what will the sir/i trust framework change for fim4r? · h"ps://aarc-project.eu authen4caon...

h"ps://aarc-project.eu

Authen4ca4onandAuthorisa4onforResearchandCollabora4on

HannahShort

REFEDS,Vienna

WhatwilltheSir/itrustframeworkchangeforFIM4R?

December1st,2015

[email protected]


Background

• ASecurityIncidentResponseTrustFrameworkforFederatedIden4ty

• Needforcommontrustframework•  Enablecoordina4onofsecurityincidentresponse•  Vectorofa"ackgrowsmoreinvi4ngasmagnitudeoffederatednetworksincreases

• Selfasser4on•  Prac4calcompromise•  Possibleextensiontopeerassessment

2


WhatwillSir/ichange?

ImpactonFIM4RCommuni4es• Trust• Support• Responsibility• SelfAudit

WeneedpartnerswithinFIM4Rtopilotthisframework!


IdP

Federatedincidents

4

Compromised

SP

SP

SP

SP

SP

•  CompromisedaccountfromIden4tyProvider(IdP)accessesexternalServiceProviders(SPs)

•  Couldbeintra-federa4on,orinter-federa4on

•  Maliciousactorisabletopenetratethenetworkandtakeadvantageofthelackofcoordinatedincidentresponse

IdP

IdP

IdP


IdPSP

Itallseemslikecommonsense…

5

SPno4cessuspiciousjobsexecutedbya

handfulofusersfromanIdP

IdPiden4fiesover1000compromisedaccounts

No:fiesIdP

IdPiden4fiesallSPsaccessed

SP

SP

SP

No:fiesSPs


IdPSP

ButwithoutSir/i…

6

SPno4cessuspiciousjobsexecutedbya

handfulofusersfromanIdP

IdPiden4fiesover1000compromisedaccounts

No:fiesIdP

IdPiden4fiesallSPsaccessed

SP

SP

SP

No:fiesSPs

LargeSPdoesnotsharedetailsofcompromise,forfearofdamagetoreputa4on

SmallIdPmaynothavecapabilitytoblockusers,ortracetheirusage

SPsarenotboundtoabidebyconfiden4alityprotocolanddisclosesensi4veinforma4on

!

!

!

!Nosecuritycontactdetails!

X

XX

X


Trust

TherewillbeahigherleveloftrustforSirCi-compliantorganisa:ons.Thesepar:cipantswillbemorelikelytograntandbegrantedaccesstosharedresources.

7

SP

SPSP

eduGAINToken

MaybegrantedtosomebasicSPs

Accessrestrictedtocri:calSPs

SP

SPSP

eduGAINToken

UserfromSirCi’dIdP

eduGAINToken

UserfromnonSirCi’dIdP

BeforeSirCi ALerSirCi


Support

SirCi-compliantorganisa:onswillbeabletodrawonsupportfromeachotherintheeventofanincident.Bridgingfedera:onsandiden:fyingrequiredexper:sewillbefacilitated.

8

Sir]i-compliantIdP

<ContactPersoncontactType=“security”><EmailAddress>[email protected]</EmailAddress></ContactPerson><SirtfiCompliancestatus=“asserted”/>

IdP

Whocanwetrustwithsensi4veinforma4on?

Whoshouldweno4fy?Canwecountona

responseforurgentincidents?

Canwegetaccuratelogstotracktheincidentwithin

ourcommunity?



Responsibility

SirCi-compliantorganisa:onsmustbeabletocomplywithsupportobliga:onsintheeventofasecurityincident.Individualsshouldbeiden:fiedateachpar:cipa:ngorganisa:onandbeawareofexpecta:ons.

9

To:[email protected]:[email protected]!Userfoundsubmittingmaliciousjobs–pleaseinvestigate!

To:[email protected]:[email protected]**TLPAMBER–Limiteddistributionallowed**Urgent!Userfoundsubmittingmaliciousjobs–pleaseinvestigate!Detailsbelow…

To:[email protected]:[email protected]:[email protected]**TLPAMBER–Limiteddistributionallowed**Absolutely–I’monrotathisweek,accountblockedandweareinvestigating.Attachingrelevantlogsandwillkeepyouupdated.



SelfAudit

SirCi-compliantorganisa:onswillberequiredtocompleteperiodicselfassessmentstoanalysetheirincidentresponsecapability.Securitycontactinforma:onmustbeaccuratelyrepresentedinmetadataandbeverifiedduringstaffingandbusinessreorganisa:on.

10

Hasanyonethoughtabout

security?



What’snext?

• Poten4allyRFC• LoArequirements• Finalisa4onofmetadataelements•  Securitycontactelementh"p://www.slideshare.net/jbasney/saml-security-contacts•  Sir]icomplianceelement

• Toolforassessing/managingSir]icompliancea"ribute• Sir]iv2.0•  Requirementtono4fySir]ipartners•  Aler4ngmechanism

11


Sir/istatus

• Consulta4onclosesonDecember8th

• h"ps://wiki.refeds.org/display/CON/SIRTFI+Consulta4on%3A+Framework• Commentswelcome!

26/04/16 Documentreference 12


Appendix:Sir/iasserJons

26/04/16 13


OperaJonalsecurity

•  [OS1]Securitypatchesinopera4ngsystemandapplica4onsoiwareareappliedina4melymanner.•  [OS2]Aprocessisusedtomanagevulnerabili4esinsoiwareoperatedbytheorganisa4on.•  [OS3]Mechanismsaredeployedtodetectpossibleintrusionsandprotectinforma4onsystemsfromsignificantandimmediatethreats•  [OS4]Auser’saccessrightscanbesuspended,modifiedorterminatedina4melymanner.•  [OS5]UsersandServiceOwners(asdefinedbyITIL[ITIL])withintheorganisa4oncanbecontacted.•  [OS6]Asecurityincidentresponsecapabilityexistswithintheorganisa4onwithsufficientauthoritytomi4gate,containthespreadof,andremediatetheeffectsofasecurityincident.

26/04/16 14


Incidentresponse

•  [IR1]Providesecurityincidentresponsecontactinforma4onasmayberequestedbyanR&Efedera4ontowhichyourorganiza4onbelongs.•  [IR2]Respondtorequestsforassistancewithasecurityincidentfromotherorganisa4onspar4cipa4ngintheSir]itrustframeworkina4melymanner.•  [IR3]Beableandwillingtocollaborateinthemanagementofasecurityincidentwithaffectedorganisa4onsthatpar4cipateintheSir]itrustframework.•  [IR4]Followsecurityincidentresponseproceduresestablishedfortheorganisa4on.•  [IR5]Respectuserprivacyasdeterminedbytheorganisa4onspoliciesorlegalcounsel.•  [IR6]RespectandusetheTrafficLightProtocol[TLP]informa4ondisclosurepolicy.

26/04/16 15


Traceability

•  [TR1]Relevantsystemgeneratedinforma4on,includingaccurate4mestampsandiden4fiersofsystemcomponentsandactors,areretainedandavailableforuseinsecurityincidentresponseprocedures.•  [TR2]Informa4ona"estedtoin[TR1]isretainedinconformancewiththeorganisa4on’ssecurityincidentresponsepolicyorprac4ces.

26/04/16 16


ParJcipantresponsibiliJes

•  [PR1]Thepar4cipanthasanAcceptableUsePolicy(AUP).•  [PR2]ThereisaprocesstoensurethatallusersareawareofandaccepttherequirementtoabidebytheAUP,forexampleduringaregistra4onorrenewalprocess.

26/04/16 17


©GÉANTonbehalfoftheAARCproject.TheworkleadingtotheseresultshasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnova4onprogrammeunderGrantAgreementNo.653965(AARC).

ThankyouAnyQues4ons?


[email protected]

what will the sir/i trust framework change for fim4r? · h"ps://aarc-project.eu authen4caon...

Documents