CACTI Call, Tuesday, June 8, 2021


Attending

Members

  • Rob Carter, Duke, (Chair) 
  • Les LaCroix, Carleton College (Vice-Chair)  
  • Matthew Economou, InCommon TAC Representative to CACTI  
  • Stoney Gan, University of South Florida  
  • Michael Grady, Unicon  
  • Kevin Hickey, Detroit Mercy 
  • Marina Krenz, REN-ISAC  
  • Barry Johnson, Clemson 
  • Jeremy Perkins, Instructure 

Internet2 

  • Kevin Morooney  
  • Nicole Roy  
  • Emily Eisbruch 

Regrets

  • Marina Adomeit, SUNET
  • John Bradley, Independent 
  • Margaret Cullen, Painless Security
  • Joshua Drake, Indiana University's Center for Applied Cybersecurity Research  
  • Chris Phillips, CANARIE 
  • Bill Thompson, Lafayette College
  • Ann West   
  • Steve Zoppi  

Discussion

Action item review:

  Action items from March 30, 2021

  • AI - Rob and Les - slot the user-centric identity topic into a future CACTI agenda
  • AI - Rob and Les - form ideas to share with CACTI for continuing the secrets management discussion with others in the community (ongoing - discussion continuing April 27)

    Action items from March 16, 2021

  • AI - Rob reach out to the CACTI email list to start to gather contacts and use cases for upcoming discussions around OIDC.
  • AI - Rob reach out to leaders of MidPoint/Banner Integration working group to talk with CACTI re: Banner (AnnW did intro with MattB). (Note: Banner WG is folding into the MidPoint WG)

 Administrivia

Announcements

  • New InCommon Community Success Manager, Netta Caligari, (based in Fort Collins, Colorado) has joined the Internet2 staff
  • Netta will manage 
  • Netta will fill some of the work functions done in the past by Jessica and also by Dean W
  • There will be some rebalancing of community engagement and communications functions for InCommon
  • Netta plans to join the CACTI call, on June 22, 2021

August IAM Online planning - status update  

  • Tuesday, August 11, 2021 at 2 p.m. ET
  • Two broad topics 
    • Supply Chain Security (basis of SolarWinds)
      • We need to be sure the InCommon Trusted Access software screens are well protected, that IAM infrastructure is protected, and that secrets and deployment phases are handled appropriately
    • For DevOps and Operations staff, staying on top of security issues

Goal:  

  • End result of conversation is increased engagement
  • We don’t have all the answers/solutions
  • Hope is that the IAM Online is a way to pull people into the conversation, with follow-up conversations potentially at BaseCAMP, CAMP, ACAMP and other venues
  • Operational security is another important topic
    • Supply chain risks are an important focus
    • The length and breadth of the supply chain changes, and the secrets management issue shifts with it
    • InCommon TAC is working on sandbox/workbench. Cloud deployment of the Trusted Access Platform suite.
    • Chris and Rob will attend the upcoming meeting of the Software Integration working group and will ask for topics that could fill a few slides
    • Dive into how to protect your own code at your home organization?
    • In regard to secrets and security, there is not much difference between open source and closed source these days.
      • If you can attack one, all are vulnerable; this is what happened in SolarWinds
      • Open source is not differently vulnerable from closed source
    • Should there be one or more working groups that CACTI might sponsor around secrets management?
    • KevinM: Important that CACTI is doing an IAM Online about security. Sends significant signal
    • Three categories of people attend security webinars  
      • those who want to justify that there is nothing to worry about
      • those who are extremely worried
      • a huge cohort in the middle, there to learn
    • Will be good to find out what the community wants to hear more about.
    • This security discussion augments the work of CTAB with Baseline Expectations Version 2

Suggestion to conduct one or more Zoom Polls during the IAM Online, for example:

    • At beginning of the IAM Online, poll on which of these items is your biggest area of concern now?
    • At end of the IAM Online, poll on potential ways / venues for continuing the conversation 
  • Slides for the August IAM Online
    • ChrisP is working on slides for the IAM Online
    • Had talked about bringing in experts from campuses to share their story
    • Decided that might take excessive time
    • Decided it’s best for CACTI members to be the speakers and share overall info
    • Giving credit where we received input for the slide deck

Broadening the tent/Federation 2.0 next steps 

  • What are the best ways to strengthen community outreach?
  • Build up interconnectedness with other Trust and Identity groups (software integration working group, component architects working group, CTAB)
  • Encouraging groups and individuals to interact with CACTI
  • CACTI involves Trust and Identity, should we (along with CTAB) focus more on Trust?
  • Conversations about verifiable credentials, how do you know who is authorized to assert certain things? 
  • Comment: makes sense to focus more on trust issues  
  • Bring in non-traditional identity folks, widen the net for getting intel from the community 

 

Next Meeting: Tuesday, June 22nd, 2021 
