What will the Sirtfi trust framework change for FIM4R? · https://aarc-project.eu Authentication...
TRANSCRIPT
h"ps://aarc-project.eu
Authentication and Authorisation for Research and Collaboration
Hannah Short
REFEDS, Vienna
What will the Sirtfi trust framework change for FIM4R?
December 1st, 2015
Background
• A Security Incident Response Trust Framework for Federated Identity
• Need for common trust framework
• Enable coordination of security incident response
• Vector of attack grows more inviting as magnitude of federated networks increases
• Self assertion
• Practical compromise
• Possible extension to peer assessment
2
What will Sirtfi change?
Impact on FIM4R Communities
• Trust
• Support
• Responsibility
• Self Audit
We need partners within FIM4R to pilot this framework!
Federated incidents
4
Diagram: one IdP with a compromised account, connected to several SPs and to other IdPs.
• Compromised account from Identity Provider (IdP) accesses external Service Providers (SPs)
• Could be intra-federation, or inter-federation
• Malicious actor is able to penetrate the network and take advantage of the lack of coordinated incident response
It all seems like common sense…
5
Diagram: the notification chain between an SP, the IdP and the other SPs, in order:
• SP notices suspicious jobs executed by a handful of users from an IdP
• Notifies IdP
• IdP identifies over 1000 compromised accounts
• IdP identifies all SPs accessed
• Notifies SPs
But without Sirtfi…
6
Diagram: the same notification chain, marked at each point where it breaks down:
• SP notices suspicious jobs executed by a handful of users from an IdP
• Notifies IdP
• IdP identifies over 1000 compromised accounts
• IdP identifies all SPs accessed
• Notifies SPs
Where it fails:
• Large SP does not share details of compromise, for fear of damage to reputation
• Small IdP may not have capability to block users, or trace their usage
• SPs are not bound to abide by confidentiality protocol and disclose sensitive information
• No security contact details!
Trust
There will be a higher level of trust for Sirtfi-compliant organisations. These participants will be more likely to grant and be granted access to shared resources.
7
Diagram, Before Sirtfi / After Sirtfi: a user from a Sirtfi'd IdP and a user from a non-Sirtfi'd IdP, each presenting an eduGAIN token to a set of SPs; the SPs are annotated "May be granted to some basic SPs" and "Access restricted to critical SPs".
Support
Sirtfi-compliant organisations will be able to draw on support from each other in the event of an incident. Bridging federations and identifying required expertise will be facilitated.
8
Before Sirtfi:
Who can we trust with sensitive information?
Who should we notify? Can we count on a response for urgent incidents?
Can we get accurate logs to track the incident within our community?
After Sirtfi: a Sirtfi-compliant IdP, carrying in its metadata
<ContactPerson contactType="security"><EmailAddress>[email protected]</EmailAddress></ContactPerson>
<SirtfiCompliance status="asserted"/>
Responsibility
Sirtfi-compliant organisations must be able to comply with support obligations in the event of a security incident. Individuals should be identified at each participating organisation and be aware of expectations.
9
Before Sirtfi:
To: [email protected] From: [email protected]
Urgent! User found submitting malicious jobs – please investigate!
After Sirtfi:
To: [email protected] From: [email protected]
**TLP AMBER – Limited distribution allowed**
Urgent! User found submitting malicious jobs – please investigate! Details below…
To: [email protected] [email protected] From: [email protected]
**TLP AMBER – Limited distribution allowed**
Absolutely – I’m on rota this week, account blocked and we are investigating. Attaching relevant logs and will keep you updated.
Self Audit
Sirtfi-compliant organisations will be required to complete periodic self assessments to analyse their incident response capability. Security contact information must be accurately represented in metadata and be verified during staffing and business reorganisation.
10
"Has anyone thought about security?"
Before Sirtfi / After Sirtfi
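An added example, not from these slides or from the Sirtfi/AARC projects: a small Python audit of federation metadata for the two elements the Support slide draws (a security ContactPerson and a Sirtfi compliance assertion) and for the Self Audit requirement that the security contact be accurately represented. It accepts the draft elements as drawn on the slide and also the form REFEDS later standardised (the assurance-certification entity attribute with value https://refeds.org/sirtfi, and a ContactPerson marked with the REFEDS remd:contactType security URI); the entityIDs and addresses in the sample are constructed.

```python
# Added example (not from the slides): audit SAML federation metadata for the
# two signals discussed in the deck, a security contact and a Sirtfi assertion.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REMD_SEC = "{http://refeds.org/metadata}contactType"  # REFEDS contact-type extension
SEC_URI = "http://refeds.org/metadata/contactType/security"
ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"

def security_contacts(ent):
    """E-mail addresses of every security contact, slide's draft or REFEDS form."""
    return [a.text.strip() for cp in ent.findall("md:ContactPerson", NS)
            if cp.get("contactType") == "security" or cp.get(REMD_SEC) == SEC_URI
            for a in cp.findall("md:EmailAddress", NS) if a.text]

def asserts_sirtfi(ent):
    """True if the entity asserts Sirtfi compliance in either form."""
    draft = ent.find("SirtfiCompliance")  # draft element as drawn on the slide, no namespace
    if draft is not None and draft.get("status") == "asserted":
        return True
    return any(a.get("Name") == ASSURANCE and any(
        (v.text or "").strip() == SIRTFI for v in a.findall("saml:AttributeValue", NS))
        for a in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS))

def audit(metadata_xml):
    """entityID -> (sirtfi asserted?, contacts, findings a federation operator should chase)."""
    report = {}
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        sirtfi, contacts = asserts_sirtfi(ent), security_contacts(ent)
        findings = [] if contacts else ["no security contact in metadata"] + (
            ["asserts Sirtfi but cannot be reached for incidents [IR1]"] if sirtfi else [])
        report[ent.get("entityID")] = (sirtfi, contacts, findings)
    return report

# Constructed sample metadata: entityIDs and addresses are made up for the example.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:remd="http://refeds.org/metadata"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<md:EntityDescriptor entityID="https://idp.example.org/idp"><md:ContactPerson contactType="security">
<md:EmailAddress>security@example.org</md:EmailAddress></md:ContactPerson><SirtfiCompliance status="asserted"/>
</md:EntityDescriptor><md:EntityDescriptor entityID="https://sp.example.net/sp"><md:Extensions>
<mdattr:EntityAttributes><saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
<saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
</md:Extensions><md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
<md:EmailAddress>mailto:csirt@example.net</md:EmailAddress></md:ContactPerson></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:ContactPerson contactType="technical">
<md:EmailAddress>it@example.edu</md:EmailAddress></md:ContactPerson></md:EntityDescriptor></md:EntitiesDescriptor>"""
```

Running `audit(SAMPLE)` flags the third entity, which has only a technical contact, as the "No security contact details!" case from the slide before; an entity that asserts Sirtfi without any security contact gets the additional [IR1] finding.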
What’s next?
• Potentially RFC
• LoA requirements
• Finalisation of metadata elements
• Security contact element http://www.slideshare.net/jbasney/saml-security-contacts
• Sirtfi compliance element
• Tool for assessing/managing Sirtfi compliance attribute
• Sirtfi v2.0
• Requirement to notify Sirtfi partners
• Alerting mechanism
11
Sirtfi status
• Consultation closes on December 8th
• https://wiki.refeds.org/display/CON/SIRTFI+Consultation%3A+Framework
• Comments welcome!
26/04/16 Document reference 12
Appendix: Sirtfi assertions
13
Operational security
• [OS1] Security patches in operating system and application software are applied in a timely manner.
• [OS2] A process is used to manage vulnerabilities in software operated by the organisation.
• [OS3] Mechanisms are deployed to detect possible intrusions and protect information systems from significant and immediate threats.
• [OS4] A user’s access rights can be suspended, modified or terminated in a timely manner.
• [OS5] Users and Service Owners (as defined by ITIL [ITIL]) within the organisation can be contacted.
• [OS6] A security incident response capability exists within the organisation with sufficient authority to mitigate, contain the spread of, and remediate the effects of a security incident.
14
Incident response
• [IR1] Provide security incident response contact information as may be requested by an R&E federation to which your organization belongs.
• [IR2] Respond to requests for assistance with a security incident from other organisations participating in the Sirtfi trust framework in a timely manner.
• [IR3] Be able and willing to collaborate in the management of a security incident with affected organisations that participate in the Sirtfi trust framework.
• [IR4] Follow security incident response procedures established for the organisation.
• [IR5] Respect user privacy as determined by the organisation’s policies or legal counsel.
• [IR6] Respect and use the Traffic Light Protocol [TLP] information disclosure policy.
15
Traceability
• [TR1] Relevant system generated information, including accurate timestamps and identifiers of system components and actors, are retained and available for use in security incident response procedures.
• [TR2] Information attested to in [TR1] is retained in conformance with the organisation’s security incident response policy or practices.
16
Participant responsibilities
• [PR1] The participant has an Acceptable Use Policy (AUP).
• [PR2] There is a process to ensure that all users are aware of and accept the requirement to abide by the AUP, for example during a registration or renewal process.
17
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).
Thank you. Any Questions?