
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
  • Date: Mon, 01 Apr 2013 12:51:25 -0700
  • Authentication-results: sfpop-ironport02.merit.edu; dkim=pass (signature verified)

Thanks, Jeff; I've made the wording changes.  See my next note, though, about the advisability of a very general Alternative Means statement, as I've proposed.

I agree with you about password change requirements.  Do you see a specific AD-related issue here, or is it more a comment on the credential compromise section of the IAP that I referenced?

David

On Mon, 2013-04-01 at 17:31 +0000, Capehart,Jeffrey D wrote:
Additional word-smithing suggestions:

"When compliance with a specific requirement in the IAP depends on a Subject's behavior, and preventing that behavior from occurring is not practical, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

On the monitoring program, an automated monitoring & revocation would certainly be preferable to manual monitoring, but perhaps a mix of automated monitoring and manual revocation (by any one member of a team of more than one) might be ok too.

One aspect that does not appear to be addressed is that if the credential is to be considered compromised (maybe the attacker now knows your password), then there does not appear to be a remediation that includes requiring the user to change their password.  Making the user change their password every time it is potentially exposed would be a good motivator to make them try to figure out a way to resolve it so that they can be recertified.

If the user is re-certified without requiring a password change, then is the additional risk truly mitigated?

In consideration of the AM proposal against the AM guidelines/requirements,

1. Cites which specific components are being addressed?  NO

2. The reason for proposal (intent)?  YES

3. Which risks are exposed here and how mitigated?  NO (vague risks – non-protection of passwords, non-compliance with IAP)

4. Specific text for IdPO management?  SOME

5. Includes documentation?  NO – but may be specific to a particular implementation method

Jeff


From: [mailto:] On Behalf Of David Walker
Sent: Monday, April 01, 2013 12:59 PM
To: Rank, Mark
Cc:
Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT

Eric, Mark, et al,

Some thoughts:

  • In thinking about how to address Eric's comment about the kinds of non-compliance we would allow here, it occurred to me that maybe we don't really care too much, as long as it's corrected quickly.  It had also occurred to me that I hadn't said anything about how quickly non-compliant behavior had to be detected, so I changed the "72 hours after detection" requirement to just "72 hours."
  • Mark had some good comments to clarify what we mean by policy and education, but I realized that there are already expectations that the IdPO has policy and education for its community members, so I dropped those.

So, I've changed the statement on https://spaces.internet2.edu/x/zoE_Ag to say "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring through technical means, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

What do you think?  Would it help to add something more specific about AD to the discussion?  I was avoiding pointing fingers, but it might help with understanding of what we're trying to do.

David

On Mon, 2013-04-01 at 15:31 +0000, Rank, Mark wrote:

David et al.:

Just wordsmithing a bit...

Instead of...

"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."

how about...

"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."

Regards,

Mark

--------------------------------------------------

Mark Rank
Project Manager - Identity & Access Mgt

UCSF Information Technology Services (ITS)
email:

phn:414-331-1476

--------------------------------------------------


From: [] on behalf of David Walker []
Sent: Friday, March 29, 2013 11:15 AM
To:
Cc: DHW
Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


Everyone,

I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):

https://spaces.internet2.edu/x/zoE_Ag


Comments welcome.

David
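As an added illustration (not code from the thread or from the InCommon draft) of the "monitoring and mitigation program" the proposed alternative means describes: the detection rule flags simple LDAP binds over an unencrypted connection (the AD case the original draft mentions), and each offending Subject gets a revocation deadline of first detection plus 72 hours. The bind log format and the Subject names are constructed for the example and are not real Active Directory output.

```python
from datetime import datetime, timedelta, timezone

# The proposed alternative means: revoke eligibility within 72 hours of detection.
REVOCATION_WINDOW = timedelta(hours=72)

# Constructed sample bind log (not real AD output). Fields:
# timestamp  subject  bind-type (simple|sasl)  transport (ldap|ldaps)
SAMPLE_BIND_LOG = """\
2013-04-01T08:02:11Z alice simple ldaps
2013-04-01T08:05:40Z bob   simple ldap
2013-04-01T09:17:03Z carol sasl   ldap
2013-04-02T14:30:22Z bob   simple ldap
2013-04-03T10:00:00Z dave  simple ldap
"""

def parse_ts(s):
    """Parse the log's UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_bind_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, bind, transport = line.split()
        events.append({"ts": parse_ts(ts), "subject": subject,
                       "bind": bind, "transport": transport})
    return events

def is_non_compliant(ev):
    # A simple (password) bind over plain ldap sends the password in the clear,
    # which is the end-user behaviour the alternative means is meant to catch.
    return ev["bind"] == "simple" and ev["transport"] == "ldap"

def revocation_schedule(events):
    """Map each offending Subject to first detection and the 72-hour deadline (ISO strings)."""
    first = {}
    for ev in events:
        if is_non_compliant(ev) and (ev["subject"] not in first or ev["ts"] < first[ev["subject"]]):
            first[ev["subject"]] = ev["ts"]
    return {s: {"detected": t.isoformat(), "deadline": (t + REVOCATION_WINDOW).isoformat()}
            for s, t in first.items()}

def overdue(schedule, revoked, now_iso):
    """Subjects past their deadline and still not revoked: the program has missed its window."""
    now = parse_ts(now_iso)
    return sorted(s for s, e in schedule.items()
                  if s not in revoked and now >= datetime.fromisoformat(e["deadline"]))
```

Run over the sample, bob is first detected at 08:05:40 on 1 April and must be revoked by the same time on 4 April; the overdue check is the audit that the IdPO actually met the 72-hour commitment.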
