Federated Incident Response

Slides:



Advertisements
Similar presentations
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
Advertisements

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Questionnaires to Cloud technology providers and sites Linda Cornwall, STFC,
Authentication and Authorisation for Research and Collaboration Licia Florio AARC CORBEL Workshop The AARC Project Paris, 31 May.
Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Cloud Security Session: Introduction 25 Sep 2014Cloud Security, Kelsey1 David Kelsey (STFC-RAL) EGI-Geant Symposium Amsterdam 25 Sep 2014.
Security in the wider world David Kelsey (STFC-RAL) GridPP37 – Ambleside 2 Sep 2016.
SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.
Building Trust for Research and Collaboration
WISE Information Security for Collaborating E-Infrastructures
Introduction to AAI Services
WLCG Update Hannah Short, CERN Computer Security.
WISE 2016 WISE: a global trust community where security experts share information and work together, creating collaboration among different e- infrastructures.
David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017
Boosting AAI for research and collaboration
RCauth.eu CILogon-like service in EGI and the EOSC
Cross-sector and user-centric AAI
WISE 2017 Collaborating Communities
Mechanisms of Interfederation
AARC Update What’s been happening in AARC which matters for GÉANT
Policy and Best Practices … the Story So Far
David Kelsey STFC-RAL 2nd WISE workshop, XSEDE16, Miami 18 July 2016
AARC Strategy and Approach
Policy and Best Practices … the Story So Far
Are you ready for a federated security incident?
Boosting AAI for research and collaboration
Incident Response Hannah Short Sirtfi and Beyond
Incident Response for Federated Identities
Federated Identity Management for Scientific Collaborations
Bringing Harmonized Policy and Best Practice
Towards hamonized policies and best practices
The AARC Project Licia Florio (GÉANT) Christos Kanellopoulos (GRNET)
The AARC Project Licia Florio AARC Coordinator GÉANT
Minimal Level of Assurance (LoA)
Frameworks for harmonized policies and practices
Policy in harmony: our best practice
Leveraging the IGTF authentication fabric for research
Leveraging the IGTF authentication fabric for research
Towards hamonized policies and best practices
Policy and Best Practice … in practice
AARC Athens AHM meeting – NA3 session
Meeting summary Licia Florio
Updated (VO) Community Security Policies
Update - Security Policies
AARC Blueprint Architecture and Pilots
Supporting communities with harmonized policy
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
OIDC Federation for Infrastructures
AARC2 JRA1 Update Nicolas Liampotis
AAI Architectures – current and future
RCauth.eu CILogon-like service in EGI and the EOSC
David Kelsey (STFC-RAL)
WP3: Policy and Best Practice Harmonisation
David Groep for the entire AARC Policy Team I2TechEX18 meeting
David Groep for the entire AARC Policy Team AARC2 AHM4 meeting
AAI in EGI Status and Evolution
WISE Information Security for collaborating e-Infrastructures David Kelsey (STFC-RAL, UK Research and Innovation) ISGC2019, Taipei, 2 April 2019 In collaboration.
Tom Barton (WG Chair) University of Chicago and Internet2
UmbrellaID in the EOSC era ?
WP6 – EOSC integration J-F. Perrin (ILL) 15th Jan 2019
WISE, SCI & policy templates David Kelsey (STFC-RAL, UK Research and Innovation) FIM4R & TIIME, Vienna, 11 February 2019.
Future GridPP Security
Presentation transcript:

Federated Incident Response Authentication and Authorisation for Research and Collaboration David Groep (borrowing heavily from Hannah Short, CERN) Policy and Best Practice activity coordination Nikhef ISGC Security Workshop Taipei Mach 31, 2019 Security Workshop 2019 co-supported by EOSC-HUB

R&E federation and eduGAIN – what you may know already eduGAIN – many countries & economic regions with an R&E identity federation … yet incident response has to be global (since the miscreants certainly are ) … full of valuable resources (data, network, services) graphics sources: map technical.edugain.org; federation drawing: Hannah Short, CERN; Infrastructure logos: AARC Pilot use cases

But what appears trivial SP IdP SP notices suspicious jobs executed by a handful of users from an IdP Notifies IdP IdP identifies over 1000 compromised identities IdP identifies all SPs accessed Notifies SPs SP SP SP graphics source: Hannah Short, CERN

… may not be so … Small IdP may not have capability to block users, or trace their usage SP IdP SP notices suspicious jobs executed by a handful of users from an IdP Notifies IdP X IdP identifies over 1000 compromised identities ! IdP identifies all SPs accessed Large SP does not share details of compromise, for fear of damage to reputation ! X Notifies SPs X X SP SP No security contact details! ! SPs are not bound to abide by confidentiality protocol and disclose sensitive information ! SP graphics source: Hannah Short, CERN

A Security Incident Response Trust Framework – Sirtfi summary Require that a security incident response capability exists with sufficient authority to mitigate, contain the spread of, and remediate the effects of an incident. Operational Security Assure confidentiality of information exchanged Identify trusted contacts Guarantee a response during collaboration Incident Response Improve the usefulness of logs Ensure logs are kept in accordance with policy Traceability Confirm that end users are aware of an appropriate AUP Participant Responsibilities

Sirtfi today https://refeds.org/SIRTFI countries with at least one Sirtfi entity graphics source: AARC2 DNA3.2 Report on Incident Response in FIM; data: technical.edugain.org

Want to check? http://sirtfi.cern.ch/ graphics source: Hannah Short, CERN

Response: Prepare, Act, and Report Before the incident support and implement Sirtfi – see https://refeds.org/sirtfi infrastructure (proxies) should adopt interoperable policies - http://wise-community.org/sci/ identity federations should adopt common incident response procedures – through the new eduGAIN support function leverage templated emails to ensure proper information sharing – AARC-I051 establish communications channels in advance During an incident follow the latest procedures – from your infrastructure, federation, eduGAIN, or (NREN) CERT initial procedures available at https://aarc-project.eu/guidelines/aarc-i051/ https://wiki.geant.org/display/AARC/Operational+Security+and+Incident+Response

Exercising the processes with mock incidents IdP1 SP1 SP2 SP3 Federation2 Federation1 Federation4 Federation3 eduGAIN Identity1 from IdP1 accesses the 3 SPs   Informant notices malicious activity at SP1 and informs them Exercise date Report URL March 2018 Incident Simulation #1 Report https://aarc-project.eu/wp-content/uploads/2018/04/20180326-Incident-Simulation-Report.pdf November 2018 Incident Simulation #2 Report https://aarc-project.eu/wp-content/uploads/2018/11/Incident-Response-Test-Model-for-Organisations-Simulation-2.pdf

AARC-I051 – the current best practice (and evolution)

How to be effective during an incident? AARC-I051 – https://aarc-project.eu/guidelines/aarc-i051/

Summary and what to do today (OK: and also tomorrow …) Prepare support and implement Sirtfi - https://refeds.org/sirtfi adopt interoperable policies - http://wise-community.org/sci/ adopt common incident response procedures – AARC-I051 leverage templated emails for proper information sharing establish communications channels in advance and be plugged-in … share, with the support of your infrastructure CERT/CSIRT teams Access to security contacts Access to threat intelligence Access to vulnerability reports Access to expertise for advanced incident investigation, e.g. forensics Fostering of trust between members Trusted Introducer eduGAIN security nren-CERT EGI-CSIRT REN-ISAC FIRST

davidg@nikhef.nl Planned progress on “SCC Coordination” More exercises, coordinated via WISE Improve available tooling Promote sharing of trust resulting from exercises davidg@nikhef.nl

Shameless plug: WISE & SIGISM Kaunas meeting WISE SCCC WG Shameless plug: WISE & SIGISM Kaunas meeting https://wise-community.org/events/ https://eventr.geant.org/events/3044

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.