Service Providers Over-Trusting Weak Identities: What To Do?
DATE and TIME: 2011-05-26 10:00 -- 11:00
CONVENER: Rodger Hendricks, University of Florida
SCRIBE: Rodger Hendricks, University of Florida
# of ATTENDEES: 6
MAIN ISSUES DISCUSSED
- People providing non-public services over the network can do so without any training or central registration.
- With Guest and Self-Asserted identities, authentication doesn't even imply identification.
- There are legitimate use cases for giving VPN access to weakly-identified people.
- The mechanism for creating "weak ID" is sometimes used for people about whom we actually know a great deal.
ACTIVITIES GOING FORWARD / NEXT STEPS
- Perform or complete a classification of confidential data at the institution.
- Where possible, require a risk assessment from any unit using authentication information.
- Where possible, gather information after the fact about sites using authentication information.
- Have a conversation about VPN and level of assurance at the institution, come to an understanding and publish it.
- Repeat for services other than VPN.
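The next steps above amount to one rule on the service-provider side: an authenticated principal is only allowed to reach data whose classification its identity source can support, and services nobody registered get no access decision at all. The following added example (not from the session or any institution's policy) sketches that check; the assurance tiers, classification levels, service registry and required-assurance table are all constructed for illustration.

```python
"""
Added example: a service-side access check that refuses to treat
"authenticated" as "identified". Every tier, classification and
service name below is a constructed placeholder, not a real policy.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """How much the institution actually knows about the account holder."""
    GUEST = 0          # anyone who asked for an account; no identity proofing
    SELF_ASSERTED = 1  # supplied a name and email; nothing was verified
    VETTED = 2         # identity proofed by a registrar or HR process


class Classification(IntEnum):
    """Outcome of the data-classification exercise, per resource."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# Constructed policy: the weakest identity tier that may touch each class of data.
REQUIRED_ASSURANCE = {
    Classification.PUBLIC: Assurance.GUEST,
    Classification.INTERNAL: Assurance.SELF_ASSERTED,
    Classification.CONFIDENTIAL: Assurance.VETTED,
}

# Constructed registry of services that completed a risk assessment.
# A VPN that only lands guests on an isolated segment can be opened to
# weak identities; a VPN into the admin network cannot. Anything absent
# from this table is an unregistered service and is denied (fail closed).
SERVICE_CLASSIFICATION = {
    "vpn-guest-segment": Classification.PUBLIC,
    "vpn-admin-network": Classification.CONFIDENTIAL,
    "student-records": Classification.CONFIDENTIAL,
    "campus-wiki": Classification.INTERNAL,
}


@dataclass(frozen=True)
class Principal:
    subject: str
    authenticated: bool   # credential check passed
    assurance: Assurance  # identity tier asserted by the identity provider


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, classification: Classification) -> Decision:
    """Allow only if the principal is authenticated AND its identity tier
    meets the minimum for this classification of data."""
    if not principal.authenticated:
        return Decision(False, "not authenticated")
    required = REQUIRED_ASSURANCE[classification]
    if principal.assurance < required:
        return Decision(
            False,
            f"assurance {principal.assurance.name} below required {required.name}",
        )
    return Decision(True, "ok")


def authorize_service(principal: Principal, service: str) -> Decision:
    """Look the service up in the registry; unregistered services are denied
    outright so that an unassessed service cannot consume authentication data."""
    classification = SERVICE_CLASSIFICATION.get(service)
    if classification is None:
        return Decision(False, f"service {service!r} is not registered")
    return authorize(principal, classification)


if __name__ == "__main__":
    guest = Principal("guest-42", authenticated=True, assurance=Assurance.GUEST)
    staff = Principal("jdoe", authenticated=True, assurance=Assurance.VETTED)
    for who, svc in [(guest, "vpn-guest-segment"), (guest, "vpn-admin-network"),
                     (staff, "student-records"), (staff, "shadow-it-box")]:
        d = authorize_service(who, svc)
        print(f"{who.subject:10} -> {svc:20} {'ALLOW' if d.allowed else 'DENY'}: {d.reason}")
```

The point of the `SERVICE_CLASSIFICATION` lookup is that it is the enforcement side of "require a risk assessment from any unit using authentication information": a service that never went through the assessment has no entry and therefore gets no authorization, regardless of how strong the presenting identity is.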