OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-taxii message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-taxii] Question about multiple trust group support

Hey Terry - I am sorry but I still have a really hard time trying to understand this use case.

I find it easier to talk through examples than theory, so here is a federated example - we have Bank A and Bank B in the FS-ISAC trust group. There are 3 TAXII servers at play - Bank A and Bank B both have their own TAXII servers, as does the FS-ISAC.

I still don't understand this idea that Bank A and Bank B would want to share users or groups - they wouldn't. Bank A's server would have Bank A's employees on it, and various groups of those employees would have access to various feeds. The same would be true of Bank B. Bank A would *never* allow their employee lists and groups to be federated through FS-ISAC to Bank B... it just would never happen. I can't see it happening in any trust group actually.

The way Bank A and Bank B share data in their trust group, is via the FS-ISAC shared server... they post data to their Bank A server. Their server then takes (presumably subsets) of that data and relays up to a "Bank A Channel" on the FS-ISAC server. Bank B can therefore receive data from the "Bank A channel" if they (a) want to trust that data, and (b)they have access to it.

There is no need to federate users or groups to do any of this. It is actually almost the opposite.. you don't want to share groups at all because you want different levels of authorization and access depending on where in the "trust pyramid" you are sitting.

Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

Inactive hide details for Terry MacDonald ---2015/09/30 09:09:33 PM---In which case, I have a few more questions. Bullet pointsTerry MacDonald ---2015/09/30 09:09:33 PM---In which case, I have a few more questions. Bullet points for them seem easiest.

From: Terry MacDonald <terry.macdonald@threatloop.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Davidson II, Mark S" <mdavidson@mitre.org>, Terry MacDonald <terry.macdonald@threatloop.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "Thompson, Dean" <Dean.Thompson@anz.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/09/30 09:09 PM
Subject: Re: [cti-taxii] Question about multiple trust group support
Sent by: <cti-taxii@lists.oasis-open.org>

In which case, I have a few more questions. Bullet points for them seem easiest.I had always envisaged TAXII v2.0 to be distributed, and resilient. The idea was, just like TCP/IP, the removal of a particular node would not affect the ability of the platform to operate. By ensuring distribution of data across multiple TAXII servers, and having the ability (if the TAXII server admin allowed it) for administration to be done for groups or channels on any of the TAXII nodes that were part of the trustgroup, the platform would be able to lose nodes, and TAXII clients could easily use any of the other nodes without losing access to the data. This would support a fully distributed decentralized model if that was required, but would also support a single centralized model such as you have described but enforcing adminstrative restrictions.

I guess my major concern is that we appear to be developing for silos, then are trying to 'add-on' the ability to share between them. I believe we should be developing for sharing, then just allow users to restrict that into silos if they wish to.


Terry MacDonald
| STIX, TAXII, CybOX Consultant

M: +61-407-203-026
E: terry.macdonald@threatloop.com
W: www.threatloop.com

Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.

On 30 September 2015 at 23:49, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]