Getting to Silver: Practical Matters for CIC Universities
Tom Barton
University of Chicago
© 2009 The University of Chicago
Committee on Institutional Cooperation
The CIC: 12 large midwestern US research universities
1. University of Chicago
2. University of Illinois
3. Indiana University
4. University of Iowa
5. University of Michigan
6. Michigan State University
7. University of Minnesota
8. Northwestern University
9. Ohio State University
10. Pennsylvania State University
11. Purdue University
12. University of Wisconsin-Madison
InCommon Silver
- Comparable to NIST LoA2
  - Based on OMB M-04-04 and NIST SP 800-63
- Covers all aspects of the IdM operation
- Two audits required
  - Every 2 years: confirm that operation follows documented policy & procedure
  - One time: assess documented policy & procedure for Silver compliance
- InCommon keeps the letter from the Silver compliance auditor and publishes the fact of that IdP's compliance
The CIC and InCommon Silver
- CIC CIOs decided in August 2009 that all CIC schools should be Silver certified by Fall 2011
- Why?
  - Sustain adoption of fundamentally sound campus business practices and technologies in Identity Management
  - Expand inter-institutional collaboration
  - Support emergent trends, relationships, needs on the national identity scene and elevate prominence of CIC in those dimensions
- Project leads: Renee Shuey & me
Which campus people need Silver assurance?
[Chart: applications plotted by timeframe (sooner to later) against user group size (smaller to larger). Items shown: CIC CourseShare, Payroll, Benefits, CIC storage cloud, Student Loans, OSG, CILogon, NSC, Nat'l Labs, NIH apps, TeraGrid, caBIG.]
Pieces of Silver
- Piece A: Documentation of policies and procedures and standard operating practices
- Piece B: Strength of authentication and shared secrets
- Piece C: Registering identity subjects and issuing credentials to them
Documentation of policies and procedures and standard operating practices

Requirements                                   Issues or risks
Comprehensive IdM policies and procedures      No one really knows; unclear who gets to decide; weak documentation practice
Formal authority                               Lack of clear governance
Criminal background checks for IdM staff       New mandate for Human Resources Department
Biennial (every 2 years) audit                 Scheduling & funding
Strength of authentication and shared secrets

Requirements                                   Issues or risks
Password complexity & lifetime                 Resistance to change
Account lock-out                               Resistance to change
Passwords stored appropriately                 How campus portal handles passwords
Passwords only in secure channels              Remaining legacy systems
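Three of the four requirements in this piece (complexity & lifetime, lock-out, appropriate storage) are enforced in the IdP's credential-handling code rather than in a policy document. The block below is an added illustration written for this page, not code from the slides or from any CIC campus; the thresholds (12 characters, 3 character classes, 365-day lifetime, 5 failed attempts, 200,000 PBKDF2 iterations) are assumptions chosen for the example and are not InCommon Silver's actual numbers. The fourth requirement, passwords only in secure channels, is a transport property (TLS on every path that carries the password) and is not shown here.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Illustrative policy parameters: assumptions for this example,
# not the values required by InCommon Silver or NIST SP 800-63.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_AGE_DAYS = 365
LOCKOUT_THRESHOLD = 5
PBKDF2_ITERATIONS = 200_000


@dataclass
class Credential:
    """What the IdP stores: a per-user salt and a slow hash, never the password."""
    salt: bytes
    digest: bytes
    set_at_day: int      # day number when the password was set (constructed clock)
    failures: int = 0    # consecutive failed attempts since last success
    locked: bool = False


def check_complexity(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    present = sum(bool(re.search(c, password)) for c in classes)
    if present < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def set_password(password: str, today: int) -> Credential:
    """Enforce complexity, then store a salted PBKDF2-HMAC-SHA256 digest."""
    problems = check_complexity(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return Credential(salt=salt, digest=digest, set_at_day=today)


def verify(cred: Credential, password: str, today: int) -> str:
    """Return 'ok', 'bad', 'locked' or 'expired'; updates the lock-out counter."""
    if cred.locked:
        return "locked"              # refuse before doing any work on a locked account
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ITERATIONS)
    if not hmac.compare_digest(candidate, cred.digest):   # constant-time comparison
        cred.failures += 1
        if cred.failures >= LOCKOUT_THRESHOLD:
            cred.locked = True
            return "locked"
        return "bad"
    cred.failures = 0                 # a success resets the lock-out counter
    if today - cred.set_at_day > MAX_AGE_DAYS:
        return "expired"             # correct, but past its lifetime: force a change
    return "ok"


if __name__ == "__main__":
    cred = set_password("Correct-Horse-Battery-9", today=100)
    print(verify(cred, "Correct-Horse-Battery-9", today=200))
    print(verify(cred, "wrong guess", today=200))
```

The "resistance to change" noted against the first two rows is usually about these parameters: a campus that has never had an expiry or a lock-out will feel both as a help-desk load, so the thresholds are worth agreeing with the help desk before they are set. The portal issue in the third row is the case where some front end receives the cleartext password and stores or forwards it itself; the pattern above only holds if the portal hands the password straight to this kind of verifier and keeps no copy.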
Registering identity subjects and issuing credentials to them

Requirements                                   Issues or risks
n/a                                            Which user groups are in scope for the campus Silver project?
Identity vetting & registration                Change existing process for on-boarding students or staff, OR implement a new IV&R process
Store breeder document numbers                 Increase exposure of Personally Identifiable Information
Credential issuance process                    Change online credential issuance process; new link with existing business processes
The view from Fall 2011
- Energize collaborative efforts across the CIC
- CIC campuses provide best possible support for scientific and scholarly collaboration
- CIC campuses poised to take full advantage of cloud/shared services
- For a large university, achieving Silver compliance can boost confidence on campus too