Towards hamonized policies and best practices

Slides:



Advertisements
Similar presentations
David Groep Nikhef Amsterdam PDP & Grid Evolving Assurance – IGTF LoA generalisation David Groep Interoperable Global Trust Federation IGTF Documents at.
Advertisements

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.
Authentication and Authorisation for Research and Collaboration Christos Kanellopoulos Open Day Event: Towards the European Open.
Federated Identity Management for Scientific Collaborations The Common Vision David Kelsey (STFC) 3 Nov 2011.
David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.
Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014.
Building Trust for Research and Collaboration
Introduction to AAI Services
David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017
Boosting AAI for research and collaboration
RCauth.eu CILogon-like service in EGI and the EOSC
Cross-sector and user-centric AAI
The Policy Puzzle Many groups and (proposed) policies, but leaving many open issues AARC “NA3” is tackling a sub-set of these “Levels of Assurance” –
EGI Updates Check-in Matthew Viljoen – EGI Foundation
AARC Update What’s been happening in AARC which matters for GÉANT
Bring the WLCG federation Home
Policy and Best Practices … the Story So Far
eduTEAMS platform for collaboration Niels Van Dijk
Policy and Best Practice Harmonisation
David Kelsey STFC-RAL 2nd WISE workshop, XSEDE16, Miami 18 July 2016
Policy and Best Practices … the Story So Far
AAI Alignment Nicolas Liampotis (based on the work of Mikael Linden)
Federated Identity Management for Researchers (FIM4R)
Boosting AAI for research and collaboration
Updates on Training Andrea Biancini (AARC2.AHM)2 NA2 WP leader
Federated Identity Management for Scientific Collaborations
Bringing Harmonized Policy and Best Practice
The AARC Project Licia Florio AARC Coordinator GÉANT
Minimal Level of Assurance (LoA)
GÉANT 4-2 JRA3 T1 and T2 Federations and Campus (CaFe) e-Infrastructures and Service Providers (RASP) Daniela Pöhn JRA3 T1 LRZ/DFN-AAI Technology Exchange.
Frameworks for harmonized policies and practices
Policy in harmony: our best practice
Policy and Best Practice Harmonisation (‘NA3’)
Leveraging the IGTF authentication fabric for research
Leveraging the IGTF authentication fabric for research
Thursday pilot session: 7-minutes
Towards hamonized policies and best practices
Policy and Best Practice … in practice
WP3: Policy and Best Practice Harmonisation
AARC Athens AHM meeting – NA3 session
OIDC Federation for Infrastructures
Updated (VO) Community Security Policies
Update - Security Policies
AARC Blueprint Architecture and Pilots
Supporting communities with harmonized policy
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
OIDC Federation for Infrastructures
AARC2 JRA1 Update Nicolas Liampotis
RCauth.eu CILogon-like service in EGI and the EOSC
WP3: Policy and Best Practice Harmonisation
David Groep for the entire AARC Policy Team I2TechEX18 meeting
EUGridPMA Status and Current Trends and some IGTF topics August 2018 APGridPMA Auckland Meeting David Groep, Nikhef & EUGridPMA.
Community AAI with Check-In
David Groep for the entire AARC Policy Team AARC2 AHM4 meeting
AAI in EGI Status and Evolution
Baseline Expectations for Trust in Federation
Federated Incident Response
WISE, SCI & policy templates David Kelsey (STFC-RAL, UK Research and Innovation) FIM4R & TIIME, Vienna, 11 February 2019.
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

Towards hamonized policies and best practices The Story So Far … David Groep NA3 Coordinator Dutch National Institute for sub-atomic Physics Nikhef AARC2 AHM2 Amsterdam meeting November 2017

A tour of the policy space in AARC2 Baseline Assurance known individual Password authenticator Documented vetting Persistent identifiers Self-assessment Fresh status attribute few unalienable expectations by research and collaborative services ‘low-risk’ use cases generic e-Infrastructure services access to common compute and data services that do not hold sensitive personal data protection of sensitive resources access to data of real people, where positive ID of researchers and 2-factor authentication is needed Slice includes: assumed ID vetting ‘Kantara LoA2’, ‘eIDAS low’, or ‘IGTF BIRCH’ Affiliation freshness better than 1 month Good entropy passwords Verified ID vetting ‘eIDAS substantial’, ‘Kantara LoA3’ Multi-factor authenticator supporting the Researchers & Community Operational Security bulk model 167 entities Engagement and Harmonisation supporting policies for Infrastructures 2

Operational Security – we’re all in it together! In the past 2 years, we managed to address security coordination for the federations, IdPs, and the e-Infrastructure collective services … … but everyone needs to be involved, globally!  User Attribute Service operations security Integrity and trust for the SP-IdP-Proxies Link security hubs (eduGAIN Support Desk, eInfra CSIRTs) to community capabilities  Promote trust groups and their expansion to effectively cover the eduGAIN network Define reference templates on how incident notifications should be conveyed Encourage endorsement by global standards bodies and communities 

Sirtfi – its working, but the need for propaganda remains! Relevant qualities to Infrastructures: 293 IdPs support R&S 188 IdPs from 18 feds support Sirtfi only 63 IdPs (from 17 feds) support both … Compare with SP adoption of DPCoCo: 129 from 16 feds R&S service: 75 from 11 feds … both DPCoCo and R&S SPs: 75 from 11 feds Sirtfi SPs: 13 from 8 feds All entities 4327 IdPs 2570 SPs 1763 Are our researchers only in the overlap of both? Can we do better with a dedicated registry? data: technical.edugain.org

Incident response process evolution in federations – beyond this first step Solution Stronger role for federation operators, as they are known to both SPs and IdPs Add hub capability centrally (@ eduGAIN) Challenges IdP appears outside the service’ security mandate Lack of contact, or lack of trust in IdP which is an unknown party IdP fails to inform other affected SPs, for fear of leaking data or reputation No established channels of communication

Helping out the providers – with service-centric harmonisation ˃ Traceability and accounting policy framework Compare models for comparing and considering equivalency of policies for traceability, accounting aggregation, and registration records retention in interfederation ˃ Explore the GDPR (2018) options for sharing of data on, and for, infrastructure usage Infrastructures need to share data, globally, but a scalable model will be community dependent ˃ Recommendations for Blueprint Architecture Elements with Snctfi Create the reference templates for SP-IdP-proxies, gateways, targeted credential repositories, &c

Three community models – three Recommendations? Global sharing in controlled communities appears attractive Uncertainly about requirements (governing body) and timing (> Mar 2018) are not helpful for adoption today … just yet Ongoing work: text needs to allow for (community) attribute authorities GDPR-style Code of Conduct – a new way from May 2018 Only works for tightly and ‘legal document’ controlled communities Puts legal and contract onus on the SP-IdP Proxy (as per our Blueprint) Research and Collaboration lack both mechanism and time to do this Model Clauses Note that this is not formally BCR, so requires acceptance of some risk Collaborations (e.g. based around Snctfi) with control mechanisms benefit “Say what you do, and do as you say” – transparency and openness is our real benefit towards the person whose data is being handled BCR-inspired model (“Binding Corporate Rules”-like)

Snctfi: aiding Infrastructures achieve policy coherency  allow SPIdP Proxies to assert ‘qualities’, categories, based on assessable trust  Develop recommendations for an Infrastructure’s coherent policy set Snctfi Scalable Negotiator for a Community Trust Framework in Federated Infrastructures Derived from SCI, the framework on Security for Collaboration among Infrastructures Complements Sirtfi with requirements on internal consistent policy sets for Infrastructures Aids Infrastructures to assert existing categories to IdPs: REFEDS R&S, Sirtfi, DPCoCo, … See FIM4R presentation by David Kelsey! Graphics inset: Ann Harding and Lukas Hammerle, GEANT and SWITCH

Snctfi infrastructure requirements, a summary State common security requirements: AAI, security, incident and vulnerability handling Ensure constituents comply: through MoUs, SLA, OLA, policies, or even contracts, &c Operational Security Awareness: users and communities need to know there are policies Have an AUP covering the usual Community registration and membership should be managed Have a way of identifying both individuals and communities Define the common aims and purposes (that really helps for data protection …) User Responsibilities Have a data protection policy that binds the infrastructure together, e.g. AARCs recommendations or DP CoCo Make sure every ‘back-end’ provider has a visible and accessible Privacy Policy Protection and Processing of Personal Data https://igtf.net/snctfi

Evolving the Policy Development Kit for communities around Snctfi … https://wiki.geant.org/display/AARC/Policy+Engagement+and+Coordination

Everything meshed together … look for your favourite loop … & and many more hubs and bridges, apologies if your logo is not here …

Ease the flow across infrastructures – targeting users & communities! ˃ Identify and support commonality between acceptable use policies (AUPs) So that a user that signed one of them need not be bothered again – and still move across silos Remember the Taipei Accord: WLCG, EGI, PRACE, OSG, XSEDE share an understanding and accept each other’s AUP as sufficient ˃ Enhance the Authentication Assurance Profiles Get the new Profiles accepted and deployed for all target groups Authenticating for access to biomedical and human-related data Implementing verified identity vetting in the GDPR era Making the baseline a real baseline, and Cappuccino a common occurrence ˃ Define a model for community attribute management and provisioning Reference practices for communities setting up their membership and attribute services So that the community is always in control, and the services can rely on that

We will need your input today! Operational Security and Incident Response Evolve beyond Sirtfi: towards automated sharing and response resolution through trust : grouping of trust models, with and through the Infrasturtcures Cross-domain trust groups spanning Infrastructures & eduGAIN Support Desk to aid resolution Service-centric policies Adoption of Snctfi, harmonizing policies in composite and multi-role (‘stacked’) infrastructures GDPR and TF-DPR impact on accounting, and accounting in complex communities (access control to accounting data) e-Researcher-Centric Policies Beyond Espresso: review complex Assurance Profile cases – in light of the GDPR and beyond Align practices for (self-hosted and managed) communities, baseline AUP Align attribute management practices & provenance for self-hosting and managed communities Policy Development Engagement and Coordination Guidance for communities: policy development and engagement ‘kit’ – via existing WISE, IGTF, & FIM4R SCIv3: aligning Snctfi, Sirtfi, and Recommendations

Policy Working Session this afternoon Sirtfi training, FAQ, and a registry Smoothing incident information exchange through technology Accounting data sharing within complex communities GDPR … and keeping users informed Policy alignment and the AUP development process Assurance needs and validation Policy development kit needs and engagement process Assurance alignment – linking the JRA1 and NA3 work on assurance 20 min Hannah 20 min Uros 30 min DaveK Later this week

davidg@nikhef.nl

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.