Security

1. Identity Management for
Security Professionals:
Leveraging Federations
Seminar 01Z
Brendan Bellina, University of Southern California
Miguel Soldi, University of Texas System
April 14, 2010

2. Agenda
1:15 - 2:30
• Overview of Identity and Access Management (IdM/IAM)
• How Does IdM Improve Information Security and Privacy?
• A Model Architecture for IdM: A Framework to Build On
• Concept and Use of Levels of Assurance (LoA)
2:30 - 2:45 Open discussion
2:45 - 3:00 Break
3:00 - 4:10
• Concept and Use of Federated Identity Management
• USC and UT System Case Studies
• Leveraging Federations: Enhancing Information Security and
Privacy in Collaboration, SaaS, and Cloud Computing
4:10 - 4:30 Open discussion and wrap up

3. …only strong characters can resist the
temptation of superficial analysis.
Albert Einstein
3

4. Identity and Access
Management
(IdM/AIM)
4

5. One (of many) IAM Definitions
Identity and Access management (IAM) is
a broad administrative function that
identifies individuals in a system, and
controls and facilitates their access to
resources within that system by
associating user rights and restrictions
with the established identity.
5

6. CSU Definition of IdM
California State University definition:
– An identity management infrastructure is a
collection of technology and policy that
enables networked computer systems to
determine who has access to them, what
resources the person is authorized to
access, while protecting individual privacy
and access to confidential information.
6

7. Analyzing the CSU Definition
• Infrastructure - software and hardware
• Collection - not just technology
• Technology and policy – policy plays a critical role
and is an essential element of the solution
• Networked computer systems - implies distributed
technology systems communicating over a network
• Access - Who am I
• Authorized - What can I do
• Protecting - limiting access and protecting
information
7

8. Burton Group Definition
The Burton Group defines Identity Management as:
“A set of processes, and a supporting infrastructure,
for the creation, maintenance, and use of digital
identities.”
– Integrates data sources and manages bio-demo
information about people and devices
– Establishes electronic identity of users and devices
– Issues and validates identity credentials
– Uses organizational data and management tools to
assign affiliation attributes
– …and gives permission to use services based on
those attributes
8

9. Identity Management Factors
Technology
Policy &
Governance
Institutional
Goals
Constituent
Requirements
Standards
Practices
Products
Budget
Staff
Skills/Expertise
Identity
Management
Ability to
Implement
Drivers
Project
Management
9

10. Examples of Use of IdM in
Higher Education
• Students
– Learning resources (course management systems, library, etc.)
– Online student systems
• Staff
– Employee directory
– Online human resources systems (timesheets, payroll, benefits, etc.)
• Faculty and Researchers
– Online course materials and library resources
– Federal research agencies, funding, and data resources
• Alumni and Donors
– Email for life
– Alumni directories and services
• All
– Student/Employee directory
– Emergency notification systems
10

11. Core Concepts of IdM
• People and Relationships
– Identity and fabric of trust
• Creation and Management of Identities
– Governance, business process, technology
• Access to Data, Applications, and Services
– Roles, groups, privileges
11

12. People and Relationships
• Different categories of affiliates
– Formal (staff, employee, student) vs. Casual
(Donor, Parent, Guest, Library Walk-in)
• Multiple affiliations and transitions
– Student workers
– Emeriti
– Administrators with Faculty appointments
– Employees pursuing degrees
• Affiliation life-cycles
12

13. Example User State Diagram
13

14. Creation and Management of
Identities
• Vetting – collection and validation of
identity information
• Proofing – aligning collected data and
matching an actual person
• Creation of a master identity record
• Issuance of credentials
– ID/password pair
– ID card
– 2nd factor token 14

15. Access to Data, Applications,
and Services
• Connecting people to data and services
• Authentication decisions
– Knowing who
• Authorization decisions
– Entitlements, Affiliation type, status, level of
assurance, roles and other attributes.
15

16. Benefits of IdM
• Centralize directory services
– One authoritative source for applications
– One stop shopping for students and employees!
• Single sign-on – reduce the number of control gates for
access to data at the same LOA
• Remote access
• Inter-institutional access
• Lifecycle issues: “from cradle to grave” and lifetime
access
• Enhance privacy of personal information
• Improve security and safeguarding of information
• Compliance with federal and state laws and regulations
16

17. Emerging Uses of IdM
• Building Access Controls
• Federal Government Agencies
– NIH
• National Student Loan Clearinghouse
• Workflow
17

18. How Does IdM Improve
Information Security and
Privacy?
18

19. “The best thing about the Internet is they don’t know you’re
a dog.”
Tom Toles. Buffalo News, April 4, 2000.
19

20. “You’re a four-year-old German Shephard-Schnauser mix,
likes to shop for rawhide chews, 213 visits to Lassie
website, chatroom conversation 8-29-99 said third Lassie
was the hottest, downloaded photos of third Lassie
10-12-99, e-mailed them to five other dogs whose identities
are…”
20

21. Data Security Incidents in Higher
Education
• Higher education has had a large number of non-public
information (NPI) data releases. Primarily this is
associated with our past heavy use of social security
numbers.
• Privacyrights.org lists 184 releases in first 6 months of
2008, 43 were universities.
– Higher education’s total is lower in 2008 than in 2007
and we seem to be making some progress in that our
overall percentage of releases is going down.
21

22. What Do We Know About
Incidents?
• Small incidents are the most frequent.
• Many incidents revolve around individuals having
access to data that had sensitive information (NPI) and
not taking adequate security procedures.
• Data management – knowing who has access to
sensitive data, and then taking appropriate measures, is
a key aspect of protecting that data.
• Large incidents often revolve ancillary business systems
that are run outside of central IT.
22

23. Security Threat Environment
• The security environment is changing. The
focus should be on the behavior that we
don’t understand or manage well
– Everyone wants their own application
– Those who operate these applications
frequently do not have a strong security
background
– Assignment of privilege is decentralized and
often poorly managed
23

24. Why Is IdM Becoming
Increasingly Important?
• Traditional forms of authentication and authorization are
no longer sufficient for the level of assurance needed by
modern internet-based applications
• Application security is becoming increasingly onerous
(multiple applications, multiple enterprises, and multiple
user roles in multiple contexts)
• New regulations dictate more stringent identity
management processes
– HIPAA (Health Information Privacy)
– FERPA (Educational Records Privacy)
– Sarbanes Oxley (Financial Disclosures)
– Gramm-Leach-Bliley Act (Financial Information Privacy)
24

25. IdM and Security
• Identity management is an integral component of the
organizations overall security strategy and architecture.
• In higher education, identity management and related
systems have often been developed and managed more
as a business enabler than as part of the security
strategy.
• Looking at identity management policy and legal
constraints we see how much overlap there is with
security.
25

26. Policy and Legal Constraints
• Ownership of Data
– Is data stewardship well-defined?
– Is it centralized or distributed?
• Access to Data
– Formally or loosely governed?
– Access authority centralized or distributed?
• Data Administration
– Centrally managed or distributed
– Compliant with federal and state law (HIPAA)?
26

27. IdM and Security Are
Complimentary
• Security and Identity Management
– Risk Assessment/Management
– Data Classification
– Identification, Authentication, and Authorization
– Levels of Assurance
– Compliance
– Red Flags Program
27

28. Key Points to Keep in Mind
• We are in the beginning stages of managing
identity.
• There won’t be a single identity provider
solution.
• The human integration component is critical and
we need to create something flexible that people
can consistently use.
• This is a rapidly evolving area because this is a
critical component in making the Internet usable.
28

29. 80% Policy; 20% Technology
29

30. Policy Frameworks to Build On
• The evolution of security processes and procedures
from ISO 27002 provides a strong foundation for risk
management and developing strong internal controls as
these pertain to security.
• While much of the ISO 27002 program is helpful to
building a strong identity management function it was
not necessarily written for this function. As the identity
management becomes a key business driver we will see
the frameworks evolve.
• We are looking at internal audit to help us bridge some
of these gaps while the policy approaches are resolved.
30

31. ISO 27002: Access Control
• Business requirement for access control
– Access Control Policy
• User access management
– User registration
– Privilege management
– User password management
– Review of user access rights
• User responsibilities
– Password use
– Unattended user equipment
– Clear desk and clear screen policy
31

32. ISO 27002: Access Control
(cont’d)
• Network access control
– Policy on use of networked services
– User authentication for external connections
– Equipment identification in networks
– Remote diagnostic and configuration port
protection
– Segregation in networks
– Network connection control
– Network routing control
32

33. • Operating system access control
– Secure log-on procedures
– User identification and authentication
– Password management system
– Use of system utilities
– Session time-out
– Limitation of connection time
• Application and information access control
– Information access restriction
– Sensitive system isolation
33
ISO 27002: Access Control
(cont’d)

34. • Mobile computing and teleworking
– Mobile computing and communications
– Teleworking
34
ISO 27002: Access Control
(cont’d)

35. A Model Architecture for IdM:
A Framework to Build On
35

36. A Model Architecture
for Identity Management
• Identity management systems aggregate information
across disparate systems. Requirements include:
– High performance – these systems drive all web-
facing customer applications and customers (or
employees) won’t wait.
– High reliability – these systems often provide all
authentication and authorization services. When
down, nothing can occur.
– High security – these systems may maintain a large
number of person attributes, sometimes including
personally protected information.
36

37. Governance Policy
Data Collection Multiple Systems of Record
Identity Resolution Registry Functions
Data Migration Metadirectory scripts; Provisioning
Entry/Attribute
Access and Release
LDAP Access Controls, Shibboleth
ARP’s
Data Consumers LDAP designed for high-volume read,
low-value write.
Applications, End-users,
Application/NOS directories
37

38. 38

39. 39

40. Identifying Authoritative Data Sources
• Authoritative data feeds for the
identity management system may
come in real time or batch from
your CRM and/or ERP systems.
•Often you have special population
groups kept in systems outside of
the ERP or CRM.
•Some systems may provide
periodic, or asynchronous updates
or be polled for new information.
•For auditors, understanding what
data sources are used and the lag
time to updating the IdM system is
essential to enforcing policy.
40

41. Enterprise Directory Services
• This slide forms the core of an
identity management system.
• Metadirectory is usually the
system database schema that
is updated by the core data
sources.
• Physical directories, called
LDAP, provide an interface to
services.
• For auditors, understanding
how to validate that the
business rules are
implemented and followed is
essential.
41

42. Applications and Services
• Applications and services are the
consumers of an IDMS. Examples
include:
– Authentication - Who am I?
– Authorization services – What can I do?
– Portals are often a common application
• Services may reside locally or be
provided by off-campus providers
through Software-as-a-Service
(SaaS) or Service Oriented
Architecture (SOA) methods.
• Audit issue is how you validate
partners are meeting service
requirements and managing data
appropriately?
42

43. Vendor Offerings to Build On
• Microsoft Identity Lifecycle Manager
http://www.microsoft.com/windowsserver/ilm2007/default.mspx
• Oracle Middleware Suite.
http://www.oracle.com/us/products/middleware/identity-management/index.html
43

44. Concept and Use of Levels of
Assurance (LoA)
44

45. Level of Assurance in IdM
• Identity management systems have often been business
enablers for connecting customers or external business
partners.
• Questions?
– Do all account holders have access to all services
and generate the same level of risk?
– Do you have the same level of confidence that the
identity associated with an account is who they
purport to be for all your account holders?
• If you answered ‘No’ to any of the questions above, you
might look at integrating level of assurance into your IdM
strategy.
45

46. Level of Assurance in IdM (cont.)
• Two distinct uses:
1. For a service provider, the level of risk to the
application or organization if an incorrectly identified
user is allowed to access the application or perform
a transaction. This can happen if someone
compromises an account password.
2. For an identity provider, the risk that the person is
not who they claim to be – in this case the person
has legitimate credentials that they acquired
frauduantly
• Organizations often perform both functions and must
look at both risks.
46

47. • A combination of assurance that the person presenting
their credentials is who they say they are AND they are
the person presenting the credentials.
– The degree of confidence in the vetting process; and
– The degree of confidence that the person presenting the
credential is the person you issued the credential too
• Level 1 – little or no assurance
• Level 2 – some confidence
• Level 3 – high confidence
• Level 4 – very high confidence
Assurance for Identity Providers
47

48. U.S. Federal Government
Identity Management Initiative
http://www.idmanagement.gov/
48

49. Assurance for Identity Providers
(cont.)
• Assurance of Credentials as presented by the person to
whom it was issued.
– Traditional authentication focuses on password
management. Level 2 is the highest assurance a
text-based password can achieve.
– Level 3 or 4 assurance requires two-factor
authentication. The second factor must be some
token that is issued to the user. The US government
is moving to smart ID-cards under the auspices of
HSPD-12.
49

50. Identity Assurance Profiles
• Determined based on three general areas
– Documentation of policies and procedures and
standard operating practices
– Registering identity subjects and issuing credentials
– Strength of authentication and shared secrets
• InCommon Bronze & Silver
• NIST 800-63 Electronic Authentication
Guideline http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
• Some require audit
50

51. Assurance for Service Providers
• Service providers follow traditional risk management
approaches (e.g., NIST 800-30) to assess the risk
associated with an authentication error:
– The potential harm or impact, and
– The likelihood of such harm or impact.
• Potential categories of harm include: reputation, financial
loss, organization harm, release of sensitive information,
risk to personal safety, and criminal or civil violations.
• Ratings use values of low, moderate, or high.
51

52. Setting Level of Service Assurance
52

53. What does Level of Assurance
mean for an Institution?
• Processes to establish credentials for remote and in
person
• Ability to identify and assert individuals and their
relationship to you
• Policy around releasing information to entities outside of
the university
• Documentation of practices
– Risk Management Methodology
– Change Management
– Business Continuity Plan
• Regular Audits
53

54. Using Levels of Assurance to
Enhance Security
• Security is about risk mitigation.
• LOA allows you to mitigate risk in your
authentication processes.
• Identify applications needing higher security and
then identify the people using those
applications. Those individuals are the ones
which require a higher LOA.
– Examples - Faculty and staff with financial or payroll
approval, system admins and senior administrations.
54

55. Questions and Open Discussion
55

56. Break
56

57. Concept and Use of Federated
Identity Management
57

58. What Do People Want?
• Institution wants to offer services to their
constituents but doesn’t want to host them.
• Vendor wants to offer a service to institutions but
doesn’t want the burden of managing user
credentials and authentication.
• User wants seamless access to services. “Single
Sign-On”.
• Security officer wants to protect University
assets, user identity information, and passwords.
58

59. Is There A Standard For This?
• SAML 2.0 – Security Assertion Markup
Language
– An OASIS standard managed by the OASIS
Security Services Technical Committee
– Vendor and industry acceptance
– Over 70 solutions certified by the Liberty
Alliance
• http://saml.xml.org/saml-specifications
Source: <http://www.pingidentity.com/>
59

60. Is There A Standard For This?
(cont.)
• Shibboleth – Open source software
package for web single sign-on across or
within organizational boundaries
– SAML-based software managed by Internet2
– Higher education and increasing vendor and
acceptance
– Provides extended privacy functionality
• http://shibboleth.internet2.edu/about.html
60

61. “Point to Point” Model
User@Institution
A
User@Institution B
= Credentialing / Authentication = Authorization = User Credential
Research
Projects
Physics
Homework
Service
Shared
Courses
Library
Provider
Student Loan
Service
Slide from IAM Online, Feb 12, 2010 “Introduction to Federated
Identity Management” by John O’Keefe, Lafayette College
61

62. Federations and Identity Management
• Federations – definition
– Dictionary.com - a federated body formed by a
number of nations, states, societies, unions, etc.,
each retaining control of its own internal affairs.
– InCommon.org - a federation is an association of
organizations that come together to exchange
information, as appropriate, about their users and
resources in order to enable collaborations and
transactions.
62

63. Attributes: Entitlement, Anonymous ID, Affiliation…
Metadata, certificates, common attributes & meaning,
federation registration authority, Shibboleth
1. User attempts to access
protected resource. Selects
home institution and is
redirected to home.
2. Authentication: single-sign-on at
home institution
3. Federation-based trust
exchange to verify partners
and locations
4. Authorization: Privacy-
preserving exchange of
agreed upon attributes
5. If attributes are acceptable to
resource policy, access is
granted!
Home Institution – user signs in
Online Resource
Federated Access via SAML
63

64. Federated Model
User@Institution A
User@Institution B
= Credentialing / Authentication = Authorization = User Credential
Research
Projects
Physics
Homework
Service
Shared
Courses
Library
Provider
Student Loan
Service
Slide from IAM Online, Feb 12, 2010 “Introduction to Federated
Identity Management” by John O’Keefe, Lafayette College
Federation
Reduced number
of IDs and
passwords
Identity protecting
Restricted
release of
attributes
Local
authentication
Scalable
64

65. Benefits of Federations
• For organizations, without a federation, organizations
that want to share information must enter into bilateral
agreements. These agreements are difficult to achieve
and greatly complicate the work of insuring compliance if
each has slightly different terms.
• For individuals, without a federation, individuals must
establish a relationship with each organization, often
providing duplicate information to multiple organizations.
65

66. Basic Requirements for
Federating
• Relationships
– Attributes, Roles, Life cycles
• Transport Mechanisms
– Standards - SAML, OpenID, InfoCard
• Authenticate
• Legal Agreement
• Policy
66

67. • InCommon Federation
– Higher Education & Research Emphasis
• UT System Identity Management Federation
– Business Emphasis
• State of California Federated IdM Vision
(http://www.cioarchives.ca.gov/stateIT/pdf/CA_SOA_IDM_Vision_08-27-2007.pdf)
• State of New York IdM Model
(https://www.oft.state.ny.us/Policy/G07-001/) Trust Model
(http://www.oft.state.ny.us/OFT/PrinciplesoftheNYSEnterpriseIAMArchitecture.pdf)
• State of Nebraska Federated Services
(http://www.nitc.state.ne.us/events/conferences/egov/2004/files/345_UserAuthentication_Hartman-FedID.ppt)
Federations
67

68. Federating Opportunities in
Higher Education
• Microsoft Dreamspark
• iParadigm - TurnItIn
• WebAssign
• Apple - iTunes U
• Digital Measures
• e2Campus
• Students Only Inc
• Symplicity
• Refworks
• Kuali Foundation
• OCLC
• Burton Group
• EBSCO Publishing
• Elsevier
• TeraGrid
• NSF
• NIH
• JSTOR
• lynda.com
• National Student
Clearinghouse
68

69. What is InCommon?
http://www.incommonfederation.org
A SAML-based Federation that includes:
• 200+ higher education participants
• Six government and nonprofit laboratories, research
centers, and agencies (including NIH, TeraGrid, and
NSF)
• 51 sponsored partners
• Two county K-12 school districts (as part of a pilot)
• More than 4 million higher education users
• Members agree to rules and practices that allow for
interoperability
69

70. Value of InCommon
• Governance by a representative Steering Committee
– Formulates policy, operational standards and practices, establishes a
common set of attributes and definitions.
• Legal Agreement
– Basic responsibilities, official signatory and establishment of trust,
conflict and dispute resolution, basic protections
• Trust “Notary”
– InCommon verifies the identity of organizations and their delegated
officers
• Trusted Metadata
– InCommon verifies and aggregates security information for each
participant’s servers, systems, and support contacts
• Technical Interoperability (Technical Advisory Committee)
– InCommon defines shared attributes (eduPerson), standards (SAML),
software (Shibboleth)
70

71. InCommon Identity Assurance
http://www.incommonfederation.org/assurance/
• InCommon has finalized two documents that specify the criteria
used to assess identity providers:
– “Identity Assurance Assessment Framework”
– “InCommon Bronze and Silver Identity Assurance Profiles”
• Supporting documents
– InCommon Attribute Overview
– InCommon Attribute Summary
– Assurance Profile Assessment Checklist - This checklist should
be used in conjunction with the InCommon "Identity Assurance
Assessment Framework" and the InCommon "Bronze and Silver
Identity Assurance Profile" documents. The checklist is intended
to aid in self assessment by Identity Providers and provide
background for a final assessment by qualified IT auditors.
71

72. InCommon Collaborative
Projects/Efforts
https://spaces.internet2.edu/display/InCCollaborate/Home
• InC Student
• InC Library
• InC SharePoint
• TeraGrid
• InCommon Inter-federation
• InCommon - NIH
• InCommon Research
• InC Apple
• Dreamspark
72

73. It’s All About Trust
73

74. USC Case Study
74

75. About USC
• Private university est. 1880 in Los Angeles
• 19 academic units
• 35,000 students
• 21,100 employees (faculty, staff student
workers)
• 229,000 alumni
• 6,600 regularly enrolled international students
Source: http://www.usc.edu/about/ataglance/
75

76. National Student Clearinghouse
- Allows Student access to enrollment verification
activities via the Web:
- Print enrollment certificates
- View enrollment history
- Check enrollment verifications that the
Clearinghouse has provided to student service
providers on their behalf
- View student loan deferments
- Link to real-time information on their student
loans
76

77. Benefits of Using Shibboleth and InCommon
with Student Self-Service
• Eliminate necessity of students registering with
NSC using SSN
• Make Student Self-Service available to students
who do not have an SSN or choose not to
provide the SSN
• Ease of use with Integrated Single-Sign On with
OASIS (USC Online Student Information System
Service), USC Portal, and other services
77

78. Work, Time, Resources
• Service sponsored by University Registrar. Presented for
approval to IAM Steering Committee and Data Stewards.
• Add University ID to existing NSC weekly data feed from
Student Information System
• Shibboleth Identity Provider configuration to release
student University ID and USC OPEID to NSC at student
login
• NSC link updated in OASIS
• Under 40 hours of technical work
• Implemented July 30. First school to implement in
production using Shibboleth 2.
78

79. Documentation
• Internet2 NSC Pilot documentation
– https://spaces.internet2.edu/display/InCCollaborate/N
ational+Student+Clearinghouse+Pilot
• USC Setup documentation
– https://spaces.internet2.edu/display/InCCollaborate/U
SC-NSC+Setup
• National Student Clearinghouse Student Self-Service
documentation:
– SSS Developer’s Implementation Guide
– SSS Shibboleth Profile Form
• NCES Global Locator (for OPEID lookup)
– http://nces.ed.gov/globallocator/
79

80. UT System Case Study
80

81. The University of Texas System
~ 195,000 students
~ 84,000 faculty & staff
~ 11 billion annual budget
• 9 Academic Institutions
• 6 Medical Institutions
• U. T. System Administration
• U. T. Investment Management
Company (UTIMCO)
MISSIONS
• Research
• Instruction
• Patient Care
• Public Service
81

82. Ideally, individuals would each like a
single digital credential that can be
securely used to authenticate his or her
identity anytime authentication of
identity is required to secure any
transaction.
William Weems, Ph.D. UT Health Science Center at Houston: Sharing Restricted Resources Across Organizational Boundaries
82

83. The UT System Federation
Drivers:
• Collaboration is a key goal.
• It all started with a “statement of direction” from our leaders and a
small “starter grant” from the government
• Why our own federation?
– We know our campuses best / clear administrative boundary - could
happen quicker if we do it within the UT System.
– Ensure that no campus is left behind
– Direct control over policies and directions
– Most of our initial apps were just for our campuses
– We want to strive for providing infrastructure to meet higher LoAs
throughout UT System
83

84. The UT System Federation
Overview:
• Uses Internet2 technology (Open Source)
– Shibboleth
• Based upon standards and best practices
– LDAP(eduPerson), SAML, etc
• Stable, Scalable, Secure, Interoperable
• Enabling Policies Exist
– https://idm.utsystem.edu/utfed/index.html
– Based on InCommon Federation policies and
documents
• Governance Structure in Place 84

85. Current Applications:
• All @ UT System Administration
– Training, Financial Reports, etc. ~ 40 applications
– All UT Institutions
– Guest Wireless for all UT institutions was first
• Blackboard @ UT HSC Houston
– MD Anderson
• Research Collaboration @ UT Arlington
– UT Dallas, UT Southwestern Medical Center, UT Pan American
• MobileCampus @ MobileCampus (.com)
– UT Austin, UT Arlington, UT Dallas, UT El Paso
• Risk Assessment Tool (ISAAC-UT)
– All UT institutions
• Time and Effort
– UT MD Anderson, UT Medical Branch
The UT System Federation
85

86. Lessons Learned (so far)
• Policy work is slow, but critical to establish an environment
in which trust can develop.
• It’s important to address the support needs that grow out of
a federated environment (federate the support too).
• Federated authorization is challenging and takes lots of
time and effort (AppAdmin workflow app) – training and
executive support are the keys.
86

87. What are the Practical Benefits
of this Approach?
• User satisfaction
– Fewer passwords to remember, increases the value of their campus credential
• Local autonomy
– Supports differing technologies, policies, and business processes
• Increased security
– No application-based loosely-coupled identities
– More granular authorization
• Lower costs
– Applications don’t have to manage separate identities for their users
• Support secure inter-institutional collaboration across the world just
as easily as across the state (well, almost)
– SAML is a mature global standard
87

88. Leveraging Federations:
Enhancing Information Security
and Privacy in Collaboration, SaaS,
and Cloud Computing
88

89. Collaboration
• With increased use of the web as user interface,
university systems are deploying administrative solutions
that support shared infrastructure for multiple institutions
• Press Release 10-023
Microsoft and NSF Enable Research in the Cloud
– “Agreement will offer free access to new computational and
collaborative services to accelerate scientific discovery for
research communities.”
– “Microsoft will provide cloud computing research projects
identified by NSF with access to Windows Azure for a three-year
period, along with a support team to help researchers quickly
integrate cloud technology into their research. “
89

90. Software-as-a-Service (SaaS)
• SaaS is a model of software deployment
whereby a provider licenses an application
to customers for use as a service on
demand.
• Many of the commercial service providers
joining InCommon utilize this model.
90

91. Some Common Higher Ed
SaaS Vendors
91

92. Cloud Computing
• Gartner - “a style of computing where massively
scalable IT-enabled capabilities are delivered ‘as a
service’ to external customers using Internet
technologies.”
• Wikipedia - “cloud computing is a paradigm of
computing in which dynamically scalable and often
virtualized resources are provided as a service over the
Internet. Users need not have knowledge of, expertise
in, or control over the technology infrastructure in the
"cloud" that supports them.”
92

93. Some Cloud Examples
93

94. Alternate Sourcing
94

95. The Challenge
• The decision to procure these services is
driven by departments instead of IT
strategy.
• Integrating these separately developed
applications into an integrated approach.
– How do you manage access?
– How do you manage provisioning?
– How do you integrate this into the web
services you provide?
• How to reduce the number of credentials
95

96. A Solution: Leverage Federation
• Focus on four activities:
– Develop an institutional Identity Management System
– Create a standard set of attributes for each person
(eduPerson)
– Use a federation to enable external access
– Require institutional developers and in RFPs that
service providers support SAML and InCommon
• InCommon provides an easy to use
framework for customers and service
providers that will work across higher
education.
Source: Jack Suess and Kevin Morooney “Identity Management and Trust Services: Foundations for Cloud Computing”, EDUCAUSE
Review Vol. 44 Sept/Oct 2009
96

97. Items to be aware of
• Federal Trade Commission Red Flags Rule:
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
• New FERPA Regulations:
http://www.ed.gov/policy/gen/guid/fpco/ferpa/
• Student Financial Aid Clearing House:
http://www.studentclearinghouse.org
• Fed – Higher Ed becomes a contractor – Peter Alterman Slides:
http://net.educause.edu/NMM09/Program/1020177?PRODUCT_COD
E=NMM09/GS10
• NIST 800-63 equivalence to InCommon Silver:
https://spaces.internet2.edu/display/InCColaborate/InCommon+Silver
• University of Texas System Federation Member Operating Practices:
https://idm.utsystem.edu/utfed/MemberOperatingPractices.pdf
97

98. Online Resources
Websites
• http://www.internet2.edu/middleware/
• http://www.nmi-edit.org
• http://www.incommonfederation.org/
• http://shibboleth.internet2.edu
• http://www.educause.edu/Resources/Browse/Authenticat
ion/25439
• http://www.educause.edu/Resources/Browse/Identityand
AccessManagement/17322
• http://www.educause.edu/Resources/Browse/Federated
%20Identity%20Management/31075
98

99. Kim Cameron’s Identity Blog
Kim Cameron is Microsoft’s
Chief Architect of Identity.
His blog is a very good place
to get thoughtful discussion
on identity.
http://www.identityblog.com/
99

100. Kim Cameron’s Laws of Identity
Seven Laws of Identity
1. User control and consent
2. Minimal disclosure for a constrained use
3. Limit relationships to justifiable parties
4. Control over who can see my identifier, directed identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
100

101. Identity 2.0
• One of the best presentations on identity
management 2.0 is by Dick Hardt at
OSCON 2005.
• This is a good overview of looking at how
identity management may evolve. In 15
minutes he gives a great presentation.
• http://www.identity20.com/media/OSCON
2005/
101

102. Questions
102

103. What did you think?
• Your input is important to us!
• Click on “Evaluate This Session” on the
conference program page.
103

104. Contact Information
• Brendan Bellina
– bbellina@usc.edu
• Miguel Soldi
– msoldi@utsystem.edu
104

105. Copyright Statement
Copyright Brendan Bellina and Miguel Soldi,
2010. This work is the intellectual property of the
authors. Permission is granted for this material
to be shared for non-commercial, educational
purposes, provided that this copyright statement
appears on the reproduced materials and notice
is given that the copying is by permission of the
authors. To disseminate otherwise or to
republish requires written permission from the
authors.
105