Service Providers Over-Trusting Weak Identities:  What To Do?

DATE and TIME: 2011-05-26 10:00 -- 11:00

CONVENER:  Rodger Hendricks, University of Florida

SCRIBE:  Rodger Hendricks, University of Florida

# of ATTENDEES:  6

MAIN ISSUES DISCUSSED

- People providing non-public services over the network can do so without any training or central registration.

- With Guest and Self-Asserted identities, authentication doesn't even imply identification.

- There are legitimate use cases for giving VPN access to weakly-identified people.

- The mechanism for creating "weak ID" is sometimes used for people about whom we actually know a great deal.

ACTIVITIES GOING FORWARD / NEXT STEPS

- Perform or complete a classification of confidential data at the institution.

- Where possible, require a risk assessment from any unit using authentication information.

- Where possible, gather information after the fact about sites using authentication information.

- Have a conversation about VPN and level of assurance at the institution, come to an understanding, and publish it.

- Repeat for services other than VPN.
