Harvard University Information Technology’s Identity and Access Management (IAM) program registered the University identity provider (IdP) for certification with the InCommon Federation on Friday, Sept. 26, affirming that Harvard’s IAM practices adhere to nationally recognized security standards for identity management and authentication. InCommon, which serves more than 7.8 million users through federated identity management, has established two tiers of certification as a trust framework between identity providers (IdPs) and service providers (SPs) in academic and research disciplines. Harvard’s certification not only establishes the University’s status as a Bronze-level member, but also paves the way for achieving Silver status in the next fiscal year.
The InCommon Bronze and Silver identity assurance frameworks are based on National Institute of Standards and Technology Level of Assurance (LoA) standards. They establish standard levels of assurance for SPs concerned that users accessing their applications and services are who they say they are. Bronze certification is comparable to NIST LoA 1 standards, while Silver is equivalent to NIST LoA 2 — a security level, in InCommon’s words, “roughly appropriate for basic financial transactions.”
Harvard joins the vanguard for InCommon certification — as of August 2014, two higher-ed institutions have earned Bronze certification, and one of those has also reached Silver-level status. However, as identity assurance and attribute security continue to become vital issues for those offering academic-sector services, the value of certification is only expected to grow.
Identified as one of IAM’s top three goals for FY15, achieving InCommon Bronze certification started with a thorough gap analysis to determine which areas of Harvard’s existing assertion procedures needed to be improved — in the process confirming that, while some areas required changes, the University was close not only to Bronze certification, but also to Silver. In fact, the document submitted to InCommon supplies rationale for nearly every Silver requirement in addition to those required of Bronze, and Harvard expects to file for Silver certification in FY16.
Certifying with InCommon verifies to the Harvard Community that University IAM efforts meet nationally recognized external standards, but that’s just the start. In addition to contributing to HUIT’s Top 40 goal of providing provisioning and authentication support for the University, InCommon participation and certification addresses several of IAM’s key tenets — simplifying the user experience, enabling research and collaboration, and protecting University resources — by making good on IAM’s vision goals of providing secure, easy access to applications via solutions requiring fewer login credentials, enabling collaboration across and beyond Harvard.
“Qualifying for InCommon Bronze status, and being nearly ready to qualify for Silver status, provides assurance to the Harvard Community of the security of the University’s IAM systems,” says Scott Bradner, HUIT senior technology consultant. “In the future, it will also support the use of an increasing number of Internet resources using existing University login credentials.”
End users will benefit in several ways from Harvard’s participation as an InCommon federation member, and from the Bronze certification in particular. While membership in InCommon enables members of the Harvard Community to access a growing number of resources using their existing University credentials, certification keeps the lines to federated authentication open for an increasing number of organizations indicating that they will require such certification to access sensitive resources. Harvard’s move toward Silver certification will, in particular, address requirements that will be enforced by federal organizations such as the National Institutes of Health and various research services.
What’s more, HUIT benefits at an organizational level from certification, not only in reputational gain but also from the incremental benefits to University information security unlocked by certification-critical product and process improvements — including such advances as salting hashed passwords and, only when required, enforcing more frequent user password changes.
For more information on IAM’s work so far and progress toward InCommon Silver certification, contact Scott Bradner at 617.495.3864 or email@example.com. To learn more about the IAM program as a whole, including the full three-year program plan and updates on project and overall progress, please visit the IAM website at iam.harvard.edu.