Federated or Not: Secure Identity Management
Janemarie Duh
Identity Management Systems Architect
Chair, Security Working Group
ITS, Lafayette College
Security
• Has three aspects
– Confidentiality
– Integrity
– Availability
Privacy
• Is the right to control one's identity during transactions
– Revealing only what one chooses
• Identities need protection
– Inadequate protections may result in misuse and release of private information
Goal
• Make identities available in a secure privacy-protected manner
Security Baseline
Account Management Policies
• Account creation
– Administrative processes that result in a record for an identity in a database
– Who qualifies to have an electronic identity?
• Identity proofing
– Of attributes such as name and DOB
– Results in credential issuance
• Account creation authorization
Account Management Policies
• Account updating
– Prompt notification of changes to attributes
  • Results in valid data being used
  • Changes such as in name, address, or employee type
Account Management Policies
• Account termination
– Changes due to
  • Termination
  • Retirement
  • Graduation
• Account removal
– Retention of identifiers
Account Management Policies
• Password management
– Strength
  • Publish guidelines
  • Implement via application code
– Forgotten passwords
  • Password reset mechanism
  • Identity vetting for off-campus users
Related IT Policies
• Acceptable Use Policy
– Authorization
• Data Stewardship Policy
– Storage
– Transmission
– Password strength
Related IT Policies
• Log management policies
– Privacy implications
  • Content
  • Retention
Protecting Identities and PII
• Credentials
– How are they communicated to the user?
– What authentication technologies are being used?
– Are passwords protected?
  • In transit across the network -> encryption
  • At rest in a database -> salted, iterated hashing (never reversible encryption)
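The two slides above (password strength "implemented via application code" and passwords "at rest in a database -> hashing") are usually one small module in the account-management application. The following is an added example written for this page, not Lafayette College's code: a published strength policy enforced at creation and reset time, storage of passwords only as salted, iterated PBKDF2 hashes in a self-describing record, constant-time verification, and detection of records hashed under an older, weaker iteration count. The policy numbers and the banned-password sample are assumptions for the example.

```python
"""Password-handling baseline for an identity store (added illustration).

Strength policy checked in application code, passwords stored only as salted,
iterated hashes, constant-time verification, and re-hash detection when the
stored record predates the current iteration policy.
"""
import hashlib
import hmac
import secrets

# Hypothetical policy values; a real deployment publishes its own guidelines.
MIN_LENGTH = 12
MIN_DISTINCT_CHARS = 5
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000  # slow on purpose; raise it as hardware improves

# Constructed sample; a real list is a breached-password corpus.
BANNED = {"password", "password1", "letmein", "qwerty123456", "changeme1234"}


def check_strength(password, username=""):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BANNED:
        problems.append("appears on the banned-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < MIN_DISTINCT_CHARS:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Hash with a fresh random salt.  The record names its own algorithm and
    iteration count so parameters can be raised later without breaking users."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (HASH_NAME, iterations, salt.hex(), digest.hex())


def _parse(record):
    """Split a stored record; raises ValueError on anything malformed."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if not algo.startswith("pbkdf2_"):
        raise ValueError("unsupported record type")
    return algo[len("pbkdf2_"):], int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password, record):
    """Constant-time comparison; a malformed record verifies as False, not as an error."""
    try:
        hash_name, iterations, salt, expected = _parse(record)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=PBKDF2_ITERATIONS):
    """True when the stored record used fewer iterations than current policy.
    Call after a successful login and replace the record with hash_password()."""
    try:
        _, stored_iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("violations for 'password1':", check_strength("password1", "jdoe"))
    rec = hash_password(pw)
    print("stored record:", rec[:48] + "...")
    print("verify good:", verify_password(pw, rec), "verify bad:", verify_password("wrong", rec))
```

The verify path never stores or logs the cleartext, and because the stored record carries its own parameters, raising `PBKDF2_ITERATIONS` later only triggers `needs_rehash()` at each user's next successful login rather than a forced reset.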
Protecting Identities and PII
• Reuse of identifiers
• ERP and desktop security
• Sharing and storage of sensitive information
– Improper methods
  • Email
  • Spreadsheets on office computers
  • Removable devices
  • Cloud (Dropbox, Google Drive)
Protecting Identities and PII
• Sharing and storage of sensitive PII
– Proper methods
  • Transmit using a secure network (VPN) or encryption
  • Store on an access-restricted network share
– Consider multi-factor authentication (MFA) for those with access to sensitive data
Protecting Identities and PII
• Access to the identity store
– Accessible only to administrators
– Accessible only to SSO technology such as CAS or Shibboleth
  • No direct access and no access from outside
Single Sign-on (SSO)
• Uses the results of an authentication transaction more than once
• Benefits
– Technical standard -> SAML
  • Makes identities available in a secure and privacy-protected manner
– Fewer identifiers and passwords
Single Sign-on (SSO)
• Concerns
– Timeouts
  • Session
  • User-initiated termination
– May expose existing security risks: a weak password or a hijacked session now reaches every SSO-protected service
Single Sign-on (SSO)
• Federated vs. non-federated
– Is the SSO technology used for logging into a federated service?
Federation
• Security benefits
– Trust framework
– Common standards
– Shared policies
– Published practices
  • Help other institutions decide if they want to federate with you
• Governance
– Who decides what attributes are released and to whom?
  • Involves compliance with regulations such as FERPA
  • Identify and work with stakeholders
  • Develop policies for what a service provider can and cannot do with respect to retention and sharing
Federation
• InCommon Federation Participant Operational Principles
– A benefit of federating
– A service provider must
  • Respect the privacy constraints on identity information released to it by other Participants
  • Use identity information only for its intended purpose
Risk Management
• Develop an incident response policy before an event occurs
• Assess the risk level
– What was released to whom?
– In a federated instance, consider what was released on a per service provider basis
– Were sensitive transactions performed?
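The governance question on the Federation slide ("who decides what attributes are released and to whom?") and the incident-response question above ("what was released, per service provider?") are answered by the same piece of identity-provider logic: a per-SP release policy plus a release log. The following added example, written for this page and not the college's or InCommon's code, filters a user's attributes against the policy for the requesting SP's entityID, refuses unknown SPs outright (default deny), flags regulated attributes, and offers the queries a responder needs after an event. The entity IDs, policy table, regulated-attribute set, and sample user are all constructed.

```python
"""Attribute release filter with a release log (added illustration).

The identity provider keeps a per-service-provider release policy decided by
the governance process.  Only attributes approved for an SP's entityID are
released, unknown SPs get nothing, and each release is logged so an incident
responder can answer "what was released to whom?" per service provider.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed policy: SP entityID -> attributes approved for release to it.
RELEASE_POLICY = {
    "https://library.example.edu/shibboleth": {
        "eduPersonPrincipalName", "eduPersonAffiliation"},
    "https://hr-vendor.example.com/sp": {
        "eduPersonPrincipalName", "givenName", "sn", "mail", "employeeType"},
}

# Constructed set of attributes whose release is regulated (e.g. FERPA-covered
# student data); releases of these are flagged in the log for later review.
REGULATED = {"mail", "employeeType", "studentId"}

RELEASE_LOG = []  # one record per successful release


class ReleaseDenied(Exception):
    """Raised when no governance-approved policy exists for the requesting SP."""


def release_attributes(sp_entity_id, user_attrs, now=None):
    """Return the subset of user_attrs approved for this SP and log the release.

    `now` is an ISO-8601 UTC timestamp string; it defaults to the current time
    and is a parameter only so callers (and tests) can pin it.
    """
    allowed = RELEASE_POLICY.get(sp_entity_id)
    if allowed is None:
        # Default deny: an SP without an approved policy receives nothing.
        raise ReleaseDenied("no release policy for %s" % sp_entity_id)
    released = {name: value for name, value in user_attrs.items()
                if name in allowed and value is not None}
    RELEASE_LOG.append({
        "time": now or datetime.now(timezone.utc).isoformat(),
        "sp": sp_entity_id,
        "user": user_attrs.get("eduPersonPrincipalName"),
        "attributes": sorted(released),
        "regulated": sorted(set(released) & REGULATED),
    })
    return released


def released_to(sp_entity_id, since=None):
    """Incident-response query: which users, and which attributes, went to one SP
    (optionally only since a given ISO timestamp, e.g. the SP's compromise date)."""
    out = defaultdict(set)
    for rec in RELEASE_LOG:
        if rec["sp"] == sp_entity_id and (since is None or rec["time"] >= since):
            out[rec["user"]].update(rec["attributes"])
    return {user: sorted(attrs) for user, attrs in out.items()}


def exposure_for_user(eppn):
    """Which SPs have received which attributes for one user (a compromised account)."""
    out = defaultdict(set)
    for rec in RELEASE_LOG:
        if rec["user"] == eppn:
            out[rec["sp"]].update(rec["attributes"])
    return {sp: sorted(attrs) for sp, attrs in out.items()}


def regulated_releases():
    """Every release that included a regulated attribute: (sp, user, attributes)."""
    return [(rec["sp"], rec["user"], rec["regulated"]) for rec in RELEASE_LOG if rec["regulated"]]


if __name__ == "__main__":
    # Constructed sample user; None means the attribute is not populated.
    user = {"eduPersonPrincipalName": "jdoe@example.edu", "givenName": "Jane", "sn": "Doe",
            "mail": "jdoe@example.edu", "eduPersonAffiliation": "student",
            "employeeType": None, "studentId": "L00012345"}
    print(release_attributes("https://library.example.edu/shibboleth", user))
    print(release_attributes("https://hr-vendor.example.com/sp", user))
    try:
        release_attributes("https://unknown.example.org/sp", user)
    except ReleaseDenied as exc:
        print("denied:", exc)
    print("exposure:", exposure_for_user("jdoe@example.edu"))
    print("regulated:", regulated_releases())
```

The log deliberately records attribute names, not values, so it can be retained long enough to support incident response without itself becoming a second store of PII; that is the same content-versus-retention trade-off the log management policy slide raises.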
Risk Management
• A service provider may need to be notified
– Consult legal counsel due to the implications
• See Federated Security Incident Response for more on the challenges of federated incident response
Questions?
Breakout Exercise
InCommon Federation Participant Operational Practices (POP)