PKI Development Forum

1
PKI Development Forum

• Jim Lowe, Campus Information Security Officer
• Brian Rust, Communications
• April 17, 2008

2
Background

• PKI introduced to campus
• Part of a broader strategy
• Password policy
• Levels of Assurance (LOA)
• How sure are we that you are who you say you are?

3
LOA Recommendations for Access to Personal
Information (PI)

• LOA-1 Doesnt require access to PI
• LOA-2 Access to your own PI
• LOA-3 Access others PI

4
PKI Use Cases the early days

• Email - digital signatures
• To encrypt emails
• Digitally signing mass emails

5
Information is as an Asset What is restricted
information?

• 895.507 Notice of unauthorized acquisition of
  personal information.
• (b) Personal information means an individuals
  last name and the individuals first name or
  first initial, in combination with and linked to
  any of the following elements, if the element is
  not publicly available information and is not
  encrypted, redacted, or altered in a manner that
  renders the element unreadable
• 1. The individuals social security number.
• 2. The individuals drivers license number or
  state identification number.
• 3. The number of the individuals financial
  account number, including a credit or debit card
  account number, or any security code, access
  code, or password that wou ld permit access to
  the individuals financial account.
• 4. The individuals deoxyribonucleic acid
  profile, as defined in s. 939.74 (2d) (a).
• 5. The individuals unique biometric data,
  including fingerprint, voice print, retina or
  iris image, or any other unique physical
  representation.
• (2) NOTICE REQUIRED. (a) an entity that
  maintains or licenses personal information in
  this state knows that personal information in the
  entitys possession has been acquired by a person
  whom the entity has not authorized to acquire the
  personal information, the entity shall make
  reasonable efforts to notify each subject of the
  personal information.

• Restricted data is PII PHI

6
Recent use cases

• Registrars Privacy and Security Group
• To reduce, and where possible eliminate, risk in
  the receiving, storing, dissemination, and
  disposal of sensitive data
• To cultivate awareness of privacy and security in
  our individual units, our departments, the
  division, the campus, and anyone with whom we
  have contact
• Emails with restricted info

7
PKI Use Cases the crystal ball

• Link with new campus ID card
• Secure VPN access
• Desktop/laptop encryption

8
Getting started

• Me first
• Why should they care?
• Have to
• Want to
• Free samples
• Work from the top and the middle

9
Marketing strategies

• Web doit.wisc.edu, search pki
• Email
• Presentations and demos
• Newsletter article
• Postcard

10
(No Transcript)
11
(No Transcript)
12
Lessons learned

• Involve management
• Customer service
• Process and procedures
• Plan marketing before rollout

13
Usability

• Slow to adopt
• Requires training and awareness
• Certs expire requiring technical support
• Integrate with existing ID mgt.
• Integration with applications
• PeopleSoft
• Card Space
• Higgins
• Other

14
Our questions

• How have you made PKI more usable in your
  environment (any tricks of the trade)?
• Have you established training and docs that you
  would be willing to share with others?
• What has been the driving factor in your PKI
  implementations?
• What applications do you use with PKI?

15
Questions?

• ndavis1_at_wisc.edu
• lowe_at_wisc.edu
• bgrust_at_wisc.edu