Conveners
Security Workshop: Security aspects of Federated Identity Management
- Sven Gabriel (Nikhef/EGI)
Description
Organizers:
Tobias Dussa, Sven Gabriel, David Groep, Daniel Kouril, Maarten Kremers, Sascha Kriebitzsch, Davide Vaghetti, Martin Waleczek, Marcus Hardt
Format: Workshop, presentations and table top exercise
A key element of international research projects using distributed (compute) infrastructures is an Authentication and Authorization Infrastructure. A typical problem here is that Service Providers (SPs) need to take an authorization decision based on the identity information provided by the user, who in the general case is neither personally known to the service provider, nor required to be in the same country as the Service Provider. eduGAIN addresses this by providing an interfederation service that connects identity federations around the globe, allowing users to use the authentication credentials of their home organisation, managed by that organisation's Identity Provider (IdP), to access services provided by another institution.
A typical setup in research communities is the use of an IdP-SP proxy service. This service often makes use of token technologies, which add another dimension of challenges for IT security incident response in the field of Federated Identity Management. During the workshop we will give an introduction to the token technology and to how to extract and make use of the relevant information from IdP and SP log files.
Federated Identity Management is subject to a variety of threats which need to be addressed by the eduGAIN Computer Security Incident Response Team (CSIRT).
In this workshop we will give an introduction to the eduGAIN service, how it is organized, the IT security responsibilities of the major roles supporting the service, and the frameworks enabling the coordination of incident response across the federated organisations (SIRTFI).
The enabled learning objectives (what the participants should learn) include:
- Know how eduGAIN is organised, the role of Federations, and the eduGAIN CSIRT.
- Know SIRTFI v2, and understand how to apply it.
- Tokens, the technologies used here, and what information is available in the log files.
- IdP/SP log file analysis (check for/find a reported Id).
- Name the risks of Federated Identity Management.
After that the participants will take the described roles and apply the IT Security Incident Response concepts presented before in a Table Top Exercise (TTX) set-up. Although it is a "made up" scenario, it is composed of real-world incidents the authors had to deal with. Since the goal here is to find possible issues in the eduGAIN Incident Response Procedure, we invite the participants to help us find possible dead ends on the way to IT security incident resolution.
In the second half of the workshop we will look at the wide topic of "Risk Management" in eduGAIN and collaboratively navigate through the terminology used there, in order to arrive at an outcome which provides us with a better view of the risks associated with the use of federated identity management, along with possible means (Security Measures) to increase the resilience of the relevant services.
After an introduction to the whole seven-step process of the IT Security Risk Management Methodology (ITSRM), which is based on the ISO 27k standards, we will focus on the process steps where IdP, SP, and IdP-SP-Proxy managers can provide input to a risk study. These are in particular Risk Identification and Risk Analysis/Evaluation, which together fall under "Risk Assessment" in ISO 27k.
The enabled learning objectives (what the participants should learn) include:
- General concepts and terminology of Risk Management with ISO/IEC 27001, 27005 and 31010.
- What the process steps of ITSRM are, and how the Risk Assessment fits into the overall process.
- How to get to a basic view of the risk landscape resulting from the Risk Assessment.