InCommon Assurance Active Directory for Silver Cookbook
Conference Call Notes – October 26th, 2011

Silver/AD Cookbook available at: InCommon Silver with Active Directory Cookbook - DRAFT

Note Taker: Susan Neitsch (Texas A&M)

Participants: (I did not catch everyone's name - please send updates/corrections to: nicholas hyphen roy at uiowa dot edu)
Russell Yount (Carnegie Mellon); Harry Nicholas (North Carolina State); Mark Rank, Dave Jaskie, Shane Stimac, Jim Kavanaugh (UW Milwaukee); Nick Roy (U Iowa); Mark Hove (Minnesota); Ron Thielen (U Chicago); Harry ? (Univ. British Columbia); Warren Curry (Florida); Andy ? (LSU); Susan Neitsch, Xavier Chapa, Zac Sanders, Trez Jones, Matt Pierce, Jason Zylks (Texas A&M); Brian Arkills (U Washington); Ken Rowe (Illinois); Larry Gilreath (Microsoft), Joseph Streeter (UW Madison)

Action Items:
- Russell will draft a taxonomy for common words in the IAP and share it with the assurance list. Anyone with words they would like included should post them to the list.
- Warren Curry will draft paragraph addressing when AD is in scope for Silver IAP compliance for inclusion in the cookbook.
- Ken will work with Warren to incorporate an explanation of the focus of the AD cookbook (Getting AD to work, not addressing systems that may interact with AD.) into the paragraph.
- Will contact TAC to get details on the meaning of 'industry standard' algorithms.
- Post topics for the next conference call on the assurance list.
- Nick will talk to Ann West, Brian Arkills and Larry Gilreath about opportunities to present the work.
- Nick will talk to Ann West about getting the cookbook "blessed" by the TAC.
- Nick will get Russell Yount added to edit permissions on the wiki.

Discussion:
Review changes to cookbook. Brian Arkills summarized the changes he made to the AD cookbook. In particular, his changes addressed the issues identified in the first conference call. (The wiki tracks changes, so anyone wanting particulars can click the 'view change' link at the top of the cookbook to navigate through all the changes made.)

Does 4.2.4.4 imply the following AD lifecycle: revocation event -> AD user is disabled -> 180 days pass -> AD user may be deleted (if desired)? Or is some other records retention process sufficient?
4.2.4.4 seems to focus more on records retention than on technology, specifically retaining logs of registration events and revocation events. Retaining locked accounts is one way to meet this.
Nothing says we have to delete records from AD. 4.2.4.4 pertains to logging of credential events, not actual credential management. The auditor will evaluate the deprovisioning process for compliance with Silver.
What does 'revocation' mean? Delete? Disable? Russell suggested developing a taxonomy for words in the IAP that are ambiguous. The Identity Assurance Assessment Framework document does define terms (Appendix C), but it is not exhaustive.

There are two situations involving AD. One where it is the Credential Store used by the IdP and another where federated access is not going through AD, but it still is in scope of the IAP because it stores Silver credentials. Warren suggested adding a paragraph to the intro of the cookbook to emphasize this.

Is ADFS outside the scope of this document? How about Shibboleth pointed at AD? If they aren't outside the scope, then we probably need to add some content specific to them.
Short answer is yes, these are outside the scope of the AD cookbook. Ann West is working on other cookbooks for other components/systems and on an education/training program. Things that are outside the scope of the AD cookbook will be covered in these other documents. Someone does need to make sure the different cookbooks align in their recommendations, for example so that the AD recommendations do not contradict the Shibboleth recommendations. Will add a paragraph to the cookbook explaining that the focus of the document is just getting AD to work.

The 1.0 IAP was much more specific about the type of cryptography: it required NIST-approved cryptographic algorithms. The 1.1 IAP calls for 'industry standard' algorithms.
What does 'industry standard' mean? Could ask for feedback on this from the InCommon TAC. Defining 'industry standard' is outside the scope of the AD cookbook. 'Industry standard' was intentionally added to the IAP to be less specific, allowing AD to be acceptable.

Ken will work with Warren on paragraph to articulate that the cookbook does not address systems integrating with AD.

Might be some Windows specific stuff on 4.2.5.6: Mitigate risk of sharing credentials
In an AD environment there are services that need credentials. These services are commonly managed by multiple people, so the service credential is typically a shared credential.
To pass audits you have to have processes/procedures for trusted staff, controls in place for privileged accounts.
Univ Washington: When we issue a service (shared) account, owners/administrators are tracked so that when one of them loses employee status, the IdMS prompts the remaining account owners to change the password. Not an AD-specific practice, but some AD-specific things could be said about this.
This falls under general operational best practices, not just AD. This does not need to be addressed in the AD cookbook.

Next steps: Help from others- people willing to contribute?
Looking for volunteers to edit the wiki, testing.
- Harry (NC State) will be sharing document with AD gurus and get feedback which he will share with assurance list.
- Warren (Florida) put out a memo to the university; he will distribute it to the assurance list if it can be classified as an external document.
Lessons learned will be valuable. Share experiences, specific mitigation strategies on assurance list.

Next steps: Timeline for completion/Getting the word out - ideas?
The cookbook is far enough along to be passed on/let people look at/get feedback.
Finish cookbook so it can be presented at Spring I2 meeting or Windows High Ed conference.
Need to remove 'DRAFT' designation before auditing begins.
Nick will take cookbook to InCommon TAC through Ann for their feedback/stamp of approval.
Send suggestions for meetings to present AD cookbook to assurance list or directly to Nick Roy.

November conference call may collide with Thanksgiving. If so, Nick will send out a Doodle poll to reschedule Nov conf call.
