2023-07-11 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 11th of July 2023.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution



ONAP disaggregation impact on SECCOM activities

Disaggregation is getting its momentum.

5-10% of projects time to be focussed on integration efforts.

Aarna used EMCO to deploy slices, the same could be done with ONAP.

ONAP is still handling high level orchestration if it comes to CNF orchestration it is delegated to Nephio. EMCO is talking about connecting to Nephio.

We are looking at dev side of the security which is half part picture.

Imact analysis is needed for ONAP disaggregation with focus on security, testing etc.

SECCOM recommendations: (June 27)

  • Create catalog of APIs for each ONAP project

  • Best practices and global requirements will still apply to each project

  • Keep SECCOM as a resource

  • ONAP becomes a service based on integrations

  • Definition of unmaintained project may have to be modified

  • TSC may have to decide on the bindings and projects

  • Need a task force for disaggregation

  • Action Item: Create a best practice for documenting APIs for the Montreal release – Muddasar will talk to Thomak Kulik

Integration is needed when we want to keep ONAP notion as platform. Otherwise we have several individual components. Those components may have different testing strategies. With service mesh implementation individual authn and authz, or Keyclock are gone. 

We need to talk how to guide and educate companies on each function.

It is critical to document and test APIs (min 3 APIs: management, service and autoreporting) - this is the scope of integration.

Each TSC meeting we plan to progress with the discussion and decisions on ONAP evolution.



Pawel to work with ONAP TSC on addressing target evolution by identifying one by one migration concerns.



LF IT CI/CD security review

Muddasar is not getting support for the ticket opened 1 month ago:

 IT-25429 Review of ONAP CI Threat Model and Security Controls

Matt contacted Muddasar to say he will be on holidays and he will address this issue once he comes back.



Muddasar to send an e-mail to Jess, Kevin and Matt with additional info on what is needed. We expect this is info that could be provided on the fly by REL ENG.



5 Years security questionnaire for Policy project

-https://lf-onap.atlassian.net/wiki/display/DW/PF+-+ONAP+Security+Review+Questionnaire

-Confirmation from Policy project received about review completion.

ongoing

Tony to share initial feedback with Policy team. Next discussion point is 18th of July.



PTL meeting (July 10th)

Interesting discussion with Fiachra, Liam and Toine

Java 17 migration takes several weeks

Wiki already created by Liam for Policy: Dependency Upgrade in Policy Framework

Oparent has served its purpose, multiple projects already override Oparent – to be discussed at the next PTL meeting.



To continue the discussion on Oparent removal at the next PTL meeting.

Secure CI/CD for disaggregated ONAP to be further discussed too.



TSC meeting (July 6th)

-Update on new Global Requirement: Use Native Service Mesh Authentication and Authorization for Intra-ONAP Communication

  • Infosys will work on removing basic auth in SO and AAI

Voting on a London release – accepted.



Meeting with Infosys done. They will do the analysis. Access to environment will be crucial.

Jira ticket for the new Global Requirement to be issued.



Watching SA5 in the scope of Intelligence and automation 

Maggie will keep an eye on it and keep us posted. 







LFN liason with 3GPP Working Groups

It is not clear whether LFN has umbrella liasons - to be further elaborated with Kenny.



Pawel to discuss  on Wednesday's meeting with LFN team and book the slot for TSC meeting.



NEXT SECCOM MEETING CALL WILL BE HELD ON 18th JULY 2023. 













Recordings: 

2023-07-11_SECCOM_week.mp4

SECCOM presentation:

2023-07-11 ONAP Security Meeting - AgendaAndMinutes.pptx