Blog from July, 2012

SafeNet and Internet2 to Secure Digital Identities for Universities

SafeNet, Inc., a global leader in data protection, and Internet2®, the world’s most advanced networking consortium, today announced they have entered into an agreement to offer SafeNet smart cards and PKI hard tokens for cryptographic storage of PKI credentials.

As part of its multifactor authentication program, Internet2’s InCommon will offer SafeNet’s smart cards and PKI tokens to participating higher education organizations. These devices provide researchers, faculty, students and staff with secure, cryptographic storage of the client certificates that they may use to access campus-based and online resources secured with PKI, as well as allowing for S/MIME digital email signatures and email encryption.

SafeNet will serve as one of the preferred vendors of security technology, providing InCommon participants with two-factor authentication devices that enable highly secure, certificate-based access to online and local network resources. Use of hard tokens or smart cards can be helpful if users are working on a shared machine in a campus computer lab or want to use the same cryptographic credentials on multiple devices, such as on a desktop at work and a laptop at home.

InCommon serves the U.S. education and research communities, supporting a common framework of trust, including the U.S. identity management trust federation for research and education, a community-driven Certificate Service, an Assurance Program for higher levels of trust, and a multifactor authentication program.

The more than 400 InCommon participants include colleges, universities, research organizations, U.S. government agencies, and their sponsored partners.

Executive Comments

“In today’s increasingly mobile environment, more students and researchers are accessing IT services and institutional information from a variety of devices and locations. At the same time, universities are under the gun to make certain that security is strong. Second-factor solutions are a proven approach to protecting the security of individual and university information,” said Jack Suess, chief information officer and vice president for information technology at the University of Maryland, Baltimore County, and chair of the InCommon Steering Committee. “Our partnership with SafeNet provides the education community a proven multifactor authentication solution.”

“As we continue to see an exponential growth of digital data assets, ensuring secure access becomes increasingly critical for security,” said Chen Arbel, Director of Business Development at SafeNet. “It is essential to make certain that users are who they say they are and that they can only access what they have been authorized to access. We believe two-factor authentication, backed by PKI as the root of trust, is the best way to secure these digital assets. We are pleased to offer this program in conjunction with InCommon to help protect their participants’ digital assets, whether they reside in the enterprise or are accessed remotely.”

Additional Resources:

• InCommon SafeNet Partnership: http://www.incommon.org/safenet
• SafeNet Recognized as an Authentication Leader in Gartner Magic Quadrant: http://www.safenet-inc.com/news/2012/safenet-recognized-as-an-authentication-leader-in-magic-quadrant/
• Securing PKI: http://www.safenet-inc.com/Solutions/Industry_Solutions_for/Secure_PKI/
• InCommon & SafeNet Partnership FAQ: https://spaces.at.internet2.edu/display/InCCollaborate/SafeNet+FAQ
• SafeNet’s Strong Authentication: http://www.safenet-inc.com/products/data-protection/multi-factor-authentication/

About Internet2:
Internet2® is a member-owned advanced technology community founded by the nation's leading higher education institutions in 1996. Internet2 provides a collaborative environment for U.S. research and education organizations to solve common technology challenges, and to develop innovative solutions in support of their educational, research, and community service missions. For more information, visit http://www.internet2.edu.

About InCommon:
InCommon®, operated by Internet2®, serves the U.S. education and research communities, supporting a common framework of trust services, including the U.S. identity management trust federation for research and education, a community-driven Certificate Service, an Assurance Program providing higher levels of trust, and a multifactor authentication program. The InCommon Federation enables scalable, trusted collaborations among its community of participants. The Certificate Service offers unlimited certificates to the U.S. higher education community for one fixed annual fee. InCommon has more than 400 participants, including higher education institutions and research organizations, and their sponsored partners. For more information, see www.internet2.edu and www.incommon.org.

About SafeNet:
Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet’s data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.

Is OAuth2 In Your Future?

Whether it becomes a protocol or a framework, OAuth2 certainly deserves another look. In fact, I revisit the nascent worlds of OAuth2 and OpenID Connect often, regularly testing the waters and gauging the current state-of-the-art. At this point, AFAICT there’s really nothing to latch on to unless you’re a bleeding edge developer, researcher, or technology pundit.

People whose opinion I respect predict OAuth2 and friends have a very positive future indeed. Personally I think it’s too early to tell, but from the perspective of a federation operator, are there use cases that would benefit from OAuth2 now?

We are faced with at least one burning use case at the moment: a low- to moderate-value federated webapp with very modest attribute requirements. This use case requires near 100% penetration yet should have near-zero boarding requirements; that is, the required Level of Assurance (LoA) is minimal, while the barriers to interoperability should be as close to zero as possible.

Relatively speaking, this is a very old use case. It has remained unsolved for so long, it now threatens to unravel the federated approach by marginalizing the hard won successes realized over years of deployment. Thus the opportunity for a young framework (like OAuth2) to step in and make significant inroads is very real. This is of course the way it should be, a kind of survival of the fittest. So let the user beware: OAuth2 may be in your future sooner than you think!

Let me outline the use case in slightly more detail so we know what we’re up against. A typical federated Service Provider (SP) has the following requirements:

  • Roughly LoA-1, that is, a basic level of assurance with optional identity (if there is a claim of positive identity, the Identity Provider (IdP) should assert it)
  • Globally unique, persistent, non-reassigned identifier
  • One or more so-called personal identifiers (e-mail address, person name, and/or human-readable principal name)
  • A discovery interface with an 80% success rate (minimum)
  • No manual IdP boarding requirements

Expanding on the latter pair of requirements: Assume at least 80% of the users that visit the SP are presented with a discovery interface that includes one of their preferred IdPs, and moreover, the IdP selected by the user meets the assurance and attribute requirements without further human interaction. Remember, this must result in a positive user experience at least 80% of the time!

Today of course we are far from meeting the needs of this use case. SPs either manually board IdPs one-by-one, leading to a relatively small group of trusted IdPs, or SPs present the user with a broad selection of IdPs, few of which meet the designated assurance and attribute requirements. In either case, the SP realizes roughly a 20% success rate (at best). Not good.

Solutions anyone? Do OAuth2 and friends play a role here?

IAM Online – Wednesday, August 8, 2012
3 pm ET / 2 pm CT / 1 pm MT / Noon PT
www.incommon.org/iamonline

Demystifying Privilege and Access Management – Strategies for Local, Federated and Cloud Environments

As IT portfolios expand with a plethora of applications and services both old and new, so do the challenges of providing an efficient, effective, and scalable privilege and access management practice.
The MACE Privilege and Access Management Working Group has developed a series of recommendations for principles, methods and techniques that you can apply to a broad spectrum of applications – locally operated, federation aware, and cloud-based. Join us to learn about these recommendations and how you can assess scalable privilege and access management practices for your applications.

Speaker: Chris Phillips, Technical Architect, Canadian Access Federation (CANARIE)

Host and Moderator: Tom Barton, Senior Director of Architecture, Integration, and CISO, University of Chicago

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

About IAM Online

IAM Online is a monthly online education series including essentials of federated identity management, hot topics from the EDUCAUSE Identity and Access Management Working Group, and emerging topics in IAM. Experts provide overviews, answer questions and lead discussions. IAM Online is brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.

The July 2012 issue of InCommon Update is now available, with information about the next IAM Online, a new InCommon affiliate, new Research & Scholarship category service providers, and more.

FileSender is the latest addition to the InCommon Research & Scholarship category. This service, an NSF research project operated by Internet2, allows researchers at participating institutions to temporarily store a file of up to 1TB in size and notify recipients of the method for retrieval. It is designed to work around the attachment size limits imposed by most e-mail systems. FileSender is available to InCommon participants (higher education or research organizations only) that operate an identity provider that releases the eduPersonPrincipalName and e-mail attributes.

Service providers (SPs) eligible for the R&S category support research and scholarship activities such as virtual organizations and campus-based collaboration services. Participating identity providers (IdPs) agree to release a minimal set of attributes to R&S SPs (name, email address, user identifier, and affiliation). This can be done with a one-time modification to the IdP’s default attribute release policy, which applies to the entire R&S category. This provides a simpler and more scalable approach for IdPs than negotiating attribute release individually with every service provider.

See the InCommon wiki for complete information about the R&S Category. A complete list of R&S services is available via the Federation Info web pages.

The Future Of Federated Identity: Or, Whither SAML?

IAM Online - Thursday, July 19, 2012
1 pm ET / Noon CT / 11 am MT / 10 am PT
www.incommon.org/iamonline

Join the next IAM Online (special day and time) for a session with Eve Maler, an expert on emerging identity and security at Forrester Research.

Session Abstract: The Security Assertion Markup Language (SAML) has been king of the federated identity hill for a decade, but there are mountains of use cases it doesn't answer well: mobile SSO, agile partnering, social sign-in, the long tail of SaaS services, and more. What are the stress points? What has rushed in to fill the gap? Eve will take a look at the past, present, and future of SAML and its cousins in the world of loosely coupled identity.

Eve Maler is a principal analyst at Forrester Research and is an expert on emerging identity and security solutions, identity federation, consumer-facing identity and web access management, distributed authorization, privacy enhancement, and web services security. She previously was an identity solutions architect with PayPal, and managed Sun Microsystems' technical collaborations with Microsoft on web services and federated identity interoperability. She made major leadership, technical, and education contributions to the development of the SAML standard for federated identity.

Speaker

Eve Maler, Principal Analyst serving security and risk professionals at Forrester Research

Host and Moderator

Tom Barton, Senior Director of Architecture, Integration, and CISO, University of Chicago
