h"ps://aarc-project.eu

Authen4ca4onandAuthorisa4onforResearchandCollabora4on

HannahShort

Kantara

AddressingFederatedSecurityIncidentResponseAARCAssuranceProfiles

April7th,2016

CERNhannah.short@cern.ch

h"ps://aarc-project.eu

TheAARCProject

Policy&BestPrac4ceHarmonisa4onWorkPackage

• MinimumLoA• SirVi

AssuranceGaps

• SelfAssessment

RecordingAdop4on

2

Agenda

h"ps://aarc-project.eu

• Authorisa4onandAuthen4ca4onforResearchandCollabora4on• EuropeanCommissionfundedproject• 2years,2015/17• 20partnersfromNRENs,E-Infrastructures&Libraries• Buildsonexis4ngAAIsandonproduc4onfederatedinfrastructures.

3

AARC

TheAARCvisionistocreateafutureinwhiche-Infrastructuresandnewresearchcollabora4onscooperateseamlesslyontopofascalableand

interoperableAAI.

h"ps://aarc-project.eu

h"ps://aarc-project.eu

• Globalscope,thoughEurope-focused

• Manymovingparts…

• Mustensureanypolicyadop4on/technicalchangesare:•  Easytoadopt•  Legallyacceptable•  Financiallybeneficial/neutral

• AARC2proposalsubmi"ed

•  2017/19•  27partners(sogrowing!)•  Focusonusers

4

AARC

h"ps://aarc-project.eu 5

AARC

h"ps://aarc-project.eu

Policyandbestprac:cesharmonisa:on

Whatdoesassurancemean?Andtowhom?Howmuchdifferen:a:onofLoAcanpeoplehandle?

What’sasustainabledistribu:onofresponsibili:esamongstAAIpar:cipants?

Whatistheplaceofthird-partycommercialandeGovproviders?Howdoesthathelpguestiden:ty?

Howcanwesharenecessaryaccoun:ng?

Howcanweaddressincidentsthatpropagatethroughthefederatedspace?

Canwegetpolicycoordina:ontoscale?

CredittoDavidGroep(Nikhef)forthisslide

h"ps://aarc-project.eu

• Taskschosenaroundperceivedpolicygaps

• Areasiden4fiedjointlybye-infrastructures,researchinfrastructuresandNRENs

7

Policyandbestprac:cesharmonisa:on

Deliveryofanassurancebaselineanddifferen4atedassuranceframework;

Iden4fyaminimalsetofpoliciestoenablea"ribute

aggrega4on;

Explorepolicyandsecurityaspectstoenabletheintegra4onofa"ribute

providersandofcreden4altransla4onservices;

Enableconsistenthandlingofsecurityincidentswhenfederatedaccessisenabled;

Developsupportmodelsfor(inter)federatedaccesstocommercialservices;

Developguidelinestoenableexchangeof

accoun4ngandusagedata.

h"ps://aarc-project.eu

CommonBaselineLevelofAssurance

• Mul4pleLoAprofilesexistbuttendtobelocalised&requireconsiderablenego4a4ontoadopt

• Basedonempiricalstudies,whatisareasonablebaselineofassurancetoexpectfromR&EIdPs?

SecurityIncidentResponse

• Canwefacilitatecollabora4veincidentresponse?

•  Isthereawaytomakethisa"rac4vetopar4cipants?

8

Policyandbestprac:cesharmonisa:onAssuranceGaps

h"ps://aarc-project.eu

• Interviewed6researchinfrastructures•  CLARIN(languageresearch)•  DARIAH(artsandhumani4es)•  ELIXIR(lifescience)•  LIGO(physics)•  photon/neutronfacili4es(physics)• WLCG(physics)

• Interviewed2e-infrastructures•  EGI•  PRACE

• Interviewresults:h"ps://wiki.geant.org/x/nQHbAg

9

MinimumLoAResearchcommunityinterviews

CredittoMikaelLindenforthisslide

h"ps://aarc-project.eu

1.   TheaccountsintheHomeOrganisa:onsmusteachbelongtoaknownindividual

2.   Persistentuseriden:fiers(i.e.,noreassignofuseriden:fiers)

3.   Documentediden:tyveSngprocedures(notnecessarilyface-to-face)

4.   Passwordauthen:ca:on(withsomegoodprac:ces)5.   Depar:nguser’seduPersonAffilia:onmustchange

promptly6.   Self-assessment(supportedwithspecificguidelines)

Thedocument:h"ps://wiki.geant.org/x/wIEVAw

10

MinimumLoAInterviewresults

CredittoMikaelLindenforthisslide

h"ps://aarc-project.eu

• REFEDSworkinggroup• LikelythateachminimumLoArequirementwillbeaseparateEn4tyCategory

11

MinimumLoANextsteps

h"ps://aarc-project.eu 12

Policyandbestprac:cesharmonisa:onThechainofassurance

Authen'catorsIden'tyve2ng

IdMPolicyA8ributerelease

Federa'oncontractTrustmarks&categories

Confedera'on‘eduGAIN’

Federa'oncontractDataprotec'on&privacy

DataexchangeInfrastructureCommons

representa'ona8ributesourcehiding

IncidentResponse

?

CredittoDavidGroep(Nikhef)forthisslide

h"ps://aarc-project.eu

• Clearlyaninvi4ngvectorofa"ack• Thelackofacentralisedsupportsystemforsecurityincidentresponseisaniden4fiedrisktothesuccessofeduGAIN

• Wewillneedpar4cipantstocollaborateduringincidentresponse–thismaybeoutsidetheirremit

13

SecurityIncidentResponseTheproblem

!

AllIneedisone

account…

Federa4on3

Federa4on1

Federa4on2

SP

SP

SP

SP

SP

SP

SPSPSP

SP

IdP

IdP

IdPIdP

IdP

h"ps://aarc-project.eu

IdPSP

Itallseemslikecommonsense…

26/04/16 14

SPno4cessuspiciousjobsexecutedbya

handfulofusersfromanIdP

IdPiden4fiesover1000compromisedaccounts

No'fiesIdP

IdPiden4fiesallSPsaccessed

SP

SP

SP

No'fiesSPs

h"ps://aarc-project.eu

IdPSP

…butinreality

26/04/16 15

SPno4cessuspiciousjobsexecutedbya

handfulofusersfromanIdP

IdPiden4fiesover1000compromisedaccounts

No'fiesIdP

IdPiden4fiesallSPsaccessed

SP

SP

SP

No'fiesSPs

LargeSPdoesnotsharedetailsofcompromise,forfearofdamagetoreputa4on

SmallIdPmaynothavecapabilitytoblockusers,ortracetheirusage

SPsarenotboundtoabidebyconfiden4alityprotocolanddisclosesensi4veinforma4on

!

!

!

!Nosecuritycontactdetails!

X

XX

X

h"ps://aarc-project.eu

• A"acksinevitableL• Butwecanmakesecuritycapabilitytransparentandbuildrela4onshipsbetweenorganisa4onsandpeopleJ

…Weneedatrustframework!

16

SecurityIncidentResponseThesolu:on

Inviting new vector of

attack

Uncertainty in security

capability of participants

Lack of trust

h"ps://aarc-project.eu

2012 2013 2014 2015 2016 2017 2018 2019

FIM4RPaper

SecurityforCollabora4ngInfrastructures(SCI)

REFEDSWorkingGroup

AARC

SirViv1.0Published

FirstRoundDeployment

RFC

AARC2

SecondRoundDeployment

17

SecurityIncidentResponseAhistoryandthefuture

h"ps://aarc-project.eu

•  IssueofIdMraisedbyITleadersfromEIROforumlabs(Jan2011)•  CERN,EFDA-JET,EMBL,ESA,ESO,ESRF,EuropeanXFELandILL

• Theselaboratories,aswellasna4onalandregionalresearchorganiza4ons,facesimilarchallenges

• Preparedapaperthatdocumentscommonrequirementsh"ps://cdsweb.cern.ch/record/1442597

18

SecurityIncidentResponseFIM4R

CredittoDavidKelsey(STFC)forthiscontent

“Suchaniden'tyfedera'onintheHighEnergyPhysics(HEP)communitywouldrelyon:•Awell-definedframeworktoensuresufficienttrustandsecurityamongthedifferentIdPsandrelyingpar'es.“

“Securityproceduresandincidentresponsewouldneedtobereviewed.Today,eachresourceproviderisforexampleresponsiblefortermina'ngaccessbyknowncompromisediden''es.Withiden'tyfedera'on,thisresponsibilitywillbeshiYedtotheIdPthoughresourceproviderswillinsistontheabilitytorevokeaccess.”

h"ps://aarc-project.eu

SecurityIncidentResponseSecurityforCollabora:ngInfrastructures(SCI)

•  Acollabora4veac4vityofinforma4onsecurityofficersfromlarge-scaleinfrastructures

•  EGI,OSG,PRACE,EUDAT,CHAIN,WLCG,XSEDE,…

•  Laidthefounda4onsforaTrustframework•  Enableinteropera4on(securityteams)•  Managecross-infrastructuresecurityrisks•  Developpolicystandards•  Especiallywherenotabletoshareiden4calsecuritypolicies

•  ProceedingsoftheISGC2013conferenceh"p://pos.sissa.it/archive/conferences/179/011/ISGC%202013_011.pdf

19

CredittoDavidKelsey(STFC)forthisslide

h"ps://aarc-project.eu

• TheSCIdocumentformedthebasisfortheSecurityIncidentResponseTrustFrameworkforFederatedIden4ty

20

SecurityIncidentResponseSirbi

ü  Ar4culateframeworkrequirementsü  CompleteCommunityConsulta4onü  PublishSirViframeworkü  CreateTrainingmaterialq  Confirmmetadataextensionsq  Beginadop4onq  SupportfilteringbasedonSirVi

h"ps://aarc-project.eu 21

SecurityIncidentResponseSirbi

•  Require that a security incident response capability exists with sufficient authority to mitigate, contain the spread of, and remediate the effects of an incident.

Operational Security

•  Assure confidentiality of information exchanged •  Identify trusted contacts •  Guarantee a response during collaboration

Incident Response

•  Improve the usefulness of logs •  Ensure logs are kept in accordance with policy

Traceability

•  Confirm that end users are aware of an appropriate AUP

Participant Responsibilities

h"ps://aarc-project.eu

• BasedontheInCommonsecuritycontactType• Whattoinclude?

•  Individualorgroupemailcontact?Recommendgeneric•  Telephonenumberincasecri4calinfrastructuredown?Wouldthatreallyhelp?•  PGPKey?

• Thespecifica4onisflexible,sec4on2.3.2.2ofh"ps://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

22

SecurityIncidentResponseSirbi,securitycontactdetails

CredittoDavidGroep(Nikhef)forthisslide

<ContactPersoncontactType="other"xmlns:icmd="http://refeds.org/metadata" icmd:contactType="http://refeds.org/metadata/contactType/security"> <GivenName>SecurityResponseTeam</GivenName> <EmailAddress>security@institution.edu</EmailAddress>

</ContactPerson>

h"ps://aarc-project.eu

• Asser4ngcomplianceviastandardOASISspecifica4on• AppliedtoregisterwithIANA

23

SecurityIncidentResponseSirbi,expressingcompliance

<attr:EntityAttributes><saml:Attribute

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"Name="urn:oasis:names:tc:SAML:attribute:assurance-certification”><saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>

</saml:Attribute></attr:EntityAttributes>

h"ps://aarc-project.eu 24

SecurityIncidentResponseBenefitsofSirbi

IdPs

Gain access to useful services that only allow authentication from Sirtfi

compliant IdPs

SPsGain users whose home organisations only allow authentication at Sirtfi

compliant SPs

Guarantee an efficient and effective response from partner organisations during incident response

Raise the bar in operational security across eduGAIN

h"ps://aarc-project.eu 25

SecurityIncidentResponseFindoutmore–HomePage

h"ps://refeds.org/sirVi

h"ps://aarc-project.eu 26

SecurityIncidentResponseFindoutmore–TechnicalWiki

h"ps://wiki.refeds.org/display/SIRTFI/SIRTFI+Home

h"ps://aarc-project.eu

RecordingAdop:onSelfAssessment

• Communi4esarehappywithselfassessmentaslongasthegroupisrela4velysmall

• TheeduGAINworldisnotsmall!• Someusecasesrequirepeerreview• Atalargerscaleautoma4onwillbenecessary• Howdoweensurethecorrectpeoplecompletetheassessment?

27

eduGAINStats Federa:ons:38 Allen::es:3157 IdPs:2007 SPs:1151

h"ps://aarc-project.eu

RecordingAdop:onSelfAssessment

• SpinoffprojectfromLoA/SirViac4vi4estodevelopaselfassessmenttool*

•  Op4onalPeerReview•  Integra4onwithSAMLMetadata•  Adop4onMonitoring

• Feedbackhasbeenposi4ve,butmustensuredesignscales

• Unclearhowthistoolwillbedeveloped,lookingtothenextroundofAARCandGEANTProjects

28

*h"ps://docs.google.com/document/d/10kguCdxWn38z_EGRnrdjCI4GSeO44zFGeXWHGmzz27o

h"ps://aarc-project.eu

Conclusions

• TheAARCProjectaimstoensurethatiden4tyfedera4onsucceeds,bothintechnologiesandpolicies

• MeasurestoaddressperceivedassurancegapswereincludedinthePoliciesandBestPrac4cesHarmonisa4onWorkPackage

• CommunitybasedinterviewshavedefinedaminimumacceptableLoA,thiswillbethebasisforanassuranceprofile

• Thereisaclearassurancegapinfederatedsecurity,whichisbeingaddressedbyatrustframework

• ASelf-Assessmenttoolwouldprovevaluableformul4pleusecasestoscaleadop4on

29

h"ps://aarc-project.eu 30

Appendix,SirbiAsser:ons

h"ps://aarc-project.eu

Opera:onalsecurity

•  [OS1]Securitypatchesinopera4ngsystemandapplica4onsozwareareappliedina4melymanner.

•  [OS2]Aprocessisusedtomanagevulnerabili4esinsozwareoperatedbytheorganisa4on.

•  [OS3]Mechanismsaredeployedtodetectpossibleintrusionsandprotectinforma4onsystemsfromsignificantandimmediatethreats

•  [OS4]Auser’saccessrightscanbesuspended,modifiedorterminatedina4melymanner.

•  [OS5]UsersandServiceOwners(asdefinedbyITIL[ITIL])withintheorganisa4oncanbecontacted.

•  [OS6]Asecurityincidentresponsecapabilityexistswithintheorganisa4onwithsufficientauthoritytomi4gate,containthespreadof,andremediatetheeffectsofasecurityincident.

26/04/16 31

h"ps://aarc-project.eu

Incidentresponse

•  [IR1]Providesecurityincidentresponsecontactinforma4onasmayberequestedbyanR&Efedera4ontowhichyourorganiza4onbelongs.

•  [IR2]Respondtorequestsforassistancewithasecurityincidentfromotherorganisa4onspar4cipa4ngintheSirVitrustframeworkina4melymanner.

•  [IR3]Beableandwillingtocollaborateinthemanagementofasecurityincidentwithaffectedorganisa4onsthatpar4cipateintheSirVitrustframework.

•  [IR4]Followsecurityincidentresponseproceduresestablishedfortheorganisa4on.

•  [IR5]Respectuserprivacyasdeterminedbytheorganisa4onspoliciesorlegalcounsel.

•  [IR6]RespectandusetheTrafficLightProtocol[TLP]informa4ondisclosurepolicy.

26/04/16 32

h"ps://aarc-project.eu

Traceability

•  [TR1]Relevantsystemgeneratedinforma4on,includingaccurate4mestampsandiden4fiersofsystemcomponentsandactors,areretainedandavailableforuseinsecurityincidentresponseprocedures.

•  [TR2]Informa4ona"estedtoin[TR1]isretainedinconformancewiththeorganisa4on’ssecurityincidentresponsepolicyorprac4ces.

26/04/16 33

h"ps://aarc-project.eu

Par:cipantresponsibili:es

•  [PR1]Thepar4cipanthasanAcceptableUsePolicy(AUP).•  [PR2]ThereisaprocesstoensurethatallusersareawareofandaccepttherequirementtoabidebytheAUP,forexampleduringaregistra4onorrenewalprocess.

26/04/16 34

h"ps://aarc-project.eu

©GÉANTonbehalfoftheAARCproject.TheworkleadingtotheseresultshasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnova4onprogrammeunderGrantAgreementNo.653965(AARC).

ThankyouAnyQues4ons?

h"ps://aarc-project.eu

hannah.short@cern.ch