Preliminary work

SURFnet

Doc (in Dutch)

  • Simple Sign On
    • How many systems/applications can be used with the account, authentication, identities in the organisation
  • Authorization
    • How many systems/applications can be authorized with the account, roles/groups, central or decentral, types of groups/roles, differentiate between identities
  • Identified source system
    • which/how many source systems are used, manual input with documentation, one leading system, add attributes/information for SP
  • Policies
    • for authorization, authentication, provisioning, standardisation, FIM, privacy; responsibilities for them; architecture; security policy; password policy; lifecycle for accounts; how often is FIM updated; how often are policies updated; are those policies in use; monitoring and updating policies
  • Processes and procedures
    • processes for new users, rules for username and email, verification of the identity, lifecycle, process how data is given to a third party, process to generate new passwords, how often is the data updated, reviews and reports, conclusions from reports and reviews
  • Suitable IdP System
    • standardised, which standard, availability, when available
  • Quality of data/identities
    • correctness, completeness, change management of data, verification of data with external databases/systems
  • Implementation of processes and procedures
    • clearly described, monitoring, ?, legal entity?
  • Security
    • awareness, audits, intrusion tests, classified, actions, data protection, logfiles

Haka

Excel file (in English)

  • Inventory of Authorized and Unauthorized Devices
    • responsibility for information asset, assets clearly identified and documented
  • Secure Configurations for Software on Workstations and Servers
    • documentation available for the IdP configuration, documentation available with commands for starting and stopping the IdP together with test procedures to verify that the service started correctly, database behind firewall, documentation for software configuration changes, use of unsecure protocols prevented, configuration assessment programs executed regularly
  • Boundary Defense & Secure Configurations for Network Devices
    • firewall rules defined to allow only traffic defined in configuration documentation, IdP in DMZ, internal and external zones, IDS, IPS, automated port scans executed regularly, management interfaces separated
  • Maintenance, Monitoring, and Analysis of Security Audit Logs
    • monitoring system + logs, automated alerting messages, reports, checks that no personal data is logged to avoid privacy issues, automation
  • Application Software Security
    • assertion lifetime, signature check of metadata, private keys readable only by the services the IdP needs, new key pair at least every three years, application firewall, anti-malware protection, help desk
  • Controlled Use of Administrative Privileges
    • remote root or admin logins forbidden, default passwords changed
  • Controlled Access Based on the Need to Know
    • description of IM of IdP, unique identities, verification, shared secrets, password policy, minimum password length, password complexity enforcement, password lifetime, passwords by secure channels, strong authentication
  • Continuous Vulnerability Assessment and Remediation
    • vulnerability scanning tools, critical updates, up-to-date metadata
  • Account Monitoring and Control
    • statistics on authentications, accounts disabled, statistics on SPs, regularity of statistics
  • Privacy
    • legal & contractual compliance, user acceptance, consent of end users, due notification of changes in the service in place, privacy policy of the service
  • Data Recovery & Incident Response Capability
    • backup copies, restore procedure tested, backups in secure location, incident response procedures, known what should be done in the case of a compromise of the certificate private key
  • Security Skills Assessment and Appropriate Training
    • procedure defined to educate the IdP administrators and trained staff

AAF Boost Reports

https://aaf.edu.au/wp-content/uploads/2015/04/AAF_example_org_report.pdf
aaf.edu.au/wp-content/uploads/2015/04/AAF_example_sum_report.pdf

  • Assurance: understand requirements, aware of identity proofing
  • Technical: attribute filtering, high availability configuration, deployment, responsibility for operation, monitoring, version of IdP software, version of Java JDK
  • User Interface: help desk, recover passwords, terms of use
  • Security: old versions, vulnerabilities, SHA1 in metadata, web server and server configuration, open ports
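Several of the Haka and AAF items above (signature check of metadata, up-to-date metadata, unsecure protocols prevented, "SHA1 in metadata") can be checked mechanically against an IdP's published SAML metadata. The script below is an added example, not part of this page or of any of the frameworks listed; the metadata document it checks is constructed for illustration and belongs to no real federation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# XML Signature algorithm URIs that rely on SHA-1
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2000/09/xmldsig#sha1"}

# Constructed sample IdP metadata (not from any real federation):
# signed with rsa-sha1, already expired, and advertising a plain-http SSO endpoint.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp" validUntil="2015-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(xml_text)
    # Metadata must carry a signature block at all (Haka: signature check of metadata).
    if root.find(DS + "Signature") is None:
        findings.append("metadata is not signed")
    # Metadata must not be past its validUntil (Haka: up-to-date metadata).
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("no validUntil attribute")
    elif datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) < now:
        findings.append("metadata expired on " + valid_until)
    for el in root.iter():
        # No SHA-1 signature or digest algorithms (AAF: "SHA1 in metadata").
        if el.get("Algorithm") in SHA1_ALGS:
            findings.append("SHA-1 algorithm in " + el.tag.split("}")[-1])
        # Every advertised endpoint must use TLS (Haka: unsecure protocols prevented).
        loc = el.get("Location")
        if loc and not loc.startswith("https://"):
            findings.append("non-TLS endpoint " + loc)
    return findings
```

The script only inspects the metadata document; verifying the signature itself and the age of the signing key pair needs the federation's trust anchor and the X.509 certificate, which are outside this example.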

ISO 27k

relevant: Annex A.9 of ISO 27001 and chapter 9 of ISO 27002

  • Business requirements of access control: Access control policy
  • User access management: registration, provisioning, review of users' rights, removal or adjustment of access rights
  • System and application access control: Password management system (password quality)
  • Secure log-on procedures

Draft 0.1

  • Identity/account concept: unique id, not reassigned, individual accounts, registration, proof of identity, processes for new users
  • Authentication and authorization: authentication itself, authorization (roles/groups), quality of data (correctness, completeness), change management for data, life cycle of an account and user rights, closing accounts, rules for passwords (and enforcement of quality)
  • Policies, processes and procedures: password policy, security policy, how often FIM updated, policies updated and monitored, privacy, access control policy
  • Security: awareness, audits, IDS/intrusion tests, data protection, logfiles, monitoring, reports, updates, availability, up-to-date metadata

from AARC:

  • Accounts belong to a known individual (i.e. no shared accounts)
  • Persistent identifiers (i.e. are not re-assigned)
  • Documented identity vetting (not necessarily F2F)
  • Password authN (with some good practices)
  • Departing user’s account closes/ePA changes promptly
  • Self-assessment (supported with specific guidelines)