Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Slides:



Advertisements
Similar presentations
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
Advertisements

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
BoF: Federated Identity Management for Researchers David Kelsey (STFC-RAL) TNC2014, Dublin 20 May 2014.
AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI CF, FIM workshop 11 Apr 2013.
WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.
Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
7 th FIM 4 R meeting April 2014 ESRIN Frascati.
EResearchers Requirements the IGTF model of interoperable global trust and with a view towards FIM4R AAI Workshop Presenter: David Groep, Nikhef.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
Authentication and Authorisation for Research and Collaboration Licia Florio AARC Workshop The AARC Project Brussels, 26 October.
Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Milan And mechanisms NA3 Task 4 – Scalable.
AuEduPerson Schema Schema Derived from: - eduPerson - person [RFC 4517, RFC 4519] - organizationalPerson [RFC 4517, RFC 4519] - inetOrgPerson [RFC 2798]
Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.
A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.
A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
Additional Services: Security and IPv6 David Kelsey STFC-RAL.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI SPG future work EGI Technical Forum Lyon, 21 Sep 2011 David Kelsey, STFC/RAL.
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
Federated Identity Management for Scientific Collaborations The Common Vision David Kelsey (STFC) 3 Nov 2011.
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.
INFSO-RI Enabling Grids for E-sciencE Joint Security Policy Group David Kelsey, CCLRC/RAL, UK 3 rd EGEE Project.
David Groep Nikhef Amsterdam PDP & Grid Bring the WLCG federation Home Extending your trust options beyond bottom-up identity by collaborating with global.
David Groep Nikhef Amsterdam PDP & Grid AARC Authentication and Authorisation for Research and Collaboration an impression of the road ahead.
Summary of Poznan EUGridPMA32 September EUGridPMA Poznan 2014 meeting – 2 David Groep – Welcome back at PSNC.
Networks ∙ Services ∙ People Licia Florio TNC, Lisbon Consuming identities across e- Infrastructures 16 June 2015 PDO GÈANT.
Authentication and Authorisation for Research and Collaboration David Kelsey AARC AHM Utrecht NA3 Task 4 – Scalable Policy Negotiation.
Cloud Security Session: Introduction 25 Sep 2014Cloud Security, Kelsey1 David Kelsey (STFC-RAL) EGI-Geant Symposium Amsterdam 25 Sep 2014.
Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL
SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014.
WISE Information Security for Collaborating E-Infrastructures
WISE 2016 WISE: a global trust community where security experts share information and work together, creating collaboration among different e- infrastructures.
David Kelsey STFC-RAL 4th WISE workshop, Nikhef 27 March 2017
Boosting AAI for research and collaboration
The Policy Puzzle Many groups and (proposed) policies, but leaving many open issues AARC “NA3” is tackling a sub-set of these “Levels of Assurance” –
David Kelsey STFC-RAL 2nd WISE workshop, XSEDE16, Miami 18 July 2016
Federated Identity Management for Researchers (FIM4R)
EGI Security Policy Update
GÉANT 4-2 JRA3 T1 Something with Federations and Campus VC
Boosting AAI for research and collaboration
Federated Identity Management for Scientific Collaborations
The AARC Project Licia Florio (GÉANT) Christos Kanellopoulos (GRNET)
The AARC Project Licia Florio AARC Coordinator GÉANT
Policy in harmony: our best practice
Policy and Best Practice … in practice
Updated (VO) Community Security Policies
Update - Security Policies
AARC Blueprint Architecture and Pilots
Supporting communities with harmonized policy
EUGridPMA Status and Current Trends and some IGTF topics March 2018 APGridPMA ISGC Meeting David Groep, Nikhef & EUGridPMA.
OIDC Federation for Infrastructures
WISE Information Security for collaborating e-Infrastructures David Kelsey (STFC-RAL, UK Research and Innovation) ISGC2019, Taipei, 2 April 2019 In collaboration.
Tom Barton (WG Chair) University of Chicago and Internet2
Baseline Expectations for Trust in Federation
Federated Incident Response
WISE, SCI & policy templates David Kelsey (STFC-RAL, UK Research and Innovation) FIM4R & TIIME, Vienna, 11 February 2019.
Presentation transcript:

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015

Reminder - FIM4R paper Operational requirements include: Traceability. Identifying the cause of any security incident is essential for containment of its impact and to help prevent re-occurrence. The audit trail needs to include the federated IdPs. Appropriate Security Incident Response policies and procedures are required which need to include all IdPs and SPs. 4 Feb 15Sirtfi at FIM4R, Kelsey2

More background 7 th FIM4R (ESRIN meeting, April 2014) –Intense discussion on operational security Incident response needed for production services Action: Romain/Dave to compose and propose a draft document (building on work of SCI) –In collaboration with Géant/eduGAIN (Leif Nixon/Leif Johansson) the FIM4R community shall give feedback and eventually endorse document Birth of “Sirtfi” –Security Incident Response Trust framework for Federated Identity 4 Feb 15Sirtfi at FIM4R, Kelsey3

4 Feb 15Sirtfi at FIM4R, Kelsey4

4 Feb 15Sirtfi at FIM4R, Kelsey5

4 Feb 15Sirtfi at FIM4R, Kelsey6

Security for Collaborating Infrastructures (SCI) A collaborative activity of information security officers from large-scale infrastructures –EGI, OSG, PRACE, EUDAT, CHAIN, WLCG, XSEDE, … Developed out of EGEE – security policy group We are developing a Trust framework –Enable interoperation (security teams) –Manage cross-infrastructure security risks –Develop policy standards –Especially where not able to share identical security policies Version 1 of SCI document 4 Feb 15Sirtfi at FIM4R, Kelsey7

SCI: areas addressed Operational Security Incident Response Traceability Participant Responsibilities –Individual users –Collections of users –Resource providers, service operators Legal issues and Management procedures Protection and processing of Personal Data/Personally Identifiable Information 4 Feb 15Sirtfi at FIM4R, Kelsey8

Sirtfi – 1 st Meeting A Security Incident Response Trust Framework for Federated Identity After TNC2014 (Dublin) BoF session Meeting at TERENA offices 18 th June 2014 –David Groep, Leif Johansson, Dave Kelsey, Leif Nixon, Romain Wartel –Remote: Tom Barton, Jim Basney, Jacob Farmer, Ann West –Apologies from Ann Harding, Von Welch, Scott Koranda, Licia Florio, Nicole Harris 4 Feb 15Sirtfi at FIM4R, Kelsey9

Meeting 18 th June Discussed general aims and thoughts –For now only address security incident response –Assurance profile to meet requirements on incident response –Needs to be light weight - IdPs self assert –Federation Operators act as conduits of information from IdP –Need a flag of compliance (for relying parties) In IdP metadata Could be per user –Use eduPersonAssurance or “SAMLAuthenticatonContextClassRef” in assertions from IdP First modifications to SCI document –Operational Security, Incident Response and Traceability 4 Feb 15Sirtfi at FIM4R, Kelsey10

Sirtfi since June Video meeting – 1 st Oct 2014 F2F meeting after Internet2/Esnet TechX 31 Oct Another video meeting – 29 th Jan 2015 Mail list – Wiki Doc moved to Google Docs and simplified Document evolving (now V1.8) – see agenda –Make public once we have a reasonable first draft 4 Feb 15Sirtfi at FIM4R, Kelsey11

Some text Sirtfi document Abstract This document identifies practices and attributes of organizations that may facilitate their participation in a trust framework called Sirtfi purposed to enable coordination of security incident response across federated organizations Audience This document is intended for use by the personnel responsible for operational security at Identity Providers and Service Providers, and by Federation Operators who may facilitate its adoption by their member organizations 4 Feb 15Sirtfi at FIM4R, Kelsey12

Introduction (Sirtfi) Sirtfi trust framework aims to enable a coordinated response to a security incident in a federated context does not depend on a centralised authority or governance structure to assign roles and responsibilities The document defines a set of capabilities and roles associated with security incident response that an IdP or SP organisation self-asserts The Sirtfi trust framework posits that organisations asserting conformance with these will coordinate their response to security incidents using processes to be defined elsewhere 4 Feb 15Sirtfi at FIM4R, Kelsey13

Example Text Security Incident Response ● [IR1] Provide security incident response contact information following a process to be defined elsewhere. ● [IR2] Respond to requests for assistance with a security incident from other organisations participating in the Sirtfi trust framework in a timely manner. ● [IR3] Be able and willing to collaborate in the management of a security incident with affected organisations that participate in the Sirtfi trust framework. ● [IR4] Follow security incident response procedures established for the organisation. ● [IR5] Respect user privacy as determined by the organisations policies or legal counsel. ● [IR6] Respect and use the Traffic Light Protocol information disclosure policy. 4 Feb 15Sirtfi at FIM4R, Kelsey14

Current discussion Does Sirtfi require IdPs (and SPs) to inform others of a compromised user account that has been used in the trust framework? Two views –Yes, it should do in the Sirtfi document –No, this is covered by procedures developed elsewhere 4 Feb 15Sirtfi at FIM4R, Kelsey15

Sirtfi & Notification? To build on Sirtfi we need (one proposal) –(1) tools/infrastructure to securely share IR data –(2) an IdP-specific IR process that incorporates contacting federated SPs at appropriate times –(3) some form of starting point from the federation or Sirtfi that gives shape to (2). From this perspective, Sirtfi is step (0), making it possible that some good might be accomplished by implementing (1) and (2) 4 Feb 15Sirtfi at FIM4R, Kelsey16

Next steps Sirtfi – to sort out the notification requirement and then produce a public “version 1” document Seek wider discussion and feedback from FIM4R and REFEDS To date we have excellent participation from USA (InCommon) –We now need more input from Europe EU H2020 AARC –Can provide test use cases Start work on developing the related IR procedures 4 Feb 15Sirtfi at FIM4R, Kelsey17

Activity is very much open –People welcome to join –Tell me, if you wish to join the activity Questions? 4 Feb 15Sirtfi at FIM4R, Kelsey18

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.