e-Infrastructure Security: Levels of Assurance
The introduction of a distributed authentication and authorisation environment (e.g. using Shibboleth) creates a new requirement for mechanisms that support feedback on the confidence level of the authentication process. Some resources may be considered more valuable or sensitive than others and thus require greater levels of assurance (LoA) that the person or process attempting to gain access is really who or what they purport to be. Standard mechanisms need to be defined and agreed to enable this information to be exchanged securely and with confidence in a wide variety of environments.
Executive Summary
The e-Infrastructure Security: Levels of Assurance project (ES-LoA) has investigated current definitions of LoA emerging in the UK at a government level, as well as internationally. It has also surveyed potential users of LoA technology, both identity providers (such as universities and colleges) who have to register people to permit access to services, and service providers (including commercial and JISC-funded services).
Methodology
The work included:
- desktop research on current LoA activities
- consultation with key stakeholders in the wider community
- two surveys; one brief and one full. The Brief Survey was designed for commercial publishers and other service suppliers to test awareness of a federated approach to access control and basic LoA concepts. The Full Survey was a more in-depth investigation aimed at identity providers (IdPs), service providers (SPs) and the grid community
- the ES-LoA project also collaborated with JISC’s Identity Project, which kindly included LoA questions in its widely circulated survey.
Results
The project found that the US Government (OMB – Office of Management and Budget; NIST – National Institute of Standards and Technology) has produced the most detailed and widely accepted approach to LoA, based on a four level model, and a critical mass of institutions adopting this approach has been established. It has created an inter-federation interoperability partnership with the US InCommon HE federation. InCommon is also piloting an inter-federation project with the US National Institutes of Health (NIH) using LoA access controls.
The suppliers’ Brief Survey found a surprisingly high level of awareness of both federated access management systems and LoA concepts. Respondents suggested a number of scenarios where LoA mechanisms could be usefully employed including financial transactions, sensitive content, account maintenance, pre-publication access and society membership privileges.
The Full Survey found that 70% of the service providers think that more valuable/sensitive resources should be protected by a stronger form of user identification/authentication. Almost all the respondents (92%) are willing to respect national or international standards on e-authentication, with the great majority (80%) wanting medium to high levels of federation governance.
In terms of user registration, identity vetting and record keeping, 67% of IdPs do not satisfy even minimum record keeping requirements for NIST level 2. In terms of criteria for password selection, periods of validity and the number of unsuccessful attempts allowed, none of the respondents could satisfy even the minimal requirements for NIST level 1.
The questions included in the Identity Project’s survey revealed that there was a perceived need for “graded authentication” (i.e. LoA), although there was a lack of confidence in their ability to implement it.
Recommendations
The report makes 7 recommendations, including drafting a set of definitions for the UK academic community compatible with emerging international standards based on the OMB/NIST model.
The final recommendation is the creation of a demonstrator covering a small number of differing use cases as the most effective way to widen understanding and show how the concepts might work in practice. This would highlight issues related to the real-life deployment of fine-grained access control.