Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Groep Nikhef Amsterdam PDP & Grid In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "David Groep Nikhef Amsterdam PDP & Grid In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation."— Presentation transcript:

1 David Groep Nikhef Amsterdam PDP & Grid In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation ISGC 2011 David Groep

2 Nikhef Amsterdam PDP & Grid In Grid... where many participants have no a-priori relationship

3 David Groep Nikhef Amsterdam PDP & Grid... we trust in identity and attributes delivered from many sources

4 David Groep Nikhef Amsterdam PDP & Grid Trusting and trustable parties focus: -persistent unique ID -traceability assurance

5 David Groep Nikhef Amsterdam PDP & Grid Identity Vetting (‘people ware’ LoA) Operational Requirements (‘what and how LoA’) Site security controls (‘implementation LoA’) Publication and disclosure (‘gaining trust’) Auditing (‘sustaining trust’) Privacy and confidentiality (‘securing trust’) Compromise and Disaster Recovery (‘recovering trust’) User responsibilities ◦ this one deserves more attention in home organisation context, since direct & continuous contact with users can be maintained AP Structure and Elements of Trust

6 David Groep Nikhef Amsterdam PDP & Grid Trust Relations in Classic CAs

7 David Groep Nikhef Amsterdam PDP & Grid Classic Authentication Profile Example: Classic Authority using Secured Infrastructure Aimed at long-lived identity assertions Identity vetting procedures ◦ Based on (national) photo ID’s, face-to-face verification of applicants via distributed network of Registration Authorities or ‘Trusted’ Registrars ◦ Periodic rekeying once every year, using fresh key material ◦ Appropriate representation of the person’s real name in the credential ◦ validate all rekeying against pre-existing credential identifiers Secured operations ◦ dedicated rooms with monitored access, vault, and audit trails ◦ off-line signing key or HSM-backed on-line systems (FIPS 140.2 lvl 2) Response to incidents ◦ Timely (<24hrs) revocation of compromised credentials ◦ must issue an up-to-date list of revoked credentials Audit log retention and periodic re-assessment 2010-11-25 Esta blis hing iden tity in EGI7 https://www.eugridpma.org/guidelines/classic/

8 David Groep Nikhef Amsterdam PDP & Grid Classic AP’s ‘traditional ID vetting’ ◦ done by CA explicitly according to own practices ◦ face-to-face after or at time of making request What does that bring? ◦ pro – easy to describe ◦ con – complicated for user and introduces delay ◦ but even then in risk analysis for the end-to-end trust chain, ID is only a small element as verified in the ‘classic’ AP Policies supporting trust

9 David Groep Nikhef Amsterdam PDP & Grid Vetting in classic CAs gives ‘warm and fuzzy feeling’ ◦ is easy to describe in a stand-alone document ◦ which may be false ◦ but is certainly fuzzy But grid is no longer alone: many others need trust ◦ many other services inside and off-campus need ‘trusted identity’ in some way ◦ relative lower value of many off-campus services previously did not require a lot of complexity in assurance level or trust We, the Grid, trust

10 David Groep Nikhef Amsterdam PDP & Grid new trusted identity sources have emerged ◦ R&E federations have been established ◦ hosting more and higher-valued services ◦ broad and increasing user base we now leverage these for access to e-Infra resources A new wave of federated CAs

11 David Groep Nikhef Amsterdam PDP & Grid Trust Relations in a Federated CA (MICS) model

12 David Groep Nikhef Amsterdam PDP & Grid Broader base for users brings challenges ‘warm and fuzzy’ trust has a scaling limit there will necessarily be some indirection but federated IdP’s are ‘closer’ to the user ◦ more trustworthy and more close to any changes ◦ IdP’s are further away from the ‘grid’, and thus less warm and fuzzy this applies to ID attributes and other value-added attributes... and should apply to the VO as well! New CA models

13 David Groep Nikhef Amsterdam PDP & Grid New e-Infrastructure scenarios GridShib graphic: Jim Basney, NCSA VASH graphic: Christoph Witzig, SWITCH IMDI Browser (delegated corpus browsing) graphic: Mischa Salle, Nikhef Delegation options ‘hidden’ federated CAs Security Token Service semi-explicit instant CA

14 David Groep Nikhef Amsterdam PDP & Grid Requirements (example from SURFfederatie) Give accurate organisational contact details End-user guidance document per organisation ◦ netiquette, compliance with law, no damage to third parties ◦ guidance should be ‘appropriately enforced’ federation systems appropriately secured data complete and up to date, set of required attributes disclose procedures and practices on request Enforcement and sanctions Suspension from the federation (nothing worse) Indemnify other participants from damages Basic federation policies

15 David Groep Nikhef Amsterdam PDP & Grid Contract supported trust ‘We the Grid’ should now trust what the IdP says, and rely on that trust without ‘warm and fuzzy’ recourse graphic: after Jan Meijer, UNINETT

16 David Groep Nikhef Amsterdam PDP & Grid IGTF global trust features are not ‘default’ in many federations ◦ persistent unique naming ◦ higher-assurance level identity vetting Responsibilities have to be defined ◦ these now rely on the IdPs – these are now ‘quality IdPs’ in well-recognised federations ◦ contract mechanisms tie down responsibility ◦ how can an organisation set up a trusted IdM & IdP? In Grid We Trust

17 David Groep Nikhef Amsterdam PDP & Grid Ad HocFocusedStandardIntegrated Single log-on Authorization Source systems Policies Documented processes IdP systems for federation Quality Assurance Process implementation Security / Auditing Elements of institutional IdM Source: SURFnet Identity Management Maturity Scan http://www.surfnet.nl/ IGI Group http://www.igi.nl/

18 David Groep Nikhef Amsterdam PDP & Grid To be trustworthy, each IdP in a federation should address the basic requirements for trusted identity and attributes Basically, this is ◦ addressing the topics listed in the AP by the IGTF ◦ user education and validation ◦ organisational ‘culture’ and a bit of policy and technical expertise... At a random mid-size org...

19 David Groep Nikhef Amsterdam PDP & Grid ICT ◦ trustworthy IdP implies that users are familiar with the IdP, and use it for everyday work (so no separate login or system) ◦ when rolled out, gives usability advantages (less helpdesk calls) and better security enforcement (single kill switch) many services can be linked to SSO services (usually via LDAP) HR ◦ source of ‘validated’ ID attributes (registry) ◦ likely has existing practices to comply with privacy, data retention & protection, and legal issues Management ◦ buy-in to endorse policy and guarantee continuity Organisational elements

20 David Groep Nikhef Amsterdam PDP & Grid For mid-size org needed effort not very high ◦ once there is common intent and purpose can be done within ~ 6 months (not full-time), using OSS tooling Work items ◦ ensure buy-in ◦ write up a draft policy (using the AP template) ◦ set up ( LDAP -capable) directory service ◦ demonstrate some quick goodies: desktop login, link to no-policy test federation using simpleSAMLphp ◦ review the policy ◦ join the full federation and give goodies to users Join a federation with integrated IdM

21 David Groep Nikhef Amsterdam PDP & Grid Federation services as incentive and driving force for users and organisational systems such as email as incentive for both ICT (less support load, better controls) and users (single password)

22 David Groep Nikhef Amsterdam PDP & Grid Goodies gain momentum, then take the next step ◦ convert ‘critical’ systems, such a email, self-services (travel request, budgetting, timesheets,...) ◦ implement your account & password expiration policy in automated processes if that was not yet standing procedure (test first!) give reasonable grace period, say, 13 months ◦ start disabling services that are not SSO enabled The harder bits

23 David Groep Nikhef Amsterdam PDP & Grid Used IGTF Authentication Profile template Missing elements related to user management ◦ need for data protection and attribute release policies ◦ additional user obligations (e.g. password changing) ◦ expiration controls ◦ differentiate between suspension and expiration ◦ you cannot ‘delete’ users (must keep the key identifier) In section 3 (identity vetting) added ‘hardship clause’ – helps ease pain of policy faults by limited override Also Grid AUP and Site Ops Policy have useful elements Be prepared to disclose the policy – publicly, AFAIAC! So: What About the Policy?

24 David Groep Nikhef Amsterdam PDP & Grid Organisational interest in proper registration as a side- effect of the IdM introduction ◦ ICT services are typically the main thing people (grad students, guests, visiting researchers) need – so they want to have these and will go a long way to pester people. Alongside with a room key ◦ Other services (registration in a phone directory, a web picture galery, room allocation system, insurance) for the applicant have lower priority ◦ By linking the systems, overall quality improved:  guests/students pester IT for an account, who redirects to HR. The applicant will keep on top of it and helps ensure consistency  HR wants a complete registration, e.g. for insurance purposes, and has an interest in processing the application Side effects of linking the IdM

25 David Groep Nikhef Amsterdam PDP & Grid Policy document – you really must have one ◦ as high level as possible (no frequent change), but... ◦ enough to assess compliance with popular services (in federation and elsewhere) Separate out your documents ◦ practices and implementation from policy ◦ attribute listing for data protection purposes in separate document – however, will need re-approval Explain intent, not only practices, to help desk Some lessons learnt

26 David Groep Nikhef Amsterdam PDP & Grid web-SSO federations have matured integration of ‘high-value grid’ & web federation now becomes reality... so from now on... Significant benefits for grid & more federation peers and CAs rely on and trust home institutes to manage their users properly so that in Grid we may trust large, complex orgs: integration with existing ERP system mid-size: try it yourself, with policy templates and SSO tools

Download ppt "David Groep Nikhef Amsterdam PDP & Grid In Grid We Trust New authentication mechanisms and their impact on trust relationships at the home organisation."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.

1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.

Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, 01-03 October 2002 Marco Casassa Mont Richard.

Trusted Systems Laboratory Hewlett-Packard Laboratories Bristol, UK InfraSec 2002 InfraSec 2002 Bristol, October 2002 Marco Casassa Mont Richard.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Similar presentations

Ads by Google