...

Emergency powers could simply be a way for incident response teams to disable accounts directly or remove authorizations for the infrastructure. Even if they cannot remove all access at a single resource provider, they should be able to remove users from centralized authentication, authorization and access control to limit the spread of an incident. For example, they might revoke certificates and access to a user portal for a user, while the individual resource providers retain control of local credentials to other services. Critically, an infrastructure should be able to contain a compromise within its own infrastructure and prevent it from spreading to other infrastructures, e.g., by revoking certificates or disabling accounts in its identity provider.
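As an added illustration (not part of the SCI document or of any real deployment), the model below shows why central revocation at the identity provider and CA stops a compromised identity at every federated resource provider, while a provider-local credential is untouched and must be dealt with by that provider. All users, serials and provider names are constructed.

```python
"""Model of central containment in a federated infrastructure (added example,
not from the SCI document). The IdP disables the account and the CA revokes
the user's certificate, so every provider that validates centrally denies
access; a purely local credential at one provider is unaffected and remains
that provider's responsibility. All names and data are constructed."""
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    disabled: set = field(default_factory=set)

    def disable(self, user):
        self.disabled.add(user)

    def is_active(self, user):
        return user not in self.disabled


@dataclass
class CertificateAuthority:
    crl: set = field(default_factory=set)  # revoked certificate serials

    def revoke(self, serial):
        self.crl.add(serial)

    def is_valid(self, serial):
        return serial not in self.crl


@dataclass
class ResourceProvider:
    name: str
    idp: IdentityProvider
    ca: CertificateAuthority
    local_accounts: set = field(default_factory=set)  # provider-managed credentials

    def authorize(self, user, cert_serial=None):
        """Federated path needs both IdP and CA to vouch; local path is outside central control."""
        if cert_serial is not None and self.idp.is_active(user) and self.ca.is_valid(cert_serial):
            return "federated"
        if user in self.local_accounts:
            return "local"
        return "denied"


def contain_compromise(user, cert_serial, idp, ca):
    """Emergency power: revoke centrally so the compromise cannot spread via federated access."""
    idp.disable(user)
    ca.revoke(cert_serial)


def demo():
    idp, ca = IdentityProvider(), CertificateAuthority()
    rp_a = ResourceProvider("rp-a", idp, ca)
    rp_b = ResourceProvider("rp-b", idp, ca, local_accounts={"alice"})
    before = (rp_a.authorize("alice", "0x1"), rp_b.authorize("alice", "0x1"))
    contain_compromise("alice", "0x1", idp, ca)  # constructed user and serial
    after = (rp_a.authorize("alice", "0x1"), rp_b.authorize("alice", "0x1"))
    return before, after
```

After containment rp-a denies the user entirely, but rp-b still admits the local account, which is the residual access the resource provider itself has to revoke.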

Incident Response

[IR1]

Security contact information for all service providers, resource providers and communities together with expected response times for critical situations.

A simple spreadsheet or wiki page with security contacts for the resource providers and the owners/operators of any services suffices.

Dave, what do we mean by communities?

Expected incident response times for an infrastructure must be documented and shared, and do not necessarily need formal SLAs, MOUs, charters, etc.

[IR2]

A formal Incident Response procedure. This must address: roles and responsibilities, identification and assessment of an incident, minimizing damage, response & recovery strategies, communication tools and procedures.

Do you have answers to the following questions? 

  • Who might be pulled into an incident response activity and what are their responsibilities?
  • What counts as a real incident? How do you rate the criticality?
  • How do you contain common kinds of incidents, such as account compromise?
  • How do you determine when a service can be returned to normal operations or an account restored?
  • How do you securely communicate with everyone who is investigating and responding to an incident?


...

Some explanations from Dave Kelsey (my personal views - recalling the history)

...