Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure.

Published byGavin Wheeler Modified over 8 years ago

Similar presentations

Presentation on theme: "David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure."— Presentation transcript:

1 David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure services ISGC2014 David Groep This work is supported by EGI-InSPIRE under NA2 for Global Task O-E-15 and by the Dutch National e-Infrastructure coordinated by SURFsara davidg@nikhef.nl, orcid.org/0000-0003-1026-6606http://dx.doi.org/10.6084/m9.figshare.XXXXXX

2 David Groep Nikhef Amsterdam PDP & Grid Why Do We Trust? Goals single registration for access to many resources with multiple sources of ‘interesting’ trust assertions: user, institute, trusted third parties, communities to provide basis for access control by resources providers in a secure, operationally stable, and available way Reduce over-all burden by adhering to common policy criteria

3 David Groep Nikhef Amsterdam PDP & Grid Participants Many participants contribute to access control with trustworthy identity and attributes decision rests with the resource … service, site, &c …

4 Requirements to fulfil Incident Response long-term* traceable independent from short-lived community must be revocable correlate with other information sources banning and containment handle Privacy and data protection important ‘unalienable right’ for research correlation of PII among service providers could allow profiling exchange of PII often fraught with issues Measurement and Accounting publication metrics usage metering, billing auditing and compliance monitoring identity lives in a policy ecosystem to protect all participants commensurate to their risk level Access Control Attribute handle unique binding never re-assigned Regulatory compliance need to know who you let in beforehand

5 David Groep Nikhef Amsterdam PDP & Grid Whom do we ~ trust? community today often either uses identity from identity authorities (e.g. most EGI VOs) might also be a merger of local user knowledge (e.g. PRACE) resource owners grant access based on both ID authorities directly and community membership which is based on the ID TTPs are typically IGTF classic, MICS and SLCS local knowledge (usually) overrides anything else

6 David Groep Nikhef Amsterdam PDP & Grid As resource owners in what identity do we trust? It has a ‘name’ Some sort of integrity protection (crypto) An assurer, who says the above is correct but ‘correct’ can mean different things and also ‘integrity protection’ can be different Trusted Identity? Name ‘Crypto’ - a watermark Assurer name

7 David Groep Nikhef Amsterdam PDP & Grid Most common levels IGTF Classic, MICS, SLCS Name is ‘reasonable representation’ verified against an official document (via a federated ID, in-person meeting, local representative, or notary) Crypto is usually RSA digital signatures Signed by a limited set of authorities, peer-reviewed and namespace-coordinated IGTF’s Classic, MICS and SLCS give ‘roughly equivalent’ assurance level Identity authorities in current e-Infrastructure Interoperable Global Trust Federation – www.igtf.net

8 Risk Action (app) based More constraint actions can lower need for identity LoA (J)SPG VO Portal policy did just that: 4 levels of actions Resource (value) based e.g. access to wireless network does not pose huge risks, so can live with a lower identity LoA (eduroam) Subject (ID/LoA) based Defined identity assurance level Includes Community-given LoA For given actions, resources, and acceptable residual risk, required ID assurance is a given ‘risk envelope’

9 David Groep Nikhef Amsterdam PDP & Grid Distributed IT infrastructures get more diverse Portals and SAAS Read-only data access, or transient data More (data) sharing between pre-trusted individuals or small groups Pre-vetted infrastructures (XSEDE, wLCG) Does a single level still suffice, or can we redistribute the responsibilities? Beyond a single level for Identity?

10 Example: user registration in PRACE site B site C site A LDAP user DB allowed User authz Review DB Project attributes user DB user DB Graphic: Vincent Rabbailler (IDRIS and PRACE) EUGridPMA Budapest 2013

11 IGTF Assurance Process Type and sensitivity of e-Infrastructure services drives the level of assurance required Security and assurance level set to be commensurate ◦ not overly high for ‘commodity’ resources ◦ not too low, as resource owners/providers otherwise start implementing additional controls on top of and over the common criteria ◦ defined in collaboration with resource providers ◦ using transparency and a peer review processes ◦ leveraging our own community organisation mechanisms

12 Trust Element Distribution Technical elements integrity of the roots of trust integrity of issuance process process incident response revocation capabilities key management credential management incident response Identity elements identifier management re-binding and revocation binding to entities traceability of entities emergency communications regular communications ‘rich’ attribute assertions correlating identifiers access control Verifiability & Response, mitigation, recovery IGTF Classic elements RP, Community elements

13 Until now, our e-Infrastructure used a single ‘level’ ◦ there are also well-known ‘government’ standards for LoA in the USA: OMB M-04-04 & NIST SP800-63, generalised: Kantara ◦ there is rough but not 1:1 correspondence between balanced needs of the providers and users and the Kantara LoA levels For your interest: Kantara Assurance Levels http://kantarainitiative.org/confluence/download/attachments/38371432/Kantara+IAF-1400-Service+Assessment+Criteria.pdf Trust in the assertions by resource and service providers is key

14 David Groep Nikhef Amsterdam PDP & Grid Cater for those use cases where ◦ the relying parties (VOs) already collect identity data ◦ this relying party data is authoritative and provides traceability ◦ the ‘identity’ component of the credential is not used through an authentication service that provides only ◦ persistent, non-reused identifiers ◦ traceability only at time of issuance ◦ naming be real, pseudonymous, or set by-the-user-and-usually-OK ◦ retains good security for issuance processes and systems and where the RP will have to take care of ◦ all ‘named’ identity vetting, naming and contact details ◦ subscribers changing name (often) when traceability is lost Differentiated LoA - Collaborative identity vetting

15 A new Identity Assurance Level Identity elements identifier management re-binding and revocation binding to entities traceability of entities emergency communications regular communications ‘rich’ attribute assertions correlating identifiers access control

16 IGTF Trust Structure Common criteria and model ◦ globally unique and persistent identifier provisioning ◦ not fully normative, but based on minimum requirements Trust is technology agnostic ◦ technology and assurance ‘profiles’ in the same trust fabric ◦ ‘classic’traditional public key infrastructure with near-realtime identity betting ◦ ‘MICS’dynamic ID provisioning leveraging federations ◦ ‘SLCS’on-demand short-lived token generation a basis for ‘arbitrary token’ services ◦ and now a new profile … … IOTA – Identifier-Only Trust Assurance For your interest: IGTF Authentication Profiles http://ww.igtf.net/

17 IGTF and other assurance levels my own personal classification of identity LoAs

18 David Groep Nikhef Amsterdam PDP & Grid Name is unique, but not ‘standard’ globally ◦ Some WebSSO federations on purpose don’t have one ◦ But you get a name, probably OK, maybe user-chosen Incident response participation by the CA ◦ a contact address for the home organisation ◦ and likely from the federation, maybe from the ‘UHO’ A up-to-13-months valid certificate ◦ Can keep same name later if there is an ID record ◦ But: name will change if the user moves institution A well-secured issuing process IOTA: what do you get? For now, you’ll get these mostly as certificates, but the level is technology agnostic and can be applied to X.509, OpenID Connect, WebSSO federations with SAML, &c

19 David Groep Nikhef Amsterdam PDP & Grid Prevent duplication of effort ◦ Should be easier for end-users to get ◦ They should feel ‘happier’ ◦ Less end-user support (for eligible users) More quick turn-around time registering ◦ Experience like TCS (MICS) or on-line Cas ◦ But for many more users (e.g. InCommon Basic) More flexibility assigning services to trust levels IOTA: what do you gain?

20 David Groep Nikhef Amsterdam PDP & Grid Identity assurance only as strong as back-end usually R&E federations (eduGAIN, InCommon) some are really weak on assurance, auditing and traceability, have user-editable content – or just decline incident response on purpose not many of these are setup to deal with OpSec! expect content of the IOTA credentials to be somewhat better than facebook, twitter or gmail But then they are much easier to get for users … Differentiated  Really Different!

21 David Groep Nikhef Amsterdam PDP & Grid … and since you know your users anyway Link IOTA credentials to pre-existing users you know yourself IOTA subject are persistent, unique and never re-issued to anyone else (so are good identifiers) … or it’s a ‘lower value resource’ to mitigate risk Know your own users

22 David Groep Nikhef Amsterdam PDP & Grid It remains critical that RPs acknowledge that the information contained in IOTA credentials in itself is insufficient to trace individuals, and that any traceability and contact requirements rest with the infrastructures (or collectives of users). Mixing IOTA-capable and more loosely managed assurance levels within the same service requires distinguishing capabilities and policy evaluation on the receiving end that can take combined decisions on authentication credential strength and community membership or attribute information, and it must be noted that most software in current production use is not capable of making this distinction. Assurance levels must not be mixed unless a risk assessment has been done. In Quasi-legalise …

23 David Groep Nikhef Amsterdam PDP & Grid Think before you Do ‘interesting’ interplay in mixed infrastructures It is not supported in software to distinguish users on resources that are part of two RP infrastructures with multiple VOs, i.e., one with and one without IOTA “For a Resource Provider participating in multiple infrastructures, the minimum acceptable LoA should be the lowest one that the resource provider is willing to accept for all its users and supported communities” So if you participate in a controlled infra with managed user database and one which has ‘loose’ registration procedures, you should stay at Classic, MICS & SLCS!

24 David Groep Nikhef Amsterdam PDP & Grid IOTA opens new possibilities for easier access Fits really well with current federations ◦ An InCommon Basic IOTA CA is coming ◦ Policy allows for a single service in e.g. eduGAIN a ‘WYSIWYG’ authority: the name is never re-used, but it may not be who you think it is! Prevents duplication of effort and encourages more users, if you use it with your own user registration system … but read the fine-print before first use: https://www.igtf.net/ap/iota Summary

25 ?

Download ppt "David Groep Nikhef Amsterdam PDP & Grid Differentiated and Collaborative Assurance profiling the identity management landscape for diversifying e-Infrastructure."

Similar presentations

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Www.egi.eu EGI-InSPIRE RI-261323 EGI (IGTF Liaison Function) www.egi.eu EGI-InSPIRE RI-261323 The IGTF IOTA Profile towards differentiated assurance levels.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI The IGTF IOTA Profile towards differentiated assurance levels.
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.

David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Portals and Authentication Issues and Solution Directions from a CA and IGTF Perspective David.

INFSO-RI Enabling Grids for E-sciencE Portals and Authentication Issues and Solution Directions from a CA and IGTF Perspective David.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam 2005-10-17 Milan Sova CESNET.

NRENs supporting Grids using current Grid technology TERENA NREN-GRID Workshop Amsterdam Milan Sova CESNET.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI-261323,

David Groep EUGridPMA The International Grid Trust Federation enabling an interoperable global trust fabric also supported by EGI.eu EGI-InSPIRE RI ,
\ 2008-11-13Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.

\ Grid Security and Authentication1. David Groep Physics Data Processing group Nikhef.
Geneva, Switzerland, 15-16 September 2014 Introduction of ISO/IEC 29003 Identity Proofing Patrick Curry Director, British Business Federation Authority.

Geneva, Switzerland, September 2014 Introduction of ISO/IEC Identity Proofing Patrick Curry Director, British Business Federation Authority.
IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.

IOTA Questions for RPs Sept 9, 2013 Bucharest, Romania.
LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.

LiveAP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure SURFsara, and EGI.eu O-E-15 and EGI-InSPIRE.
Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.

Identity Management Levels of Assurance WLCG GDB CERN, 8 Apr 2009 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.

Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Similar presentations

Ads by Google