aarc assurance profiles · h"ps://aarc-project.eu 1. the accounts in the home organisaons...
TRANSCRIPT
h"ps://aarc-project.eu
Authen4ca4onandAuthorisa4onforResearchandCollabora4on
HannahShort
Kantara
AddressingFederatedSecurityIncidentResponseAARCAssuranceProfiles
April7th,2016
h"ps://aarc-project.eu
TheAARCProject
Policy&BestPrac4ceHarmonisa4onWorkPackage
• MinimumLoA• SirVi
AssuranceGaps
• SelfAssessment
RecordingAdop4on
2
Agenda
h"ps://aarc-project.eu
• Authorisa4onandAuthen4ca4onforResearchandCollabora4on• EuropeanCommissionfundedproject• 2years,2015/17• 20partnersfromNRENs,E-Infrastructures&Libraries• Buildsonexis4ngAAIsandonproduc4onfederatedinfrastructures.
3
AARC
TheAARCvisionistocreateafutureinwhiche-Infrastructuresandnewresearchcollabora4onscooperateseamlesslyontopofascalableand
interoperableAAI.
h"ps://aarc-project.eu
h"ps://aarc-project.eu
• Globalscope,thoughEurope-focused
• Manymovingparts…
• Mustensureanypolicyadop4on/technicalchangesare:• Easytoadopt• Legallyacceptable• Financiallybeneficial/neutral
• AARC2proposalsubmi"ed
• 2017/19• 27partners(sogrowing!)• Focusonusers
4
AARC
h"ps://aarc-project.eu 5
AARC
h"ps://aarc-project.eu
Policyandbestprac:cesharmonisa:on
Whatdoesassurancemean?Andtowhom?Howmuchdifferen:a:onofLoAcanpeoplehandle?
What’sasustainabledistribu:onofresponsibili:esamongstAAIpar:cipants?
Whatistheplaceofthird-partycommercialandeGovproviders?Howdoesthathelpguestiden:ty?
Howcanwesharenecessaryaccoun:ng?
Howcanweaddressincidentsthatpropagatethroughthefederatedspace?
Canwegetpolicycoordina:ontoscale?
CredittoDavidGroep(Nikhef)forthisslide
h"ps://aarc-project.eu
• Taskschosenaroundperceivedpolicygaps
• Areasiden4fiedjointlybye-infrastructures,researchinfrastructuresandNRENs
7
Policyandbestprac:cesharmonisa:on
Deliveryofanassurancebaselineanddifferen4atedassuranceframework;
Iden4fyaminimalsetofpoliciestoenablea"ribute
aggrega4on;
Explorepolicyandsecurityaspectstoenabletheintegra4onofa"ribute
providersandofcreden4altransla4onservices;
Enableconsistenthandlingofsecurityincidentswhenfederatedaccessisenabled;
Developsupportmodelsfor(inter)federatedaccesstocommercialservices;
Developguidelinestoenableexchangeof
accoun4ngandusagedata.
h"ps://aarc-project.eu
CommonBaselineLevelofAssurance
• Mul4pleLoAprofilesexistbuttendtobelocalised&requireconsiderablenego4a4ontoadopt
• Basedonempiricalstudies,whatisareasonablebaselineofassurancetoexpectfromR&EIdPs?
SecurityIncidentResponse
• Canwefacilitatecollabora4veincidentresponse?
• Isthereawaytomakethisa"rac4vetopar4cipants?
8
Policyandbestprac:cesharmonisa:onAssuranceGaps
h"ps://aarc-project.eu
• Interviewed6researchinfrastructures• CLARIN(languageresearch)• DARIAH(artsandhumani4es)• ELIXIR(lifescience)• LIGO(physics)• photon/neutronfacili4es(physics)• WLCG(physics)
• Interviewed2e-infrastructures• EGI• PRACE
• Interviewresults:h"ps://wiki.geant.org/x/nQHbAg
9
MinimumLoAResearchcommunityinterviews
CredittoMikaelLindenforthisslide
h"ps://aarc-project.eu
1. TheaccountsintheHomeOrganisa:onsmusteachbelongtoaknownindividual
2. Persistentuseriden:fiers(i.e.,noreassignofuseriden:fiers)
3. Documentediden:tyveSngprocedures(notnecessarilyface-to-face)
4. Passwordauthen:ca:on(withsomegoodprac:ces)5. Depar:nguser’seduPersonAffilia:onmustchange
promptly6. Self-assessment(supportedwithspecificguidelines)
Thedocument:h"ps://wiki.geant.org/x/wIEVAw
10
MinimumLoAInterviewresults
CredittoMikaelLindenforthisslide
h"ps://aarc-project.eu
• REFEDSworkinggroup• LikelythateachminimumLoArequirementwillbeaseparateEn4tyCategory
11
MinimumLoANextsteps
h"ps://aarc-project.eu 12
Policyandbestprac:cesharmonisa:onThechainofassurance
Authen'catorsIden'tyve2ng
IdMPolicyA8ributerelease
Federa'oncontractTrustmarks&categories
Confedera'on‘eduGAIN’
Federa'oncontractDataprotec'on&privacy
DataexchangeInfrastructureCommons
representa'ona8ributesourcehiding
IncidentResponse
?
CredittoDavidGroep(Nikhef)forthisslide
h"ps://aarc-project.eu
• Clearlyaninvi4ngvectorofa"ack• Thelackofacentralisedsupportsystemforsecurityincidentresponseisaniden4fiedrisktothesuccessofeduGAIN
• Wewillneedpar4cipantstocollaborateduringincidentresponse–thismaybeoutsidetheirremit
13
SecurityIncidentResponseTheproblem
!
AllIneedisone
account…
Federa4on3
Federa4on1
Federa4on2
SP
SP
SP
SP
SP
SP
SPSPSP
SP
IdP
IdP
IdPIdP
IdP
h"ps://aarc-project.eu
IdPSP
Itallseemslikecommonsense…
26/04/16 14
SPno4cessuspiciousjobsexecutedbya
handfulofusersfromanIdP
IdPiden4fiesover1000compromisedaccounts
No'fiesIdP
IdPiden4fiesallSPsaccessed
SP
SP
SP
No'fiesSPs
h"ps://aarc-project.eu
IdPSP
…butinreality
26/04/16 15
SPno4cessuspiciousjobsexecutedbya
handfulofusersfromanIdP
IdPiden4fiesover1000compromisedaccounts
No'fiesIdP
IdPiden4fiesallSPsaccessed
SP
SP
SP
No'fiesSPs
LargeSPdoesnotsharedetailsofcompromise,forfearofdamagetoreputa4on
SmallIdPmaynothavecapabilitytoblockusers,ortracetheirusage
SPsarenotboundtoabidebyconfiden4alityprotocolanddisclosesensi4veinforma4on
!
!
!
!Nosecuritycontactdetails!
X
XX
X
h"ps://aarc-project.eu
• A"acksinevitableL• Butwecanmakesecuritycapabilitytransparentandbuildrela4onshipsbetweenorganisa4onsandpeopleJ
…Weneedatrustframework!
16
SecurityIncidentResponseThesolu:on
Inviting new vector of
attack
Uncertainty in security
capability of participants
Lack of trust
h"ps://aarc-project.eu
2012 2013 2014 2015 2016 2017 2018 2019
FIM4RPaper
SecurityforCollabora4ngInfrastructures(SCI)
REFEDSWorkingGroup
AARC
SirViv1.0Published
FirstRoundDeployment
RFC
AARC2
SecondRoundDeployment
17
SecurityIncidentResponseAhistoryandthefuture
h"ps://aarc-project.eu
• IssueofIdMraisedbyITleadersfromEIROforumlabs(Jan2011)• CERN,EFDA-JET,EMBL,ESA,ESO,ESRF,EuropeanXFELandILL
• Theselaboratories,aswellasna4onalandregionalresearchorganiza4ons,facesimilarchallenges
• Preparedapaperthatdocumentscommonrequirementsh"ps://cdsweb.cern.ch/record/1442597
18
SecurityIncidentResponseFIM4R
CredittoDavidKelsey(STFC)forthiscontent
“Suchaniden'tyfedera'onintheHighEnergyPhysics(HEP)communitywouldrelyon:•Awell-definedframeworktoensuresufficienttrustandsecurityamongthedifferentIdPsandrelyingpar'es.“
“Securityproceduresandincidentresponsewouldneedtobereviewed.Today,eachresourceproviderisforexampleresponsiblefortermina'ngaccessbyknowncompromisediden''es.Withiden'tyfedera'on,thisresponsibilitywillbeshiYedtotheIdPthoughresourceproviderswillinsistontheabilitytorevokeaccess.”
h"ps://aarc-project.eu
SecurityIncidentResponseSecurityforCollabora:ngInfrastructures(SCI)
• Acollabora4veac4vityofinforma4onsecurityofficersfromlarge-scaleinfrastructures
• EGI,OSG,PRACE,EUDAT,CHAIN,WLCG,XSEDE,…
• Laidthefounda4onsforaTrustframework• Enableinteropera4on(securityteams)• Managecross-infrastructuresecurityrisks• Developpolicystandards• Especiallywherenotabletoshareiden4calsecuritypolicies
• ProceedingsoftheISGC2013conferenceh"p://pos.sissa.it/archive/conferences/179/011/ISGC%202013_011.pdf
19
CredittoDavidKelsey(STFC)forthisslide
h"ps://aarc-project.eu
• TheSCIdocumentformedthebasisfortheSecurityIncidentResponseTrustFrameworkforFederatedIden4ty
20
SecurityIncidentResponseSirbi
ü Ar4culateframeworkrequirementsü CompleteCommunityConsulta4onü PublishSirViframeworkü CreateTrainingmaterialq Confirmmetadataextensionsq Beginadop4onq SupportfilteringbasedonSirVi
h"ps://aarc-project.eu 21
SecurityIncidentResponseSirbi
• Require that a security incident response capability exists with sufficient authority to mitigate, contain the spread of, and remediate the effects of an incident.
Operational Security
• Assure confidentiality of information exchanged • Identify trusted contacts • Guarantee a response during collaboration
Incident Response
• Improve the usefulness of logs • Ensure logs are kept in accordance with policy
Traceability
• Confirm that end users are aware of an appropriate AUP
Participant Responsibilities
h"ps://aarc-project.eu
• BasedontheInCommonsecuritycontactType• Whattoinclude?
• Individualorgroupemailcontact?Recommendgeneric• Telephonenumberincasecri4calinfrastructuredown?Wouldthatreallyhelp?• PGPKey?
• Thespecifica4onisflexible,sec4on2.3.2.2ofh"ps://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf
22
SecurityIncidentResponseSirbi,securitycontactdetails
CredittoDavidGroep(Nikhef)forthisslide
<ContactPersoncontactType="other"xmlns:icmd="http://refeds.org/metadata" icmd:contactType="http://refeds.org/metadata/contactType/security"> <GivenName>SecurityResponseTeam</GivenName> <EmailAddress>[email protected]</EmailAddress>
</ContactPerson>
h"ps://aarc-project.eu
• Asser4ngcomplianceviastandardOASISspecifica4on• AppliedtoregisterwithIANA
23
SecurityIncidentResponseSirbi,expressingcompliance
<attr:EntityAttributes><saml:Attribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"Name="urn:oasis:names:tc:SAML:attribute:assurance-certification”><saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
</saml:Attribute></attr:EntityAttributes>
h"ps://aarc-project.eu 24
SecurityIncidentResponseBenefitsofSirbi
IdPs
Gain access to useful services that only allow authentication from Sirtfi
compliant IdPs
SPsGain users whose home organisations only allow authentication at Sirtfi
compliant SPs
Guarantee an efficient and effective response from partner organisations during incident response
Raise the bar in operational security across eduGAIN
h"ps://aarc-project.eu 25
SecurityIncidentResponseFindoutmore–HomePage
h"ps://refeds.org/sirVi
h"ps://aarc-project.eu 26
SecurityIncidentResponseFindoutmore–TechnicalWiki
h"ps://wiki.refeds.org/display/SIRTFI/SIRTFI+Home
h"ps://aarc-project.eu
RecordingAdop:onSelfAssessment
• Communi4esarehappywithselfassessmentaslongasthegroupisrela4velysmall
• TheeduGAINworldisnotsmall!• Someusecasesrequirepeerreview• Atalargerscaleautoma4onwillbenecessary• Howdoweensurethecorrectpeoplecompletetheassessment?
27
eduGAINStats Federa:ons:38 Allen::es:3157 IdPs:2007 SPs:1151
h"ps://aarc-project.eu
RecordingAdop:onSelfAssessment
• SpinoffprojectfromLoA/SirViac4vi4estodevelopaselfassessmenttool*
• Op4onalPeerReview• Integra4onwithSAMLMetadata• Adop4onMonitoring
• Feedbackhasbeenposi4ve,butmustensuredesignscales
• Unclearhowthistoolwillbedeveloped,lookingtothenextroundofAARCandGEANTProjects
28
*h"ps://docs.google.com/document/d/10kguCdxWn38z_EGRnrdjCI4GSeO44zFGeXWHGmzz27o
h"ps://aarc-project.eu
Conclusions
• TheAARCProjectaimstoensurethatiden4tyfedera4onsucceeds,bothintechnologiesandpolicies
• MeasurestoaddressperceivedassurancegapswereincludedinthePoliciesandBestPrac4cesHarmonisa4onWorkPackage
• CommunitybasedinterviewshavedefinedaminimumacceptableLoA,thiswillbethebasisforanassuranceprofile
• Thereisaclearassurancegapinfederatedsecurity,whichisbeingaddressedbyatrustframework
• ASelf-Assessmenttoolwouldprovevaluableformul4pleusecasestoscaleadop4on
29
h"ps://aarc-project.eu 30
Appendix,SirbiAsser:ons
h"ps://aarc-project.eu
Opera:onalsecurity
• [OS1]Securitypatchesinopera4ngsystemandapplica4onsozwareareappliedina4melymanner.
• [OS2]Aprocessisusedtomanagevulnerabili4esinsozwareoperatedbytheorganisa4on.
• [OS3]Mechanismsaredeployedtodetectpossibleintrusionsandprotectinforma4onsystemsfromsignificantandimmediatethreats
• [OS4]Auser’saccessrightscanbesuspended,modifiedorterminatedina4melymanner.
• [OS5]UsersandServiceOwners(asdefinedbyITIL[ITIL])withintheorganisa4oncanbecontacted.
• [OS6]Asecurityincidentresponsecapabilityexistswithintheorganisa4onwithsufficientauthoritytomi4gate,containthespreadof,andremediatetheeffectsofasecurityincident.
26/04/16 31
h"ps://aarc-project.eu
Incidentresponse
• [IR1]Providesecurityincidentresponsecontactinforma4onasmayberequestedbyanR&Efedera4ontowhichyourorganiza4onbelongs.
• [IR2]Respondtorequestsforassistancewithasecurityincidentfromotherorganisa4onspar4cipa4ngintheSirVitrustframeworkina4melymanner.
• [IR3]Beableandwillingtocollaborateinthemanagementofasecurityincidentwithaffectedorganisa4onsthatpar4cipateintheSirVitrustframework.
• [IR4]Followsecurityincidentresponseproceduresestablishedfortheorganisa4on.
• [IR5]Respectuserprivacyasdeterminedbytheorganisa4onspoliciesorlegalcounsel.
• [IR6]RespectandusetheTrafficLightProtocol[TLP]informa4ondisclosurepolicy.
26/04/16 32
h"ps://aarc-project.eu
Traceability
• [TR1]Relevantsystemgeneratedinforma4on,includingaccurate4mestampsandiden4fiersofsystemcomponentsandactors,areretainedandavailableforuseinsecurityincidentresponseprocedures.
• [TR2]Informa4ona"estedtoin[TR1]isretainedinconformancewiththeorganisa4on’ssecurityincidentresponsepolicyorprac4ces.
26/04/16 33
h"ps://aarc-project.eu
Par:cipantresponsibili:es
• [PR1]Thepar4cipanthasanAcceptableUsePolicy(AUP).• [PR2]ThereisaprocesstoensurethatallusersareawareofandaccepttherequirementtoabidebytheAUP,forexampleduringaregistra4onorrenewalprocess.
26/04/16 34
h"ps://aarc-project.eu
©GÉANTonbehalfoftheAARCproject.TheworkleadingtotheseresultshasreceivedfundingfromtheEuropeanUnion’sHorizon2020researchandinnova4onprogrammeunderGrantAgreementNo.653965(AARC).
ThankyouAnyQues4ons?
h"ps://aarc-project.eu