CACTI Call, Tuesday, April 13, 2021


Attending

 Members

  • Rob Carter, Duke (Chair)
  • Les LaCroix, Carleton College (Vice-Chair)
  • John Bradley, Independent
  • Margaret Cullen, Painless Security (Trust and Identity PAG rep)
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
  • Matthew Economou, InCommon TAC Representative to CACTI
  • Stoney Gan, University of South Florida
  • Michael Grady, Unicon
  • Kevin Hickey, Detroit Mercy
  • Marina Krenz, REN-ISAC
  • Barry Johnson, Clemson
  • Jeremy Perkins, Instructure

 Internet2

  • Kevin Morooney
  • Steve Zoppi
  • Nicole Roy
  • Emily Eisbruch

 Regrets

  • Marina Adomeit, SUNET
  • Chris Phillips, CANARIE
  • Bill Thompson, Lafayette College
  • Ann West, Internet2

 Action items

  Action item from April 13, 2021

  • AI Nicole will check with Dean on timing for blog and for IAM Online around Secrets Management

  Action items from March 30, 2021

  • AI - Rob and Les - slot the user-centric identity topic into a future CACTI agenda
  • AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community

  Action items from March 16, 2021

  • AI - Rob reach out to the CACTI email list to start gathering contacts and use cases for upcoming discussions around OIDC.
  • AI - Rob reach out to leaders of the MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did the intro with MattB). (Note: the Banner WG is folding into the MidPoint WG.)


DISCUSSION

    • IAM Online on Wed April 14, 2021
      • National Institutes of Health and Identity Management Requirements


Trust and Identity Program Advisory Group (PAG) update (Margaret)

    • https://spaces.at.internet2.edu/x/xY2TBg
    • Margaret, Kevin, Steve and Ann attended the recent Trust and Identity PAG call
    • A spiral development model was discussed
    • Assessment of threats and opportunities, iteratively
    • Moving out on the spiral, there are 4 quadrants
    • The current landscape includes a threat to federation going forward due to consumerization of a limited function of identity
    • Can use IDs across sites
    • Line up with Google ID and then there’s a persistent identity
    • Threat to SAML federation as it’s used today
    • Many are not sharing attributes
    • But using the federation for a constant identifier
    • Where does R&E federation fit in this universe?
    • Federation 2.0 work is relevant
    • The Fed 2.0 Working Group is developing a paper: https://wiki.refeds.org/display/GROUPS/Federation+2.0
    • Focus on how federation fits in the future
    • At the PAG call, there was talk of possibly involving CACTI, the eduroam advisory committee and REFEDS in this discussion in the future
    • KevinM: Decided to have an open-ended conversation on the PAG call about whether this time is different, with new threats
    • Looking at what's happening with NIH suggests federation is needed more than ever
    • The conversation will continue
    • Trust and Identity PAG will also discuss eduroam in the future

Secrets Management (Rob and Les / all)

    • Framing the conversation at the appropriate level for CACTI
    • Pulse check: Is this worth CACTI's time to pursue?
    • High-level problem statement
    • Seeking community input on the issue
    • Next steps
    • At the March 30, 2021 CACTI call, the discussion was fairly detailed:
      • sharing containerized applications, etc.
      • Security is key to trust in federation
    • Today we may want to talk at higher level
    • It's important to have good processes/guidance around key compromise
    • Need guidance on how to detect and respond to key compromise
    • Community and Federation Operator can help provide guidance
    • HSM (hardware security module) is the right answer for secrets management, but very hard to implement.
    • Detection and reporting might fall to SIRTFI https://wiki.refeds.org/display/GROUPS/SIRTFI
    • Does the community in general have enough awareness/concern about this issue?
    • Stronger policy signal needed for key management issue in general and key compromise specifically
    • CACTI can put together community outreach, to advise community
    • Develop a list of specific suggestions, might tie into Internet2 NET+
    • Raising awareness is the starting point
    • Best practices will be useful
    • What are the sensitive pieces of info? Best practices for storing that info, etc.
    • Possibly the community needs to reach consensus on these topics
    • KevinM: suggestion for an IAM Online on Secrets Management
      • Kevin could kick this off
      • then have two campuses discuss how they've handled secrets management (best in class, different approaches)
      • A CACTI member could do a call for ideas at the end
      • Get good attendance with a catchy title for the IAM Online, perhaps including SolarWinds
    • Suggestion for outreach prior to an IAM Online, to convince the community that this is an important topic
    • A blog post to raise awareness and to announce an upcoming IAM Online would make sense
    • AI Nicole will check with Dean on timing for blog and for IAM Online around Secrets Management
    • July IAM Online may make sense for this
    • The plan is to try to generate interest in developing best practices after the July IAM Online
    • It was noted that many secrets management practices arise in connection with some other effort, such as deploying Grouper
    • SteveZ: A CACTI working group, or asking the InCommon TAC to look at secrets management best practices/guidance, might make sense
    • Possible issue of treating symptoms without treating the problem
    • Rob: perhaps we are grabbing onto one currently hot symptom of an overarching issue
    • Topic goes beyond key management / secrets management
    • Security is hard; some are shy to say how much they don't understand
    • Trust is the basis of federation; if security and trust erode, this is a threat to federation
    • Longer term: a series of awareness-raising opportunities around security practices would be helpful
    • Perhaps a 3-5 session training program that InCommon co-brands and co-markets with REN-ISAC
    • Re-use a talk by Tom Jordan from a recent conference
    • Rob, Les and Nicole will steer conversations on next steps around Federation 2.0 and related issues

Next Meeting: Tuesday, April 27th, 2021