
...

Action items (columns: Action item, identifying section and sub-section; Who (Univ. unit); Type (documentation, infrastructure, procedure, Token Administration System); Effort (Major, moderate, minor, complete))

4.2.2.3 Registration Records – The record of the facts of registration needs to be modified to include the issuer of the identity document. A driver's license is currently recorded, but the issuer (state or country of issuance) is not captured.
  Who: SETI SIES, SNS, Software Dist.
  Type: TAS or procedure
  Effort: Minor if the issuer is entered in the existing comment field by the TAS operator; moderate if TAS is modified to enforce entry of the issuer. Resolution: change TAS to provide all acceptable document types in pulldown menus and to require entry of the issuer.

4.2.2.4 Identity Proofing – Details about payroll and departmental procedures and documentation are unknown, so we do not know whether changes will be required to meet the IAP. If graduate students who are not employees remain eligible for Silver LoA PDCs, we will need to review the initial identity proofing procedures for them.
  Who: Meet with representatives from Payroll and HR to determine procedures.
  Type: Documentation, procedure
  Effort: Minor if documentation exists and procedures do not need to change. Resolution: documentation exists for payroll, HR and I-9 hiring procedures. No changes to procedures required.

4.2.2.4.1 Existing relationship – TAS should record the person's eligible affiliation(s) at the time the certificate was issued.
  Who: SETI SIES
  Type: TAS
  Effort: Minor

4.2.2.4.2 In-Person proofing – Determine whether any changes are needed based on the conversations addressing 4.2.2.4. Item 3 under 4.2.2.4.2 is N/A. We will require that addresses match. Update October 27, 2011 – since the only government-issued photo ID that contains an address seems to be the driver's license, we will ensure we have a process for address confirmation according to one of the options in 4.2.2.5.
  Who: Project leads; SETI SIES if TAS changes are needed.
  Type: Documentation, procedure, TAS, Enterprise Directory
  Effort: Moderate

4.2.2.5 Address of record confirmation – Address confirmation needs to be added to the TAS registration process.
  Who: SETI Middleware, SIES; IMS; TAS RAAs
  Type: ED, IMS SMS-to-phone web app
  Effort: Moderate

Management Assertion

...

Virginia Tech asserts that identity proofing in this IAP is based on a government-issued ID and that information verified at the time of employment is used to create a record for the Subject in Virginia Tech's Identity Management System.

Evidence of Compliance

...

The Token Administration System is documented in a TAS User Guide, to which the auditors were given access. Requirements for RA administrators, who access TAS using a Silver-level eToken, are documented in the Virginia Tech User CA Certification Practice Statement. Since we based the registration on an existing relationship with the university, we consulted with HR, payroll, and the Bursar's office, and then provided the auditors with documentation of the procedures used to verify a person's identity during the hiring process. The auditor observed the TAS registration procedures by obtaining a Virginia Tech eToken from the RA Administrators in the Student Network Services office.

...

Action items (columns: Action item, identifying section and sub-section; Who (Univ. unit); Type (documentation, infrastructure, procedure, Token Administration System); Effort (Major, moderate, minor, complete))

4.2.3 Credential Technology – This section does not apply to multifactor credentials. Documentation will be produced to show how Virginia Tech's credential technology meets or exceeds IAP requirements. Where guidance is needed, we will refer to NIST 800-63.
  Who: IMS, SETI
  Type: Documentation
  Effort: Moderate

...

Management Assertion

...

The Virginia Tech User Certification Authority issues an X.509 personal digital certificate (PDC) onto a SafeNet 64K USB eToken Pro device. The eToken is activated using a password. Authentication is performed by TLS client-certificate authentication (client SSL), in which the Subject proves possession of the private key held on the token. This is not a typical "Shared Authentication Secret" form of Identity Credential, but the institution asserts that this multi-factor credential meets or exceeds the requirements of the IAP. Additional guidance is provided in NIST 800-63.

...

Evidence of Compliance

...

See Sample Management Assertions under multi-factor Example 2 at the CIC Multi-factor Working Group page.

...

Action items (columns: Action item, identifying section and sub-section; Who (Univ. unit); Type (documentation, infrastructure, procedure, Token Administration System); Effort (Major, moderate, minor, complete))

4.2.4.2 Credential revocation or expiration – Item #1 specifies that the IdPO shall revoke Credentials or Tokens within 72 hours of being notified that a credential is invalid or compromised. We must document this in the CPS and publish and enforce procedures.
  Who: SIES for draft language, PMA for approval
  Type: Documentation, procedure
  Effort: Minor

4.2.4.4 Credential issuance records retention – The IdPO shall retain records of credential issuance and revocation for a minimum of 180 days beyond expiration of the credential. The VT User CPS states that the VTCA retains audit logs for 1 year.
  Who: PMA, SIES
  Type: Documentation, infrastructure, TAS
  Effort: Minor

...

Management Assertion

...

The authentication Credential is bound to the physical Subject and to the IdMS record pertaining to the Subject. 

...

Evidence of Compliance

...

The authentication credential is bound to the Subject during credential issuance according to procedures that are described in the Virginia Tech User Certification Authority CPS. These procedures are carried out by the RA and CA Administrators, who use TAS to register the Subjects and issue certificates onto eTokens. The process requires the RAA to verify the person's identity in person, comparing information from the required government-issued photo IDs with information in the IdMS and comparing the photo with the physical appearance of the Subject. Unique attributes associated with the Subject in the IdMS are included in the X.509 certificate. Revocation requests are taken by the Help Desk and by the offices that issue eTokens. The revoked certificate serial numbers are included in the CRL, which is published at least once every 24 hours. Certificates are issued for a period of two years, and upon expiration or revocation the Subject must appear in person to receive a new public-private key pair and certificate, using the same procedures as for initial personal digital certificate issuance on the eToken. The TAS audit logs (records of issuance and revocation) and archives are retained for three years. Auditors confirmed compliance by observing the credential issuance process.
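Two of the numbers in that paragraph, a two-year certificate lifetime and a CRL published at least once every 24 hours, are the kind of statement an auditor or a relying party can verify mechanically rather than by reading the CPS. The Go program below is an added example, not Virginia Tech's or EJBCA's code: using only the standard library it stands up a throwaway CA, issues a two-year client-authentication certificate whose subject fields stand in for the IdMS attributes, revokes it, publishes a CRL with a 24-hour window, and then checks the certificate lifetime, the CRL signature, the CRL window and staleness, and the revocation status. The CA name, subject attributes, e-mail address and serial numbers are all constructed for the example.

```go
// Added example, not Virginia Tech's code: a toy CA, a two-year client certificate, a 24-hour CRL,
// and Check* functions for the policy values quoted in the text. All names and values are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const MaxCertLifetime, MaxCRLInterval = 2 * 365 * 24 * time.Hour, 24 * time.Hour // two-year certs; CRL at least every 24h

// sign generates a P-256 key and certifies it from tmpl, signed by parent (self-signed when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so the generated SubjectKeyId is populated
	return cert, key, err
}

// newCA builds a self-signed issuing CA (hypothetical DN); CreateRevocationList requires KeyUsageCRLSign.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example User CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueUserCert issues a client-auth certificate; its subject fields stand in for IdMS attributes (constructed values).
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, lifetime time.Duration) (*x509.Certificate, error) {
	now := time.Now()
	cert, _, err := sign(&x509.Certificate{ // the Subject's private key is discarded here; on the real system it lives on the eToken
		SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(lifetime),
		Subject:      pkix.Name{CommonName: "Jane Doe", Organization: []string{"Example University"}},
		EmailAddresses: []string{"jdoe@example.edu"},
		KeyUsage:       x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert, err
}

// publishCRL signs a CRL listing the revoked serials, valid for the given publication window.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate, window time.Duration) (*x509.RevocationList, error) {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(window), RevokedCertificates: revoked}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckLifetime enforces the two-year maximum on an issued certificate.
func CheckLifetime(cert *x509.Certificate, max time.Duration) error {
	if life := cert.NotAfter.Sub(cert.NotBefore); life > max {
		return fmt.Errorf("validity period %v exceeds policy maximum %v", life, max)
	}
	return nil
}

// CheckCRL verifies the CA's signature, that the publication window is within policy, and that the CRL is not stale as of now.
func CheckCRL(crl *x509.RevocationList, ca *x509.Certificate, maxInterval time.Duration, now time.Time) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	// nextUpdate is optional in RFC 5280; a CRL without one cannot be judged fresh, so treat it as a violation too
	if win := crl.NextUpdate.Sub(crl.ThisUpdate); crl.NextUpdate.IsZero() || win > maxInterval {
		return fmt.Errorf("CRL window %v exceeds policy maximum %v (or nextUpdate absent)", win, maxInterval)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale: nextUpdate %s has passed", crl.NextUpdate.Format(time.RFC3339))
	}
	return nil
}

// IsRevoked reports whether serial is listed on the CRL.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	ca, caKey, _ := newCA()
	user, _ := issueUserCert(ca, caKey, 1001, MaxCertLifetime)
	crl, _ := publishCRL(ca, caKey, []pkix.RevokedCertificate{{SerialNumber: user.SerialNumber, RevocationTime: time.Now()}}, MaxCRLInterval)
	fmt.Println(CheckLifetime(user, MaxCertLifetime), CheckCRL(crl, ca, MaxCRLInterval, time.Now()), IsRevoked(crl, user.SerialNumber))
}
```

The Check functions return nil when the policy value is met and an error naming the violation otherwise, so the same code can run against a CRL downloaded from a real distribution point once it is parsed with x509.ParseRevocationList. The staleness check is the relying-party side of the 24-hour statement: a CRL whose nextUpdate has passed should be treated as missing, not as evidence that nothing has been revoked.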

...

Gap Analysis

No gaps were identified.

...

Management Assertion

...

Virginia Tech's IdP authentication implementation allows the Subject to interact with the IdP in a manner that proves he or she is the holder of a Credential, thus enabling the subsequent issuance of Assertions. 

...

Evidence of Compliance

...

CAS is the authentication handler for Virginia Tech's Shibboleth implementation. CAS contains functionality to resist replay attacks. SSL provides secure communication and resistance to eavesdropping attacks. Proof of possession is provided by the requirement that the user hold a hardware eToken whose private key can only be unlocked with a password known only to the Subject. The CAS protocol specification requires entropy in session IDs and cryptographic techniques to ensure that sessions are at least as resistant to attack as the initial authentication. The risk of sharing credentials is mitigated by the requirement that the Subject use two-factor authentication. The Subject is required to read and digitally sign the eToken Usage Agreement, committing to comply with it, before the device is given to the Subject.

...

Gap Analysis

No gaps were identified.

...

Management Assertion

...

Subject Records are managed appropriately so that Assertions issued by the IdP are valid. IdPO management practices are summarized below.

...

Evidence of Compliance

...

Subject records exist in the Enterprise Directory and in the Virginia Tech Certificate Authority's (VTCA) Public Key Infrastructure (PKI). The Enterprise Directory is managed in accordance with policies and procedures developed by the Identity Management Services (IMS) office within Information Technology. The VTCA PKI is managed in accordance with the policies and procedures for the Virginia Tech User CA described in the User CPS. The VTCA is governed by the Virginia Tech PKI PMA. Subject records from the Enterprise Directory are used for eligibility and identity proofing during registration to enroll for a Virginia Tech PDC on an eToken. Some of the attributes in the PDC are retrieved from the Subject's Person record in the Enterprise Directory, thus linking the Subject records in the Enterprise Directory with those in the VTCA PKI.

...

No gaps were identified.

...

Management Assertion

...

Processes are in place at Virginia Tech to ensure that information about a Subject's identity conveyed in an Assertion of identity to an SP is from an authoritative source. 

...

Evidence of Compliance

...

The Identity Attributes on the eToken PDC are based on information retrieved from the VT Enterprise Directory. These attributes are:

...

No gaps were identified. 

...

Management Assertion

...

Virginia Tech's IdMS Operations are managed to resist various potential threats such as unauthorized intrusions and service disruptions that might result in false Assertions of Identity or other erroneous communications. 

...

Evidence of Compliance

...

The Virginia Tech User CA Certification Practice Statement describes controls for the VTCA software (EJBCA), its maintenance, and its security in sections 6.6.1 and 6.6.2. Section 6.7 specifies that network security controls must be implemented to protect against known network attacks. Controls include up-to-date patching of operating system and application software, appropriate network boundary controls, turning off unused network ports and services, and restricting installed software to that which is required to operate the CA. Login access to EJBCA and TAS requires the use of an eToken issued at the Silver level. Audit logs and archives are maintained, with access to those logs restricted. Separation of duties for PKI roles is required and enforced through database roles, and secured channels are used for all network communication.

...