CIC InCommon Silver Certification
DATE and TIME: 26 May 2011 1330 MDT
CONVENER: Jim Green @ MSU
SCRIBE: Gary Schwartz @ RPI
# of ATTENDEES: ~20
MAIN ISSUES DISCUSSED
InCommon Silver Certification
No one certified silver yet
Bronze = LOA1, Silver LOA2
Compatible with NIST 800-63
CIC = Big Ten (12) + U Chicago = 13, + Va Tech & UWash ~15
CIC Identity Management TF: CIC-wide goal = all Silver by Fall 2011
Motivation
  Strong contacts within InCommon
  Anticipate Federal government requirements - get ahead, not find themselves behind
  Provide feedback to InCommon
Silver certification has a lot of use cases
Penn St leading some part of CIC effort
Project plan had phases with gap analysis; overall plan scrapped but goals remain
Q: When will NIH, NSF, etc require Silver?
A: NIH will require Silver for federated access this year; CILogon now requires LOA1
CIC feedback to InCommon
  Original spec was overspecified
  Auditors felt original spec was too difficult to audit
  InCommon absorbed feedback and came up with more acceptable v2, including streamlined documentation requirements
MSU involved internal auditors in their process
  Work = 10% tech, 90% business processes, policies, etc
  MSU has 3-person team which includes auditor
  did gap analysis of tech and the business processes
  biggest problem was lack of documentation, including that for conforming practices
  did small, internal "dry runs" of audit
CIC working groups
  documentation
  AD
  2-factor
  Kerberos
  registration authority processes
  try to share work across all of CIC
MSU did their own mini-audit, including processes walkthrough with their internal auditors
CIC may practice vet/audit each other
UC system may do something similar - UC now has their own "UC Trust Basic"
Not a lot of interest to date in Bronze certification, which is not identical to InCommon Basic (which has no spec)
Scope of certification
  Some institutions including all employees in certification
  Others just some employees
  At least one including all employees and students
Some CIC believe they will not achieve Silver level this fall
Jim's notes put together over lunch and used for the talk:
1. scribe volunteer
2. others to talk briefly
3. what do folks want to hear about
CIC
  fall 2009
  joined by U Wash and Va Tech
  led by Renee Shuey of Penn State
  work subgroups - Documentation, Active Directory, Two-factor auth, Kerberos (inactive), RA processes (inactive)
Identity Assurance Profiles
  technical, business, audit
  technical
    strength of authentication
    authn context
    SAML2 only
    IAQ assertion
  business
    policy
    practices/processes
    documentation
  audit
    management assertions
    audit report
IAP revised
  auditor involvement in CIC
  documentation burden reduced
MSU ID office
  special process
  not going with 2-factor -> down the road
  management assertions - one per factor - simplistic model - just points to where compliance with Silver is documented for that factor
  mini-audit - dry run - section 4.2.2 only. Discovered a problem with encryption for one of our enterprise systems
action items: ways to get involved
ACTIVITIES GOING FORWARD / NEXT STEPS
InCommon to
- develop a list of campuses implementing InC IAPs
- create a mailing list of folks implementing InC IAPs who wish to share ideas
- announce when a campus becomes Silver (or Bronze) compliant on the InC Participants list
- create an implementation wiki to include case studies and community-driven implementation FAQ
If slides are used in the session, please ask presenters to convert their slides to PDF and email them to SteveO@internet2.edu
Thank you!