TIIME 2017: Session 14 Sirtfi2017 Work plan

(Hannah Short)

Security Incident Response Trust Framework for Federal Identity

Right now there are 130 different federal identities supporting SIRTFI

The danger of a federation as access method.

• –29 R&E Federal support or plan to support Sirtfi.
• –4 no plan, 33 unknown.
• –2 R&E Feds have comprehensive support.
• –135 Sirtfi tagged entities, mostly IdPs.
• –639 with security contact info.

Survey/outreach to federations Learn status and how to help them adopt.

Tooling Response support platform.

Lookout notify SIRTIFI

Federal Security Incident Framework in which Participants, Federations Operators, and eduGain Operator coordinate response to a security incident.

Security Incident response Plan for response Operator Template starting point to help R&E Federations establish security procedures.

Incorporate research CIs into above Sirtfi Security incident response procedures and tooling should suitably integrate with research CIs.

FSIRP declare procedures to eduGain support

If someone reaches out to you and if you are certified you need to do your best to resolve the problem.

The other option is just to report it.

This should not end up keeping logs about any transaction, the only thing that certifies is support from minimizing the data.

Responsibility of an IdP is to keep some amount of log for a certain time and response in a specific timeframe.

Relevant system generated information, including accurate timestamps and identifiers of system components and actors, retained and available for use security incident response procedures.

The biggest problem is keeping logs it needs to be kept but it represents a big liability.

The problem is if don't keep the logs and need to notify people at some point about their account we are going to notify way more people than needed in this case .

Response support platform - it would be very helpful to have a standard way of communicating, the structure of what is being sent some kind of format how that information is being passed. Scheme for certain kind of messages.

Don't bother with IdP tooling it's a distraction maybe misleading as a false requirement for SIRTIFI.

The more centralized it can be done the more successful it will be.

Tool - nonfederated SIRTIFI - tag metadata registration.

Work plan ahead

• More tooling online self-assessment for Participants
• Online courseware
• Federal education materials Supporting new standards, tools, etc. . .
• Get the word out; gain input and participation which groups and organizations should loop in?

What events should we aim to participate in?

Identity what notification groups should be automatically maintained.

Guidelines for conditions in which to notify who

Table top exerciseThere needs to be an organization fulfilling a coordinating role. Perhaps this should be at eduGAIN. This function should be set up from the start.

Discussion of use of / implementation of ID event draft / automation as a part of this framework: https://tools.ietf.org/html/draft-ietf-secevent-token-00

-Distributed, whereas Confirm thought hubs were the way to do this