3.4. Develop your Direction
• Create your Matrix
• Consider Risk and Assign LoA
• Determine Gaps
• Develop your Direction and Roadmap
Having the information about your campus authentication service and future needs, you can now develop the detailed plan. In this stage, you will:
- Create a matrix of the populations of people you intend to serve (students, faculty, staff, contractors, alumni, etc.) and the services the stakeholders want to offer to them (email, library, learning management, online giving, and recruiting services, for example).
- Use this matrix to develop overall requirements for your processes and technology infrastructure by considering the risk, drivers, and related requirements.
- Compare these requirements with your inventory to determine the gaps and develop your own institutional or application Roadmap and target LoAs.
Depending on whether your project scope includes the entire authentication service or just authentication for a specific application, create a matrix of the populations of users that your campus intends to serve and the services the stakeholders want to offer to them. This will help you to analyze your risk factors and LoAs later. For example, offering a course to a distance education student who will never set foot on campus poses very different identity vetting implications than a student standing next to you, holding a state-issued driver's license. Having strong identification and registration processes that achieve a high LoA is far more difficult in the first case than in the second.
Unlike the inventory, which included information gleaned at a management level, this matrix helps you understand the specific implementation issues. To get a rough idea of how you can proceed, review two worksheet examples in the linked spreadsheet:
- Example 1: Web-based Self-service Password Change Application (XLS).
- Example 2: Web-based Banner Financial Application (XLS).
Use either one of the applications included in this spreadsheet as an example to walk through this part of developing your direction. At this point, for a chosen application determine:
- Broad populations in columns A, B, and C.
- Their current LoA in column D, as defined by the E-Authentication levels on page 7 of the Password Credential Assessment Profile for levels 1 and 2. (If you're using PKI, check out page 2 of the Certificate Credential Assessment Profile for levels 3 and 4 as well.)
This step can be as detailed or high-level as needed.
With your population and inventory data in hand, you should now work on determining the risk level for the applications and using that to develop the LoA for the credentials.
- Read and use the approach outlined in Section 2 of the Federal E-Authentication Guidance for Federal Agencies for a relatively lightweight risk assessment of applications. In this part of the process, you are taking the role of a service provider and determining the relative value of the information resource.
- Using the information from step 1, indicate the access (or application function in the spreadsheet) that each role would have and add that to column E. The spreadsheet uses the common CRUD (Create, Read, Update, and Delete) data manipulation functions to help classify the access rights.
- Determine the Application Risk Assessment Value (high, medium, or low in the case of the spreadsheet examples) and the corresponding minimum LoA of the credential required to access the application. Insert these two values into columns F and G respectively. Refer to the E-Authentication Guidance for Federal Agencies for information on mapping application risk level to required credential LoA.
- Column H then compares the required minimum LoA (from column G) with your current campus LoA by role (in column D) and determines whether you have an LoA gap. If you do, you may need to beef up the technology or processes to get the specific credentials up to the required LoA level.
For a more detailed risk assessment, refer to the Electronic Risk and Requirements Assessment. It is a database-driven tool available from the Federal E-Authentication Initiative and helps you assess your institution's applications and related authentication risks. The EDUCAUSE/Internet2 Computer and Network Security Task Force has a Risk Assessment Framework that may be of help as well.
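As an added worked example (not part of this guide or its linked spreadsheet), the following Python models columns D through H of the worksheet for a constructed set of rows and rolls the per-application minimum LoAs up into a target credential LoA for each population, which is how a campus ends up needing more than one LoA. The risk-to-LoA mapping in RISK_TO_MIN_LOA and the sample rows are assumptions for illustration; take the real mapping from the E-Authentication Guidance for Federal Agencies.

```python
from dataclasses import dataclass

# Assumed mapping from Application Risk Assessment Value (column F) to the
# minimum credential LoA (column G). Illustrative only; replace it with the
# mapping from the E-Authentication Guidance for Federal Agencies.
RISK_TO_MIN_LOA = {"low": 1, "medium": 2, "high": 3}


@dataclass
class MatrixRow:
    application: str   # the application being assessed
    population: str    # columns A-C, flattened to one label
    current_loa: int   # column D: LoA of the credential this population holds today
    access: str        # column E: CRUD rights, e.g. "RU"
    risk: str          # column F: high / medium / low

    def required_loa(self) -> int:
        """Column G: minimum credential LoA implied by the application's risk."""
        return RISK_TO_MIN_LOA[self.risk.lower()]

    def gap(self) -> int:
        """Column H: how many levels the current credential falls short (0 = no gap)."""
        return max(0, self.required_loa() - self.current_loa)


def target_loa_by_population(rows):
    """Across all assessed applications, the credential LoA a population needs
    is the highest minimum LoA of any application its members may access."""
    target = {}
    for r in rows:
        target[r.population] = max(target.get(r.population, 0), r.required_loa())
    return target


def gap_report(rows):
    """Rows with an LoA gap, largest gap first, then by application and population."""
    return sorted((r for r in rows if r.gap() > 0),
                  key=lambda r: (-r.gap(), r.application, r.population))


# Constructed sample matrix for two hypothetical applications.
SAMPLE_ROWS = [
    MatrixRow("Self-service password change", "Students", 1, "RU", "medium"),
    MatrixRow("Self-service password change", "Staff", 2, "RU", "medium"),
    MatrixRow("Financial application", "Staff", 2, "CRUD", "high"),
    MatrixRow("Financial application", "Contractors", 1, "R", "high"),
    MatrixRow("Financial application", "Students", 1, "R", "low"),
]

if __name__ == "__main__":
    for r in gap_report(SAMPLE_ROWS):
        print(f"{r.application}: {r.population} holds LoA {r.current_loa}, "
              f"needs LoA {r.required_loa()} (gap {r.gap()})")
    for pop, loa in sorted(target_loa_by_population(SAMPLE_ROWS).items()):
        print(f"{pop}: target credential LoA {loa}")
```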
Don't worry if you end up with more than one LoA for all your applications. More and more campuses are finding that they need more than one to ensure that the security rigor is appropriate for the wide range of applications they support.
Case Study (PDF) – University of Maryland, Baltimore County
Jack Suess discusses Levels of Assurance at the University of Maryland-Baltimore County.
You can now use your application's required LoA and accompanying credential strength requirements to determine what you need to do to address the gaps you may have identified in step 4 above.
To help you with this, the NIST Publication 800-63 Electronic Authentication Guideline discusses the specific components that affect LoA, how they differ across the levels, and what you need to implement to achieve each of the four Federal LoA levels. Levels 1 and 2 are password-based and 3 and 4 are PKI-based levels. For a summary of the requirements, refer to the Credential Assessment Suite:
- For levels 1 and 2 refer to the Password Credential Assessment Profile. Most campuses will start by working towards level 1, which includes guidance for assessing organizational maturity, authentication protocol, token strength, and status management. See page 7 of the Profile for a summary of requirements.
- For levels 3 and 4 refer to the Certificate Credential Assessment Profile. These are appropriate for higher-level security requirements.
- For a tool to help determine the password (and certificate) practices for all four levels, refer to the Entropy Spreadsheet.
Note: The E-Authentication Initiative provides an excellent body of work to help schools determine appropriate approaches, but keep in mind that this effort is still evolving. Campuses should track the Initiative's progress to ensure compliance once they decide to leverage their identity infrastructure to access Federal applications.
Case Study (DOC) – E-Authentication Credential Assessment for InCommon Federation Sampling of Three Universities
Three universities were assessed at assurance levels 1 and 2 using the E-Authentication Assessment Framework. The linked document is the gap analysis from those assessments.
Develop your Direction and Roadmap
One way to think about the result of this high-level planning activity is to develop a rough implementation sequence (or Roadmap) of the identified technology functions, processes, and policies. It can help to organize and communicate your plans for the authentication infrastructure and determine which of your upcoming projects you can leverage to make progress.
A Roadmap can also assist non-IT stakeholders to visualize the interplay of these components and the dependencies involved with the process of implementing any one of them. Take the gaps identified above and develop a rough implementation sequence. You can use this as your own institutional or applications Roadmap. For examples, see
- University of Wisconsin-Madison Roadmap - Graphical Example
- Cornell University - Written Example
- University of Texas System - Graphical Example (Click on How do we get there? and look for UT System Identity Management Roadmap.)
Once you have your own Roadmap in hand, continue to the overview of the Implement Change section and begin the implementation.
