Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014.

Slides:

Advertisements

Similar presentations

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Advertisements

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI CF, FIM workshop 11 Apr 2013.

WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

7 th FIM 4 R meeting April 2014 ESRIN Frascati.

EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

Additional Services: Security and IPv6 David Kelsey STFC-RAL.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI SPG future work EGI Technical Forum Lyon, 21 Sep 2011 David Kelsey, STFC/RAL.

EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.

Federated Identity Management for Scientific Collaborations The Common Vision David Kelsey (STFC) 3 Nov 2011.

JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.

David Groep Nikhef Amsterdam PDP & Grid Bring the WLCG federation Home Extending your trust options beyond bottom-up identity by collaborating with global.

Leveraging Campus Authentication to Access the TeraGrid Scott Lathrop, Argonne National Lab Tom Barton, U Chicago.

David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.

Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.

Authentication and Authorisation for Research and Collaboration Licia Florio AARC CORBEL Workshop The AARC Project Paris, 31 May.

PRACE security Jules Wolfrat, SURFsara, The Netherlands April 25, 2013, EGI CSIRT meeting, Linköping, Sweden 10 May Montpellier.

Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.

Cloud Security Session: Introduction 25 Sep 2014Cloud Security, Kelsey1 David Kelsey (STFC-RAL) EGI-Geant Symposium Amsterdam 25 Sep 2014.

Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL

SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.

Welcome to 11th FIM4R 11th Meeting, Montréal September 2017

WISE Information Security for Collaborating E-Infrastructures

WISE 2016 WISE: a global trust community where security experts share information and work together, creating collaboration among different e- infrastructures.

David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017

The Policy Puzzle Many groups and (proposed) policies, but leaving many open issues AARC “NA3” is tackling a sub-set of these “Levels of Assurance” –

Bring the WLCG federation Home

David Kelsey STFC-RAL 2nd WISE workshop, XSEDE16, Miami 18 July 2016

Federated Identity Management for Researchers (FIM4R)

EGI Security Policy Update

GÉANT 4-2 JRA3 T1 Something with Federations and Campus VC

Update on FIM4R David Kelsey

Incident Response Hannah Short Sirtfi and Beyond

Incident Response for Federated Identities

Federated Identity Management for Scientific Collaborations

The AARC Project Licia Florio (GÉANT) Christos Kanellopoulos (GRNET)

The AARC Project Licia Florio AARC Coordinator GÉANT

Policy in harmony: our best practice

Policy and Best Practice … in practice

OIDC Federation for Infrastructures

Updated (VO) Community Security Policies

Supporting communities with harmonized policy

EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.

OIDC Federation for Infrastructures

David Kelsey (STFC-RAL)

WP3: Policy and Best Practice Harmonisation

David Groep for the entire AARC Policy Team I2TechEX18 meeting

WISE Information Security for collaborating e-Infrastructures David Kelsey (STFC-RAL, UK Research and Innovation) ISGC2019, Taipei, 2 April 2019 In collaboration.

Tom Barton (WG Chair) University of Chicago and Internet2

Baseline Expectations for Trust in Federation

WISE, SCI & policy templates David Kelsey (STFC-RAL, UK Research and Innovation) FIM4R & TIIME, Vienna, 11 February 2019.

Presentation transcript:

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014

Outline Input FIM4R requirements TNC2014 BoF – Romain Wartel Security for Collaborating Infrastructures (SCI) Sir-T-Fi 1 st meeting - 18 June 2014 Mail list, wiki, document 2 nd F2F meeting this week – Friday morning 26 Oct 14SIRTFI, Kelsey2

Federated IdM for Research (FIM4R) Includes photon & neutron facilities, social science & humanities, high energy physics, climate science, life sciences and ESA Aim: define common vision, requirements and best practices Vision and requirements paper published 26 Oct 14SIRTFI, Kelsey3

FIM4R paper Operational requirements include: Traceability. Identifying the cause of any security incident is essential for containment of its impact and to help prevent re-occurrence. The audit trail needs to include the federated IdPs. Appropriate Security Incident Response policies and procedures are required which need to include all IdPs and SPs. 26 Oct 14SIRTFI, Kelsey4

26 Oct 14SIRTFI, Kelsey5

26 Oct 14SIRTFI, Kelsey6

26 Oct 14SIRTFI, Kelsey7

26 Oct 14SIRTFI, Kelsey8

26 Oct 14SIRTFI, Kelsey9

Security for Collaborating Infrastructures (SCI) A collaborative activity of information security officers from large-scale infrastructures –EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, XSEDE, … Developed out of EGEE – security policy group We are developing a Trust framework –Enable interoperation (security teams) –Manage cross-infrastructure security risks –Develop policy standards –Especially where not able to share identical security policies Version 1 of SCI document 26 Oct 14SIRTFI, Kelsey10

SCI: areas addressed Operational Security Incident Response Traceability Participant Responsibilities –Individual users –Collections of users –Resource providers, service operators Legal issues and Management procedures Protection and processing of Personal Data/Personally Identifiable Information 26 Oct 14SIRTFI, Kelsey11

Sir-T-Fi – 1 st Meeting A Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) After discussions at TNC2014 Meeting at TERENA offices 18 th June –David Groep, Leif Johansson, Dave Kelsey, Leif Nixon, Romain Wartel –Remote: Tom Barton, Jim Basney, Jacob Farmer, Ann West –Apologies from Ann Harding, Von Welch, Scott Koranda, Licia Florio, Nicole Harris 26 Oct 14SIRTFI, Kelsey12

Meeting 18 th June Discussed general aims and thoughts –For now only address security incident response –Assurance profile to meet requirements on incident response –Needs to be light weight - IdPs self assert –Federation Operators act as conduits of information from IdP –Need a flag of compliance (for relying parties) In IdP metadata Could be per user –Use eduPersonAssurance or “SAMLAuthenticatonContextClassRef” in assertions from IdP First modifications to SCI document –Operational Security, Incident Response and Traceability 26 Oct 14SIRTFI, Kelsey13

Sir-T-Fi since June One phone/video meeting – 1 st Oct Mail list – Wiki Doc moved to Google Docs Document evolving –Make public once we have a reasonable first draft 26 Oct 14SIRTFI, Kelsey14

Some text from document Abstract The Sir-T-Fi group (Security Incident Response Trust Framework for Federated Identity) is a collaborative activity of information security professionals from national identity federations and distributed IT infrastructures in the research & education sector. Its aim is to simplify the management of cross-infrastructure operational security risks, to build trust and develop policy standards for collaboration in security incident response. 26 Oct 14SIRTFI, Kelsey15

Example Text (2) Security Incident Response Each Claims Processor must: [IR1] Provide security contact information who will respond in a timely manner according to current best practice, e.g. one working day. [IR2] Have an established Incident Response procedure. This must address: roles, authority, and responsibilities; identification and assessment of an incident; minimising damage, response and recovery strategies; [IR3] The ability and the willingness to collaborate in the handling of a security incident with affected Claims Processors; [IR4] Respect and should use the TLP (ref) information disclosure policy. 26 Oct 14SIRTFI, Kelsey16

Next steps Sir-T-Fi meeting on Friday morning –How do we encourage deployment ACAMP this week Input from others, e.g. source/technology/federated_security_incident_response.pdf EU H2020 AARC –Can provide test use cases Activity is very much open –People welcome to join –Ask Nicole Harris if you wish to join mail list 26 Oct 14SIRTFI, Kelsey17

Questions? 26 Oct 14SIRTFI, Kelsey18