Date and Time

Date: 2. Dec 2013

Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 08:00 NZ(+1)

Roll Call

Keith Uber

...

Rainer Hoerbe
Patrick Curry

 

Quorate call 

Administration


Anil John is now non-voting due to non-attendance (meeting conflict?). Colin to inform Anil.
Quorum is now 5 out of 9 voting.
September 2 minutes approved: Rainer moved, Colin seconded.
1. Charter review
Scope: Ken felt that we were unduly restricting ourselves to governments being relying parties; we should include governments as IDPs as well. Colin has added
Section 8 - Duration: Reflecting discussion on previous calls, Colin has set the duration at 1 year. We would make a decision in 2014 about remaining as a WG or becoming a discussion group.
Charter vote and forward to LC: Colin moved, Keith and Thomas seconded. Approved.
Reviewed charter to be submitted to leadership council.
AP: Colin to Action

2. IDCloud Gap Analysis

The OASIS ID Cloud technical committee is connecting use cases with solutions/technologies for IDM in cloud services/PaaS. They have produced a good use case document and a follow-up gap analysis covering what is available, which aspects of the identity lifecycle existing standards cover, and what is missing from the available standards offerings.
The document seems a bit unbalanced. It is very detailed on UMA, OpenID Connect, etc., but is very light on references to SAML.
The STORK project's SAML profile was proposed and accepted to be included.
Rainer proposes to put forward to the TC more information about the Kantara SAML eGov Implementation Profile for inclusion in the analysis.
The document is not yet final, so it is a 'living document'; details on STORK were recently added.
Rainer has tried to contact Gershon Janssen (OASIS IDCloud Secretary) re this; no response received to date.
Colin participated in the early stages, when the discussion/document was at a very high level.
The Gap Analysis is not yet a public document.
Q: Is Research/HigherEd interested in cloud use cases?

...

AP: Rainer to write and circulate a draft text response to the OASIS IDCloud TC to the list for comments.

...

Patrick Curry presented MACCSA, Multinational Alliance for Collaborative Cyber Situational Awareness. The audio presentation was recorded and will be made available in the days after the call.

Rough notes follow. Please listen to the audio for more detail.

MACCSA
History
Led by the USA
Cyberspace part led by the UK
Five areas led by:
Norway - Threats and vulnerabilities
Sweden - Information sharing
Italy - Legal
Finland - Technology
UK- Main experiment which lasted a week - an advanced simulation environment involving 90 people, telco, energy, air traffic management, military
Activity and Experimentation lasted two years to test and evaluate the value of collaborative cyber situational awareness
'You were only 20% effective at best if you didn’t share information - Collaboration is your only choice'
Information sharing framework (ISF) needs to be implemented.
To take that forward and implement it requires an organization.
Over 9 months a series of transition workshops were arranged.
First group consisted of 22 governments, 35 nations, 8 EU organizations, UN, NATO, TMForum, ITU, CSA (Cloud Security Alliance).
Outcome was examination of four organizations that could handle this. None were considered appropriate.
Multinational Alliance for Collaborative Cyber Situational Awareness (MACCSA) was created in October 2013 to fill the need.
MACCSA: Legal entity in October 2013, UK Based, Early stage - Legally formed, Has not yet met. First meeting scheduled for 13 December 2013, London.
Founding participants are now being gathered
What do they do?
Information sharing network
Information sharing model, information management model
Federated trust: Level 3 PKI
Mapping to the four levels of assurance
Based on a standards collection comprising ISO 27000, the Australian Top 35 mitigations, US NIST 800-53 release 4 and the SANS Top 20 controls, including security metrics, sufficient for audits to occur.
Challenges:
Trust framework audit models have been examined, from the IDM environment to other types of control.
One or more interoperable schemes are required.
We are leveraging what is needed for business to share information.
The same could be applied to citizen or government cases. This work is highly reusable.
Software is being developed by the organization which will be made public.
Fake organizations are their biggest problem. How to detect the authority of individuals within an organization.
How to determine if a company is compliant with requirements of their industry sector.
Need to be accurate to within 24 hours.
ROLO (Register Of Legal Organisations) doesn't exist today. Examining joint venture options to create it. It will pull together data that is captured from other public registers.
To be a European business register. Register is voluntary, not legislated. EU has a register interoperability API in place.
The API already supports 76 nations register, so not just EU.
Accurate, complete and timely data is important. The register could support other business activities: relation to taxation, drug trafficking prevention, money laundering etc.
Fake government organizations are a nightmare scenario. How to check that some org/body is legitimate.
Q from Colin:
The link to Kantara is that the IAF could become a more generic framework with a set of profiles under that (one of them being one for MACCSA)?
Patrick:
Federation model. Most PKI bridges support one or two policies. Need reusable policies across national boundaries.
NATO IDM Policy. NATO and EU have agreed to work together to make sure that nations don’t need to have two or more ID systems.
Must be forward looking. Needs to be inclusive of mobile device challenges.
Kantara IAF needs to bring in biometrics.
Where does liability fall?
Opportunities for Kantara to get these people on board and co-operate.
NISP: Network information security platform??
Has three working groups:
  1. risk management (3 sub groups - risk mgmt and mitigation, metrics, risk mgmt framework and maturity models)
  2. info sharing
  3. research and innovation
This research is not confined to EU members. Content will flow back to EU legislation.

...