What will the Sirtfi trust framework change for FIM4R?
https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration

Hannah Short
REFEDS, Vienna
December 1st, 2015
Background

• A Security Incident Response Trust Framework for Federated Identity
• Need for common trust framework
• Enable coordination of security incident response
• Vector of attack grows more inviting as magnitude of federated networks increases
• Self assertion
• Practical compromise
• Possible extension to peer assessment
What will Sirtfi change?

Impact on FIM4R communities:
• Trust
• Support
• Responsibility
• Self Audit

We need partners within FIM4R to pilot this framework!
Federated incidents

[Diagram: a compromised account at one IdP reaching several SPs, with further IdPs in other federations]

• Compromised account from Identity Provider (IdP) accesses external Service Providers (SPs)
• Could be intra-federation, or inter-federation
• Malicious actor is able to penetrate the network and take advantage of the lack of coordinated incident response
It all seems like common sense…

[Diagram: incident flow between an IdP and its SPs]
• SP notices suspicious jobs executed by a handful of users from an IdP
• Notifies IdP
• IdP identifies over 1000 compromised accounts
• IdP identifies all SPs accessed
• Notifies SPs
But without Sirtfi…

[Diagram: the same incident flow, with each step marked as blocked]
• SP notices suspicious jobs executed by a handful of users from an IdP
• Notifies IdP
• IdP identifies over 1000 compromised accounts
• IdP identifies all SPs accessed
• Notifies SPs

Where it breaks down:
• Large SP does not share details of compromise, for fear of damage to reputation
• Small IdP may not have capability to block users, or trace their usage
• SPs are not bound to abide by confidentiality protocol and disclose sensitive information
• No security contact details!
Trust

There will be a higher level of trust for Sirtfi-compliant organisations. These participants will be more likely to grant and be granted access to shared resources.

[Diagram: access with an eduGAIN token, Before Sirtfi vs After Sirtfi. Labels: "May be granted to some basic SPs", "Access restricted to critical SPs", "User from Sirtfi'd IdP", "User from non-Sirtfi'd IdP"]
Support

Sirtfi-compliant organisations will be able to draw on support from each other in the event of an incident. Bridging federations and identifying required expertise will be facilitated.

[Diagram: Before Sirtfi vs After Sirtfi]
Before Sirtfi, an IdP leaves open questions:
• Who can we trust with sensitive information?
• Who should we notify? Can we count on a response for urgent incidents?
• Can we get accurate logs to track the incident within our community?

After Sirtfi, the Sirtfi-compliant IdP publishes in its metadata:
    <ContactPerson contactType="security">
      <EmailAddress>[email protected]</EmailAddress>
    </ContactPerson>
    <SirtfiCompliance status="asserted"/>
Responsibility

Sirtfi-compliant organisations must be able to comply with support obligations in the event of a security incident. Individuals should be identified at each participating organisation and be aware of expectations.

[Diagram: example incident notifications, Before Sirtfi vs After Sirtfi]
Before Sirtfi:
    To: [email protected]: [email protected]! User found submitting malicious jobs – please investigate!

After Sirtfi:
    To: [email protected]: [email protected]
    **TLP AMBER – Limited distribution allowed**
    Urgent! User found submitting malicious jobs – please investigate! Details below…

    To: [email protected]: [email protected]: [email protected]
    **TLP AMBER – Limited distribution allowed**
    Absolutely – I’m on rota this week, account blocked and we are investigating. Attaching relevant logs and will keep you updated.
Self Audit

Sirtfi-compliant organisations will be required to complete periodic self assessments to analyse their incident response capability. Security contact information must be accurately represented in metadata and be verified during staffing and business reorganisation.

[Diagram: Before Sirtfi vs After Sirtfi. Before: "Has anyone thought about security?"]
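As an added example (not from the deck, REFEDS or the AARC project), a small Python self-audit that scans a SAML metadata aggregate for the two things the Support and Self Audit slides say a participant must publish: a security contact to notify, and the compliance assertion. The element names ContactPerson contactType="security" and SirtfiCompliance status="asserted" are copied from the draft metadata on the Support slide, which the deck itself lists as still to be finalised; the aggregate, entityIDs and addresses are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample aggregate: one IdP publishes a security contact and the
# slide's draft SirtfiCompliance element, the other has only a technical contact.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:ContactPerson contactType="security">
      <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
    </md:ContactPerson>
    <SirtfiCompliance status="asserted"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/idp">
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:helpdesk@example.net</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def audit_entity(entity):
    """Collect security-contact addresses and the Sirtfi status of one EntityDescriptor."""
    contacts = [
        (addr.text or "").strip()
        for cp in entity.findall("md:ContactPerson", NS)
        if cp.get("contactType") == "security"
        for addr in cp.findall("md:EmailAddress", NS)
    ]
    sirtfi = entity.find("SirtfiCompliance")  # unprefixed draft element, as on the slide
    return {
        "entity_id": entity.get("entityID"),
        "security_contacts": contacts,
        "sirtfi_status": None if sirtfi is None else sirtfi.get("status"),
    }


def audit_metadata(xml_text):
    """Audit every entity in an aggregate: an entity is 'ok' only when it asserts
    Sirtfi and publishes a security contact, so a responder has somebody to notify."""
    findings = []
    for entity in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        f = audit_entity(entity)
        f["ok"] = f["sirtfi_status"] == "asserted" and bool(f["security_contacts"])
        findings.append(f)
    return findings
```

Note that the SAML 2.0 metadata schema enumerates only technical, support, administrative, billing and other for contactType, so a schema-validating consumer would reject the slide's security value; a production check has to follow whatever element the finalised Sirtfi metadata profile specifies.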
What’s next?

• Potentially RFC
• LoA requirements
• Finalisation of metadata elements
  • Security contact element: http://www.slideshare.net/jbasney/saml-security-contacts
  • Sirtfi compliance element
• Tool for assessing/managing Sirtfi compliance attribute
• Sirtfi v2.0
  • Requirement to notify Sirtfi partners
  • Alerting mechanism
Sirtfi status

• Consultation closes on December 8th
• https://wiki.refeds.org/display/CON/SIRTFI+Consultation%3A+Framework
• Comments welcome!

26/04/16 Document reference
Appendix: Sirtfi assertions
Operational security

• [OS1] Security patches in operating system and application software are applied in a timely manner.
• [OS2] A process is used to manage vulnerabilities in software operated by the organisation.
• [OS3] Mechanisms are deployed to detect possible intrusions and protect information systems from significant and immediate threats.
• [OS4] A user’s access rights can be suspended, modified or terminated in a timely manner.
• [OS5] Users and Service Owners (as defined by ITIL [ITIL]) within the organisation can be contacted.
• [OS6] A security incident response capability exists within the organisation with sufficient authority to mitigate, contain the spread of, and remediate the effects of a security incident.
Incident response

• [IR1] Provide security incident response contact information as may be requested by an R&E federation to which your organization belongs.
• [IR2] Respond to requests for assistance with a security incident from other organisations participating in the Sirtfi trust framework in a timely manner.
• [IR3] Be able and willing to collaborate in the management of a security incident with affected organisations that participate in the Sirtfi trust framework.
• [IR4] Follow security incident response procedures established for the organisation.
• [IR5] Respect user privacy as determined by the organisation’s policies or legal counsel.
• [IR6] Respect and use the Traffic Light Protocol [TLP] information disclosure policy.
Traceability

• [TR1] Relevant system-generated information, including accurate timestamps and identifiers of system components and actors, is retained and available for use in security incident response procedures.
• [TR2] Information attested to in [TR1] is retained in conformance with the organisation’s security incident response policy or practices.
Participant responsibilities

• [PR1] The participant has an Acceptable Use Policy (AUP).
• [PR2] There is a process to ensure that all users are aware of and accept the requirement to abide by the AUP, for example during a registration or renewal process.
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).

Thank you. Any questions?