In order to support effective incident response among Sirtfi-compliant organisations, it has been proposed that both Federation Operators and the eduGAIN OT provide a supporting role.  Neither of these roles is defined or scoped within the current Sirtfi framework.  AARC produced a paper that analysed these roles and made a set of proposals for eduGAIN.  These are analysed below, along with the other requirements for taking on this role.  It is assumed that the primary contact for this type of support will be edugain-support, with appropriate support from the GÉANT NOC / CERT teams.

High Level Needs

  • Support Sirtfi at eduGAIN.
  • Recruit for the support role.  Request is with Shaun / HR.
  • Coordinate roles: edugain-support, GÉANT CERT, GÉANT NOC.
  • Document workflow.
  • Training.

Proposed Requirements

There are two levels that need to be supported:

  • Support for Sirtfi within eduGAIN.
  • Support for Incident Response coordination at eduGAIN.

This page outlines requirements for both of those. 

Tasks: Sirtfi Support at eduGAIN

This is part of JRA3 Task 1. Campus and Federation (sub-task 1: eduGAIN Policy Review).

Source | Proposal | Requirements

JRA3 T1 | Establish Sirtfi as a BCP
  What does it mean to have a BCP?
  • Documented on the eduGAIN website.
  • Compliance will be monitored and shown as a warning in the validators (including history).
  • Warnings will be followed up by edugain-support.
  • We will advertise and promote the BCP.

JRA3 T1 | Review validator requirements
  • Work with the eduGAIN OT - should be mostly in place.

JRA3 T1 | Ensure validator warnings are being followed up by edugain-support
  • Establish a support process for eduGAIN validator warnings.

JRA3 T1 | Gather security contacts for federations
  • Discuss at the eduGAIN SG.

JRA3 T1 | Create an Incident Management Framework Template for Federations
  • For discussion.

Requirements: Support for Incident Response coordination at eduGAIN

This is part of JRA3 Task 1. Campus and Federation (sub-task 4: eduGAIN Incident Response).

Source | Proposal | Requirements | Workplan Mapping

AARC report | Assist federation participants and the Federation Security Incident Response Coordinator in performing appropriate investigation, system analysis and forensics, and strive to understand the cause of the security incident as well as its full extent. Identifying the cause of security incidents is essential to prevent them from reoccurring. The time and effort needs to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.
  • Identify a team!  Proposal of 3 IR people on rotation to support edugain-support.
  • Unique global identifier for the incident to support communication.
  • Support for incident response classification within the edugain-support area of OTRS.
  • Define how far into the analysis and forensics the eduGAIN team will be required to go.  Is this purely support / coordination, or is it managing forensic analysis on behalf of participants?
  • Secure communication channel (secure IRC channel?  e-mail?).  The challenge will be not to restrict communication through the use of non-friendly tools.
  • Enable the use of signed / encrypted email.  This can be difficult if people are not using personal certificates as a day-to-day process.
  • Suggest an additional role: ensuring the correct e-mail addresses (Sirtfi contacts) are being used in the communication.

AARC report | In collaboration with Federation Security Incident Response Coordinators, ensure all affected participants in all federations are notified via their security contact with a “heads-up” within one local working day.
  • A robustly covered support desk with back-up and holiday cover is needed to meet this target.  Even then, identifying affected participants on this timescale is a challenge.
  • Define the hours that the team operates.
  • Can we only cover organisations with security contacts, or should other contacts be used as well?

AARC report | Coordinate the security incident resolution process and communication with affected participants until the security incident is resolved.
  • Identify if / when Federation Operators have signed up to play a role.
  • Clarity on coordination vs management of the incident.

AARC report | Ensure suspension of service (if applicable) is announced in accordance with federation and interfederation practices.
  • Just ensure it is announced, or ensure that it happens?
  • Requires action by the Federation Operator (the eduGAIN OT cannot suspend individual services).
  • Requires a metadata refresh before the suspension takes effect for consumers of the aggregate.

AARC report | Share additional information as often as necessary to keep all affected participants up-to-date with the status of the security incident and enable them to investigate and take action should new information appear.
  • As per a typical request ticket.

AARC report | Assist and advise participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.
  • Define expectations here.  What can eduGAIN actually achieve?  This will depend on the central skillset and focus.
  • Balance of expectations between FOs and SPs / IdPs.

AARC report | Produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER [3] or higher. Coordinate communications around the incident.
  • We need to define a communication process here.  There will be a need to share 1) at a public level and 2) at the affected-parties level.  It is not clear why a Sirtfi-contacts-only level would be appropriate; this needs clarifying.
  • Secure data store for documentation related to incidents.
  • Define a role for the comms team - training through the CLAW workshop?

AARC report | Update documentation and procedures as necessary.
  • Ensure responsible owners are actioned in the eduGAIN OT, Service Management, support desk etc.

General | Freshness of contact data
  • Put in place a response testing process for Sirtfi email addresses.

General | GDPR compliance of supporting information sharing and of appropriately expiring tickets; GDPR compliance of contact data.
  Contact addresses by type (counts):
  - AAI specific: 15
  - Federation: 9
  - Individual: 109
  - Security specific: 142
  - IT Support: 31
  - Unclear: 25


General | Bridging the circles of trust / mismatch between the expectations of contact types.
  • As per Hannah's stats, very different people could be receiving these messages, with very different expectations as to what to do and different access to and experience with tools and terminology.  What can be done here?

General | Disclosure policy
  • Align with GÉANT's policy, or something more specific?

General | Who is responsible for checking and enforcing Sirtfi errors?
  • At the metadata level: checking by the eduGAIN OT.  Are we emailing out when errors are identified?
  • In terms of responsiveness: Mario's testing tools.
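The metadata-level check in the row above, the validator warnings the "Sirtfi as a BCP" row asks edugain-support to follow up, and the response-testing process under "Freshness of contact data" all start from the same walk over the eduGAIN aggregate. The Python below is an added example, not the eduGAIN validator or Mario's tools: it parses a SAML metadata aggregate, warns on entities that assert the Sirtfi assurance-certification entity attribute (urn:oasis:names:tc:SAML:attribute:assurance-certification with value https://refeds.org/sirtfi) but carry no REFEDS security contact (md:ContactPerson with remd:contactType="http://refeds.org/metadata/contactType/security"), warns on security contacts whose md:EmailAddress is not a mailto: URI, and collects the mailboxes a response test would write to. The embedded aggregate, its entityIDs and addresses are constructed for the example.

```python
"""Sirtfi metadata checks over a SAML aggregate (added example, not eduGAIN OT code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SIRTFI_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI_VALUE = "https://refeds.org/sirtfi"
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"
REMD_CONTACT_TYPE = "{http://refeds.org/metadata}contactType"  # remd:contactType

# Constructed sample aggregate: three entities, entityIDs and addresses made up for the example.
SAMPLE_AGGREGATE = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:remd="http://refeds.org/metadata">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="other"
        remd:contactType="http://refeds.org/metadata/contactType/security">
      <md:EmailAddress>mailto:security@example.ac.uk</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>mailto:helpdesk@example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    <md:ContactPerson contactType="other"
        remd:contactType="http://refeds.org/metadata/contactType/security">
      <md:EmailAddress>csirt@example.net</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def asserts_sirtfi(entity):
    """True if the entity carries the Sirtfi value in its assurance-certification attribute."""
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != SIRTFI_ATTR:
            continue
        values = (v.text or "" for v in attr.findall("saml:AttributeValue", NS))
        if any(v.strip() == SIRTFI_VALUE for v in values):
            return True
    return False


def security_contacts(entity):
    """EmailAddress strings of every ContactPerson tagged as a REFEDS security contact."""
    addresses = []
    for person in entity.findall("md:ContactPerson", NS):
        if person.get(REMD_CONTACT_TYPE) == SECURITY_CONTACT:
            addresses.extend((e.text or "").strip() for e in person.findall("md:EmailAddress", NS))
    return addresses


def check_aggregate(xml_text):
    """Return ({entityID: [warning, ...]}, sorted mailboxes for response testing)."""
    root = ET.fromstring(xml_text)
    warnings, mailboxes = {}, set()
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = entity.get("entityID")
        contacts = security_contacts(entity)
        problems = []
        # Sirtfi asserted without a security contact: the warning edugain-support follows up.
        if asserts_sirtfi(entity) and not contacts:
            problems.append("asserts Sirtfi but has no security contact")
        for address in contacts:
            if not address.lower().startswith("mailto:"):
                problems.append("security contact %r is not a mailto: URI" % address)
            else:
                mailboxes.add(address[len("mailto:"):])  # target for a response test
        if problems:
            warnings[entity_id] = problems
    return warnings, sorted(mailboxes)


if __name__ == "__main__":
    found, targets = check_aggregate(SAMPLE_AGGREGATE)
    for entity_id, problems in found.items():
        for problem in problems:
            print("WARNING %s: %s" % (entity_id, problem))
    print("Response-test targets:", ", ".join(targets))
```

Run against the real aggregate, the `warnings` dictionary from each run can be stored per entityID and date to give the warning history the BCP row asks for, and the `mailboxes` list is the population a periodic response test would mail. An entity with a security contact but no Sirtfi assertion is deliberately not flagged: Sirtfi requires the contact, not the other way round.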
