolset
• Often implemented with the Shibboleth toolset in R&E networks
• Provides access to local campus resources for users from remote institutions

Benefits of Federations
• Organizations without a federation that need to share information must enter into bilateral agreements. These agreements are difficult to achieve and greatly complicate the work of ensuring compliance if each has slightly different terms.
• Individuals without a federation must establish a relationship with each organization, often providing duplicate information to multiple organizations.

Federations and Identity Management
• Federations: definition
  – Dictionary.com: a federated body formed by a number of nations, states, societies, unions, etc., each retaining control of its own internal affairs.
  – Incommon.org: A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions.
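The federation slides above describe members exchanging "a common set of attributes", and the privacy slide earlier asks what attributes can be released on individuals to different entities. The Python below is an added example of the identity-provider side of that decision; it is not the presenters' code and not InCommon's or Shibboleth's. It applies a per-service-provider release policy to a user's eduPerson attributes (eduPerson is the real schema InCommon uses; the attribute values here are made up), defaults to releasing nothing to an unknown service provider, and derives a pairwise pseudonymous identifier in the spirit of eduPersonTargetedID, so two service providers cannot correlate the same user. The user record, the two service-provider entity IDs, the release policy and the IdP salt are constructed for illustration, and the HMAC-SHA256 construction is a simplified analogue of the Shibboleth computed-ID approach rather than its exact algorithm.

```python
"""Attribute release with a pairwise pseudonymous identifier (added example).

Models what a Shibboleth-style IdP decides per service provider (SP):
which attributes leave the campus, and under which identifier the user is known.
"""
import base64
import hashlib
import hmac

# Constructed user record. eduPerson attribute names are the real schema;
# the values are invented for this example.
USER = {
    "uid": "jdoe",
    "eduPersonPrincipalName": "jdoe@example.edu",
    "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
    "mail": "jdoe@example.edu",
    "displayName": "Jane Doe",
    "studentID": "S00123456",          # FERPA-sensitive; never in any policy below
}

# Hypothetical per-SP release policy: the library only needs to know the user
# is a student and needs a stable-but-unlinkable identifier; a partner LMS
# needs a real login name and display name.
RELEASE_POLICY = {
    "https://library.example.org/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://lms.partner.edu/shibboleth": {
        "eduPersonPrincipalName", "eduPersonScopedAffiliation", "displayName"},
}

# Hypothetical IdP secret. In a real deployment it is kept secret and never
# rotated casually: changing it changes every user's identifier at every SP.
IDP_SALT = b"constructed-idp-salt-not-for-production"


def targeted_id(uid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Pairwise pseudonym: stable for (user, SP), different for every other SP.

    Keyed by the IdP secret so an SP cannot brute-force uid from the value
    and two colluding SPs cannot join their user tables on it.
    """
    message = f"{uid}!{sp_entity_id}".encode("utf-8")
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def release(user: dict, sp_entity_id: str, policy: dict = RELEASE_POLICY) -> dict:
    """Return exactly the attributes the policy permits for this SP.

    An SP with no policy entry gets nothing (default deny). Attributes the
    user lacks are silently skipped rather than invented.
    """
    allowed = policy.get(sp_entity_id)
    if allowed is None:
        return {}
    released = {}
    for name in allowed:
        if name == "eduPersonTargetedID":
            released[name] = targeted_id(user["uid"], sp_entity_id)
        elif name in user:
            released[name] = user[name]
    return released


def release_report(user: dict, policy: dict = RELEASE_POLICY) -> dict:
    """Per-SP list of released attribute names: the view an auditor asks for."""
    return {sp: sorted(release(user, sp, policy)) for sp in policy}


if __name__ == "__main__":
    for sp, names in release_report(USER).items():
        print(sp, "->", ", ".join(names))
    print("unknown SP ->", release(USER, "https://unknown.example.net/shibboleth"))
```

Note that the policy is keyed by SP entity ID, which in a real federation is the identity the SP proved with its signed metadata; the same default-deny structure is what keeps "everyone has their own application" from turning into everyone receiving the full person record.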
Traditional Identity Management
(diagram; services: e-Learning, Online Application, Library, State Agency A, State Agency B; legend: credentialing/authentication, authorization, user credential)

Federated Identity Concept
(diagram; services: e-Learning, Texas Online, SIRS, Library, State Agency A, State Agency B; same legend)

Federations
• InCommon Federation
  – Higher education & research emphasis
  – http://www.incommonfederation.org/
• UT System Identity Management Federation
  – Business emphasis
• State of California Federated IdM Vision (http://www.cio.ca.gov/stateIT/pdf/California_SOA_and_IDM_Vision_122007.pdf)
• State of New York IdM Model (https://www.oft.state.ny.us/Policy/G07-001/) and Trust Model (http://www.oft.state.ny.us/OFT/PrinciplesoftheNYSEnterpriseIdMArchitecture.pdf)
• State of Nebraska Federated Services (http://www.nitc.state.ne.us/events/conferences/egov/2004/files/345_UserAuthentication_Hartman-FedID.ppt)

InCommon Federation: An Example
• Presently about 123 members: approximately 81 higher education institutions, 5 government agencies or nonprofit laboratories, and 33 corporations (public and nonprofit), representing 1.7 million individuals.
• Entities agree to a common participation agreement that allows each to inter-operate with the others.
• InCommon sets basic practices for identity providers and service providers. The primary focus has been technical and focuses on campus identity management procedures and attributes.

What Does Security Involve?
• Technology
  – Standards
  – Practices
  – Products
• Policy and Governance
  – Institutional goals
  – Constituent requirements
  – Policies
  – Regulations & laws
• Resources
  – Business processes
  – Applications
  – Budget
  – Project management
  – Staff / skill expertise
• ...But most importantly

Security standards
• The evolution of security processes and procedures from ISO 27002 provides a strong foundation for risk management and for developing strong internal controls as these pertain to security.
• While much of the ISO 27002 program is helpful in building a strong identity management function, it was not necessarily written for this function.
  – As the IDMS becomes a key business driver we should see the framework evolve.
• Working with audit may help us bridge some of these gaps while the policy approaches are resolved.

Security Standards
• Governance and organization of information security
• Risk assessment and management
• Policy
• Asset tracking and management
• Human resources security
• Physical security
• Communications and operations management
• Access control
• IT systems acquisition, development, maintenance
• Incident response and management
• Business continuity/disaster recovery
• Compliance

Security Standards: IdM
• Access control is a component of most security programs
• From ISO 27002, the need for access control is roughly defined as: logical access to IT systems, networks and data must be suitably controlled to prevent unauthorized use.
• This aligns well with our definition of IdM

ISO 27002: Access Control
• Business requirement for access control
  – Access control policy
• User access management
  – User registration
  – Privilege management
  – User password management
  – Review of user access rights
• User responsibilities
  – Password use
  – Unattended user equipment
  – Clear desk and clear screen policy

ISO 27002: Access Control (cont'd)
• Network access control
  – Policy on use of networked services
  – User authentication for external connections
  – Equipment identification in networks
  – Remote diagnostic and configuration port protection
  – Segregation in networks
  – Network connection control
  – Network routing control

ISO 27002: Access Control (cont'd)
• Operating system access control
  – Secure log-on procedures
  – User identification and authentication
  – Password management system
  – Use of system utilities
  – Session time-out
  – Limitation of connection time
• Application and information access control
  – Information access restriction
  – Sensitive system isolation

Level of Assurance in IDMS
• IDMS systems have often been business enablers for connecting customers or external business partners.
• Questions?
  – Do all account holders have access to all services and generate the same level of risk?
  – Do you have the same level of confidence that the identity associated with an account is who they purport to be for all your account holders?
• If you answered no, you might look at integrating level of assurance into your IDMS.

Overview of Level of Assurance in IDMS
• Two distinct uses
  1. For a service provider, the level of risk to the application or organization if an incorrectly identified user is allowed to access the application or perform a transaction. This can happen if someone compromises an account password.
  2. For an identity provider, the risk that the person is not who they claim to be; in this case the person holds legitimate credentials that they acquired fraudulently.
• Organizations often perform both functions and must look at both risks.

Assurance as an Identity Provider
• A combination of assurance that the person presenting their credentials is who they say they are AND that the person presenting the credentials is the one they were issued to.
  – The degree of confidence in the vetting process; and
  – The degree of confidence that the person presenting the credential is the person you issued the credential to
• Level 1: little or no assurance
• Level 2: some confidence
• Level 3: high confidence
• Level 4: very high confidence

Assurance as an Identity Provider
• eAuthentication guidelines require that everyone is identity proofed.
• We define another group: level 0. Level 0 has no assurance the person is who they say they are. These are guests that assert their identity and want a portal account. We have no way of verifying they are who they say they are.
• Audit plays an important role in assessing and validating the procedures for initial identity proofing. We do this when issuing our ID card.

Assurance of Credentials
• The second component of assurance is the assurance of the credential as presented by the person it was issued to.
• Traditional authentication focuses on password management. Level 2 is the highest assurance a text-based password can achieve.
• For level 3 or 4 assurance eAuthentication requires two-factor authentication. The second factor must be some token that is issued to the user. The US government is moving to smart ID cards under the auspices of HSPD-12.

Credential Assurance
• NIST SP 800-63 provides an excellent framework for managing credentials.
• The entropy spreadsheet is a great tool for reviewing password practices and looking at how subtle variations in policy practices change the strength of the credentials. This is a great tool for auditors!
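The slide above points auditors at the NIST SP 800-63 entropy spreadsheet. The Python below is an added example, not the presenters' spreadsheet or NIST's code: it implements the Appendix A heuristic for user-chosen passwords that the spreadsheet encodes (4 bits for the first character, 2 bits each for characters 2 through 8, 1.5 bits each for characters 9 through 20, 1 bit each beyond that, a 6-bit bonus for a composition rule requiring upper-case and non-alphabetic characters, and a dictionary-check bonus of 6 bits at 8 characters declining to zero at 20). It then turns the estimate into the maximum number of online guesses a password can absorb over its life while staying within the Level 1 (1 in 1,024) and Level 2 (1 in 16,384) targeted-guessing limits from 800-63, which is the number a lockout or throttling policy actually has to enforce. Two caveats: lengths below 8 are not covered, because Table A.1 uses smaller bonuses there that this example does not reproduce, and the "composition only" figure applies the text's independent 6-bit bonus, since the table itself only tabulates the dictionary and dictionary-plus-composition combinations.

```python
"""NIST SP 800-63 (v1.0.2) Appendix A password-entropy heuristic (added example).

Reproduces the estimate behind the 800-63 entropy spreadsheet for user-chosen
passwords of length >= 8 and relates it to the online-guessing targets for
assurance Levels 1 and 2.
"""

# Level 1: targeted online guessing must succeed with probability <= 2**-10
# over the password's life; Level 2: <= 2**-14. (800-63 section 8.2.3)
LEVEL_TARGET_BITS = {1: 10, 2: 14}


def estimated_entropy_bits(length: int,
                           composition_rule: bool = False,
                           dictionary_rule: bool = False) -> float:
    """Appendix A guessing-entropy estimate for a user-chosen password.

    Only lengths >= 8 are handled: Table A.1 gives smaller composition and
    dictionary bonuses for shorter passwords, and those are not reproduced.
    """
    if length < 8:
        raise ValueError("this example covers password lengths >= 8 only")
    bits = 4.0                                   # first character
    bits += 2.0 * 7                              # characters 2-8
    bits += 1.5 * max(0, min(length, 20) - 8)    # characters 9-20
    bits += 1.0 * max(0, length - 20)            # characters 21 and beyond
    if composition_rule:
        bits += 6.0            # require upper case AND non-alphabetic chars
    if dictionary_rule:
        # 6 bits for an 8-character password, declining linearly to 0 at 20:
        # long memorable passwords are passphrases of dictionary words anyway.
        bits += max(0.0, 6.0 - 0.5 * (length - 8))
    return bits


def online_guess_budget(entropy_bits: float, level: int) -> int:
    """Largest number of guesses per password life that keeps the attacker's
    success probability (guesses / 2**entropy) within the level's target.

    This is the ceiling a lockout or rate-limit must impose; without one, the
    entropy estimate alone gives no assurance at all.
    """
    return int(2 ** (entropy_bits - LEVEL_TARGET_BITS[level]))


def compare_policies(length: int = 8) -> dict:
    """The 'subtle variations in policy' view: one length, four rule sets."""
    return {
        "no checks": estimated_entropy_bits(length),
        "composition only": estimated_entropy_bits(length, composition_rule=True),
        "dictionary only": estimated_entropy_bits(length, dictionary_rule=True),
        "dictionary + composition": estimated_entropy_bits(length, True, True),
    }


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        for name, bits in compare_policies(length).items():
            print(f"len {length:2d}  {name:26s} {bits:5.1f} bits  "
                  f"Level 1 budget {online_guess_budget(bits, 1):>8d} guesses  "
                  f"Level 2 budget {online_guess_budget(bits, 2):>8d} guesses")
```

Running it for an 8-character policy shows why 800-63 caps text passwords at Level 2: with both rules the estimate is 30 bits, so the Level 2 target tolerates at most 65,536 guesses per password life, and with no rules (18 bits) only 16, which no deployment meets without throttling or lockout on failed attempts.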
An Example: Password Resets
• Forgotten passwords are often among the most common calls to the helpdesk.
• Creating a self-service method to reset your password is often essential for improving customer service and reducing helpdesk costs.
• However, this creates an opening for attacks to compromise accounts. We are integrating level of assurance into our process.
  – The 10% of total account holders that have an LOA of 2 have a different process than the 90% with an LOA of 1.

Assurance for Service Providers
• Service providers follow traditional risk management approaches such as NIST SP 800-30 to assess the risk associated with an authentication error:
  – The potential harm or impact, and
  – The likelihood of such harm or impact.
• Potential categories of harm include: reputation, financial loss, organization harm, release of sensitive information, risk to personal safety, and criminal or civil violations.
• Ratings use values of low, moderate, or high.

Setting Level of Service Assurance

IdM Solutions
• No slides on Shib? Ask Ann

Current Status of Signet
• MACE/I2 has suspended work on Signet and is now working with the community to refocus the requirements for privilege management, and will move forward accordingly. This may mean evolving Signet or adding functionality to the Grouper Groups Management Toolkit, or other options. Stay tuned.
• Some of the outcomes of this effort may take the form of practice recommendations. For instance, one of the early requests was for approaches and tools for growing a campus authz infrastructure, from groups to privilege management, starting with a lower-risk approach. The CAMP in June 2009 will be addressing this very issue.
• MACE/I2 is also in discussions with Kuali about working together on IdM.
More Information
Linda Hilton, Chief Information Officer, Vermont State Colleges
Phone – 802.626.6394
Email – [email protected]
Chris Misra, Information Security Officer, University of Massachusetts, Amherst
Phone –
Email –

Questions?

What did you think?
• Your input is important to us!
• Click on Evaluate This Session on the Mid-Atlantic Regional program page.

Slide parking lot
• Other slides below that may or may not fit

Kim Cameron's Laws of Identity Whitepaper: Seven Laws of Identity
1. User control and consent
2. Minimal disclosure for a constrained use
3. Limit relationships to justifiable parties
4. Control over who can see my identifier (directed identity)
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Dick Hardt's Identity 2.0 Presentation at OSCON
• One of the best presentations on identity management is by Dick Hardt at OSCON 2005.
• This is a good overview of how identity management may evolve. In 15 minutes he gives a great presentation.
• http://www.identity20.com/media/OSCON2005/

IDMS: Managing Roles and Application Security
• Internet2 has launched a project called Signet to allow security roles to be managed centrally and have these update the application security.
• The process is to define a security model, assign roles and responsibilities in the IDMS for functions (e.g. approve payroll), and then have a specially developed connector update the security in the application based on changes in the IDMS.
• The benefit is that as an employee's status changes you can make the change in one place and propagate it to all systems.

Key Elements of Signet
• Provide a single point for managing authorization without consolidating control. Business owners have a web interface for managing who has access.
• Allows centralized IDMS services to be leveraged for business applications and security, such as when a person leaves the organization or changes roles.
• Helps enable business groups and users through a consistent approach to security

Web Services: Service Oriented Architecture
• Service oriented architecture (SOA) leverages the web to provide services. The goal of SOA is that, as the web becomes the application delivery platform, there will be components done elsewhere that you want to integrate into your application.
• There are multiple sets of standards that define how web services will interoperate and manage authorization and access to these web services.
• Ultimately, for the promise of web services to be realized there will need to be solutions that reside outside of the application as part of an overarching IDMS.

Longer Term Approaches
• The WWW consortium (W3C) is working on standards for autonomous policy engines that take policy heuristics in an XML format and exchange and manage them across independent groups.
• There seems to be momentum in moving to SOA, and that will ultimately drive standards and direction as applications emerge that support business innovation.
• Companies may initially have two approaches: one for internal desktop applications and the other for extranet applications.

Leveraging IdM: overview
• How can IdM practices and policies improve security?
• Intersections: policy frameworks
• Intersections: technical frameworks
• What is a standards-based information security program?
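The UMass compliance slide calls accurate de-provisioning critical to internal audit, the authoritative-data-sources slides say auditors must know the lag of the feed, and the Signet slides above describe changing a person's status in one place and propagating it to every application. The Python below is an added example of the reconciliation step behind all three; it is not the presenters' code and not Signet or Grouper. The person records, the application's accounts, the two role rules, the department names and the 120-day student grace period are constructed for illustration. The logic compares what the system of record says each person is entitled to today with what the application currently holds, emits grant/revoke/create actions, disables (rather than deletes) accounts that have no system-of-record row at all so the audit trail survives, and refuses to act on a stale feed, since revoking against yesterday's data is how a terminated approver keeps approving.

```python
"""Reconcile application accounts against the authoritative ERP feed (added example).

The system of record drives entitlements; the application is brought into line.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class PersonRecord:
    """One row of the authoritative feed. Field names are hypothetical."""
    person_id: str
    affiliations: Set[str]          # e.g. {"employee"}, {"student"}
    department: Optional[str]
    status: str                     # "active" or "terminated"
    status_date: date               # when the current status took effect


@dataclass
class Account:
    """What the downstream application currently holds for a person."""
    person_id: str
    username: str
    roles: Set[str]


# Hypothetical business rules: which affiliation/department may hold which role.
ROLE_RULES: Dict[str, Callable[[PersonRecord], bool]] = {
    "payroll_approver": lambda p: "employee" in p.affiliations and p.department == "Finance",
    "course_access":    lambda p: bool(p.affiliations & {"student", "employee"}),
}
STUDENT_GRACE_DAYS = 120   # hypothetical life-cycle rule: departed students keep course access one term

Action = Tuple[str, str, str]   # (verb, username or person_id, role or reason)


def entitled_roles(p: PersonRecord, today: date) -> Set[str]:
    """Roles the system of record says p may hold on `today`."""
    roles = {role for role, rule in ROLE_RULES.items() if rule(p)}
    if p.status != "terminated":
        return roles
    # Terminated: every privileged role ends on the status date. The only
    # thing that survives is student course access, and only inside the grace window.
    if ("student" in p.affiliations and "course_access" in roles
            and today <= p.status_date + timedelta(days=STUDENT_GRACE_DAYS)):
        return {"course_access"}
    return set()


def feed_is_fresh(feed_date: date, today: date, max_lag_days: int = 1) -> bool:
    """The audit point from the slides: how far behind the system of record are we?"""
    return today - feed_date <= timedelta(days=max_lag_days)


def reconcile(feed: List[PersonRecord], accounts: List[Account],
              today: date, feed_date: date) -> List[Action]:
    """Compute the actions that bring `accounts` in line with `feed`."""
    if not feed_is_fresh(feed_date, today):
        raise RuntimeError("authoritative feed is stale; refusing to reconcile against it")
    people = {p.person_id: p for p in feed}
    actions: List[Action] = []
    for acct in accounts:
        p = people.get(acct.person_id)
        if p is None:
            # No system-of-record row at all: an orphan account. Disable, do not
            # delete, so the account's history remains available to audit.
            actions.append(("disable", acct.username, "no record in system of record"))
            continue
        want = entitled_roles(p, today)
        actions += [("revoke", acct.username, r) for r in sorted(acct.roles - want)]
        actions += [("grant", acct.username, r) for r in sorted(want - acct.roles)]
    have = {a.person_id for a in accounts}
    for pid, p in people.items():
        if pid not in have:
            actions += [("create", pid, r) for r in sorted(entitled_roles(p, today))]
    return actions


# Constructed sample data (not from the slides).
TODAY = date(2009, 2, 24)
FEED = [
    PersonRecord("P1", {"employee"}, "Finance", "active", date(2005, 9, 1)),
    PersonRecord("P2", {"employee"}, "Finance", "terminated", date(2009, 2, 20)),
    PersonRecord("P3", {"student"}, None, "terminated", date(2009, 1, 15)),
    PersonRecord("P4", {"employee"}, "Library", "active", date(2009, 2, 23)),  # moved out of Finance
    PersonRecord("P5", {"student"}, None, "active", date(2009, 1, 20)),
]
ACCOUNTS = [
    Account("P1", "asmith", {"course_access"}),
    Account("P2", "bjones", {"payroll_approver", "course_access"}),
    Account("P3", "cchen", {"course_access"}),
    Account("P4", "ddavis", {"payroll_approver", "course_access"}),
    Account("P9", "zorphan", {"course_access"}),   # person no longer in the feed at all
]

if __name__ == "__main__":
    for verb, who, what in reconcile(FEED, ACCOUNTS, TODAY, feed_date=TODAY):
        print(f"{verb:8s} {who:10s} {what}")
```

The department change for P4 is the case the Signet slides are about: nothing about the person was deleted, but a single attribute change in the system of record is enough to revoke payroll approval in the application on the next run, with no one having to remember that the application held that role.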
Resources

More information: CAMP
• CAMP: Practical Building Blocks for Access Management
• June 15–17, 2009, Philadelphia
• Institutions small and large interested in getting a handle on authorization
• Case studies of business and academic challenges from around the institution
• Discussions of how to incrementally build authz to reduce risk and ensure success
• Practical approaches for integrating standard authorization components
• Strategies for how these approaches help with compliance, security, and service provisioning and support business objectives
• www.educause.edu/camp092 (website available early March)
• www.incommonfederation.org

InCommon Collaborative Projects/Efforts (02/10/2008)
https://spaces.internet2.edu/display/InCCollaborate/Home
• InC Student
• InC Library
• InC SharePoint
• TeraGrid
• InCommon Inter-federation
• InCommon - NIH
• InCommon Research
• InC Apple
• Dreamspark