
InCommon Assurance Certification

InCommon Assurance Certification. VA-SCAN October 3, 2013 Mary Dunker. InCommon Assurance Certification. What is it? Why would I want it? How do I get it?. Assurance certification: What is it?.



Presentation Transcript


  1. InCommon Assurance Certification VA-SCAN October 3, 2013 Mary Dunker

  2. InCommon Assurance Certification • What is it? • Why would I want it? • How do I get it?

  3. Assurance certification: What is it? • Designation by InCommon that an Identity Provider meets criteria for one or more of InCommon Identity Assurance Profiles Bronze and Silver (IAP) • Evidence that IdP meets a standard for higher education recognized by federal government • Identity Assurance Qualifier added to Identity Provider’s InCommon metadata by InCommon

  4. Assurance certification: Why would I want it? • Improve identity & access management processes • Improve security surrounding campus credentials • Implement best practices for higher ed • Allow access to federated services that require it

  5. Assurance helps manage risk in cloud.

  6. Assurance certification: How do I get it?
     • Join the InCommon Federation
     • Support an Identity Provider with SAML/Shibboleth
     • Read Identity Assurance Assessment Framework and Identity Assurance Profiles
     • Evaluate scope
       • Bronze and/or Silver
       • Users
       • Credentials
     • Start a project

  7. InCommon Assurance Project • High level sponsor • Scope Definition • Audit (Silver) or attestation • Gap analysis • Management assertions • Alternative means? • Submission

  8. Sponsorship Enlist support of friends in high places – Vice President for Information Technology & CIO. Project will span units outside your own. • Human Resources and/or Payroll – employee identities • Registrar/Provost – student identities • ID Card-issuing office • IT Security Office • Internal (?) Audit

  9. Define Scope • Which users will get Assurance? • What assurance level do they need? (Bronze, Silver, both?) • What credentials will they use?

  10. Audit or Attestation? Silver requires audit; auditor’s opinion attesting to Management Assertions. Bronze requires attestation, but audit can be done. “Attester” checks Bronze box on InCommon Operations Data Form and signs Assurance Addendum. Attester = Executive or person who signed InCommon Participant Agreement

  11. Gap Analysis – IAP Criteria
     4.2.1 Business, Policy and Operational Criteria
     4.2.2 Registration and Identity Proofing (primarily Silver)
     4.2.3 Credential Technology
     4.2.4 Credential Issuance and Management
     4.2.5 Authentication Process
     4.2.6 Identity Information Management
     4.2.7 Assertion Content
     4.2.8 Technical Environment (Silver only)

  12. For each subsection…
     • Do we meet the criteria?
     • Yes: What/where is the supporting evidence?
       • Technical
       • Documentation
     • No: What work needs to be done?
       • Technical? Documentation? Policy?
       • Effort: major, moderate, or minor
       • Who will do the work?
       • When will the work be completed?

  13. Management Assertions 4.2.1.1. InCommon Participant Virginia Tech is an InCommon Participant in good standing.

  14. Evidence of compliance 4.2.1.1. InCommon Participant On <date>, Virginia Tech received a copy of the completed InCommon Participant Agreement, signed by John Doe of Virginia Tech, and John Krienke, InCommon CEO. Most recent membership payment of $xxxx.00 was made on <date>, with PO xxxxx. Virginia Tech is in compliance with other contractual obligations to InCommon, including posting InCommon Participant Operational Practices.

  15. Alternative Means Equivalent or stronger methods to satisfy criteria in the IAP. • Multi-factor • Active Directory • Your alternative means here…

  16. Alternative Means submission • Prior to applying for certification • At the time of application • Community contribution See http://www.incommonfederation.org/assurance/alternativemeans.html

  17. Audit Report • Date • Auditor identification and qualifications • Outline of audit methodology • Statement of whether the IdPO conforms with all requirements of each IAP (Bronze, Silver). See IAAF Section 4.2

  18. Application Packet Bronze: Assurance Addendum Silver: • Audit summary • Assurance addendum (must also apply for Bronze) • Alternative means if applicable Approval process takes approximately one month.

  19. Resources • The program http://www.incommonfederation.org/assurance/ • The Assessment Framework (IAAF) http://www.incommon.org/docs/assurance/IAAF.pdf • Identity Assurance Profiles (IAP) http://www.incommon.org/docs/assurance/IAP.pdf

  20. Resources, continued… • Gap Analysis Templates https://spaces.internet2.edu/display/InCAssurance/Gap+Analysis+Templates • Generalized Management Assertions https://spaces.internet2.edu/display/InCAssurance/Generalized+Management+Assertions • Alternative Means http://www.incommonfederation.org/assurance/alternativemeans.html

  21. Resources, continued… • Submission – See FAQ http://www.incommonfederation.org/assurance/faq.html • Audit requirements – See IAAF section 4.2 • Assurance Addendum and US FICAM Privacy Assurance Criteria http://www.incommonfederation.org/docs/assurance/Assurance_Addendum.pdf

  22. Resources, continued… • Virginia Tech Assurance Implementation Example https://spaces.internet2.edu/display/InCAssurance/Assurance+Implementation+Example+-+Virginia+Tech • CAS integration https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration • dunker@vt.edu
