Attendees: 

Present: Brad Christ, Chris Misra, Christine Miki, Dave Robinson, Jeremey Livingston, Kristi Holmes, Laura Paglione, Marc Wallman, Michael Berman, Rachana Ananthakrishnan, Ann West

With: David Bantz, Keith Wessel, Kevin Morooney, Steve Zoppi, Albert Wu, Kim Milford, Rob Carter, Tom Barton

ABSENT:

Agenda - Security

  1. InCommon Operations (internal) (Kevin et al, 10 min)
    1. Pre-reads, background
      1. https://incommon.org/incident-response/
      2. https://spaces.at.internet2.edu/display/federationops/Incident+Handling
  2. InCommon federation risk discussion (external) (Tom, 20 min)
  3. REN-ISAC and InCommon (Ann, Kim, 20 min)


Minutes

Kevin provided a very high-level overview of the following topics (internally focused):

  1. Participant self-serve "portals" (manage federation metadata, eduroam roles, cert service)
  2. Federation metadata management (eduGAIN ingestion, integration, filtering, signing, publishing)
  3. Key management (for signing metadata)
  4. Contact management (both for InCommon communications and in metadata)
  5. eduroam-us RADIUS servers and related
  6. Trusted Access Platform software-development pipeline

Kevin then asked these questions: 

  1. What about any of the above is most sensitive due to privacy, integrity, or availability considerations?
    • Signing the metadata; the signing key is what ensures the integrity of the published information.
  2. What standards does InCommon use to gauge security of the above stuff?
    • Generally we're guided by NIST.
  3. What are the main gaps between implementation and what those standards require?
    • InCommon does not have a recent gap analysis. Other services in greater need of such analyses were prioritized over InCommon; it is close to time to do a secops analysis for the InCommon federation.
  4. Does Internet2 have cyber risk insurance? (YES) Does it need it? (YES) Does it use it? (We have not yet had to use it) 

Tom Barton (Risk Management, external focus) 

Slide Deck was shared

Tom delivered this presentation to help explain a variety of different kinds of risks InCommon needs to consider in operating the federation.

Chris - InCommon is trading on its brand. The non-quantifiable trust needs to be built tighter. InCommon is viewed as the arbiter of the community trust.

Kevin - We have to be more intentional and communicate about how we support trust. 

Jeremy - InCommon should do more security testing to gird community trust. 

David - Are these requirements or recommendations? There may be institutions that take a long time, but meeting standard requirements is what builds the trust and confidence of the community. 

Tom - Yes they are requirements. 

Michael Berman - Analog to the requirements of PCI - They are "binding" and have a level of assurance that is consistent with the Federation. Recommends doing "audit" in addition to "monitoring".

Kim Milford discussion

  • What *is* the REN-ISAC and what is its value to the R&HE environment?
  • Not sure where it's ultimately going
  • Primary Sharing:
    • Threats
    • Proactive information
    • Tactical/Technical
  • More conversation about other topics
    • Cyber Insurance
    • Risk Management
  • How coordination has improved
    • Monthly meetings
    • Collaboration isn't quite the word of the day - yet, but coordination has improved


Meeting adjourned