In order to support effective incident response among Sirtfi-compliant organisations, it has been proposed that both Federation Operators and eduGAIN OT provide a supporting role. Neither of these roles is defined or scoped within the current Sirtfi framework. AARC produced a paper that analysed these roles with a set of proposals for eduGAIN. These are analysed below along with other requirements to take on this role. It is assumed that the primary contact for this type of support will be edugain-support, with appropriate support from the GÉANT NOC / CERT teams.

High Level Needs

  • Recruit support role.  Request is with Shaun / HR.
  • Coordinate roles: eduGAIN-support, GÉANT CERT, GÉANT NOC.
  • Document workflow.
  • Training.

Proposed Requirements

Source | Proposal | Requirements

AARC report | Assist federation participants and Federation Security Incident Response Coordinator in performing appropriate investigation, system analysis and forensics, and strive to understand the cause of the security incident, as well as its full extent. Identifying the cause of security incidents is essential to prevent them from reoccurring. The time and effort needs to be commensurate with the scale of the problem and with the potential damage and risks faced by affected participants.
  • Unique global identifier for the incident to support communication.
  • Support for incident response classification with edugain-support area of OTRS.
  • Define how far into the analysis and forensics the eduGAIN team will be required to go. Is this purely support / coordination or is this managing forensic analysis on behalf of participants?
  • Secure communication channel (secure IRC channel? e-mail?). Challenge will be to not restrict communication through use of non-friendly tools.
  • Would suggest an additional role of ensuring the correct e-mail addresses (Sirtfi contacts) are being used in the communication.

AARC report | In collaboration with Federation Security Incident Response Coordinators, ensure all affected participants in all federations are notified via their security contact with a “heads-up” within one local working day.
  • Robustly covered support desk with back-up and holiday cover to meet this target. Even then identifying on this timescale is a challenge.
  • Can only cover orgs with security contacts, or use other contacts?

AARC report | Coordinate the security incident resolution process and communication with affected participants until the security incident is resolved.
  • Identify if / when Federation Operators have signed up to play a role.
  • Clarity on coordination vs management of incident.

AARC report | Ensure suspension of service (if applicable) is announced in accordance with federation and interfederation practices.
  • Just ensure it is announced or that it happens?
  • Requires action by Federation Operator (eduGAIN OT cannot suspend individual services).
  • Requires metadata refresh.

AARC report | Share additional information as often as necessary to keep all affected participants up-to-date with the status of the security incident and enable them to investigate and take action should new information appear.
  • As per typical request ticket.

AARC report | Assist and advise participants in taking corrective action, or restoring access to service (if applicable) and legitimate user access.
  • Define expectations here. What can eduGAIN actually achieve?

AARC report | Produce and share a report of the incident with all Sirtfi-compliant organisations in all affected federations within one month. This report should be labelled TLP AMBER [3] or higher.
  • We need to define a communication process here. There will be a need to share 1) at a public level and 2) at affected parties level. I don't see why a Sirtfi contacts only level would be appropriate, needs clarifying.
  • Define a role for the comms team - training through CLAW workshop?

AARC report | Update documentation and procedures as necessary.
  • Ensure responsible owners are actioned in eduGAIN OT, Service Management, support desk etc.