Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication.

Published byJacob Gordon Modified over 8 years ago

Similar presentations

Presentation on theme: "David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication."— Presentation transcript:

1 David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication – IGTF Generalized LoA, … and AARC! With inputs from: Interoperable Global Trust Federation IGTF AARC – coordinated by the GEANT Association/TERENA EGI SPG

2 David Groep Nikhef Amsterdam PDP & Grid Risk based policies and assurance Focusing on the inputs ◦ Assertions: identity, attributes ◦ Release and Trust: policies on SPs, on IdPs, or both? Developing the composite AAI landscape ◦ Authentication and Authorization for Research Collaborations Assurance Levels – both ways

3 David Groep Nikhef Amsterdam PDP & Grid Action (app) based More constraint actions can lower need for identity LoA (J)SPG VO Portal policy does that: 4 levels of actions Resource (value) based e.g. access to wireless network does not pose huge risks, so can live with a lower identity LoA (eduroam) Subject (ID/LoA) based Defined identity assurance level Includes Community-given LoA For given actions, resources, and acceptable residual risk, required ID assurance is a given ‘risk envelope’ Risk Residual Risk: 2014-10-163

4 David Groep Nikhef Amsterdam PDP & Grid Determine the risk envelope What are you willing to accept? ◦ Cost of monitoring to assess/retain systems integrity ◦ Cost of recovery in case of incidents (time, money, consultancy costs) ◦ Benefits of having more (paying) users ◦ Benefits of appearing ‘low-barrier’ Considerations include ◦ Your ‘outside’ risk envelope should stay the same – determined by local regulation, ◦ the AUPs of your (network) peers, ◦ your (media) exposure and reputation status 2014-10-164

5 David Groep Nikhef Amsterdam PDP & Grid Collaborative risk In beyond, we have developed models shifting responsibilities within the risk envelope VO Portal Policy: offset lower ID vetting with restricting actions Consider lower-risk services (think eduroam) Now incorporating collaborative subject attribute provisioning High-quality VO ID vetting (F2F)&IOTA identifiers (e.g. LHC) Mediated User Registration + actions containment + simple identifiers: LToS Specific Security Policy

6 David Groep Nikhef Amsterdam PDP & Grid For now focus has been largely on getting assurances from the service providers, e.g. ◦ Data Protection Code of Conduct ◦ developed Privacy Policy ◦ Justification for each attribute requested ◦ R&S Entity Category (for attribute release) https://wiki.edugain.org/Recipe_for_a_Service_Provider Assurance in R&E federations

7 David Groep Nikhef Amsterdam PDP & Grid … so we need some assurance from IdPs and Federations … this is new for most IdPs! ◦ Many (most) SPs have been ‘low-value’ – now changing: also pressure from publishers worried about proxies ◦ Focus of the IdP is to serve bulk users (students and admin staff), not typically researchers – there are too few! ◦ The IdM folks are (typically) not the people doing IT Sec or CSIRT ◦ and: not simple to get formal agreements really signed by an R&E institution (too many lawyers we don’t need get in the way) So we need some (‘R&E’ friendly) IdP assurance ◦ Because we believe practices are actually pretty OK – just not transparent! ◦ And we have done it before: for the IdPs that signed up to TCS! But EGI is (mostly) an SP

8 David Groep Nikhef Amsterdam PDP & Grid Example: IGTF trust building method Accreditation process ◦ Extensively documented public practices (CP/CPS, RFC3647) ◦ Interviewing and scrutiny by peer group (the PMA) ◦ Assessment against standards (LoA and APs) ◦ Technical compliance checks (dependent on credential type) Periodic, peer-reviewed, self-audits ◦ Based on Authentication Profiles, standard reference: GFD169 ◦ inspired by APs, LoA, and NIST SP800-53/ISO:IEC 27002 Federated assessment methodology by region (IGTF) ◦ keeps it scalable by ‘divide & conquer’ 2011-06-10 https://www.eugridpma.org/guidelines/accreditation

9 David Groep Nikhef Amsterdam PDP & Grid http://wiki.eugridpma.org/Main/IGTFLoAGeneralisation Federation of major Relying Parties (RPs) and identity providers that jointly agree on achievable and sufficient assurance ◦ RPs like PRACE, EGI, EUDAT, XSEDE, OSG, TERENA/ GÉANT, HPCI, … and many national representatives ◦ Identity providers, both from R&E and beyond About 2-3 distinct levels (not the Kantara ones) And a R&E ‘unique’ verification mechanism: peer reviewed and open documentation IGTF LoA Generalisation

10 David Groep Nikhef Amsterdam PDP & Grid IGTF ‘levels’ are useful classifying IdP assurance levels for distributed infrastructures ◦ There is not exactly a hierarchy (so we used opaque names) ◦ Is technology agnostic (PKI, SAML, OpenID/OAuth) http://wiki.eugridpma.org/Main/IGTFLoAGeneralisation ◦ ASPEN, BIRCH, CEDAR, DOGWOOD ◦ Reflect trust level of SLCS, MICS, Classic, IOTA ◦ Many IdPs are actually ‘good enough’ (certainly for DOGWOOD), but just forget or are afraid to express their (usually rather good) practices! Generalised LoA

11 David Groep Nikhef Amsterdam PDP & Grid The future is bringing us attributes from many sources identifiers from R&E or external providers Attributes on community membership Eligibility attributes, social attributes, … There are many, and quick, technical developments OpenConext, Grouper, PERUN, VOMS, HEXAA, … But there’s no (assurance level) collation mechanism yet … How to compose policies? How to assemble attributes with distinct LoAs? … nor is there a framework to interpret it Coming soon to a theatre near you: Compositional attributes & LoA

12 David Groep Nikhef Amsterdam PDP & Grid For LoA to be useful, it needs to consider risk and e.g. incident response capability when all assertions are combined for a final AuthZ decision ◦ Any source of attributes has an LoA (even if it is not yet expressed in readable form) ◦ The end-to-end system collaboratively needs to address risk: identifiers, attributes, resource data ◦ Example IGTF LoAs: The IGTF itself deals in identifiers, but the LoA framework could be applied to more attributes Decision based on attributes from multiple sources ◦ Need to make the LoA more ‘visible’ to authZ software ◦ But you should not just force higher LoA for all, but ◦ Allow for ‘collaborative’ assurance from many sources Making LoA useful

13 David Groep Nikhef Amsterdam PDP & Grid Authentication and Authorization for Research Collaborations AARC Expanding the work

14 David Groep Nikhef Amsterdam PDP & Grid On the technical side ◦ address Single Sign On for non-web applications ◦ authorisation side: attribute aggregation ◦ integration of credential use Both these areas are rather complex and even if progresses have been made, there is still need for further work On the policy side ◦ Consolidate initiatives where work is carried out ◦ GÉANT project, EGI, IGTF, REFEDS, FIM4R, RDA, e-IRG, SCI, SirTFi, … Why AARC?

15 David Groep Nikhef Amsterdam PDP & Grid Organisational and legal (policy) work eduGAIN REFEDS (R&S, CoC) IGTF RP (EGI, OSG, PRACE, XSEDE) LoA requirements Technical work Various non-Web SSO techniques Credential translators (STS, Portals, SLCS CAs) Inputs to AARC

16 David Groep Nikhef Amsterdam PDP & Grid Part of an ecosystem Research on scalable policy models (LoA, incident response, etc.) AARC Pilots (Guest IdPs, Attribute providers, etc.) Training/Outreach REFEDS/FIM4R/ RDA ESFRI Clusters/GÉANT /EGI/EUDAT Libraries, institutions, resource providers, etc.

17 David Groep Nikhef Amsterdam PDP & Grid Although there are ‘only’ 20 project partners it is a pan-European effort! ◦ work plan is to be co-developed collaboratively ◦ communities are encouraged (in several ways) to attend workshops and express their requirements Your input is very welcome! project start: ~ March 2015 An open collaborative effort TERENA, CERN, CESNET, CSC, DAASI, DFN, EGI, GARR, GRNET, JANET, FZJulich, KIT, LIBER, MZK/Brno, FOM-Nikhef, PSNC, RENATER, STFC/RAL, SURFNet, SURFsara

Download ppt "David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – going where? Collaborative, distributed, and generalized assurance beyond just identity authentication."

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323,

David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI ,
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 Towards Differentiated Identity Assurance as a collaborative.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI Towards Differentiated Identity Assurance as a collaborative.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.

Authentication and Authorisation for Research and Collaboration Pilots on the Integrated R&E AAI Paul van Dijk, Activity Lead Pilots.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Similar presentations

Ads by Google