Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incident Response for Federated Identities

Published byTimothy Ross Modified over 6 years ago

Similar presentations

Presentation on theme: "Incident Response for Federated Identities"— Presentation transcript:

1 Incident Response for Federated Identities
Authentication and Authorisation for Research and Collaboration Hannah Short AARC Computer Security, CERN EUGridPMA 19 September 2016

2 Security Incident Response in Distributed Infrastructures
Agenda Security Incident Response in Distributed Infrastructures The challenge of Federated Identity Management What can we do?

3 Security Incident Response in Distributed Infrastructures
Agenda Security Incident Response in Distributed Infrastructures The challenge of Federated Identity Management What can we do?

4 Security Incident Response in Distributed Infrastructures
Shared Policies Trust Operational Support

5 Shared Policies Written rules, and obligations
Clear basis for exclusion from infrastructure if not followed Reasonable likelihood that sites follow best practices in security

6 Operational Support Incident preparation and prevention - cascade advisories, IOCs, patches etc Coordinate incident response across multiple Sites Power to block problematic Sites & users

7 Trust Fundamentally, incident response is more successful when the individuals know and trust each other Online trust Consistent, trustworthy behaviour Voluntary collaboration Offline trust Key exchange Verification that you are a real person 

8 Security Incident Response in Distributed Infrastructures
Agenda Security Incident Response in Distributed Infrastructures The challenge of Federated Identity Management What can we do?

9 Federated Identity Management Worldwide What is a Federation?
Federated Identity Mangement (FIM) is the concept of groups of Service Providers (SPs) and Identity Providers (IdPs) agreeing to interoperate under a set of policies. Federations are typically established nationally and use the SAML2 protocol for information exchange Each entity within the federation is described by metadata

10 Federated Identity Management Worldwide eduGAIN
eduGAIN is a form of interfederation Participating federations share information (metadata) about entities from their own federation with eduGAIN eduGAIN bundles this metadata and publishes it in a central location. eduGAIN aggregates metadata from participating federations (metadata service). This aggregate is consumed by all participating federations, such that Identity Providers and Service Providers can find each other. Technically, this aggregate works as follows: 'export metadata aggregate’, eduGAIN aggregate, Each participating federation produces a so called 'export metadata aggregate'; a file that contains the metadata of local Identity Providers and Service Providers that participate in eduGAIN. Note that this is often a subset of all Identity Providers and Service Providers from that federation. eduGAIN combines all export metadata aggregates and generates an "eduGAIN aggregate"; a file that combines all metadata from all participating federations. This eduGAIN aggregate is signed by eduGAIN and published on the internet, thereby making it available to all participating federations. Each participating federation must consume this eduGAIN aggregate and supply it to their local Identity Providers and Service Providers. Credit to Alessandra Scicchitano – GEANT for this slide

11 Federated Identity Management Worldwide eduGAIN adoption
eduGAIN Stats Federations: 38 All entities: 3157 IdPs: 2007 SPs: 1151 Credit to eduGAIN, data taken March 2016

12 Security Incident Response in Distributed Infrastructures
Shared Policies Trust Operational Support

13 The challenge of Federated Identity Management
Shared Policies Trust Operational Support EduGAIN membership includes 4 policies… Security Incident Response is not one We have no insight into security practices of each participant Collaboration between IdPs and SPs is essential to build full incident timeline – they have no obligation to collaborate

14 The challenge of Federated Identity Management
Shared Policies Trust Operational Support EduGAIN has no central help desk Few national federations offer central security support No way to block an identity, IdP, or federation everywhere and immediately

15 The challenge of Federated Identity Management
Shared Policies Trust Operational Support Security is often not priority (or even in skillset) of engaged FIM participants Simply too big…

16 2037 IdPs 1197 SPs Potential targets
Potential sources of compromised identities 1197 SPs Potential targets

17 Security Incident Response in Distributed Infrastructures
Agenda Security Incident Response in Distributed Infrastructures The challenge of Federated Identity Management What can we do?

18 All I need is one identity…
What can we do? All I need is one identity… Federation 3 Federation 1 Federation 2 SP IdP Clearly an inviting vector of attack… luckily, this was noticed several years ago!

19 Beginnings Issues of IdM raised by IT leaders from EIROforum labs (Jan 2011) CERN, EFDA-JET, EMBL, ESA, ESO, ESRF, European XFEL and ILL These laboratories, as well as national and regional research organizations, face similar challenges Prepared a paper that documents common requirements “Security procedures and incident response would need to be reviewed. Today, each resource provider is for example responsible for terminating access by known compromised identities. With identity federation, this responsibility will be shifted to the IdP though resource providers will insist on the ability to revoke access.” “Such an identity federation in the High Energy Physics (HEP) community would rely on: • A well-defined framework to ensure sufficient trust and security among the different IdPs and relying parties.“ Credit to David Kelsey (STFC) for this content

20 Evolution Several years later, 2016
Security Incident Response Trust Framework for Federated Identity Approved by the REFEDS (Research & Education FEDerations) Community Registered Internet Assigned Numbers Authority (IANA) Assurance Profilehttps://

21 Sirtfi Require that a security incident response capability exists with sufficient authority to mitigate, contain the spread of, and remediate the effects of an incident. Operational Security Assure confidentiality of information exchanged Identify trusted contacts Guarantee a response during collaboration Incident Response Improve the usefulness of logs Ensure logs are kept in accordance with policy Traceability Confirm that end users are aware of an appropriate AUP Participant Responsibilities

22 Current adoption 4 102 1 1

23 Find out more

24 How does Sirtfi help?

25 How does Sirtfi help? Operational Support Shared Policies Trust
Shared framework fulfills purpose of basic policy Obliged to collaborate Basic operational security best practices Allows us to identify security conscious bodies

26 How does Sirtfi not help?
Shared Policies Trust Operational Support Some Federation Operators unwilling to act as gatekeepers No large-scale blocking mechanism Trust tied to organisation/entity, not individual Difficult to build offline trust

27 What’s missing? Requirement How could we get this? Indication of who really trusts who Independent trust portal, votes based web of trust Capability to remove participants from Sirtfi Shared Operational Support Periodic tests of contact responsiveness Channel for smaller participants to access security support and trust groups Log of “bad behaviour” Ability to block identities across eduGAIN Distributed mechanism for blocking users (e.g. confyrm, perun…)

28 Operational Support is needed, but where?
GEANT GEANT – possible but not ideal eduGAIN – no central support Federations – not all are willing Research Communities – very possible! eduGAIN Fed 1 Fed 2 Fed 3 Research Communities

29 Conclusion Federated Identity Management is a likely evolution from the end-user certificate model There is a need to establish an effective Security Incident Response capability within eduGAIN Sirtfi goes some way to providing the missing capabilities There are still gaps, particularly for sustainable operational support Shared Policies Trust Operational Support

30

Download ppt "Incident Response for Federated Identities"

Similar presentations

Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu 05-02-2013.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.

Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
Authentication and Authorization in a federated environment Jules Wolfrat (SARA)

Authentication and Authorization in a federated environment Jules Wolfrat (SARA)
Www.geant.org AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.

AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.

Sirtfi David Kelsey (STFC-RAL) REFEDS at TNC15 14 June 2015.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.
Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.

Authentication and Authorisation for Research and Collaboration Licia Florio REFEDS Meeting The AARC Project I2 Technology Exchange.
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.

Authentication and Authorisation for Research and Collaboration David Groep AARC All Hands meeting Milano Policy and Best Practice.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

Similar presentations

Ads by Google