As uptake of federated authentication systems like SURFconext grows, maintaining trust in the system is essential. Interfederation with eduGAIN further increases the number of service providers and identity providers that can communicate. Although this is of course a good thing, the distance between operators of service providers and identity providers grows, because they may be part of different federations. And the larger a federation becomes, the more impact a compromised account can have.
Sirtfi: incident response in federations
To control the risks while maintaining the benefits of federations, the international group REFEDS, in which SURFconext takes part, has launched the Sirtfi initiative. Sirtfi provides a self-asserted baseline of security and incident handling capabilities for federation participants (SPs and IdPs), along with the possibility to specify a security contact point for an entity. Should an incident arise that requires coordination, an explicit, responsive and trusted contact point is then available to resolve the matter quickly and effectively. Service Providers may decide to only allow logins from IdPs that claim Sirtfi compliance.
Sirtfi and SURFnet
When implementing Sirtfi at SURFconext, the first thing we did was to leverage as much as possible of what was already in place.
Incident response is of course nothing new to SURFnet. Our incident response team SURFcert has existed since 1991 and deals with a large volume of incidents daily, including incidents that closely resemble those that could affect SURFconext, e.g. “mail account x has been compromised and is sending phishing emails” or “eduroam account y sends suspicious traffic, please investigate”. SURFcert has the experience, procedures, contacts and systems in place to receive and handle incidents 24/7, register and follow up on them, and escalate when problems occur. SURFcert is active in national and international incident response communities, and fosters a community for knowledge exchange between our institutions.
We try to re-use this experience and these networks as much as possible, since we believe there’s a lot more that unites federated incidents and ‘regular’ incidents than separates them. Also, as a hub-and-spoke federation, SURFconext has audit logs in place, and can – sometimes must – be involved in resolving or containing a security incident.
Sirtfi for Identity Providers
SURFconext therefore opted to designate SURFcert as the security contact point for all our Identity Providers (connected institutions). This by and large mirrors how it works for IP address space. Of course we worked with SURFcert to ensure that the proper information is shared, and talked about Sirtfi in our IdP newsletter and on SURFnet’s Community for Incident Response Teams (SCIRT), to make sure that at each institution both the IdP operator and the local CSIRT members are aware of each other’s existence and role. For the self-assertions that are part of Sirtfi, we looked at the existing contracts and practices in place. The SURFnet agreement and the SURFconext addendum already place demands on the institution’s ability to trace individual users and to respond adequately to security incidents. These, combined with existing practices and experience, make us confident that our institutions are compliant with this baseline.
Sirtfi for Service Providers
The above applies to Identity Providers. Service Providers are quite different, because they are not necessarily SURFnet members, but could be run by companies located anywhere in the world. Therefore we do not assert Sirtfi for our SPs automatically, nor define a security contact for them. We’ve contacted our SPs and asked them to provide such an assertion if they want to, with the contact information they think is best. We will propagate that information to eduGAIN when it is present.
Combined, these approaches bring us a framework for organizing swift, reliable and trustworthy incident response between federations.
Luckily the number of incidents related to SURFconext has been very low to date. This does mean, however, that we do not have much data to decide conclusively whether our approach will indeed be the right one, or whether adjustments are needed. It should be noted that each federation is different, and our approach is very much tailored to our situation. Other federations might make different decisions on how to implement Sirtfi. In any case, we believe that more attention to incident response will in the long run only be beneficial for all parties involved, and will further strengthen the trust framework on which federations are built.