Personnel segmentation

gene · May 31, 2017, 8:57pm

( This email involves a general question to the infosec team as well as a specific question spawned from that general question for the IAM project )

The “Second Opinion” system I’m building for the IAM project provides a second opinion on a given users identity and authorization so that a compromise of auth0 or LDAP or an IAM administrators account does not compromise a website using the second opinion model.

For this to work we need to ensure that no single administrator (e.g. infosec team member) has rights in both the Auth0/LDAP/CIS system and the second-opinion system.

Question for infosec :I know there are some other areas where we intentionally have some team members with some rights and others without those same rights to create separation. What are those examples? I’d like to document them.

Question for IAM project (and infosec) I think for at least the time being I’ll need to administer the second opinion system while we get some experience under our collective belts. Given that I think I need to relinquish my rights that relate to Auth0 administration, and anything else that I could escalate into the ability to modify LDAP or any of those systems. Do we have enough auth0 admins without me or should we promote someone else? Is there any problem with me relinquishing these rights now?

-Gene

kang · May 31, 2017, 10:10pm

Hi,

We reference personnel segmentation in the principles here: https://wiki.mozilla.org/Security/Fundamentals/Security_Principles#Segment_the_environment

Examples: admin access to the 2FA mechanism/service, but no access to he first factor mechanism/service (and the opposite is also true of course). We also ensure that accounts used for this need to either reauthenticate or use a separate account (ie gene_adm@mozilla.com or similar - see https://mana.mozilla.org/wiki/display/POLICIES/Standard%3A+Admin+accounts) are used for this.

Notes:

another way to achieve that is to require double (or more) sign-off on operations (i.e. 1 person mock the change, 2nd person is requested to approve of it before the change is rolled out/applied).
Auth0 cannot write to LDAP (thus cannot “escalate” though it does have the list of users for example) in it’s current state (and hopefully forever)
You would still want to relinquish the Auth0 administrative access
I am most likely going to have to relinquish Auth0 administration production rights at some point as well, for the same reasons (most likely when CIS is completed), thus the question of having this position officially filled is a good one regardless.

Guillaume

jbryner · May 31, 2017, 10:10pm

I think kang/andrew/jabba/gene are currently auth0 admins so probably safe to relinquish.

I agree with the separation between primary auth (auth0/ldap/cis) and second opinion. Can we have someone from parsys ride along with you?

Alicia_Smith · May 31, 2017, 10:30pm

Some team members have access to the nessus scanner (I think?) and others don’t - that could be a case study for what you are trying to accomplish.