Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Assurance refeds-090626100437-phpapp02


Published on

Published in: Education, Technology
  • Be the first to comment

  • Be the first to like this

Assurance refeds-090626100437-phpapp02

  1. 1. Moving forward with assurance
  2. 2. Overview <ul><li>Talking about concepts of assurance within REFEDS – not going to cover all the different types of assurance / audit out there at the moment (but will collate this on the website). </li></ul><ul><li>What do we mean by a federation? </li></ul><ul><li>How does this differ from a community of practise? </li></ul><ul><li>How do we increase ‘assurance’ within federations? </li></ul>
  3. 3. The federation club <ul><li>Typically in our context a collection of organisations within a specific geographic boundary involved in education and research. </li></ul><ul><li>Plus the service providers delivering services to these organisations. </li></ul><ul><li>This is a gross generalisation! </li></ul><ul><li>“ Real world” organisations (legal entities – although legal status not always relevant or required): </li></ul><ul><ul><li>The domain of education and research; </li></ul></ul><ul><ul><li>Not a community of practise. </li></ul></ul>
  4. 4. Federations, Domains and Communities of Practise fed B fed C fed D fed E fed A fed F
  5. 5. Current Federation Model <ul><li>Pragmatic, fundable, relatively easy to organise. </li></ul><ul><li>Not broken, doesn’t need fixing  . </li></ul><ul><li>Value-add to the domain of members is in REGISTRATION of entities at federation. </li></ul><ul><li>Federation adds assurance as a registrar: </li></ul><ul><ul><li>Quality of metadata; </li></ul></ul><ul><ul><li>Adherence to laws, good practise. </li></ul></ul><ul><li>Provides a statement of practise as a registrar , including commentary on the assurance it provides for members and others to make a trust value judgement. </li></ul><ul><li>Works at this level as organisations are typically like for like – the ‘warm fluffy feeling’. </li></ul>
  6. 6. Where is assurance added? <ul><li>To the entity: at the point of registration with some kind of metadata registrar (typically at the moment Federations). </li></ul><ul><li>This type of assurance is different from end-user assurance. </li></ul><ul><li>Confusion between role of federation in adding assurance to metadata through registration and policing end-user assurance. </li></ul><ul><li>To the end-user: at the point of registration with an institution (identity proofing). ONLY to identity. </li></ul><ul><li>(Possibly) at various different points in time. </li></ul><ul><li>Need to separate out: </li></ul><ul><ul><li>Assurance in metadata (this is well-processed entity metadata, authoritative copy etc). </li></ul></ul><ul><ul><li>Assurance of the identity of an end-user. </li></ul></ul><ul><ul><li>Assurance in the identity management practises of a particular institution. </li></ul></ul>
  7. 7. Things to think about for assurance (1) <ul><li>Assurance provided at point of metadata registration. </li></ul><ul><ul><li>Where is this statement made and how? </li></ul></ul><ul><ul><li>Made by registrar not by entity. </li></ul></ul><ul><ul><li>Add-on assurance, not part of the identity assurance profile work. </li></ul></ul><ul><li>UK federation Operator Procedures? </li></ul><ul><ul><li> . </li></ul></ul><ul><li>Assurance can additionally be added at point of metadata aggregation (we only aggregated from these types of metadata registrars – more later). </li></ul><ul><li>Note: different from the types of ‘registration assurance’ discussed by David Chadwick which refers to registration of users = identity proofing. </li></ul>
  8. 8. Things to think about for assurance (2) <ul><li>Strength of Authentication: </li></ul><ul><ul><li>Password (challenge, response) – most entities here; </li></ul></ul><ul><ul><li>Tunnelled password; </li></ul></ul><ul><ul><li>Soft crypto token / one-time password; </li></ul></ul><ul><ul><li>Hard crypto token. </li></ul></ul><ul><li>Can be part of an identity assurance profile. </li></ul><ul><li>Typically hierarchical in nature (gets stronger!). </li></ul>
  9. 9. Things to think about for assurance (3) <ul><li>Identity Assurance Profiles. </li></ul><ul><li>Should be defined by (representative bodies of) the communities that need to use them (not the domain in which they operate). </li></ul><ul><li>Should describe whole programme / process including standards (i.e. NIST), processes required to meet this standard and auditing processes. </li></ul><ul><li>IAPs should be expressed in entity metadata as ‘flags’. </li></ul><ul><li>Flag in metadata does not itself provide assurance. </li></ul><ul><li>IAPs not necessarily hierarchical (not ‘levels’). </li></ul><ul><li>Provides assurance of identity : very small subset (name, perhaps DoB) of user attributes. Shouldn’t be assumed to assure all attributes provided (i.e can only guarantee address is up to date if explicit address updating is in IAP). </li></ul>
  10. 10. Registration and Aggregation / Distribution <ul><li>Useful to separate out the roles of: </li></ul><ul><ul><li>Metadata Registration; </li></ul></ul><ul><ul><li>Metadata Aggregation and Distribution. </li></ul></ul><ul><li>Both typically done by federations, but aggregation and distribution can happen in isolation from registration. </li></ul><ul><li>Registration: adds registration assurance, authoritative copy, well-looked after metadata (as opposed to self-asserted metadata from institutions). </li></ul><ul><li>Registered metadata carries IAPs. The assurance is that these are well expressed IAPs, not that the IAPs are correct. </li></ul><ul><li>Auditing of IAPs can happen elsewhere. </li></ul><ul><li>Registrar can aggregate and distribute metadata. </li></ul><ul><li>Other aggregators can aggregate and distribute metadata from a variety of registrars (or self-asserted metadata directly from institutions) depending on trust decisions based on registrar sources: an additional assurance. </li></ul><ul><li>Organisations make decisions to use aggregated metadata based on above. </li></ul>
  11. 11. Assumptions and Questions <ul><li>LoA is used as a term in our environment to mean all three of these areas and subsets of these areas. </li></ul><ul><li>Clarity is needed on assurance provided by registrar within current federations: registrar statement of assurance practise? </li></ul><ul><li>Communities of practise should define IAPS. Federation clubs are not necessarily communities of practise (but may be). </li></ul><ul><li>REFEDS may have an interest in defining IAPs for work within all European federations rather than developing piecemeal for each. </li></ul><ul><li>Assurance auditor role needs to be though about: who instigates / carries out the audit? Federation? External party? </li></ul><ul><li>How many potential IAP may federations have to support? How many communities of practise and where is the limit? </li></ul><ul><li>Case studies for different levels of authentication? </li></ul>
  12. 12. Taking Forward the Workpackage <ul><li>Collate information about different assurance standards / processes / programmes on the REFEDS wiki. </li></ul><ul><li>Semantics! Looking at the ‘floor’. </li></ul><ul><li>JISC funding to collection requirements / case studies from communities of practise in different countries / locations etc. </li></ul><ul><li>Work within Geant3 to investigate requirements for Identity Assurance Profiles across REFEDS federations. </li></ul><ul><li>Service Provider Profiles? </li></ul><ul><li>Risk assessment approach to assurance – agreed across REFEDS. </li></ul><ul><li>Things that are close to the 4 levels of assurance within NIST, but with some differences are common. Often looking at authentication first and foremost and not IAP. </li></ul>