...
- Already implemented.
- Could implement with small amount of manpower.
- Could implement with significant manpower.
- Could implement with low-cost system changes.
- Could implement with high-cost system changes.
- Would not get approval to make this change (please explain why).
Online survey: http://goo.gl/forms/vprx6EpNSO
1.Identity/account concept
...
- Nick Roy: At Iowa, at one point, I had estimated about USD 2 million and 2,000 hours of staff time across pretty much all of IT to get rid of NTLMv2, and at the time, it would have broken things like printers and network-connected storage with no good replacement solution. Warren Curry got pretty far down the authentication remediation road and I think had to back out due to some of the issues above. I think U. Chicago is still working on achieving Silver, but with a second factor. To date, only Virginia Tech (Mary Dunker) has achieved Silver, and only because they already had multi-factor hardware cryptographic tokens deployed.
- Tom Barton: 1 year to get an auditor knowing about identity management
- InCommon Survey
- Is your institution interested in implemneting either Bronze or Silver? - half yes, half no
- Are you aware of any SPs that requrire Bronze or Silver? - only 1 yes
- Does your institution have any users that need access to SPs requirering Bronze or Silver? - only 2 yes
- Are their services your institution would like to use, but cannot because your IdP lacks a required assurance profile? - no
- In what circumstances would it be valuable to your organization to be able to self-assert that your operation meets either of these specifications? - looking towards future needs (mostly), ease of obtaining the assurance level, chicken and egg problem, general security audit reporting, with external SPs
- What specific components do you value the most? - identity vetting: almost all; credential process: half, authentication technology/strength: almost all, attribute assurance: half
- Are you aware of federated authentication contexts that require or that you think should require multi-factor authentication? - half yes, half no
- Interested into an InCommon Multi-Factor Authentication Assurance Profile? - mostly yes, others I don't know, 1 no
- Other assurance profiles? - mostly no, for R&S, trustmarks, NIST, research collaborations
- Thoughts? - difficulties to get decision makers on board, multi-factor is excellent start, very few auditors understand or are qualified to verify the requirements for InCommon Assurance, big trust issues to overcome, interoperability and intercomparisons with international federations