Top Banner
Authen4ca4on and Authorisa4on for Research and Collabora4on Hannah Short REFEDS, Vienna What will the Sir/i trust framework change for FIM4R? December 1 st , 2015 CERN [email protected]
18

What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

Aug 03, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Authen4ca4onandAuthorisa4onforResearchandCollabora4on

HannahShort

REFEDS,Vienna

WhatwilltheSir/itrustframeworkchangeforFIM4R?

December1st,2015

[email protected]

Page 2: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Background

• ASecurityIncidentResponseTrustFrameworkforFederatedIden4ty

• Needforcommontrustframework•  Enablecoordina4onofsecurityincidentresponse•  Vectorofa"ackgrowsmoreinvi4ngasmagnitudeoffederatednetworksincreases

• Selfasser4on•  Prac4calcompromise•  Possibleextensiontopeerassessment

2

Page 3: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

WhatwillSir/ichange?

ImpactonFIM4RCommuni4es• Trust• Support• Responsibility• SelfAudit

WeneedpartnerswithinFIM4Rtopilotthisframework!

Page 4: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

IdP

Federatedincidents

4

Compromised

SP

SP

SP

SP

SP

•  CompromisedaccountfromIden4tyProvider(IdP)accessesexternalServiceProviders(SPs)

•  Couldbeintra-federa4on,orinter-federa4on

•  Maliciousactorisabletopenetratethenetworkandtakeadvantageofthelackofcoordinatedincidentresponse

IdP

IdP

IdP

Page 5: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

IdPSP

Itallseemslikecommonsense…

5

SPno4cessuspiciousjobsexecutedbya

handfulofusersfromanIdP

IdPiden4fiesover1000compromisedaccounts

No:fiesIdP

IdPiden4fiesallSPsaccessed

SP

SP

SP

No:fiesSPs

Page 6: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

IdPSP

ButwithoutSir/i…

6

SPno4cessuspiciousjobsexecutedbya

handfulofusersfromanIdP

IdPiden4fiesover1000compromisedaccounts

No:fiesIdP

IdPiden4fiesallSPsaccessed

SP

SP

SP

No:fiesSPs

LargeSPdoesnotsharedetailsofcompromise,forfearofdamagetoreputa4on

SmallIdPmaynothavecapabilitytoblockusers,ortracetheirusage

SPsarenotboundtoabidebyconfiden4alityprotocolanddisclosesensi4veinforma4on

!

!

!

!Nosecuritycontactdetails!

X

XX

X

Page 7: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Trust

TherewillbeahigherleveloftrustforSirCi-compliantorganisa:ons.Thesepar:cipantswillbemorelikelytograntandbegrantedaccesstosharedresources.

7

SP

SPSP

eduGAINToken

MaybegrantedtosomebasicSPs

Accessrestrictedtocri:calSPs

SP

SPSP

eduGAINToken

UserfromSirCi’dIdP

eduGAINToken

UserfromnonSirCi’dIdP

BeforeSirCi ALerSirCi

Page 8: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Support

SirCi-compliantorganisa:onswillbeabletodrawonsupportfromeachotherintheeventofanincident.Bridgingfedera:onsandiden:fyingrequiredexper:sewillbefacilitated.

8

Sir]i-compliantIdP

<ContactPersoncontactType=“security”><EmailAddress>[email protected]</EmailAddress></ContactPerson><SirtfiCompliancestatus=“asserted”/>

IdP

Whocanwetrustwithsensi4veinforma4on?

Whoshouldweno4fy?Canwecountona

responseforurgentincidents?

Canwegetaccuratelogstotracktheincidentwithin

ourcommunity?

BeforeSirCi ALerSirCi

Page 9: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Responsibility

SirCi-compliantorganisa:onsmustbeabletocomplywithsupportobliga:onsintheeventofasecurityincident.Individualsshouldbeiden:fiedateachpar:cipa:ngorganisa:onandbeawareofexpecta:ons.

9

To:[email protected]:[email protected]!Userfoundsubmittingmaliciousjobs–pleaseinvestigate!

To:[email protected]:[email protected]**TLPAMBER–Limiteddistributionallowed**Urgent!Userfoundsubmittingmaliciousjobs–pleaseinvestigate!Detailsbelow…

To:[email protected]:[email protected]:[email protected]**TLPAMBER–Limiteddistributionallowed**Absolutely–I’monrotathisweek,accountblockedandweareinvestigating.Attachingrelevantlogsandwillkeepyouupdated.

BeforeSirCi ALerSirCi

Page 10: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

SelfAudit

SirCi-compliantorganisa:onswillberequiredtocompleteperiodicselfassessmentstoanalysetheirincidentresponsecapability.Securitycontactinforma:onmustbeaccuratelyrepresentedinmetadataandbeverifiedduringstaffingandbusinessreorganisa:on.

10

Hasanyonethoughtabout

security?

BeforeSirCi ALerSirCi

Page 11: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

What’snext?

• Poten4allyRFC• LoArequirements• Finalisa4onofmetadataelements•  Securitycontactelementh"p://www.slideshare.net/jbasney/saml-security-contacts•  Sir]icomplianceelement

• Toolforassessing/managingSir]icompliancea"ribute• Sir]iv2.0•  Requirementtono4fySir]ipartners•  Aler4ngmechanism

11

Page 12: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Sir/istatus

• Consulta4onclosesonDecember8th

• h"ps://wiki.refeds.org/display/CON/SIRTFI+Consulta4on%3A+Framework• Commentswelcome!

26/04/16 Documentreference 12

Page 13: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Appendix:Sir/iasserJons

26/04/16 13

Page 14: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

OperaJonalsecurity

•  [OS1]Securitypatchesinopera4ngsystemandapplica4onsoiwareareappliedina4melymanner.•  [OS2]Aprocessisusedtomanagevulnerabili4esinsoiwareoperatedbytheorganisa4on.•  [OS3]Mechanismsaredeployedtodetectpossibleintrusionsandprotectinforma4onsystemsfromsignificantandimmediatethreats•  [OS4]Auser’saccessrightscanbesuspended,modifiedorterminatedina4melymanner.•  [OS5]UsersandServiceOwners(asdefinedbyITIL[ITIL])withintheorganisa4oncanbecontacted.•  [OS6]Asecurityincidentresponsecapabilityexistswithintheorganisa4onwithsufficientauthoritytomi4gate,containthespreadof,andremediatetheeffectsofasecurityincident.

26/04/16 14

Page 15: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Incidentresponse

•  [IR1]Providesecurityincidentresponsecontactinforma4onasmayberequestedbyanR&Efedera4ontowhichyourorganiza4onbelongs.•  [IR2]Respondtorequestsforassistancewithasecurityincidentfromotherorganisa4onspar4cipa4ngintheSir]itrustframeworkina4melymanner.•  [IR3]Beableandwillingtocollaborateinthemanagementofasecurityincidentwithaffectedorganisa4onsthatpar4cipateintheSir]itrustframework.•  [IR4]Followsecurityincidentresponseproceduresestablishedfortheorganisa4on.•  [IR5]Respectuserprivacyasdeterminedbytheorganisa4onspoliciesorlegalcounsel.•  [IR6]RespectandusetheTrafficLightProtocol[TLP]informa4ondisclosurepolicy.

26/04/16 15

Page 16: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

Traceability

•  [TR1]Relevantsystemgeneratedinforma4on,includingaccurate4mestampsandiden4fiersofsystemcomponentsandactors,areretainedandavailableforuseinsecurityincidentresponseprocedures.•  [TR2]Informa4ona"estedtoin[TR1]isretainedinconformancewiththeorganisa4on’ssecurityincidentresponsepolicyorprac4ces.

26/04/16 16

Page 17: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

ParJcipantresponsibiliJes

•  [PR1]Thepar4cipanthasanAcceptableUsePolicy(AUP).•  [PR2]ThereisaprocesstoensurethatallusersareawareofandaccepttherequirementtoabidebytheAUP,forexampleduringaregistra4onorrenewalprocess.

26/04/16 17

Page 18: What will the Sir/i trust framework change for FIM4R? · h"ps://aarc-project.eu Authen4caon and Authorisaon for Research and Collaboraon Hannah Short REFEDS, Vienna What will the

h"ps://aarc-project.eu

©GÉANTonbehalfoftheAARCproject.TheworkleadingtotheseresultshasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnova4onprogrammeunderGrantAgreementNo.653965(AARC).

ThankyouAnyQues4ons?

h"ps://aarc-project.eu

[email protected]


Related Documents
SCALAC: Advance Computer Service for Latin America and the ...elcira.redclara.net/docs/Caso_4.pdf · Research Communities (FIM4R) • Roberto Barbera, University of Catania, INFN

SCALAC: Advance Computer Service for Latin America and the.....

Category: Documents
IMPLEMENTING ASSET MANAGEMENT AT THE RDNPrograms/Asset... · PRESENTATION OVERVIEW STRATEGIC FRAMEWORK IMPLEMENTATION MIKE DONNELLY, MANAGER WATER SERVICES ... GOAL 3: Enhanced collaboraon

IMPLEMENTING ASSET MANAGEMENT AT THE...

Category: Documents
For personal use only - ASX · Transforming+Bio-Analy1cs+ 5 TechnologyLicensing! Collaboraon! agreement! for! providing! services! on! 3Dorganotypic! cultures! for! downstream!applicaons!

For personal use only - ASX · Transforming+Bio-Analy1cs+ 5...

Category: Documents
UML based ArchiMate in Papyrus - PolarSys · UML based ArchiMate in Papyrus By: Thomas Gericke 15 ¡ Establish collaboraon with interested parJes ! We wish to collaboraon with other

UML based ArchiMate in Papyrus - PolarSys · UML based...

Category: Documents
LifeaertheEquipmentPurchase%%€¦ · LifeaertheEquipmentPurchase%% Sustaining)Program)ImprovementThrough) Local)and)Regional)Collaboraon)) CTE)EnhancementFunds)and)the)Cross)town)

LifeaertheEquipmentPurchase%%€¦ ·...

Category: Documents
Mantovani IDP IN THE CLOUD - terena.org · Compliant to REFEDS Discovery Guide Lalla Mantovani VAMP, Helsinki, 30.09.2013 28 IDP Metadata ready

Mantovani IDP IN THE CLOUD - terena.org · Compliant to...

Category: Documents
Institute-wide Planning Task Forceweb.mit.edu/instituteplanning/TaskForceJointSession.pdf · 2009-03-11 · Email reports from Co‐Chairs twice per month Will assure collaboraon

Institute-wide Planning Task...

Category: Documents
REFEDS Overview

REFEDS Overview

Category: Technology
Private&Sector&Collaboraon& with&Naonal&Regulatory&Systems&€¦ · Private sector collaboration with National Regulatory Systems | J. Christophe Delumeau 12 E2B VigiFlow National

Private&Sector&Collaboraon&...

Category: Documents
EmbeddedLinux&& Nowandthefuture& withLTSI · 2017. 12. 14. · EmbeddedLinux&& Nowandthefuture& withLTSI Hisao&Munakata, Renesas& Tsugikazu&SHIBATA,&NEC& 27.&March&2014& Collaboraon&Summit

EmbeddedLinux&& Nowandthefuture& withLTSI · 2017. 12....

Category: Documents
Why did AARC extend RAF? · The REFEDS Assurance Frameworkwas explained in a previous webinar. The AARC (Authentication and Authorisation for Research and Collaboration) project developed

Why did AARC extend RAF? · The REFEDS Assurance...

Category: Documents
EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.

EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer,...

Category: Documents