...

The security of the InCommon Federation Manager (FM), the application used by RA administrators, site administrators, and delegated administrators, is critical to the confidentiality, integrity, and availability of InCommon IdPs and SPs. This document discusses threats, impacts, and potential controls, with emphasis on those threats that relate to identity and access management for the FM.

The approach taken here is based on the risk assessment framework outlined in NIST Special Publications 800-30 and 800-53 and other documents referenced in the text. In brief, this process has the following steps:

...

It should be noted that "security" in this context is not simply about the threats posed by digital criminals. Security also concerns itself with any threat to the confidentiality, integrity, or availability of a system. The NIST framework is much broader, addressing not only technical security, but also physical security, disaster recovery, organizational maturity, etc. That said, this document concentrates primarily on digital security.

Finally, the goal here is not to identify the best/strongest controls available to address a threat. Rather, the goal is to identify controls that are appropriate to the impact levels that have been identified.

...

The maintenance of InCommon metadata is a shared responsibility between InCommon Operations (represented by the RA administrators) and the InCommon participants (represented by the site administrators and delegated administrators). In general, the site administrators and the delegated administrators are responsible for submitting correct metadata, while the RA administrators are the stewards of that metadata. More specifically:

  • Site administrators and delegated administrators are generally considered to be the source of metadata content. There is an exception, however:
    • The RA administrator may insert additional information into an entity descriptor. Examples of such information are organization data, Identity Assurance (IAP) qualifiers, and service provider category attributes, i.e., information for which the Federation operator is authoritative.
  • As the steward of metadata, the RA administrator is responsible for:
    • The integrity and availability of participant metadata. (Confidentiality is not an issue.)
    • Controls, to be leveraged by site administrators and delegated administrators, that aid in the submission of correct metadata by authorized individuals. The use of these tools may be required for all administrators, required for certain administrators depending on certified assurance levels, or may be optional. Examples of such controls are authentication mechanisms, secure communication channels, notification of completed transactions, enforced separation of duties, etc.
    • Services such as domain verification that help administrators create and maintain correct metadata.

Note: Despite the controls and services performed by the RA administrator, the responsibility for correct metadata still rests with the participant.

...

When assessing threats to the Federation Manager, we consider the following issues:

...

The metadata contains different types of information that may be categorized according to the impact of that information being incorrect. To provide guidance for the implementation of appropriate controls, the following table summarizes those categories.

| Metadata Category | Impact of Being Incorrect |
|---|---|
| Certificates in IdP metadata (i.e., a public key in metadata corresponding to the IdP's signing key) | A spoofed IdP may push false identity assertions to SPs that trust the correct IdP. |
| Endpoints (especially SingleSignOnService endpoints) in IdP metadata | IdP users may be phished. Also, the IdP's user community may suffer a service outage. |
| Certificates and endpoints in SP metadata | Loss of PII when identity assertions are sent to a spoofed SP. Also, the SP's user community may suffer a service outage. |
| Entity attributes that indicate the trustworthiness of an entity (e.g., Identity Assurance (IAP) qualifiers and other qualifiers for which the Federation operator is authoritative) | SPs may place too much trust in an IdP's assertion, or an IdP may send information to an SP that it would not normally trust to receive that information. |
| User interface elements in metadata (i.e., MDUI elements) | The entity's user community may be presented with confusing information, with the possibility that users will be misled and/or coerced to do the wrong thing. |
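As an added illustration (not part of this document or of the Federation Manager's own code), the following Python check runs the kind of submission-time controls the table motivates over a constructed IdP entity descriptor: a signing certificate must be present, SingleSignOnService endpoints must use https under a domain the participant has verified, entity attributes the Federation operator owns must not arrive from the submitter, and an MDUI DisplayName must exist. The attribute name, domains and entity values below are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Entity attributes the Federation operator is authoritative for; the submitter
# must not set them. The attribute name is an assumption chosen for this example.
OPERATOR_OWNED = {"urn:oasis:names:tc:SAML:attribute:assurance-certification"}

def check_idp_descriptor(xml_text, verified_domains):
    """Return a list of findings for a submitted IdP EntityDescriptor; [] means clean."""
    findings = []
    ed = ET.fromstring(xml_text)
    idp = ed.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor"]
    # Certificates: without a signing key in metadata, SPs cannot verify this IdP's assertions.
    if not idp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        findings.append("no signing certificate")
    # Endpoints: https only, and the host must sit under a domain the participant verified.
    for ep in idp.findall("md:SingleSignOnService", NS):
        url = urlparse(ep.get("Location", ""))
        host = url.hostname or ""
        if url.scheme != "https":
            findings.append(f"endpoint not https: {url.geturl()}")
        if not any(host == d or host.endswith("." + d) for d in verified_domains):
            findings.append(f"endpoint host outside verified domains: {host}")
    # Entity attributes: trust qualifiers the operator owns must not come from the submitter.
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") in OPERATOR_OWNED:
            findings.append(f"submitter set operator-owned attribute {attr.get('Name')}")
    # MDUI: a DisplayName, so users are not shown a nameless or confusing IdP.
    if idp.find("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS) is None:
        findings.append("missing mdui:DisplayName")
    return findings

# Constructed sample submission that trips every check above (five findings).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" entityID="https://idp.example.edu/idp">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
      <saml:AttributeValue>silver</saml:AttributeValue></saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="http://idp.example.net/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `check_idp_descriptor(SAMPLE, ["example.edu"])` returns one finding per table row the sample violates; a descriptor that passes returns an empty list.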

Potential Threats

The following table provides a summary of threats and their impacts. It also lists potential controls, but the selection of specific controls for implementation is the subject of another document. [InCCollaborate: Need a link to Ops's document...]

...