PKI Development Forum
Jim Lowe, Campus Information Security Officer
Brian Rust, Communications
April 17, 2008
Background
• PKI introduced to campus
• Part of a broader strategy
– Password policy
– Levels of Assurance (LOA)
How sure are we that you are who you say you are?
LOA Recommendations for Access to Personal Information (PI)
LOA-1: Doesn’t require access to PI
LOA-2: Access to your own PI
LOA-3: Access others’ PI
PKI Use Cases: the early days
• Email - digital signatures
• To encrypt emails
• Digitally signing mass emails
Information as an Asset: What is restricted information?
895.507 Notice of unauthorized acquisition of personal information. […]
(b) “Personal information” means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
1. The individual’s social security number.
2. The individual’s driver’s license number or state identification number.
3. The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account.
4. The individual’s deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
5. The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
[…]
(2) NOTICE REQUIRED. (a) […] an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information.
• Restricted data is PII & PHI
Recent use cases
• Registrar’s Privacy and Security Group
– To reduce, and where possible eliminate, risk in the receiving, storing, dissemination, and disposal of sensitive data
– To cultivate awareness of privacy and security in our individual units, our departments, the division, the campus, and anyone with whom we have contact
• Emails with restricted info
PKI Use Cases: the crystal ball
• Link with new campus ID card
• Secure VPN access
• Desktop/laptop encryption
Getting started
• Me first
• Why should they care?
– Have to
– Want to
• Free samples
• Work from the top and the middle
Marketing strategies
• Web: doit.wisc.edu, search: pki
• Email
• Presentations and demos
• Newsletter article …
• Postcard …
Lessons learned
• Involve management
• Customer service
• Process and procedures
• Plan marketing before rollout
Usability
• Slow to adopt
• Requires training and awareness
• Certs expire requiring technical support
• Integrate with existing ID mgt.
• Integration with applications
– PeopleSoft
– Card Space
– Higgins
– Other…
Our questions
• How have you made PKI more usable in your environment (any tricks of the trade)?
• Have you established training and docs that you would be willing to share with others?
• What has been the driving factor in your PKI implementations?
• What applications do you use with PKI?