Authentication

Password-based security is no longer enough for many kinds of sensitive data, with dual-factor authentication now a requirement under some legislation. In this session, you will find what some schools have been doing to address higher levels of authentication with multifactor devices that use PKI. The Aladdin eToken will be featured, demonstrating flexible deployment configurations (smartcard and USB form factors) on multiple operating systems, including the three most important to higher education: Linux (or some variant), Apple Mac (OS X and PowerPC chip sets), and Windows. We are specifically seeking schools to participate in a new user group to be formed around support of these eToken devices.

Do you already have a grid-computing deployment on campus? Or do you have researchers who need to access grid-computing resources from high-performance computing centers around the globe? In this session, you will find out how to configure your CA to issue International Grid Trust Federation (IGTF)-compliant certificates and join over a hundred CAs currently certified under approved IGTF profiles. Hear real-life experiences from SURAgrid, see bridge PKIs in action, and learn how to leverage your campus PKI infrastructure to facilitate access to worldwide grid-computing efforts.

Having PKI-authenticated applications is not enough. In this session, we will discuss how applications have been PKI enabled and how they have been accepted and used. You will hear from institutions that have implemented and maintain multiple applications that are PKI authenticated and are well accepted by their user community.

A level of assurance (LoA) refers to the degree of certainty that (1) a resource owner has that a person's physical self has been adequately verified before credentials are issued by a registration authority, and (2) a user indeed owns the credentials they are subsequently presenting to access the resource. The requirements for the level of certainty at both ends of that set of transactions should be driven by a risk assessment based on the value of the resources being protected. This session will describe the concept of LoA, discuss its importance, outline its technical components, and discuss the proposition that roles of the identity management and security staff are critical for a successful implementation of LoA.

Provisioning access is an IAM function, and deprovisioning that access is a security objective. How might these combined objectives be met with common process, and what sorts of access should be managed by it? Data, applications, networked services, and physical facilities all have particular provisioning and deprovisioning needs. Campus cards, for instance, mitigate risk only when the access information associated with them is current. When a card's rights get out of sync with its bearer's status, the card itself becomes a risk. Addressing this issue, given all the authorization and access points, can be a challenge unless they are tied into the enterprise identity management system.

Incident-response processes and tools are, by-and-large, designed to guide reaction to situations within an organization and are geared toward incidents involving local users and systems. With federated identity, we're now expanding this and entering into agreements and relationships that enable an extended community to access our services and our campus constituents to use off-site services in an authenticated and authorized fashion. In this new context, how do you respond when someone from a collaborating organization is hacking your systems? This session will discuss the challenges in the policy, practice, and technology of addressing incident response and mitigation in a federated world.

Unsure how all the parts of an identity management system fit together and would like to know more? This non-technical, preworkshop seminar offers a functional model of the campus infrastructure and provide attendees a chance to view it through the technology, policy, and business process lenses. Topics covered include technology model, lifecycle of identity, and policy frameworks and governance.

How can IAM be helpful in managing network intrusion and access? A researcher wants to show a national grid-enabled resource to her class, but can’t access it because she’s in a classroom and, by policy, unable to get through the firewall. She then clicks on her research icon, authenticates and, because of her researcher status, accesses the research van that is enabled to use the appropriate ports. Can coupling network capabilities and IAM replace the use of IP addresses as the criterion for access with identity, roles, and related attributes? Focusing in on wireless access specifically, can IAM can help correlate identity to an endpoint device by combining network registration and personal identification? This session will explore these questions and how one can identify the person behind the device or address.

The Institute of Museum and Library Services (IMLS) has awarded a 3-year grant for nearly a million dollars to a partnership between William Paterson University, Rutgers University Libraries and NJEDge.Net to develop and deploy a statewide academic video-on-demand repository. The digital video repository (Fedora Commons-based) will he housed in the core of the NJEDge network and will provide "lectures-on-demand", licensed commercial videos, and locally owned videos. A Video Commons collection will be publically available including history, lectures from notables, and video documenting research and scientific advances. NJVid is notable for providing a statewide video strategy to accommodate any type of organization-higher education, K12, public libraries, museums and archives. A substantial part of this project will provide the resources to develop a statewide Shibboleth-based Identity management infrastructure, supporting statewide network authentication and authorization that can be used for many content resources. This presentation will describe the open source architecture and middleware applications that are under development.