Document No: mtr140262 McLean, va


Relevant Policy Documents



Download 186.57 Kb.
Page8/10
Date31.07.2017
Size186.57 Kb.
#25169
1   2   3   4   5   6   7   8   9   10

Relevant Policy Documents


The task team reviewed number of VA policy documents, NIST Special Publications (SP), Federal Information Processing Standards (FIPS), and other documents for content applicable to the Secure RESTful Interfaces task. Table lists documents with applicable content.

Table - Relevant Policy Documents



Reference

Title

Applicability

VA Handbook 6500 [22]

RISK MANAGEMENT FRAMEWORK FOR VA INFORMATION SYSTEMS – TIER 3: VA INFORMATION SECURITY PROGRAM

Core VA policy document

Office of Management and Budget (OMB) Memo 04-04 [23]

E-Authentication Guidance for Federal Agencies

Guidance on assessing the required assurance level for online transactions

NIST SP 800-63-2 [24]

Electronic Authentication Guideline

Guidance on authentication mechanisms and protocols to meet assurance requirements per OMB M-04-04 risk assessment

NIST SP 800-53 [25]

Recommended Security Controls for Federal Information Systems and Organizations

Required security controls based on risk categorization for Government systems

NIST SP 800-47 [26]

Security Guide for Interconnecting Information Technology Systems

Standards for establishing, managing, and securing system interconnections

      1. Policy Considerations

        1. OAuth Clients and System Interconnections


NIST SP 800-47 provides guidance for establishing and managing system interconnections, and requires that the interconnecting parties sign a Memorandum of Understanding (MOU), come to an agreement on how the security of the connection will be managed by each side, and sign an Interconnection Security Agreement (ISA). SP 800-47 defines a system interconnection somewhat broadly as “the direct connection of two or more IT systems for the purpose of sharing data and other information resources.” The description of control CA-3 (System Interconnections) in SP 800-53 provides additional guidance:

This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing.

It is not entirely clear which types of OAuth clients, if any, would be considered interconnected systems with the authorization server or protected resources. A user accessing a Government system with a web browser through a public interface is not considered a system interconnection, and certainly meets the “transitory, user-controlled” condition stated in SP 800-53. OAuth clients using the implicit flow to access resources over a public interface are basically equivalent to the browser user.

Native clients deviate from the 800-53 language, since they may access resources when the user is not present. The same is true of web clients, and it seems more reasonable to consider a large hosted web application to be an “interconnected system.” It would be impractical for the Government to sign MOUs and ISAs with every person who installs a copy of a native application. Attempting to treat web application clients as interconnected systems would be more manageable, since a large number of users might access the system through a single client.

However, the three OAuth client types listed above are all acting on behalf of individual users, and they all access resources through public interfaces. In this sense, they are substantially similar to a single user accessing resources with a web browser. The main difference is that they may submit automated requests when the user is not present. Web browser users might also decide to script their requests to run unattended using a tool such as wget7, but does this act create a system interconnection?

OAuth clients using the client credentials grant, on the other hand, do not obtain authorization from particular users or act on their behalf, and are often used to perform bulk transfers between systems. Though they may use the same public interfaces as the other OAuth client types, they would seem to fit the definition of interconnected systems and require the management processes defined in NIST SP 800-47.

The 800-53 language exempting “user-controlled, transitory” connections from the definition of system interconnections supports the argument that native and browser-based OAuth clients, and perhaps even web application clients, should not be considered interconnected systems. Partner systems performing bulk transfers using the client credentials grant, on the other hand, do not act on behalf of particular users and fit the definition of interconnected systems. Updated policy guidance at the Federal Government level would help clarify these issues. The MITRE task team recommends that VA raise these issues with the FICAM program office and other cross-government policy organizations (see Section 6.2).

        1. Level of Assurance Requirements for Access to Patient Data


OMB M-04-04 includes a framework for performing a risk assessment to determine the required LOA for authentication of a given transaction. The LOA determination is based on the potential impact of unauthorized access. However, the framework requires a subjective evaluation of distress, harm, and loss caused by authentication failures using adjectives such as “limited,” “serious,” and “severe.” Perhaps unsurprisingly, there is no consensus on LOA requirements for providers or patients to access electronic health record information. The MITRE task team recommends that VA work with the Federal Health Architecture, the Office of the National Coordinator, and other mission partners to arrive at a common set of assurance requirements for use cases involving patient data.

        1. Public-key Cryptography without X.509 Certificates


OpenID Connect uses the JWT standard for ID Tokens, and the Secure RESTful Interfaces profile for OAuth specifies the use of JWT for client authentication and access tokens. JWTs use the JOSE set of standards for signatures and encryption, which refer to JWK to specify how cryptographic keys are referenced and shared among participants.

JWK supports the use of X.509 certificates to bind keys to systems and other entities, but does not require it; keys can also be passed by value in JSON objects, or by reference through URLs indicating where the JSON objects containing keys can be downloaded.

A great deal of federal IT policy is based on the proper use of PKI and X.509, detailing how trust chains should be built, certificates should be validated, and revocation information should be obtained. For some OAuth use cases, the use of X.509 certificates is impractical. Native clients, for example, must use unique credentials for each installed instance of the client software, and it would be impractical to issue a certificate signed by an established CA to each one. More to the point, such a certificate would be of little value, since nothing would be known about its recipient except that he/she had installed a particular software package. The public/private key pair, however, could still be used to provide assurance that a client presenting the same key in future sessions is the same client that initially registered the public key with the authorization server.

Federal implementation guidance on JOSE and related standards would help to ensure that implementations by Government agencies are secure and interoperable.




  1. Download 186.57 Kb.

    Share with your friends:
1   2   3   4   5   6   7   8   9   10



The database is protected by copyright ©ininet.org 2024
send message
    Main page
security implications
mitre corporation