
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT


  • From: David Walker <>
  • To: "Rank, Mark" <>
  • Cc: "" <>, DHW <>
  • Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT
  • Date: Mon, 01 Apr 2013 12:59:04 -0700
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=pass (signature verified)

Thanks, Mark.

Regarding your soapbox, it was always my assumption that we would provide AD-specific guidance for complying with my proposed alternative means.  I completely agree with your idea of "marketing" assurance profiles as generally-accepted security practice.

Also related to the soapbox, Ann and I had a side discussion of whether an Alternative Means statement this general is a good idea.  She reminded me that the Alternative Means process expects statements that are fairly specific to referenced sections of the IAP.  With that in mind, I'll be redrafting the proposal to be more specific to AD and the IAP section(s) that are involved.  I'll also make the more general arguments as background, though, so that they can be reused in future Alternative Means proposals.

David

On Mon, 2013-04-01 at 18:18 +0000, Rank, Mark wrote:
David:


I support dropping policy and education for the reasons you outline. I feel it would be very helpful to note something specific for AD. 


<soapbox>
In my interaction with some InfoSec officers at smaller campuses, they are looking for something to point to, to give them a defensible reason to move security forward on a campus against competing priorities. While I realize we need to keep things agnostic, and that use of OpenLDAP or OpenDJ as a verifier would have the same problem as AD, given the prevalence of AD-DS as a direct verifier my feeling is that we could set up a virtuous cycle for adoption of the assurance profiles locally as "generally accepted security practice" if we provide some positive guidance for AD-DS.
</soapbox>


Sorry for the rant... I am better now.


Mark
   

--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)
email:
phn:414-331-1476
--------------------------------------------------

From: David Walker []
Sent: Monday, April 01, 2013 9:58 AM
To: Rank, Mark
Cc:
Subject: Re: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT



Eric, Mark, et al,

Some thoughts:

  • In thinking about how to address Eric's comment about the kinds of non-compliance we would allow here, it occurred to me that maybe we don't really care too much, as long as it's corrected quickly.  It had also occurred to me that I hadn't said anything about how quickly non-compliant behavior had to be detected, so I changed the "72 hours after detection" requirement to just "72 hours."
  • Mark had some good comments to clarify what we mean by policy and education, but I realized that there are already expectations that the IdPO has policy and education for its community members, so I dropped those.

So, I've changed the statement on https://spaces.internet2.edu/x/zoE_Ag to say "When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring through technical means, it is acceptable to comply through the use of a monitoring and mitigation program that detects non-compliant behavior and revokes the Subject's eligibility for affected profiles within 72 hours."

What do you think?  Would it help to add something more specific about AD to the discussion?  I was avoiding pointing fingers, but it might help with understanding of what we're trying to do.

David

On Mon, 2013-04-01 at 15:31 +0000, Rank, Mark wrote:
David et al.:


Just word smithing a bit...


Instead of...


"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, it is acceptable to comply through the use of policy, education, and monitoring for non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."


how about...


"When compliance with some requirement in the IAP depends on a Subject's behavior, and it is not practical to prevent that behavior from occurring, valid compensating controls may be considered. Proposed valid compensating controls would be an acceptable use policy that includes a recurring education component and a monitoring program to detect and report non-compliant behavior.  The IdPO shall revoke the Subject's eligibility for affected profiles within 72 hours after detecting non-compliant behavior."


Regards,
Mark


--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)
email:
phn:414-331-1476
--------------------------------------------------


From: [] on behalf of David Walker []
Sent: Friday, March 29, 2013 11:15 AM
To:
Cc: DHW
Subject: [AD-Assurance] Proposed Alternative Means for End-User Use of Non-Compliant Technologies - DRAFT



Everyone,

I've drafted a proposed alternative means to address the general case of non-compliance due to end-user use of non-compliant technology (e.g., something that uses unencrypted LDAP against AD):

https://spaces.internet2.edu/x/zoE_Ag

Comments welcome.

David
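The draft alternative means above rests on a "monitoring and mitigation program" for the case David names at the start of the thread, a client doing unencrypted LDAP against AD. The script below is an added example of what that program's detection and revocation steps can look like on a domain controller; it is not code from this list, from InCommon/Internet2, or from any campus. It assumes that the NTDS diagnostics value "16 LDAP Interface Events" has been raised to 2 on each DC (at the default level a DC only writes the daily 2887 summary, whereas level 2 writes one 2889 event per offending bind, naming the client IP, the identity and whether the bind was an unsigned SASL bind or a simple bind over cleartext), that the RSAT ActiveDirectory module is installed, and that eligibility for the profile is represented by membership in a group; the group name `Assurance-Profile-Eligible` is a hypothetical placeholder.

```powershell
<#
Added example for this thread, not code from the list or from InCommon/Internet2.
Assumptions:
  - "16 LDAP Interface Events" under
    HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is 2 on each DC, so every
    unsigned SASL bind or cleartext simple bind writes event 2889 to the Directory Service log.
  - The ActiveDirectory module is available where this runs.
  - $EligibilityGroup is a hypothetical group whose membership gates the assurance profile.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [int]$LookbackHours = 72,
    [string]$EligibilityGroup = 'Assurance-Profile-Eligible',   # hypothetical name
    [switch]$Revoke
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Collect event 2889 from every DC. Binding Type 0 = SASL bind without signing,
#    Binding Type 1 = simple bind on a non-TLS connection (the "unencrypted LDAP" case).
$events = foreach ($dc in $DomainController) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = $since
    }
}

# 2. The details are only in the message text, so parse the three labelled fields.
$findings = foreach ($e in $events) {
    $msg = $e.Message
    $ip       = if ($msg -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { $null }
    $identity = if ($msg -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    $bindType = if ($msg -match 'Binding Type:\s*(\d)') { [int]$Matches[1] } else { $null }
    if ($identity) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            DC       = $e.MachineName
            Identity = $identity
            ClientIP = $ip
            BindType = $bindType
        }
    }
}

# 3. One row per Subject; the 72-hour clock in the draft starts at the first observation.
$report = $findings | Group-Object Identity | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Identity  = $_.Name
        Count     = $_.Count
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        ClientIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join ','
        Cleartext = [bool]($_.Group | Where-Object BindType -eq 1)
        RevokeBy  = $sorted[0].Time.AddHours(72)
    }
}
$report | Sort-Object FirstSeen | Format-Table -AutoSize

# 4. Mitigation: remove the Subject from the eligibility group. The logged identity may be
#    DOMAIN\sam, a UPN, or (for simple binds) a DN, so resolve it before removing.
if ($Revoke) {
    Import-Module ActiveDirectory
    foreach ($row in $report) {
        $id = $row.Identity
        $user = if ($id -like '*\*')   { Get-ADUser -Identity ($id.Split('\')[-1]) -ErrorAction SilentlyContinue }
                elseif ($id -like '*=*') { Get-ADUser -Identity $id -ErrorAction SilentlyContinue }
                elseif ($id -like '*@*') { Get-ADUser -Filter "userPrincipalName -eq '$id'" }
                else                     { Get-ADUser -Identity $id -ErrorAction SilentlyContinue }
        if (-not $user) { Write-Warning "Could not resolve '$id'"; continue }
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $EligibilityGroup")) {
            Remove-ADGroupMember -Identity $EligibilityGroup -Members $user -Confirm:$false
        }
    }
}
```

Run it without `-Revoke` from a scheduled task on a cadence well inside the 72-hour window so that the RevokeBy column is never already in the past when someone looks at it; `-Revoke -WhatIf` shows which accounts would be removed. Two caveats a campus should weigh before relying on this as a compensating control: the "technical means" that the draft says may be impractical is the LDAP server signing requirement on the DCs, which rejects unsigned SASL binds and cleartext simple binds outright and makes the monitoring unnecessary wherever it can be enabled; and 2889 is only written while diagnostics are raised, so the diagnostics setting itself needs to be monitored, or a quiet log will look like compliance.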





