What will the Sirtfi trust framework change for FIM4R? Hannah Short (CERN), REFEDS, Vienna, December 1st, 2015. Authentication and Authorisation for Research and Collaboration (AARC), https://aarc-project.eu, [email protected]
Page 1: Title

https://aarc-project.eu

Authentication and Authorisation for Research and Collaboration

Hannah Short

REFEDS, Vienna

What will the Sirtfi trust framework change for FIM4R?

December 1st, 2015

[email protected]

Page 2: Background

• A Security Incident Response Trust Framework for Federated Identity

• Need for common trust framework
  • Enable coordination of security incident response
  • Vector of attack grows more inviting as magnitude of federated networks increases

• Self assertion
  • Practical compromise
  • Possible extension to peer assessment

Page 3: What will Sirtfi change?

Impact on FIM4R Communities
• Trust
• Support
• Responsibility
• Self Audit

We need partners within FIM4R to pilot this framework!

Page 4: Federated incidents

[Diagram: a compromised account at one IdP accessing several SPs, alongside other IdPs in the federation.]

• Compromised account from Identity Provider (IdP) accesses external Service Providers (SPs)

• Could be intra-federation, or inter-federation

• Malicious actor is able to penetrate the network and take advantage of the lack of coordinated incident response

Page 5: It all seems like common sense…

[Diagram of the incident flow between an SP, the IdP and the other SPs:]

1. SP notices suspicious jobs executed by a handful of users from an IdP
2. SP notifies IdP
3. IdP identifies over 1000 compromised accounts
4. IdP identifies all SPs accessed
5. IdP notifies SPs

Page 6: But without Sirtfi…

[Same incident flow as the previous slide, with each step marked as failing:]

1. SP notices suspicious jobs executed by a handful of users from an IdP
2. SP notifies IdP: no security contact details!
3. IdP identifies over 1000 compromised accounts
4. IdP identifies all SPs accessed
5. IdP notifies SPs

• Large SP does not share details of compromise, for fear of damage to reputation

• Small IdP may not have capability to block users, or trace their usage

• SPs are not bound to abide by confidentiality protocol and disclose sensitive information

Page 7: Trust

There will be a higher level of trust for Sirtfi-compliant organisations. These participants will be more likely to grant and be granted access to shared resources.

[Diagram. Before Sirtfi: an eduGAIN token may be granted to some basic SPs; access restricted to critical SPs. After Sirtfi: an eduGAIN token from a user of a Sirtfi'd IdP versus one from a user of a non-Sirtfi'd IdP.]

Page 8: Support

Sirtfi-compliant organisations will be able to draw on support from each other in the event of an incident. Bridging federations and identifying required expertise will be facilitated.

Before Sirtfi (IdP):
  Who can we trust with sensitive information?
  Who should we notify? Can we count on a response for urgent incidents?
  Can we get accurate logs to track the incident within our community?

After Sirtfi (Sirtfi-compliant IdP, in metadata):
  <ContactPerson contactType="security">
    <EmailAddress>[email protected]</EmailAddress>
  </ContactPerson>
  <SirtfiCompliance status="asserted"/>
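The following is an added example, not code from the slides or from the AARC project: it reads a metadata feed for the security contact and Sirtfi assertion in the form proposed on this slide, then uses an IdP authentication log (the record [TR1] asks an IdP to keep) to work out which SPs a set of compromised accounts touched and whom to notify, reporting SPs with no security contact as the gap shown on the "without Sirtfi" slide. The entityIDs, addresses and log lines are constructed, and the `SirtfiCompliance` element is assumed to sit in the SAML metadata namespace; the finalised Sirtfi metadata representation differs from this proposal.

```python
# Added example: pair an IdP's metadata feed with its authentication log to
# decide which SP security contacts to notify after an account compromise.
# Element forms follow the slide's proposal (assumption: same namespace as md).
import xml.etree.ElementTree as ET
from collections import defaultdict

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed metadata: SP A has a security contact and asserts Sirtfi;
# SP B has only a technical contact (the "No security contact details!" case).
METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <EntityDescriptor entityID="https://sp-a.example.org/sp">
  <ContactPerson contactType="security"><EmailAddress>security@sp-a.example.org</EmailAddress></ContactPerson>
  <SirtfiCompliance status="asserted"/>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp-b.example.org/sp">
  <ContactPerson contactType="technical"><EmailAddress>admin@sp-b.example.org</EmailAddress></ContactPerson>
 </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed IdP authentication log: (timestamp, user, SP entityID).
AUTH_LOG = [
    ("2015-12-01T08:02:11Z", "alice", "https://sp-a.example.org/sp"),
    ("2015-12-01T08:05:40Z", "bob", "https://sp-b.example.org/sp"),
    ("2015-12-01T08:09:03Z", "carol", "https://sp-a.example.org/sp"),
    ("2015-12-01T08:12:27Z", "bob", "https://sp-a.example.org/sp"),
]

def security_contacts(metadata_xml):
    """Map entityID -> (security contact email or None, Sirtfi asserted?)."""
    out = {}
    for ent in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        mail = ent.find(f"{MD}ContactPerson[@contactType='security']/{MD}EmailAddress")
        sirtfi = ent.find(f"{MD}SirtfiCompliance[@status='asserted']") is not None
        out[ent.get("entityID")] = (mail.text.strip() if mail is not None else None, sirtfi)
    return out

def notifications(metadata_xml, auth_log, compromised):
    """Group compromised-account logins by SP; SPs lacking a security contact are gaps."""
    contacts = security_contacts(metadata_xml)
    touched = defaultdict(set)
    for _ts, user, sp in auth_log:
        if user in compromised:
            touched[sp].add(user)
    notify, gaps = {}, []
    for sp, users in sorted(touched.items()):
        mail, sirtfi = contacts.get(sp, (None, False))
        if mail is None:
            gaps.append(sp)
        else:
            notify[sp] = {"contact": mail, "sirtfi": sirtfi, "users": sorted(users)}
    return notify, gaps
```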

Page 9: Responsibility

Sirtfi-compliant organisations must be able to comply with support obligations in the event of a security incident. Individuals should be identified at each participating organisation and be aware of expectations.

Before Sirtfi:
  To: [email protected]
  From: [email protected]
  Urgent! User found submitting malicious jobs – please investigate!

After Sirtfi:
  To: [email protected]
  From: [email protected]
  **TLP AMBER – Limited distribution allowed**
  Urgent! User found submitting malicious jobs – please investigate! Details below…

  To: [email protected]
  From: [email protected]
  Cc: [email protected]
  **TLP AMBER – Limited distribution allowed**
  Absolutely – I'm on rota this week, account blocked and we are investigating. Attaching relevant logs and will keep you updated.

Page 10: Self Audit

Sirtfi-compliant organisations will be required to complete periodic self assessments to analyse their incident response capability. Security contact information must be accurately represented in metadata and be verified during staffing and business reorganisation.

Before Sirtfi: "Has anyone thought about security?"

After Sirtfi: [diagram, no text]

Page 11: What's next?

• Potentially RFC
• LoA requirements
• Finalisation of metadata elements
  • Security contact element: http://www.slideshare.net/jbasney/saml-security-contacts
  • Sirtfi compliance element

• Tool for assessing/managing Sirtfi compliance attribute
• Sirtfi v2.0
  • Requirement to notify Sirtfi partners
  • Alerting mechanism

Page 12: Sirtfi status

• Consultation closes on December 8th

• https://wiki.refeds.org/display/CON/SIRTFI+Consultation%3A+Framework
• Comments welcome!

Page 13: Appendix: Sirtfi assertions

Page 14: Operational security

•  [OS1] Security patches in operating system and application software are applied in a timely manner.
•  [OS2] A process is used to manage vulnerabilities in software operated by the organisation.
•  [OS3] Mechanisms are deployed to detect possible intrusions and protect information systems from significant and immediate threats.
•  [OS4] A user's access rights can be suspended, modified or terminated in a timely manner.
•  [OS5] Users and Service Owners (as defined by ITIL [ITIL]) within the organisation can be contacted.
•  [OS6] A security incident response capability exists within the organisation with sufficient authority to mitigate, contain the spread of, and remediate the effects of a security incident.

Page 15: Incident response

•  [IR1] Provide security incident response contact information as may be requested by an R&E federation to which your organization belongs.
•  [IR2] Respond to requests for assistance with a security incident from other organisations participating in the Sirtfi trust framework in a timely manner.
•  [IR3] Be able and willing to collaborate in the management of a security incident with affected organisations that participate in the Sirtfi trust framework.
•  [IR4] Follow security incident response procedures established for the organisation.
•  [IR5] Respect user privacy as determined by the organisation's policies or legal counsel.
•  [IR6] Respect and use the Traffic Light Protocol [TLP] information disclosure policy.

Page 16: Traceability

•  [TR1] Relevant system generated information, including accurate timestamps and identifiers of system components and actors, are retained and available for use in security incident response procedures.
•  [TR2] Information attested to in [TR1] is retained in conformance with the organisation's security incident response policy or practices.

Page 17: Participant responsibilities

•  [PR1] The participant has an Acceptable Use Policy (AUP).
•  [PR2] There is a process to ensure that all users are aware of and accept the requirement to abide by the AUP, for example during a registration or renewal process.

Page 18: Thank you. Any Questions?

© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).

https://aarc-project.eu

[email protected]