Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Published byCoral Mills Modified over 8 years ago

Similar presentations

Presentation on theme: "Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015."— Presentation transcript:

1 Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015

2 Reminder - FIM4R paper Operational requirements include: Traceability. Identifying the cause of any security incident is essential for containment of its impact and to help prevent re-occurrence. The audit trail needs to include the federated IdPs. Appropriate Security Incident Response policies and procedures are required which need to include all IdPs and SPs. 4 Feb 15Sirtfi at FIM4R, Kelsey2

3 More background 7 th FIM4R (ESRIN meeting, April 2014) –Intense discussion on operational security Incident response needed for production services Action: Romain/Dave to compose and propose a draft document (building on work of SCI) –In collaboration with Géant/eduGAIN (Leif Nixon/Leif Johansson) the FIM4R community shall give feedback and eventually endorse document Birth of “Sirtfi” –Security Incident Response Trust framework for Federated Identity 4 Feb 15Sirtfi at FIM4R, Kelsey3

4 4 Feb 15Sirtfi at FIM4R, Kelsey4

5 4 Feb 15Sirtfi at FIM4R, Kelsey5

6 4 Feb 15Sirtfi at FIM4R, Kelsey6

7 Security for Collaborating Infrastructures (SCI) A collaborative activity of information security officers from large-scale infrastructures –EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, XSEDE, … Developed out of EGEE – security policy group We are developing a Trust framework –Enable interoperation (security teams) –Manage cross-infrastructure security risks –Develop policy standards –Especially where not able to share identical security policies Version 1 of SCI document http://pos.sissa.it/archive/conferences/179/011/ISGC%202013_011.pdf 4 Feb 15Sirtfi at FIM4R, Kelsey7

8 SCI: areas addressed Operational Security Incident Response Traceability Participant Responsibilities –Individual users –Collections of users –Resource providers, service operators Legal issues and Management procedures Protection and processing of Personal Data/Personally Identifiable Information 4 Feb 15Sirtfi at FIM4R, Kelsey8

9 Sirtfi – 1 st Meeting A Security Incident Response Trust Framework for Federated Identity After TNC2014 (Dublin) BoF session Meeting at TERENA offices 18 th June 2014 –David Groep, Leif Johansson, Dave Kelsey, Leif Nixon, Romain Wartel –Remote: Tom Barton, Jim Basney, Jacob Farmer, Ann West –Apologies from Ann Harding, Von Welch, Scott Koranda, Licia Florio, Nicole Harris 4 Feb 15Sirtfi at FIM4R, Kelsey9

10 Meeting 18 th June Discussed general aims and thoughts –For now only address security incident response –Assurance profile to meet requirements on incident response –Needs to be light weight - IdPs self assert –Federation Operators act as conduits of information from IdP –Need a flag of compliance (for relying parties) In IdP metadata Could be per user –Use eduPersonAssurance or “SAMLAuthenticatonContextClassRef” in assertions from IdP First modifications to SCI document –Operational Security, Incident Response and Traceability 4 Feb 15Sirtfi at FIM4R, Kelsey10

11 Sirtfi since June Video meeting – 1 st Oct 2014 F2F meeting after Internet2/Esnet TechX 31 Oct Another video meeting – 29 th Jan 2015 Mail list – sirtfi@terena.org Wiki https://refeds.terena.org/index.php/SIRTFI Doc moved to Google Docs and simplified Document evolving (now V1.8) – see agenda –Make public once we have a reasonable first draft 4 Feb 15Sirtfi at FIM4R, Kelsey11

12 Some text Sirtfi document Abstract This document identifies practices and attributes of organizations that may facilitate their participation in a trust framework called Sirtfi purposed to enable coordination of security incident response across federated organizations Audience This document is intended for use by the personnel responsible for operational security at Identity Providers and Service Providers, and by Federation Operators who may facilitate its adoption by their member organizations 4 Feb 15Sirtfi at FIM4R, Kelsey12

13 Introduction (Sirtfi) Sirtfi trust framework aims to enable a coordinated response to a security incident in a federated context does not depend on a centralised authority or governance structure to assign roles and responsibilities The document defines a set of capabilities and roles associated with security incident response that an IdP or SP organisation self-asserts The Sirtfi trust framework posits that organisations asserting conformance with these will coordinate their response to security incidents using processes to be defined elsewhere 4 Feb 15Sirtfi at FIM4R, Kelsey13

14 Example Text Security Incident Response ● [IR1] Provide security incident response contact information following a process to be defined elsewhere. ● [IR2] Respond to requests for assistance with a security incident from other organisations participating in the Sirtfi trust framework in a timely manner. ● [IR3] Be able and willing to collaborate in the management of a security incident with affected organisations that participate in the Sirtfi trust framework. ● [IR4] Follow security incident response procedures established for the organisation. ● [IR5] Respect user privacy as determined by the organisations policies or legal counsel. ● [IR6] Respect and use the Traffic Light Protocol information disclosure policy. 4 Feb 15Sirtfi at FIM4R, Kelsey14

15 Current discussion Does Sirtfi require IdPs (and SPs) to inform others of a compromised user account that has been used in the trust framework? Two views –Yes, it should do in the Sirtfi document –No, this is covered by procedures developed elsewhere 4 Feb 15Sirtfi at FIM4R, Kelsey15

16 Sirtfi & Notification? To build on Sirtfi we need (one proposal) –(1) tools/infrastructure to securely share IR data –(2) an IdP-specific IR process that incorporates contacting federated SPs at appropriate times –(3) some form of starting point from the federation or Sirtfi that gives shape to (2). From this perspective, Sirtfi is step (0), making it possible that some good might be accomplished by implementing (1) and (2) 4 Feb 15Sirtfi at FIM4R, Kelsey16

17 Next steps Sirtfi – to sort out the notification requirement and then produce a public “version 1” document Seek wider discussion and feedback from FIM4R and REFEDS To date we have excellent participation from USA (InCommon) –We now need more input from Europe EU H2020 AARC –Can provide test use cases Start work on developing the related IR procedures 4 Feb 15Sirtfi at FIM4R, Kelsey17

18 Activity is very much open –People welcome to join –Tell me, if you wish to join the activity Questions? 4 Feb 15Sirtfi at FIM4R, Kelsey18

Download ppt "Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015."

Similar presentations

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.

Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI CF, FIM workshop 11 Apr 2013.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI CF, FIM workshop 11 Apr 2013.
WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.

WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.
Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL

Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
7 th FIM 4 R meeting 23-24 April 2014 ESRIN Frascati.

7 th FIM 4 R meeting April 2014 ESRIN Frascati.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Similar presentations

Ads by Google