Attending

  Members

  • Rob Carter, Duke (Chair)  
  • Les LaCroix, Carleton College (Vice-Chair)  
  • John Bradley, Independent  
  • Margaret Cullen, Painless Security  
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research 
  • Matthew Economou, InCommon TAC Representative to CACTI  
  • Michael Grady, Unicon 
  • Kevin Hickey, Detroit Mercy  
  • Marina Krenz, REN-ISAC 
  • Barry Johnson, Clemson  
  • Jeremy Perkins, Instructure 
  • Chris Phillips, CANARIE  

 Internet2 

  • Kevin Morooney  
  • Ann West  
  • Nicole Roy  

 Regrets

  • Marina Adomeit, SUNET
  • Stoney Gan, University of South Florida
  • Bill Thompson, Lafayette College, Internet2
  • Steve Zoppi, Internet2
  • Emily Eisbruch, Internet2 

DISCUSSION

 Administrivia

Announcements

  • OpenID Foundation (OIDF) Multilateral OIDC spec is ready for review and then vote (Chris P / John B)
    • Current Implementer’s Draft for review, linked from: https://openid.net/developers/specs/
    • You don’t need to be a member in order to be a reviewer and provide feedback - open to the whole community
    • Voting requires a $25/year membership/signing the IPR
    • JohnB will forward the announcement to the CACTI list
    • All the specs are public 
    • The working group can be found at: https://openid.net/wg/connect/ 
    • ChrisP notes that this is a good example of outreach along the lines suggested by the Federation 2.0 group


  • CACTI Call on Tuesday, July 6?
    • There is no Tuesday, July 6 CACTI call on the agenda, let Nicole / Rob / Les know if you feel strongly that there should be a call that day.

July IAM Online planning

  • IAM Online is Tuesday, July 20, 2 p.m. ET
  • Topic is Secrets Management
    • Looking for engagement in a direction that leads to outcomes that can be furthered at CAMP?
    • How does this fit with what we’ve proposed for CAMP? https://www.incommon.org/academy/camp-meetings/2021-camp-week/
    • Narrow vs. wide scope, and ease of finding people to help with a presentation
    • Something like a hybrid of a presentation and an office hours? Soliciting community engagement.
    • Could also hit up the other committees to find presenter(s)
  • Presenters - at least one person from CACTI, would also like a point of view from outside CACTI membership, something that is really interesting/laudable
  • This is only one part of a bigger set of issues we may want to socialize with the larger community related to security and trust. 
  • Have not yet fleshed that out. 
  • Have discussed a few possible speakers for some off-the-top-of-our-heads topics.
  • Ann West and Mike Corn hosted an EDUCAUSE IAM Zoom session on May 18, 2021
    • re: IAM software, sparked by discussion on the EDUCAUSE IAM list.
    • ~200 people chimed in on the list saying they would be interested in discussing. 
    • The group wants to do a monthly call - so for at least a few months, we’ll have another context - this new call, which we could work with. 
  • The IAM Online is similar but not the same. We want to spark a renewed focus and sensibility around security practices and IAM.
  • Talk about the overall trust-security relationship
  • Then go into one or more examples
  • CACTI has a number of sessions proposed for CAMP at TechEx Virtual in October https://www.incommon.org/academy/camp-meetings/2021-camp-week/
  • Hoping to feed into those sessions, draw people into them via this IAM Online
  • People want to know “what can I be doing better? When do I know that I’m doing well enough?”
  • 3 staircases to climb:
    • Beginner
    • Intermediate
    • Advanced
  • On the other side of the convo are topics like SIRTFI - how do things like secrets management feed into the required “best practices” called out in specs like that? 
  • A story we should tell at the beginning about how we became interested in this topic, most recently: The SolarWinds issue. 
  • Might be a way to get started with basic level intro/overview. Should also probably mention how InCommon’s Baseline Expectations for Trust in Federation program fits in. SIRTFI, too. Draw a horizontal line: This is where “good enough” currently is.
  • Here’s where we need to get to, here’s where we are, here’s the line we need to get to.
  • Secrets management, specifically, is kind of in the weeds, only get there once you’re actually deploying. The session with the EDUCAUSE IAM group talked a lot about the IAM components, that group was very interested in that set of topics.
  • Ann shared the survey results and notes
  • IAM Online is a good place to “get eyeballs” - we should take advantage of the fact that we can *authentically* put SolarWinds in the abstract. That will attract eyeballs.

AI: Create an abstract that this group can react to and iterate on.

  • Beginning of a draft outline based on today’s discussion: 
    • Welcome
    • What CACTI is / why we’re interested in this topic
    • Here’s what we’re interested in talking about and starting a dialogue with you about today
    • (details) SolarWinds and the thought it caused a lot of people to have. How we are being proactive and reactive based on that. Technical AND business process stuff (secrets mgmt. and incident response, for example) are needed. Containers/CI/CD are a new world for a lot of us. Security landscape looks different. Example: supply-chain.
    • One or more invited speakers to show what they’re doing
    • Wrap-up - continuing the conversation - where/how? CAMP? Other places?
    • There is some concern that we should not make this *too* abstract for the desired audience
    • Don’t want to broaden the topic so much that we can’t focus on things that people want to hear about/show up for. Focus on SIRTFI as a foundation. The *DOs* for participating in the federation/etc. Not everyone will be from inside the federation, however.
    • Likely a number of people who don’t know what CACTI is, need to briefly intro the group.
    • SolarWinds raised a lot of marketing opportunities, but it also raised a lot of technical thinking. What lessons did we learn, and how do we apply those to the problem space? More practical/good topical material for IAM Online.
    • Some interest in IdP/SP intrusion detection. Technical gaps versus business process gaps. “Do I have an incident response plan?” Secrets mgmt, etc., is important, but the lesson to take away from SolarWinds is an incident response lesson rather than a technical one. This does not conflict with secrets management; it’s complementary. 
    • Moving away from “one and done” to “defense in depth” mindset. Security is an ongoing process, not a task or project. Same with IAM.
    • We want this to spark a further conversation
    • Secrets management that ties into OIDC Federation and Federation 2.0: issue with how you get hold of the public keys for trust relationships in a secure way. LOTS of people out there not validating metadata, etc. How do I get the keys into my client-side storage and use them effectively?
    • Connecting this convo to the EDUCAUSE IAM List convo, and also tying it into the InCommon Component Architects - both ends of the pipeline. Containerized deployments as preference, which means a different world/different set of concerns. Supply chain integrity, etc.


Next steps:

  1. Putting together an abstract that we can use to publicize the IAM online (and that we can use for further planning purposes)
    1. Iterate between calls
    2. Collab on building the abstract/agenda: Matthew E, Chris P with Rob/Les/Nicole. Goal: get abstract out for review/comment by the group by Tuesday, June 1st. 
  2. Getting an announcement out in June
  3. Identify topics and speakers for the invited presenter portion
    1. Rob/Les/Nicole approach potential speaker to ask
    2. Community outreach / component architects

DID NOT COVER REMAINING TOPICS, will introduce at a later date


  • Community outreach/InCommon Component Architects tie-ins/relationships (this can be deferred if we need the time for IAM Online planning)

  • Broadening the tent/Federation 2.0 next steps (this can be deferred if we need the time for IAM Online planning)
    • Broadening the tent as a theme, and possible tension with initiatives, such as a proposed categorization of services which should be allowed in eduGAIN?
    • Possibly particularly eduGAIN requirements? “Making being in eduGAIN more meaningful”
    • Challenges with enforcement at an eduGAIN level
    • Are there things the InCommon community can/should be doing to help?
  • Backlog of possible topics


Next Meeting: Tuesday, June 8th, 2021 
