Regulatory Developments

Last updated: 
3 months 3 weeks ago
Blog Manager
Log in to request membershipHide blog description
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Recent members:

Managing Incident Response in Identity Federations

Thursday, October 3, 2013 - 08:32

In talking with service providers at this week’s conferences on federated access management in Helsinki it’s become apparent that many of them are asking identity providers to supply not only the information that they need for normal operations, but also information that will only actually be needed if a problem occurs. For example it seems that some service providers may request every user’s real name just in case a user mis-behaves and breaks the service provider’s policy.

Since most service providers won’t have a direct relationship with their users - indeed the service provider and user are increasingly likely to be in different countries - there’s probably a better way to deal with problems. The identity provider, who is likely to have a contract or other agreement with their student or member of staff, is much more likely to be able to talk to them face-to-face and, if necessary, impose a punishment for misbehaviour. And if the identity provider agrees to deal with problems there may be no need for every user’s real identity to be disclosed every time they access a service; indeed it may not even be necessary to disclose it if a particular user mis-behaves so long as the service provider trusts the identity provider to work out which user caused the problem and deal effectively with them.

This approach has been used for many years with federated network access under the Janet eduroam policy. Each time a user is authenticated their home organisation passes a session identifier to the visited organisation; if the user causes problems then the visited organisation can report the relevant log extracts and the identifier and the home organisation is obliged by the policy to deal with the user as if they had breached their Acceptable Use Policy at home. The policy thereby reassures organisations offering visitor services that problem users will be dealt with, while protecting the privacy of every user of eduroam. Stefan Winter of RESTENA gave a presentation on how to trace a mis-user at a TF-CSIRT seminar in 2010.  If a home organisation fails to deal with a problem their breach of the policy can be reported to the eduroam operator; if the misuse is an immediate serious threat to the visited organisation they are able to temporarily suspend access by all visitors from that home organisation.

The same bargain, where a home organisation agrees to deal with individual problems with the possibility of a general suspension if they fail to do so and pose a risk to others, is also used by the Janet Security Policy. Under clause 9 connected sites agree to deal effectively with reported policy breaches, and the policy allows network operator to restrict or suspend service if they fail to do so.

Some identity federations already have agreements that cover incident response, for example the UK Access Management Federation Rules of Membership require that members "must give reasonable assistance to any other Member investigating misuse" (clause 3.5) and the Recommendations on Use of Personal Data suggest that problems should be reported to, and dealt with by, the user’s home organisation (section 4). Where a federation agreement doesn’t contain similar provisions it may be possible for service providers to seek assurances from either the federation operator or individual identity providers. This should permit the service provider to request less personal data as a matter of routine, thus complying with data protection law’s minimisation principle, reducing the compliance risk to both service provider and identity provider, and perhaps making the identity provider more willing to release the information that is needed for routine access to the service. Agreeing effective incident response measures to permit reduced routine data transfer seems like a win for all: service providers, identity providers and users.

Given the benefits of agreeing a different process and information flow for handling policy breaches, it may be worth considering whether there are other exceptional circumstances that could be treated in the same way. One situation that was mentioned is where a virtual organisation needs to check which user(s) have incurred costs or used quota with a service provider. Here there needs to be an exchange of information between the service provider and the VO (and possibly the IdPs as well): agreeing the exception process in advance may both give more confidence that it will work, and allow a reduction in routine information transfers.

Access Management
incident response
data protection
#VAMP2013
  • Twitter logo
  • LinkedIn logo
  • Google+ logo
  • Reddit logo
  • StumbleUpon logo

Comments

I agree in principle with the comment but I know where the SPs are coming from (being an SP.) Nearly all "incidents" are not serious enough to register on the IdP (organisation)'s radar, as you mention in the last paragraph. A user may have a runaway job which we'd have to kill, or have files which do not appear in a catalogue and we want to contact them about it. Or it may be just an invitation to a user meeting.  This is a long way from an AUP violation and is just part of operating a good service, particularly when it's a group quota rather than an individual.  An IdP may not want to handle a request like this.  Also, occasionally these have to be handled quickly, e.g. if the missing catalogue entries causes jobs to fail, and the turnaround via the IdP helpdesk may delay things for days and waste the group's (and our) resources.

The grid had a portal where registered sysadmins could paste in a DN (from a log file) and type some stuff into a box and the portal would send a mail to the user, without revealing the user's email address.  This was useful for all sorts of reasons. I think it's still there somewhere.

Submitted by Jens Jensen on Thu, 2013-10-03 09:57

Jens, thanks for the extra examples. I wonder whether at least some of them could be handled by those users who wanted the (additional) service voluntarily providing their own information, though? For example "join this mailing list if you want to hear about user meetings"? Rather than sending every user's details, just to cover the subset who do.

Though I admit that "register here if you want us to tell you why your jobs don't complete" doesn't sound as convincing ;-) But isn't there a way to get error messages back through the Grid submission process, rather than relying on e-mail as a back-channel? I know there are protocols around that have very flimsy support for error reporting, but hoped the Grid wasn't one of them :(

Background is that I keep hearing suggestions that more organisations would connect to more services if they didn't have to release as much personal data in order to do so. I don't deal directly with user organisations, so don't have actual evidence either way (I'd be very interested to hear from anyone who does). But hence wondering whether handling routine and non-routine processes separately, and maybe differently, might help?

Cheers, Andrew

Submitted by Andrew Cormack on Fri, 2013-10-04 09:43