2020-05-12 Security Subcommittee Meeting Notes

Please find below the minutes and recording of the SECCOM meeting that was held on the 12th of May 2020.

Jira No

Summary

Description

Status

Solution


 

Synch meeting with Requirements Subcommittee

We had a meeting on May 11th where we presented the SECCOM requirements for the Guilin release.

 

We were asked to fulfill our non-functional requirements on this wiki.

Jira Epics are to be started for each project.

The deadline is the 27th of May.

 

IAM requirement

1)

SECCOM-136

ONAP MUST support the creation of multiple unique IDs so that individual accountability can be supported.

From our point of view, this must be:

ONAP MUST support the creation of multiple unique IDs so that individual accountability is supported.

2)

Due to the lack of any requirement around traceability:

New requirement proposed:

ONAP MUST associate each action to a responsible user and logged in order to be exported to an external component (e.g. Syslog, SIEM/SOC, etc.)

 

SECCOM-136: Review ONAP security req [idam-1]Open

 

 

 

 

 

 

 

SECCOM-172: Review ONAP security req [analytics-11]Open

To be reviewed by Fabian.

 

OOM requirements for Guilin - follow-up discussion with Sylvain

AAF is optional; this was the intention. Bell Canada does not want to have AAF integrated in their setup. From Sylvain's point of view, it should be possible to disable RBAC and HTTPS.

Consultation on the AAF approach with the Architecture Subcommittee was not done, and we think it should be.

Why does Bell Canada not address their need with the TSC?

We agreed that our requirements need to be consistent with those of the OOM team, although the ability to turn off security is a bit odd for SECCOM.

We still do not know if AAF has a new PTL.

We should have documentation on how to deploy certificates with AAF Certman and without it.

Service mesh POC should answer some questions.

 

AAF integration effort to be checked with PTLs.

We should have an LoE estimation for those few projects on service mesh integration.

 

Communication matrix

The communication matrix is still valid for external communication. How can this information be obtained automatically? OOM to be consulted.

 

To check with Sylvain whether we can retrieve information valid for us. For DCAE, external communication is already done.

Other external communication types to be identified.

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 19th OF MAY'20.