CACTI Call, Tuesday, July 20, 2021


Attending

Members

  • Rob Carter, Duke, (Chair)   
  • Les LaCroix, Carleton College (Vice-Chair)  
  • John Bradley, Independent   
  • Margaret Cullen, Painless Security  
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research 
  • Matthew Economou, InCommon TAC Representative to CACTI  
  • Michael Grady, Unicon   
  • Kevin Hickey, Detroit Mercy   
  • Chris Phillips, CANARIE    


Internet2 

  • Kevin Morooney   
  • Ann West   
  • Steve Zoppi     
  • Nicole Roy  
  • Netta Caligari  
  • Emily Eisbruch    

Regrets

  • Marina Adomeit, SUNET
  • Stoney Gan, University of South Florida
  • Marina Krenz, REN-ISAC
  • Barry Johnson, Clemson  
  • Jeremy Perkins, Instructure
  • Bill Thompson, Lafayette College
  • Kevin Morooney, Internet2


Action items from July 20, 2021

  • AI - Nicole will reach out to CACTI members around providing updates at future CACTI call
  • AI - Rob, Les and Nicole - work on putting structure around the discussion of CACTI Spheres of Influence


Action items from March 30, 2021

  • AI - Rob and Les - slot the user centric identity  topic into a future CACTI agenda
  • AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community  

Action items from March 16, 2021

  • AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
  • AI - Rob reach out to leaders of the MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did the intro with MattB). (Note: the Banner WG is folding into the MidPoint WG)

 

Discussion

Announcements and Updates 

Update from John Bradley - Cross-sector/etc.

  • FIDO finished CTAP 2.1
  • https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html
  • Adds enterprise management functionality to WebAuthn
  • Device attestation, so an enterprise can use it for inventory management
  • Better control over minimum PIN length
  • Added a way for biometric authentication behaviour to be set by the authenticator instead of the RP
  • Some were surprised the RP had control over how the biometric part of the authenticator worked
  • Authenticators can now control that (fixed)
  • SSH certificates work better for sites supporting FIDO with SSH, which GitHub now does
  • Outreach to Big Vendors
    • Working with Microsoft to add support on Windows 11 for SSH with FIDO authentication, to round out the passwordless experience
    • Working with Microsoft on back-porting the new features to Windows 10
      • Microsoft prefers that Windows 10 not get new features
      • Gamers have had success getting updates for versions prior to Windows 11
      • Creating keys in the TPM is a challenge for Microsoft
    • Apple devices have good support for WebAuthn
      • Pitching FIDO as enhanced passwords
      • Syncing across devices for users
      • FIDO helps make password management unphishable
    • Google and Apple are on board; Microsoft will likely come along
  • OpenID Connect, activity around SIOP (Self-Issued OpenID Provider)
    • Call with Roland Hedberg and Mike Jones tomorrow
    • After that, must decide whether to do another round of input on the OpenID Connect Federation spec
    • Or move to a vote on the spec
    • The spec allows protocols other than OpenID Connect, e.g. SAML
    • There is some pressure to split the spec into two pieces: a protocol-neutral part and a SAML-specific part
    • Does it make sense to break up the document? There are pros and cons either way
    • Current draft (check with John B to make sure this is correct before posting notes)


FIPS 140-2 Level 2 FIDO authenticators are available for those who need them for FedRAMP use cases.

Update from Josh Drake - Cybersecurity

  • Works at the Indiana University Center for Applied Cybersecurity Research
  • Works with the Open Science Grid https://opensciencegrid.org/
  • Research SOC (Security Operations Center)
    • 24-hour center
  • Much endpoint management happening
  • Want to be sure devices that have been away from the network during COVID are secure when they "return"
  • Increase in use of Multi-Factor Authentication
  • Uptick in password management solutions being used
  • There will be hurdles as endpoints come back inside the network
  • A few important developments.
  • CIS Top 20 controls updated from v7.1 to v8
  • Trusted CI uses the CIS Top 20
  • Center for Internet Security
  • Implementation Groups 1, 2 and 3
  • Cyber hygiene approach; protects from passive threats
  • Version 8 of the controls was released in May 2021
  • Reworked the baseline for security hygiene
  • Continuous vulnerability management
  • Do passive vulnerability scanning
  • Requirement for a ticketing system to manage vulnerabilities
  • https://www.cisecurity.org/controls/
  • Will do some educational sessions for community
  • Input monitoring and protection
  • Intrusion detection/ protection
  • Detect potential risks
  • New product to detect endpoint compromise
  • This was in the works before SolarWinds
  • Controls that set baseline expectations for third-party vendors and require contracts
  • Massive gaps in policy for controlling third-party services
  • Template
  • Spreadsheet mapping to the CIS controls; new controls are highlighted in green
  • Feel free to share
  • At the EDUCAUSE Cybersecurity and Privacy Professionals Conference, many post-pandemic security discussions; supply chain was also discussed
  • Zero trust is a discussed topic
  • Work on secrets management in cloud computing and container-based workflows
  • Practices for data continuity
  • Being sure logs are captured
  • Various solutions for containerized management and trust
  • Automating scanning of containers is almost as tedious as doing it manually
    • Topic for the future, to find solutions
  • At Indiana University, project called Secure My Research
  • Annual challenge on software assurance
  • Looking at static analysis tools
  • Security by design and software development
  • https://blog.trustedci.org/2021/03/announcing-2021-trusted-ci-annual.html


Planning for Updates at next CACTI Call

  • Seeking Volunteers (1-2) to give updates for next time
  • AI - Nicole will reach out to CACTI members around providing updates at future CACTI call
  • If you are interested, contact Rob, Les, Nicole

Rob - IAM Online Status Update

  • IAM Online on Secrets Management will be August 11, 2021
  • Had good planning meeting in June 
  • There is much material; Rob is sifting through it
  • Netta shared a slide deck template with logos on it that we can use
  • Flow: intro to who we (CACTI) are; then recent events: SolarWinds and an endpoint management tool that was vulnerable to attack; then what InCommon and the Trusted Access Platform are doing to protect keys; then asking the community to participate with us, including perhaps spinning off a CACTI-sponsored working group to look at gaps around key management, CI/CD, containers, etc.

Les / I2 staff - BaseCAMP

  • Discuss on next CACTI call

CACTI “Spheres of Influence” inventory and gap analysis

  • Topic suggested by Kevin Morooney on June 21, 2021 CACTI call
  • Connections to things like:
    • IIW (Internet Identity Workshop)
    • IETF
    • OIDF
    • Identiverse
    • EIC , European Identity Conference
    • Internet2 / GÉANT CAMP
    • GÉANT TNC “The Networking Conference” aka “Terena Networking Conference”
    • REFEDS
    • IdPro
    • Gartner, and similar groups like Forrester
    • New W3C Federated Identity group forming, being organized by Heather Flanagan
    • Etc…
  • Brainstorming of other places that CACTI should connect
    • Azure Advisors (ChrisP participates)
    • Atlassian - within a few years, an organization won't be able to run its own Confluence wiki; it will have to be a cloud service. Noted that the Atlassian IAM services could use improvement. https://www.atlassian.com/migration/journey-to-cloud
  • Duke recently looked at third-party contracts and pivot points (such as Atlassian, Blackboard or Canvas) and what would happen if a contract changed. What are the potential pain points? What are the key advocacy topics?
  • Do we care about specific instances or about standards? 
  • IMS Global and learning management standards
  • Underlying technologies 
  • Dealing w questions of how to handle applications
  • SteveZ: the Atlassian situation could become a rathole
  • Community has its own way of communicating displeasure with vendors
  • Whether or not Atlassian should be part of the portfolio
  • Internet2 NET+ Services  is part of this https://internet2.edu/cloud/internet2-net-plus-services/
  • We need to be market aware
  • A large number of customers does not necessarily mean safety in numbers
  • Atlassian does put high priority on  Higher Education as a vertical
  • It may cost Atlassian more to fix for Higher Education than they are willing to spend
  • It may be more fruitful for CACTI and others  to work at the level of standards bodies
  • Sometimes taking on vendors can have small return
  • We have had some influence on Amazon
  • Less influence on the other big vendors
  • Sometimes teams at big vendors change every 6-8 months
  • Rob: wonder where vendors look for the standards to employ in between their systems (between Amazon and Google, for example)
  • To what extent are vendors interested in standards?
  • Demands at home institutions have tended to eclipse discretionary availability to participate in standards bodies.
  • There has been a reduction, over time, in higher ed participation in the IETF, which has likely been detrimental
  • AI - Rob, Les and Nicole - work on putting structure around the discussion of CACTI Spheres of Influence


Next Meeting: Tuesday, August 3, 2021
