with Tom Barton from the University of Chicago
Wednesday, November 4
3 p.m. EST
Let me go back to the beginning and welcome. My name is Cheryl Swenson. I'm your host for today's Techburst. Thank you for joining us. Today's Techburst title is Sirtfi and Baseline Expectations. Our presenter today is Tom Barton. Tom is a senior consultant for cyber security and data privacy at the University of Chicago, and he's also a consultant with Internet2. Tom will be talking about InCommon's newly released Baseline Expectations, and he'll be taking your questions about bringing your organization into compliance with those. You can type your questions or comments at any time into the Q&A box within the Zoom window. That kind of feedback could also include if you're having difficulty hearing someone, or if there are video issues and you can't see what's happening in the screen share. Tom will provide his contact information in the last slide of this presentation, so if you're watching this in video format rather than live and you think of a question after you've watched through the presentation, you may contact him at those addresses and ask him your questions as a follow-up. The session today is public and it is being recorded. It does take a bit of processing time to get the recordings posted, but by early next week we should have the video and Tom's slides available on our public website. The address is www.ren-isac.net. I will also send an email to our discuss list when the video is available so that our members will be aware. Like many people, I'm working from home today, so I'll just apologize in advance if you can hear yelling or if my dogs bark and interrupt us. I will keep myself muted most of the time to minimize that disruption unless I'm speaking or reading out a question for Tom.
I'd also like to take a moment to recognize my teammates, Todd Herring, Chris O'Donnell and Joseph Passionate, who are standing by, logged in, ready to pick up host duties if I should become disconnected or have technical issues that prevent me from participating in the presentation. I also want to reassure folks, we've taken some steps to minimize unwanted guests in our Zoom meeting today, and we do have staff standing by as Zoom bouncers who will kick out anybody who is disruptive or unprofessional. Last and certainly not least, you are encouraged to ask questions at any time, add your observations and make comments via the Q&A tool. I want to let you know that you can select the anonymous option if you prefer not to show your name. I'll be reading those out loud for Tom as we go along. With that, I'll hand the virtual stage over to Tom.

Thank you, Cheryl. Hello everybody. Let me say I'm going to share my screen with you, and you can let me know if that seems to be working for you.

It looks good to me, Tom.

Excellent. So I want to reiterate, this presentation is to bring you up to speed with some things that are going on, but most importantly to kind of engage and get your questions, because there might be some questions coming to you from some of your colleagues at your organizations as a result of this. So with that, I'll explain fully, I think, going by and by here. I will explain what Sirtfi is and what Baseline Expectations is, and a couple of other things along the way. So let's take a quick look, first of all, at what is coming up. I'm going to try to not make assumptions about what you already know or don't know, but I'll give a brief overview of what federation is in the research and education space, what research communities and others need from those research and education federations, a brief overview of the InCommon Federation's Baseline Expectations program, and a brief overview of Sirtfi.
And then finally, look around to why am I bothering to spend my time and maybe waste some of yours? And that naturally comes to the last bullet, which is where we're going to spend a good bit of our time over the next 45 minutes. Okay. So why do we have a grand-scale view from all the way in space, basically? This is what's going on, where many of us in all kinds of various ways help to support academic collaboration. It's our basic mission across various institutions. So there's faculty and staff, they're everywhere. They have data, other kinds of IP, instruments, computing resources. Those are housed and operated at organizations all over the world. And we have global research networks to connect them, and research and education federations to also connect them. And so the federation part is about managing user access to stuff. So let's go over that really quickly. Why bother with all that? Well, first of all, the network can't do it, not really. It's not good enough for end user access to protected resources. We can do it in a way that should result in a good user experience: single sign-on using the credentials that person's home organization has given them for all the usual various and sundry daily purposes can be used to access stuff over research and education federations all over the world. It's done in a very trustworthy way, and in a way that we try to make very useful, to solve real problems that academic collaborations have and to manage the risks that they have. Then, it scales. You can use it on your campus, you can use it around the world, and anywhere in between. And it also is relatively light in terms of agreements, legally binding agreements, stuff like that. Basically you just need one between your organization and your national federation, and the rest follows.
So it's on top of the network, a global infrastructure that helps to glue the users in to enable their access to a variety of protected resources. So this is going to be a very brief primer. You won't get a quiz at the end about what goes on. A little bit: if you look at the lower left-hand corner, there's a user over there and it's all about them. And there is something called an SP, a Service Provider. That's something the user wants to access and use, a research service or any kind of a thing. And an IdP, that's something that operates, runs at the user's home organization, at the university, where they log into things using the university's single sign-on system. And so roughly what happens is, somehow by some federation magic, they approach the service that they want to work with and they're referred back to do a login at their home organization's single sign-on service. And the result of that is sent back to the service provider. So authentication credentials and so forth remain local to the home organization. But the service provider, for reasons to do with how federation operates, knows to trust the assertions about authentication that come along with the information provided through the user's browser from their identity provider, and maybe some information about the users themselves. So stepping back one step, you wonder, why should that service provider trust it? How did it know to reach out to the identity provider that that user comes from? A myriad of questions like that. And really the answers have to do with what federation operators do. They register entities into their national federations. There's a process. There's a lot of metadata that has to be gathered, certificates established for identification, all in a trustworthy way, to make invocations between entities like service providers and identity providers, things like that. So those federations register entity metadata to enable that transaction to proceed.
And then within each country, InCommon is one of those for the US, and many countries, I think 68 or a few more were taking new members in July, have such things. And they all have a sort of embedded metadata exchange server called eduGAIN. So basically they can kind of share the set of entities that each one registers amongst them all, so that a user at any IdP anywhere could reach a service registered by any federation anywhere around the world. Not entirely true, but that's, to first order, the general idea. So that's kind of federation. And you can see some numbers on the right-hand side about scale. Then there's federated access. So when that user accesses that SP, it's federated access. But you'll notice that there are some boxes up in the top left, that research cyberinfrastructure and a research project, that are not part of international federation. But they're still accessible by federated access by means of proxies. That is, something about them is exposed in a federation and presents itself as a service provider. So it can happen for something like XSEDE or Open Science Grid or the European EGI or a variety of things like this, where there is a dedicated gateway proxy that accepts federated logins from the research members on campuses, but all the different services on the local side of the proxy are probably specialized and not necessarily made for federation, but for research computing or whatever the special function may be. And so it's more beneficial, more efficient, to have a proxy for presenting access to those services into a federation, or any federation internationally. So that's sort of the thumbnail, Federation 101.
And now we want to talk briefly about what are some of the most important things that federations need beyond merely the ability to authenticate, the values that they can provide to all those service providers, relying parties, who actually have risks to manage if they're not going to manage all the accounts and hand them out to the users of their services themselves. They're going to, in a sense, kind of outsource that to people all over the world by means of R&E federation, to their benefit, because they don't have to hassle with managing all the accounts and so on, and to the benefit of their researchers and users and students and so forth, because those folks don't need to have an account for every single thing they want to do. They can use their university account for many of them. But there is some division of labor that should happen. And so this is expressed in this pyramid. There are some basic things, in green: making sure that the metadata, for example, is accurate and complete for each of the entities that are interacting, supporting the user's access to the service, including error handling; some basic security stuff, which is what we're going to be talking about here in a minute; releasing a few attributes about the users in some circumstances; as well as things that are quite familiar in this area, multifactor authentication and also identity assurance, identity proofing kinds of information. So those are things that would be great to have that do not always obtain currently in InCommon or at any of the other national R&E federations, in varying degrees. But that's kind of where the Baseline Expectations program comes in. So, you know, we have standards, we know how to signal for MFA, and we know how to send information about identity proofing levels that a campus may have provided for a given set of accounts.
So things like that we know how to do, and we can tell, we could ask folks and let them know this is available. It's a really good thing, please, would you please support it at your identity provider and at your service provider? And some do, many do not. It's very hard to communicate broadly across 70 countries, from 4 thousand identity providers and so many thousands of service providers. The coordination, communication and change management challenges are extreme, colossal and global. So to address that, InCommon developed this Baseline Expectations program, which is a way to require basically all of its members to do some things in terms of providing some of those values on that pyramid I just showed you a moment ago. It's linked into the legally binding participation agreement that every InCommon member organization signed. So there's an obligation, a contractual obligation, to follow along. There's community governance of everything within the InCommon Federation, and particularly the Community Trust and Assurance Board, which has members of the InCommon community from all walks of life. And they're the ones who really kind of drive the Baseline Expectations program. And the InCommon Steering Committee, which is its governing body, is the thing that can formally commit the InCommon Federation to do things. And then there are some processes that go into the Baseline Expectations program. One is followed to make sure that every time CTAB wants to raise the bar a little bit, add more things to that baseline, there's a well-defined process of getting the community involved in that from the beginning to the end, so that the community really, quite reasonably, is agreeing to raise the bar on itself. And there's also a dispute resolution process in there.
If things get too hard, if it's just not possible for someone to make the change and follow along, there's a process to address that problem. But most of the work, its support work, is change management work and a lot of communication to help each participant organization manage that change. A little bit of that communication is happening right now. So how far have we gotten up that pyramid with the Baseline Expectations program? Well, just a little bit. We've taken one step. That was a big one, and an important one, but just the first. The InCommon Steering Committee on Monday unanimously voted to start the second step, Baseline v2. You can see that it's going to address error handling and basic security of the entities that are operating in the federation, service providers and identity providers. And by basic security, Baseline Expectations version two really talks about Sirtfi and the SSL Labs test, meeting all the criteria to get a grade of A for the web-facing interfaces on IdPs and SPs. So those are the main things we're going to talk about here. We're talking about the Sirtfi part of that. And then I mentioned the other ones, those research and scholarship attributes, MFA request and response, and identity assurance. That's something that CTAB believes that over time, that's where we need to go, where the InCommon community needs to go. The National Institutes of Health don't have to wait on the InCommon community. They made an announcement a couple of weeks ago, and are going to follow up on it when we go to the Internet2 TechEX, about how they are going to be requiring, about six months or so from now, that their federated users and their researchers that come in to access NIH services through federation must actually support all of those things. That's going to be just required.
And so campuses that have more NIH grant activity are going to be more interested, I would say, in meeting those requirements so that they can meet the needs of their researchers. And so that's kind of foreshadowing things I think to come over a more extended period of time across InCommon more broadly. Okay. So that's kind of baseline, and where federation is, and where we're trying to get with some security measures. And so let's look at Sirtfi just a little bit. So the federation is there. And indeed, if one of those campus accounts at an identity provider, like at the University of Chicago, were compromised, then whoever is using it, the unauthorized user of that account, could potentially access whatever is in my canvas, whatever I may have access to across InCommon or around the world. Now there aren't that many I'd have access to, but I have access to some, and I would not appreciate it if someone else were accessing it using my account for me. And that's sort of the canonical idea behind a federated security incident. This whole federated infrastructure is another context in which pivoting can happen, so that one place can expand to other places by means of federation. And so that's the general idea. And so Sirtfi, which is not quite an acronym, so I won't bother trying to expand it, was developed to try to prepare all the members of all the federations to coordinate activities in managing a security incident that has a federated component to it. So basically, it asks, most importantly, that you be willing to collaborate. If someone should reach out and contact you, from a security contact at another site, that they've identified an incident and they think that you may be involved, then please join the incident management team and work together to solve it, and you will, to the best of your ability, do so.
Sirtfi also asks that for at least the entities that you expose to federation, service providers and identity providers, you have these basics, some basic security protections that cover them. And we'll go into those in a few moments. It recognizes that, although everyone always wants to know, well, how much, how long, how big, be prescriptive about what you're asking me to do, in fact this is risk management, and we really can't tell every single organization in the world, every university and research lab and institute, how they should adjust their priorities. They must do so for themselves, and the Sirtfi trust framework recognizes that. Okay, we don't need to tell them exactly what they must do. And there is a way that you can express, yourself, self-assert, self-attest to your adherence or compliance with Sirtfi's aspects, by communicating in one way or another with your federation operator and applying a tag basically to your metadata that says so, so that others can know that about you. So that's sort of Sirtfi in a nutshell. So I'm not sure of the proportion of the folks on this call, but I believe that somewhere around a third or so of REN-ISAC member organizations also belong to InCommon, or maybe it's a third of InCommon that belongs to REN-ISAC. I forget which way it is, but there's a big overlap. And so my thought was that, you know, some of you on the security side, some of the folks on the identity management side or the CIO's office, they're going to be the ones to be notified by InCommon before long that, you know, if they're not already doing Sirtfi, it's coming as a requirement of membership in the InCommon Federation under the Baseline Expectations program. And so I wouldn't be surprised if some of your colleagues at central IT might turn around and ask someone on the security team, well, what would it take? That sort of thing.
And what will it take for us to be able to assert that we've complied with it? And so that's what I'm here for today, basically to help you get prepared for those questions. So what does it take? Let's kind of look inside a little bit. And at this point, I'm going to hope that with this next slide, you will be able to ask me some questions, because those are going to be the questions you might need to have answers prepared for when someone at your organization asks you about Sirtfi business. So Sirtfi has criteria in these four areas: some statements about your operational security readiness, IR readiness, traceability, keeping logs, and about how humans, participants, your users, are handled, in a very mild way. There's a scope to these things, as we'll see on the following slide. So really, you know, it's not clear: does this mean I have to apply this to everything operated by my university? Does it mean I just have to apply it to identity providers, service providers and so on? And so that actually is not specified. But there's a bit of a consensus that it really isn't meant to. It's meant to address those things as security incidents that have a federated component to them. And so that really is, say, the minimum scope. It's those things that directly interact using federation protocols, those bits of technology, that are immediately in scope, and the things that connect directly with them. And so there is this italicized quote here that comes from the spec itself, from the Sirtfi trust framework document, addressing how much each of the things that we're going to talk about in the following slides should apply, how comprehensively or thoroughly, how long. That's going to be something that each organization must decide based upon their own risk assessment, basically their own priorities. So for the first of them, let's look at the operational security requirements. There are six.
I'm going to give you a few moments to kind of read through this and get a sense for what is in scope. You can see that there are some very basic security practices that we hope will apply to your identity providers and service providers if you're operating them. Security patching, some vulnerability management process of some sort, some intrusion detection capability, the ability to actually manage and suspend users' access rights should it come to that, that the users and owners of the services, you know how to contact them in case you should need to, and that you've got some kind of security incident response capability. It doesn't say how sophisticated, but whatever it is, that they have authority to take those kinds of steps, to turn off the user's account if that's necessary, and otherwise, you know, manage and maintain and contain and remediate those kinds of things. So I want to pause here for a moment and give you guys a moment to think about, if anyone asks you, do you do these things already? Do we meet these requirements? Would you have any questions about your own organization's ability to do so? Do you know how you'd answer each of these questions, basically? And I'll just give a moment for you to think about that one. Okay. I don't see any questions popping up. And Cheryl, you're reading and you've seen that there aren't any right now? And this is kind of a lot to take in all at once, so they may occur to you, or perhaps when someone asks you, because word has gone up to the CIO that the Baseline Expectations program is going to require Sirtfi attestation from them, and they ask you a question at that time, they may send you a link, they may send you to the documentation, and you may have some questions under those circumstances, and I'm happy to take them at that time. So I'm sorry, is there a question in the Q&A?
There is a question that asks, what is timely, and how do you define timely?

Yes. And so, good question. So we apply patches in a timely manner. I can define timely, but I don't, and Sirtfi does not define timely. This is an example of what we were talking about in the previous slide. Let me kind of go back and look at that quotation from the trust framework. That's just one of those degrees of things that we rely on each organization for. So whatever the organization, however they define timely for themselves in terms of applying security patches to things that are important to them, that's timely. And no, Sirtfi itself does not say within 30 days or anything like that, any prescriptive answer. It has to be what the organizations themselves are doing. I'll wait a moment if there are any other questions. Okay. So let's look at the next one. If something occurs to you after we've gone on, I'm happy to go back. And let's look at the next little batch, the incident response criteria. And there are six of these as well. So you should provide your how-to-contact for incident response purposes, how to contact your security folks, as may be requested by InCommon in this case. And that's actually something that's already required by InCommon under the baseline program, I should say. So all of your organizations meet this requirement already. The next one is sort of where the rubber hits the road in terms of managing a security incident. If someone reaches out from anywhere, let's say CERN, where the Large Hadron Collider is, and they notice suspicious activity from an account from the University of Chicago, they will look in federation metadata, see our security contact info in there, which is there because of IR1, and make contact with whatever is listed there. And so the expectation here as well, we will reply and do our best. So IR3 says we'll basically do our best, we'll be able and willing.
It's really not making more specific prescriptive obligations, other than we're going to do our best. Some organizations have great security incident response capabilities, others not so great, and they'll do their best. And that's all that's being asked here. Whatever your established incident response procedures are, follow them. That includes sharing, any of the constraints or means of sharing, with one variation, which is when you share in this federated context with federated partners in managing an incident. Here, the agreement says that everyone will use the Traffic Light Protocol to indicate sensitivity of information and how widely it can be shared. So they have to have that much in common. That's the one thing that's prescribed here. Sirtfi says that we'll use TLP to mark up information that gets shared in managing federated incidents. And for anything else that you may do, if you're not using TLP for the other contexts in which you're working, that's fine. This addresses only those federated security incidents. And I didn't say, IR5, respecting privacy according to your own policies and so forth. So someone at another federated entity might wish to know identity information about some of the users whose accounts have been compromised or something. But if your policies say don't share, or if there's some indication that it's okay, then walk that through.

And here's a question from Cheryl: any concerns sharing data without the input of university general counsel? Our policy is to be contacted before we share.

If that's what your policies or procedures or just established expectations are, by all means, do so, I would say. So there's nothing about this that says to go around or avoid or ignore any aspect of your established MO. Okay.
And if that means you may have to be a little slow initially, I think that's the way it has to be. You might reply and respond to that initial request for assistance from CERN: hey, I've got to check with the general counsel, I'll get back to you as soon as I can. That's great. You've replied and you're doing the best you can do. Even better. Okay, thanks. Any other questions about these criteria? Let's look at the next little batch. This is traceability. So this is about log information. So you should keep logs, right? It doesn't say for how long, nor does it specify the kind of information that should be in there, except for having accurate timestamps and identifiers of the various things that are being logged. But that, and also that whatever is being done, that's basically a log, that's good data, common data for us in managing security incidents. And so you should do that. How much? It's kind of like that question that Brett asked earlier about how timely. This is in line with what you do for other things that you care about at your organization. So how long do you keep logs for? You may have a default answer to that question. Use that default. And so that's really all this is saying. Do have that. If you don't have it and you're asked by your CIO to comply with Sirtfi, you may find yourself needing to take action, like okay, turn on some logging and keep it for a reasonable period of time so that it can be available for incident response purposes. And TR2 is just another way of saying again that you're doing so in accordance with your own organization's policies and practices. Is that straightforward? Any questions from anybody about meeting this requirement for Sirtfi compliance? Okay. We'll go on to one more. This has to do with, here it's called participants. It really means users.
So there is, where your organization or its users are concerned, an acceptable use policy. Okay. It doesn't say what it has to say. And in fact, I believe InCommon Baseline Expectations version one already requires everyone to publish a URL for their Acceptable Use Policy, if I recall correctly. And so this is probably something that is already met by your organization, which may or may not have known that. And if you wonder what your AUP says, there's a way you can go to InCommon's website, incommon.org, and find out that way, if you're curious. But more so, more operationally, there's this checkbox here to ensure that the users, your users, are aware of it in some fashion. So commonly that's done because they're given an opportunity to agree to it when they register their account or claim their account, perhaps. I think that that's all that Sirtfi asks about users. There's one on the operational security side, where you know how to contact a user, and there's this one, where you can say that they've been told about acceptable use, whatever the organization has to say about that. I wanted to see if there are any questions about acceptable use policies. Okay. So there's a timetable for this. Here it is. The decision to go forward was made on Monday. There's a formal kickoff in about two weeks at Internet2's TechEX. CTAB and others on the InCommon staff are already getting busy with doing a lot of stuff so that they can determine which members are not meeting which elements of Baseline v2, and reaching out and letting the affected parties know of whatever gaps they need to address, ideally by around July, when officially InCommon will kind of say, okay, Baseline Expectations version two, that goes further up the pyramid, that's now the law of the land in the InCommon Federation. Everyone should be complying with all of that.
And of course, between now and then, we will have been helping all kinds of folks get into compliance with those new requirements. But of course, things are always messy. There are often many very good reasons why they just can't in that particular timeframe, and we always work with them to figure out, well, when can you? What's a reasonable mitigation plan here? And then we work with those parties on planning for wrapping that up by the end of 2021, calendar year 2021. So it's queuing up and it'll be happening pretty quickly. And so that's, I think, pretty much what I wanted to present to you guys. And just a little bit more. If you have any questions at all about this information, or if any of you want to go back to look at any of those specifications from the Sirtfi trust framework and think about them a little further, I'm happy to do that. Well, in that case, I'll just leave you with a few links for later on to the Baseline Expectations. So these links will be in the PDF of the slide presentation that Cheryl's company will publish, I think she said probably by Monday or so. And to Sirtfi, so that each one has a whole bunch of materials related to each of those topics at the target of those links. And then for contacting folks for help, there's help@incommon.org. And so anything about questions that didn't occur to you today, or that may occur when the CIO or someone else in central IT asks you about Sirtfi, that's a good place to send questions if you're unclear about anything there. And they'll make sure that gets routed correctly, perhaps to bring it to the CTAB members themselves to address. And always, I would love to hear any such questions from you at any time. Partly because I work with InCommon and baseline, I also chair the Sirtfi Working Group, which has continuing work on much more than just what I talked with you about.
But your feedback about how that works for you or doesn't work for you, those specifications we went over, would be really valuable to me, and hopefully my answers to you can be really helpful to you. So Cheryl, that's what I had in mind for today. I think that's it, unless there's further questions.

Well, here's one from Brett. You mentioned that these standards were built by the community. What's the best way for people to get involved?

Well, Brett, actually, the incommon.org website has a community section. And it's geared towards folks that have this question or are curious about or have an interest in getting involved in things like this. And so there is a link. It's not too hard to find. So incommon.org, and then right across the top someplace I believe it says like Community or something like that. And you will find on that page information about how to inquire what's going on and just ways for you to kind of jump in and get involved. So I hope that answers your question. Any other questions?

And I'll also encourage our attendees to put anything back in that same Q&A tool. Well, thank you guys very much for your talk. I will echo that. Thanks for attending and giving us your time. And also, Tom, we very much appreciate your time and effort to bring this information to us. I'll close with a couple of reminders. The recording, as you mentioned, will be posted on our website by early next week. And I'll send an email to our members to let them know that it's ready. And I may also do some other things to get that out to the public, like into a couple of other mailing lists, LinkedIn, perhaps tweet about it on our Twitter feed, if that's okay with you, Tom. Absolutely. Thank you. I'll also remind REN-ISAC members that you can see upcoming TechBurst sessions in the members wiki. We're working on getting a few scheduled before the end of the year and there should be details for those available soon. Thanks again for attending today.
And there's one piece of feedback that came in from an anonymous attendee, Tom. They said, I'm glad to see REN-ISAC and InCommon coming together on this. I have to agree completely. Great. Thank you. I'd say that if there are no other questions, and I don't see any, then I'll go ahead and close today's session and say once again, thanks to everybody for your participation.
Identity federations in the global Research & Education sector, such as InCommon in the US, provide a context in which security incidents can propagate. SIRTFI is a trust framework that aims to prepare participants in Research & Education federations to collaborate in managing federated security incidents. The InCommon Federation's Baseline Expectations program defines requirements that all InCommon Participants must meet and helps them get there. A new Baseline has just been established that requires self-attestation of SIRTFI compliance, and InCommon Participants who aren't already compliant will soon be asked to start work on that.
Join Tom Barton from the University of Chicago for a free, open to the public Techburst proposing and answering common questions about making your organization SIRTFI compliant.
Tom Barton is Sr Consultant for Cyber Security & Data Privacy at the University of Chicago and a consultant to Internet2. Previously he was Senior Director and Chief Information Security Officer at UChicago and had earlier assignments as Director of IT Infrastructure and Director of Network Services at the University of Memphis, where he was a member of the mathematics faculty before turning to administration. He's a member of the InCommon Federation's Community Trust & Assurance Board and the Kantara Initiative's Assurance Review Board, chairs the REFEDS SIRTFI Working Group, co-chairs its Federation 2.0 Working Group, and led the Internet2 Grouper project for many years.