CACTI Call, Tuesday, April 13, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- John Bradley, Independent
- Margaret Cullen, Painless Security (Trust and Identity PAG rep)
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Matthew Economou, InCommon TAC Representative to CACTI
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Kevin Hickey, Detroit Mercy
- Marina Krenz, REN-ISAC
- Barry Johnson, Clemson
- Jeremy Perkins, Instructure
Internet2
- Kevin Morooney
- Steve Zoppi
- Nicole Roy
- Emily Eisbruch
Regrets
- Marina Adomeit, SUNET
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
- Ann West, Internet2
Action items
Action item from April 13, 2021
- AI Nicole will check with Dean on timing for blog and for IAM Online around Secrets Management
Action items from March 30, 2021
- AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
- AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community
Action items from March 16, 2021
- AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
- AI - Rob reach out to leaders of MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did intro with MattB). (Note: the Banner WG is folding into the MidPoint WG)
DISCUSSION
- Administrivia
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
- Announcements
- IAM Online on Wed April 14, 2021: National Institutes of Health and Identity Management Requirements
Trust and Identity Program Advisory Group (PAG) update (Margaret)
- https://spaces.at.internet2.edu/x/xY2TBg
- Margaret, Kevin, Steve and Ann attended recent Trust and Identity PAG call
- Spiral development model was discussed
- Assessment of threats and opportunities, iteratively
- Moving out along the spiral, there are 4 quadrants
- Current landscape includes threat to federation going forward due to consumerization of limited function of identity
- Can use IDs across sites
- Line up with Google ID and then there’s a persistent identity
- Threat to SAML federation as it’s used today
- Many are not sharing attributes
- But using the federation for a constant identifier
- Where does R&E federation fit in this universe?
- Federation 2.0 work is relevant
- Fed 2.0 Working Group is developing a paper: https://wiki.refeds.org/display/GROUPS/Federation+2.0
- Focus on how federation fits in the future
- At the PAG call, there was talk of possibly involving CACTI, the eduroam advisory committee and REFEDS in this discussion in the future
- KevinM: Decided to have an open-ended conversation on the PAG call about whether this time is different, with new threats
- Looking at what’s happening with NIH suggests federation is needed more than ever
- The conversation will continue
- Trust and Identity PAG will also discuss eduroam in the future
Secrets Management (Rob and Les / all)
- Framing the conversation at the appropriate level for CACTI
- Pulse check: Is this worth CACTI's time to pursue?
- High-level problem statement
- Seeking community input on the issue
- Next steps
- At the March 30, 2021 CACTI call, the discussion was fairly detailed (sharing containerized applications, etc.)
- Security is key to trust in federation
- Today we may want to talk at higher level
- It's important to have good processes/guidance around key compromise
- Need guidance on how to detect and respond to key compromise
- Community and Federation Operator can help provide guidance
- HSM (hardware security module) is the right answer for secrets management, but very hard to implement.
- Detection and reporting might fall to SIRTFI https://wiki.refeds.org/display/GROUPS/SIRTFI
- Does the community in general have enough awareness/concern about this issue?
- Stronger policy signal needed for key management issue in general and key compromise specifically
- CACTI can put together community outreach, to advise community
- Develop a list of specific suggestions, might tie into Internet2 NET+
- Raising awareness is the starting point
- Best practices will be useful
- What are the sensitive pieces of info? Best practices for storing that info, etc.
- Possibly the community needs to reach consensus on these topics
- KevinM: suggestion for IAM Online on Secrets Management
- Kevin could kick this off
- then have two campuses discuss how they’ve handled secrets management (best in class, different approaches)
- A CACTI member could do call for ideas at the end
- Get good attendance with a catchy title for the IAM Online, perhaps including SolarWinds
- Suggestion for outreach prior to an IAM Online to convince the community that this is an important topic
- Blog to raise awareness and to announce an upcoming IAM Online would make sense
- AI Nicole will check with Dean on timing for blog and for IAM Online around Secrets Management
- July IAM Online may make sense for this
- The plan is to try to generate interest in developing best practices after the July IAM Online
- It was noted that many secrets management practices arise in connection with some other effort, such as deploying Grouper
- SteveZ: A CACTI working group, or asking the InCommon TAC to look at secrets management best practices/guidance, might make sense
- Possible issue of treating symptoms without treating the problem
- Rob: perhaps we are grabbing onto one currently hot symptom of an overarching issue
- Topic goes beyond key management / secrets management
- Security is hard, some are shy to say how much they don’t understand
- Trust is the basis of federation; if security and trust erode, this is a threat to federation
- Longer term: a series of awareness raising opportunities around security practices would be helpful
- Perhaps a 3-5 session training program that InCommon co-brands and co-markets with REN-ISAC
- Re-use a talk by Tom Jordan from a recent conference
- Rob, Les and Nicole will steer conversations on next steps around Federation 2.0 and related issues
Next Meeting: Tuesday, April 27th, 2021