CACTI Call, Tuesday, June 8, 2021
Attending
Members
- Rob Carter, Duke, (Chair)
- Les LaCroix, Carleton College (Vice-Chair)
- Matthew Economou, InCommon TAC Representative to CACTI
- Stoney Gan, University of South Florida
- Michael Grady, Unicon
- Kevin Hickey, Detroit Mercy
- Marina Krenz, REN-ISAC
- Barry Johnson, Clemson
- Jeremy Perkins, Instructure
Internet2
- Kevin Morooney
- Nicole Roy
- Emily Eisbruch
Regrets
- Marina Adomeit, SUNET
- John Bradley, Independent
- Margaret Cullen, Painless Security
- Joshua Drake, Indiana University's Center for Applied Cybersecurity Research
- Chris Phillips, CANARIE
- Bill Thompson, Lafayette College
- Ann West
- Steve Zoppi
Discussion
Action item review:
Action items from March 30, 2021
- AI - Rob and Les - slot the user centric identity topic into a future CACTI agenda
- AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community (ongoing - discussion continuing April 27)
Action items from March 16, 2021
- AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
- AI - Rob reach out to leaders of MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did intro with MattB). (Note: Banner WG is folding into the MidPoint WG)
Administrivia
- Internet2 Intellectual Property Agreement reminder
- CACTI Charter pointer
Announcements
- New InCommon Community Success Manager, Netta Caligari, (based in Fort Collins, Colorado) has joined the Internet2 staff
- Netta will manage
- InCommon Catalyst Program
- Trust and Identity Working Groups logistics and support
- more
- Netta will fill some of the work functions done in the past by Jessica and also by Dean W
- There will be some rebalancing of community engagement and communications functions for InCommon
- Netta plans to join the CACTI call, on June 22, 2021
August IAM Online planning - status update
- Tuesday, August 11, 2021 at 2 p.m. ET
- Two broad topics
- Supply Chain Security (basis of SolarWinds)
- we need to be sure the InCommon Trusted Access software screens are well protected, protect IAM infrastructure, and that secrets and deployment phases are handled appropriately
- For DevOps and Operations staff, staying on top of security issues
Goal:
- End result of conversation is increased engagement
- We don’t have all the answers/solutions
- Hope the scope of the IAM Online is a way to pull people into the conversation,
- with follow up conversations potentially at BaseCAMP, CAMP, ACAMP and other venues
- Operational security is another important topic
- Supply chain risks are an important focus
- The length and breadth of the supply chain changes, and the secrets management issue shifts with it
- InCommon TAC is working on sandbox/workbench. Cloud deployment of the Trusted Access Platform suite.
- Chris and Rob will attend upcoming meeting of Software Integration working group and will ask for topics that could fill a few slides
- Dive into how to protect your own code at your home organization?
- In regard to secrets and security, there is not much difference between open source and closed source these days.
- If you can attack one, all are vulnerable; this is what happened in SolarWinds
- Open source is not differently vulnerable from closed source
- Should there be one or more working groups that CACTI might sponsor around secrets management?
- KevinM: Important that CACTI is doing an IAM Online about security. Sends significant signal
- Three categories of people attend security webinars
- those who want to justify nothing to worry about
- those who are extremely worried
- huge cohort in the middle, there to learn
- Will be good to find out what the community wants to hear more about.
- This security discussion augments the work of CTAB with Baseline Expectations Version 2
Suggestion to conduct one or more Zoom Polls during the IAM Online, for example:
- At beginning of the IAM Online, poll on which of these items is your biggest area of concern now?
- At end of the IAM Online, poll on potential ways / venues for continuing the conversation
- Slides for the August IAM Online
- ChrisP is working on slides for the IAM Online
- Had talked about bringing in experts from campuses to share their story
- Decided that might take excessive time
- Decided it’s best for CACTI members to be the speakers and share overall info
- Giving credit where we received input for the slide deck
Broadening the tent/Federation 2.0 next steps
- What are the best ways to strengthen community outreach?
- Build up interconnectedness with other Trust and Identity groups (software integration working group, component architects working group, CTAB)
- Encouraging groups and individuals to interact with CACTI
- CACTI involves Trust and Identity, should we (along with CTAB) focus more on Trust?
- Conversations about verifiable credentials, how do you know who is authorized to assert certain things?
- Comment: makes sense to focus more on trust issues
- Bring in non-traditional identity folks, widen the net for getting intel from the community
- Discuss the InCommon Catalyst program, perhaps on our next CACTI call https://www.incommon.org/news/catalyst-program-brings-identity-and-access-management-expertise-support-to-incommon-community/