Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- John Bradley, Independent
- Margaret Cullen, Painless Security
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Matthew Economou, InCommon TAC Representative to CACTI
- Michael Grady, Unicon
- Kevin Hickey, Detroit Mercy
- Marina Krenz, REN-ISAC
- Barry Johnson, Clemson
- Jeremy Perkins, Instructure
- Chris Phillips, CANARIE
Internet2
- Kevin Morooney
- Ann West
- Nicole Roy
Regrets
- Marina Adomeit, SUNET
- Stoney Gan, University of South Florida
- Bill Thompson, Lafayette College, Internet2
- Steve Zoppi, Internet2
- Emily Eisbruch, Internet2
DISCUSSION
Administrivia
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
Announcements
- OpenID Foundation (OIDF) Multilateral OIDC spec is ready for review and then vote (Chris P / John B)
- Current Implementer’s Draft for review, linked from: https://openid.net/developers/specs/
- You don’t need to be a member in order to be a reviewer and provide feedback - open to the whole community
- Voting requires a $25/year membership/signing the IPR
- JohnB will forward the announcement to the CACTI list
- All the specs are public
- The working group can be found at: https://openid.net/wg/connect/
- ChrisP notes that this is a good example of outreach along the lines suggested by the Federation 2.0 group
- CACTI Call on Tuesday, July 6 ?
- There is no Tuesday, July 6 CACTI call on the agenda, let Nicole / Rob / Les know if you feel strongly that there should be a call that day.
July IAM Online planning
- IAM Online is Tuesday, July 20, 2 p.m. ET
- Topic is Secrets Management
- Looking for engagement in a direction that leads to outcomes that can be furthered at CAMP?
- How does this fit with what we’ve proposed for CAMP? https://www.incommon.org/academy/camp-meetings/2021-camp-week/
- Narrow vs. wide scope, and ease of finding people to help with a presentation
- Something like a hybrid of a presentation and an office hours? Soliciting community engagement.
- Could also hit up the other committees to find presenter(s)
- Presenters - at least one person from CACTI, would also like a point of view from outside CACTI membership, something that is really interesting/laudable
- This is only one part of a bigger set of issues we may want to socialize with the larger community related to security and trust.
- Have not yet fleshed that out.
- Have discussed a few possible speakers for some off-the-top-of-our-heads topics.
- Ann West and Mike Corn hosted an EDUCAUSE IAM zoom session on May 18, 2021
- re: IAM software, sparked by discussion on the EDUCAUSE IAM list.
- ~200 people chimed in on the list saying they would be interested in discussing.
- The group wants to do a monthly call, so for at least a few months there will be another context, this new call, that we could work with.
- The IAM Online is similar but not the same. We want to spark a renewed focus and sensibility around security practices and IAM.
- Talk about the overall trust-security relationship
- Then go into one or more examples
- CACTI has a number of sessions proposed for CAMP at TechEx Virtual in October https://www.incommon.org/academy/camp-meetings/2021-camp-week/
- Hoping to feed into those sessions, draw people into them via this IAM Online
- People want to know “what can I be doing better? When do I know that I’m doing well enough?”
- 3 staircases to climb:
- Beginner
- Intermediate
- Advanced
- On the other side of the convo are topics like SIRTFI - how do things like secrets management feed into the required “best practices” called out in specs like that?
- A story we should tell at the beginning about how we became interested in this topic, most recently: The SolarWinds issue.
- Might be a way to get started with basic level intro/overview. Should also probably mention how InCommon’s Baseline Expectations for Trust in Federation program fits in. SIRTFI, too. Draw a horizontal line: This is where “good enough” currently is.
- Here’s where we need to get to, here’s where we are, here’s the line we need to get to.
- Secrets management, specifically, is kind of in the weeds, only get there once you’re actually deploying. The session with the EDUCAUSE IAM group talked a lot about the IAM components, that group was very interested in that set of topics.
- Ann shared the survey results and notes
- IAM Online is a good place to “get eyeballs” - we should take advantage of the fact that we can *authentically* put SolarWinds in the abstract. That will attract eyeballs.
- AI: Create an abstract that this group can react to and iterate on.
- Beginning of a draft outline based on today’s discussion:
- Welcome
- What CACTI is / why we’re interested in this topic
- Here’s what we’re interested in talking about and starting a dialogue with you about today
- (details) SolarWinds and the thought it caused a lot of people to have. How we are being proactive and reactive based on that. Both technical AND business process work (secrets mgmt. and incident response, for example) is needed. Containers/CI/CD are a new world for a lot of us. The security landscape looks different. Example: supply chain.
- One or more invited speakers to show what they’re doing
- Wrap-up - continuing the conversation - where/how? CAMP? Other places?
- There is some concern that we should not make this *too* abstract for the desired audience
- Don’t want to broaden the topic so much that we can’t focus on things that people want to hear about/show up for. Focus on SIRTFI as a foundation. The *DOs* for participating in the federation/etc. Not everyone will be from inside the federation, however.
- Likely a number of people who don’t know what CACTI is, need to briefly intro the group.
- SolarWinds raised a lot of marketing opportunities, but it also raised a lot of technical thinking. What lessons did we learn, and how do we apply those to the problem space? More practical/good topical material for IAM Online.
- Some interest in IdP/SP intrusion detection. Technical gaps versus business process gaps. “Do I have an incident response plan?” Secrets mgmt, etc., is important, but the lesson to take away from SolarWinds is an incident response lesson rather than a technical one. This does not conflict with secrets management; it’s complementary.
- Moving away from “one and done” to “defense in depth” mindset. Security is an ongoing process, not a task or project. Same with IAM.
- We want this to spark a further conversation
- Secrets management that ties into OIDC Federation and Federation 2.0: the issue is how you get hold of the public keys for trust relationships in a secure way. LOTS of people out there are not validating metadata, etc. How do I get the keys into my client-side storage and use them effectively?
- Connecting this convo to the EDUCAUSE IAM List convo, and also tying it into the InCommon Component Architects, both ends of the pipeline. Containerized deployments as the preference, which means a different world/different set of concerns. Supply chain integrity, etc.
Next steps:
- Putting together an abstract that we can use to publicize the IAM online (and that we can use for further planning purposes)
- Iterate between calls
- Collab on building the abstract/agenda: Matthew E, Chris P with Rob/Les/Nicole. Goal: get abstract out for review/comment by the group by Tuesday, June 1st.
- Getting an announcement out in June
- Identify topics and speakers for the invited presenter portion
- Rob/Les/Nicole approach potential speaker to ask
- Community outreach / component architects
DID NOT COVER REMAINING TOPICS, will introduce at a later date
- Community outreach/InCommon Component Architects tie-ins/relationships (this can be deferred if we need the time for IAM Online planning)
- Broadening the tent/Federation 2.0 next steps (this can be deferred if we need the time for IAM Online planning)
- Broadening the tent as a theme, and possible tension with initiatives, such as a proposed categorization of services which should be allowed in eduGAIN?
- Possibly eduGAIN requirements in particular? “Making being in eduGAIN more meaningful”
- Challenges with enforcement at an eduGAIN level
- Are there things the InCommon community can/should be doing to help?
- Backlog of possible topics
Next Meeting: Tuesday, June 8th, 2021