
ad-assurance - Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

List archive

Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


  • From: David Walker <>
  • To: "Rank, Mark" <>
  • Cc: "" <>
  • Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
  • Date: Mon, 01 Apr 2013 09:58:34 -0700
  • Authentication-results: sfpop-ironport07.merit.edu; dkim=pass (signature verified)

Eric, Mark, et al,

Some thoughts:

  • In thinking about how to address Eric's comment about the kinds of non-compliance we would allow here, it occurred to me that maybe we don't really care too much, as long as it's corrected quickly.  It had also occurred to me that I hadn't said anything about how quickly non-compliant behavior had to be detected, so I changed the "72 hours after detection" requirement to just "72 hours."
  • Mark had some good comments to clarify what we mean by policy and education, but I realized that there are already expectations that the IdPO has policy and education for its community members, so I dropped those.

So, I've changed the statement on https://spaces.internet2.edu/x/zoE_Ag to say "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring through technical means, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

What do you think?  Would it help to add something more specific about AD to the discussion?  I was avoiding pointing fingers, but it might help with understanding of what we're trying to do.

David

On Mon, 2013-04-01 at 15:31 +0000, Rank, Mark wrote:
David et al.:


Just word smithing a bit...


Instead of...


"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."


how about...


"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."


Regards,
Mark


--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)
email:
phn:414-331-1476
--------------------------------------------------

From: [] on behalf of David Walker []
Sent: Friday, March 29, 2013 11:15 AM
To:
Cc: DHW
Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT



Everyone,

I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):

https://spaces.internet2.edu/x/zoE_Ag

Comments welcome.

David
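The thread's example of non-compliant technology is a client doing unencrypted LDAP against AD, and the proposed alternative means relies on a monitoring program that detects such behavior and triggers revocation within 72 hours. The following is an added example, not code from the thread or from any InCommon or Internet2 project, of the detection-and-tracking half of such a program. It assumes that the domain controllers have the NTDS diagnostic "16 LDAP Interface Events" raised to 2, so that each simple bind over clear-text LDAP (Binding Type 0) or SASL bind without signing (Binding Type 1) is written to the Directory Service log as event 2889, and that those event messages have been exported (for instance with Get-WinEvent) as (timestamp, message) pairs. The sample events below are constructed for the example; the identity and address values in them are not real.

```python
"""Offline analysis of AD "Directory Service" event 2889 records.

Added example. Assumptions (not stated in the original thread): DCs log
event 2889 per unsigned/clear-text bind, and the event text has already
been exported to (timestamp, message) records.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The draft alternative means requires revocation within 72 hours.
REVOCATION_WINDOW = timedelta(hours=72)

# "Binding Type" values as they appear in event 2889.
BINDING_TYPES = {
    "0": "simple bind over clear-text LDAP",
    "1": "SASL bind without signing",
}

_IP_RE = re.compile(r"Client IP address:\s*([^\s]+)")
_ID_RE = re.compile(r"Identity the client attempted to authenticate as:\s*([^\r\n]+)")
_TYPE_RE = re.compile(r"Binding Type:\s*(\d)")


def parse_2889(timestamp, message):
    """Extract identity, client address and bind kind from one 2889 message.

    Returns None for text that is not a well-formed 2889 message, so callers
    skip it instead of guessing.
    """
    ip = _IP_RE.search(message)
    ident = _ID_RE.search(message)
    btype = _TYPE_RE.search(message)
    if not (ip and ident and btype):
        return None
    return {
        "time": timestamp,
        "identity": ident.group(1).strip(),
        "client": ip.group(1),
        "kind": BINDING_TYPES.get(btype.group(1), "unknown binding type " + btype.group(1)),
    }


def summarize(records, now):
    """Group parsed events by identity; compute the revocation deadline per identity."""
    by_identity = defaultdict(list)
    for ts, msg in records:
        ev = parse_2889(ts, msg)
        if ev:
            by_identity[ev["identity"]].append(ev)
    report = {}
    for identity, evs in by_identity.items():
        first = min(e["time"] for e in evs)
        deadline = first + REVOCATION_WINDOW
        report[identity] = {
            "count": len(evs),
            # Strip the ephemeral source port; the host is what gets remediated.
            "clients": sorted({e["client"].rsplit(":", 1)[0] for e in evs}),
            "kinds": sorted({e["kind"] for e in evs}),
            "first_seen": first,
            "revoke_by": deadline,
            "overdue": now > deadline,
        }
    return report


# Message body in the layout DCs use for event 2889 (values filled in below).
_MSG = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
    "Client IP address:\n{ip}\n"
    "Identity the client attempted to authenticate as:\n{who}\n"
    "Binding Type:\n{bt}\n"
)

# Constructed sample input for the example; not real log data.
SAMPLE_EVENTS = [
    (datetime(2013, 3, 29, 10, 5, tzinfo=timezone.utc),
     _MSG.format(ip="10.1.2.3:51234", who="EXAMPLE\\alice", bt="0")),
    (datetime(2013, 3, 29, 10, 7, tzinfo=timezone.utc),
     _MSG.format(ip="10.1.2.3:51240", who="EXAMPLE\\alice", bt="0")),
    (datetime(2013, 3, 31, 8, 0, tzinfo=timezone.utc),
     _MSG.format(ip="10.9.9.9:40001", who="EXAMPLE\\svc-backup", bt="1")),
    (datetime(2013, 3, 31, 9, 0, tzinfo=timezone.utc), "unrelated event text"),
]


def demo(now=datetime(2013, 4, 1, 17, 0, tzinfo=timezone.utc)):
    """Run the summary over the constructed sample at a fixed 'now'."""
    return summarize(SAMPLE_EVENTS, now)


if __name__ == "__main__":
    for who, info in demo().items():
        status = "OVERDUE" if info["overdue"] else "within window"
        print(f"{who}: {info['count']} bind(s) from {info['clients']} "
              f"({', '.join(info['kinds'])}); revoke by {info['revoke_by'].isoformat()} [{status}]")
```

The deadline is computed from the first detected bind rather than from the moment someone reads the report, which matches the revised wording ("within 72 hours" rather than "72 hours after detection"): a monitoring gap does not extend the window. Event 2889 is per-bind and can be noisy on a busy DC; the 24-hourly 2887 summary is useful as a sanity check that the per-client events are being collected at all.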



