JIRA Issue

[#REVIEW-49] XCI-185 Analyze SSO Hub usage - Design/Security Review

[REVIEW-49] XCI-185 Analyze SSO Hub usage - Design/Security Review Created: 11/21/2017  Updated: 02/16/2018  Resolved: 12/19/2017

Status: Closed
Project: Technical Reviews
Component/s: None
Fix Version/s: None

Type: Design and Security Review
Reporter: JP Navarro Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Review
is review of XCI-185 Analyze SSO Hub usage Closed
Review Materials:

https://software.xsede.org/displayvc/xsede/xci/activities/xci-185/trunk/Deliverables/XCI-185-SSOHubUsage-Design.pdf?revision=3985&view=co

Review Criteria:

Please focus on these questions:

  1. Does the proposed design gather the most useful usage information?
  2. Are the methods proposed to gather capture usage information appropriate?
  3. Are the methods proposed to analyze usage appropriate?
  4. Are relevant XSEDE security policies and best practices followed?
  5. Is the proposed usage information data access and privacy reasonable?

and the following solution support scenarios:

  1. XSEDE has recent and historical SSO hub usage information (as a service and as a client to other SSH services)
Discussion Thread: https://software.xsede.org/discussion-forums/xci-185-design
Review Summary:
  1. Using Globus Usage stats for GSISSH Servers to determine the number of logins from the SSO hub was found not to be possible because the server stats don't include client info.
  2. A suggestion for compiling the number of unique IP addresses for each user to determine potentially compromised accounts was found to be out of scope and also redundant since SSO Hub has other security measures in place for that kind of scenarios.
  3. A suggestion to determine how many logged in users are sitting idle (and for how long) on the SSOHub was determined to be out of scope.
  4. A suggestion for a metric on the total number of gsissh connections over the specified period was accepted.
  5. A suggestion to specify that filtered raw data would be generated on a daily basis and sent to a central repository being designed as part of XCI-187 was accepted and the design doc updated.
Public Review Link: https://software.xsede.org/jira/view/reviews/REVIEW-49
Review Material Developers: Venkat Yekkirala, vyekkira@illinois.edu, Developer
Jim Basney, jbasney@illinois.edu, Designer
Target Review Start Date:
Target Reviewer Feedback Due Date:
Target Written Feedback Assessment Due Date:
Actual Review Start Date:
Actual Reviewer Feedback Received Date:
Actual Written Feedback Received Date:
Actual Review End Date:
Reviewer Feedback Due Soon Reminder Date:
Reviewer Feedback Due Today Reminder Date:
Developer Feedback Reminder Date:

 Description   

General design and security risk review for new SSO hub usage collection and analysis