
ad-assurance - Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call
  • Date: Fri, 04 Oct 2013 15:02:01 -0700

On Fri, 2013-10-04 at 21:19 +0000, Capehart,Jeffrey D wrote:
It seems many of us originally thought the encryption was supposed to protect the password store in case the server got hacked.  Do we need to explicitly state that is not the intent of this requirement?

Yes, I think so.  I would put it in our interpretation.

The physical security and other controls (patching, limiting access, etc.) are already required as good practice. And yes, while it would be ideal that a hacker can’t steal your password database because it is encrypted, the system has to be able to read it somehow. And if the system can read it, then a hacker who can compromise the system can probably figure out how to do that too. So, from a technology standpoint, it is probably impossible to encrypt the data so that a compromised machine won’t expose the passwords. Having terrific physical security would tend to make an IT person think that BitLocker is unnecessary and thus hard to convince to add it “just in case the server is lost/stolen”.

Exactly.  I suppose, in theory, that good enough physical security would be a compensation for weak storage encryption, but I'd need to see that argument put into practice before I'd agree to it.  It would be necessary, for example, for that physical security to follow the disk clear to its destruction, not just while it was in use.

That said, it does still seem like we are only requiring BitLocker to meet the “Approved Algorithm” portion. In essence, encrypting the whole disk just to make sure the passwords are encrypted with an approved algorithm. If Microsoft thinks syskey provides the same level of protection (or better) than BitLocker, maybe they could write up the alternative means statement. Somehow, though, I don’t think we will be reassured just because the algorithm is not published and therefore is “secure”.

Yeah, I don't think they could make that case successfully.  If they offer, we can let them propose something, but I wouldn't solicit it from them.

-Jeff C.

 

From: [mailto:] On Behalf Of David Walker
Sent: Friday, October 04, 2013 5:06 PM
To:
Subject: Re: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call


 

Good point.  I was just quoting Joe, but quiescence is really a non-issue.

David

On Fri, 2013-10-04 at 20:59 +0000, Michael W. Brogan wrote:

In the notes related to section 4.1.2 I think the threat being addressed is “theft of disks.” The disk encryption control we recommend is effective against theft of disks no matter if the system is quiescent or active. From what we’ve learned there are never decrypted copies of passwords on the disk.

 

--Michael

 

From: [] On Behalf Of David Walker
Sent: Friday, October 04, 2013 10:35 AM
To: InCommon AD Assurance Group
Subject: [AD-Assurance] Quick notes from the 10/4/2013 AD Assurance call



 

Everyone,

Quick notes from today's call at https://spaces.internet2.edu/x/wYGZAg .  Please correct my mistakes.

David




 





