xAPIsec: The xAPI Information Security Protocol
About this Big Challenge Talk
xAPIsec: The xAPI Information Security Protocol
As xAPI matures and finds usage throughout the commercial and public sectors, it is important to see that the tools which provide, collect, and analyze xAPI data conform to best practices in information security. The xAPIsec initiative commenced in 2015 with the purpose of developing a community-built document to define those best practices — ultimately with the purpose of establishing a series of security certifications for xAPI technologies. In this talk, Yet Analytics’ co-founder Margaret Roth will dive deep into the initiative and provide actionable ways for xAPI Camp participants to become involved.
http://connectionsforum.com/autodesk-san-francisco-february-2016/
“This Memorandum requires that all publicly accessible Federal websites and web services only provide service through a secure connection.”
“The strongest privacy and integrity protection currently available for public web connections is Hypertext Transfer Protocol Secure (HTTPS).”
“It provides guidance to agencies for making the transition to HTTPS and a deadline by which agencies must be in compliance.”
“Newly developed websites and services at all Federal agency domains or subdomains must adhere to this policy upon launch.”
“Agencies must make all existing websites and services accessible through a secure connection (HTTPS-only, with HSTS) by December 31, 2016.”
“To monitor agency compliance, a public dashboard has been established at https://pulse.cio.gov.”
Federal Chief Information Officer, Executive Office of the President, June 8, 2015
https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf
https://pulse.cio.gov/ - updated January 23, 2016
The Experience API (xAPI) is a technical specification for implementing a RESTful architecture consisting of a Learning Record Store (LRS) and four specific web-service Application Programming Interfaces (APIs).
ADL is part of a government agency.
xAPI will serve needs of other government agencies.
xAPI should hold itself to the aforementioned Memorandum.
xAPIsec is a proposal for an industry-led xAPI information security standard.
The need was vetted with ADL and it was announced at ADL’s xAPI Bootcamp on July 15, 2015.
Presented by Shelly Blake-Plock, Yet CEO
https://www.youtube.com/watch?v=CQTbl8IRAeo&feature=youtu.be
First Tier: Initial Suggestions
Best practices for secure xAPI usage with regard to transport-level security, i.e. the security of the external interface of an LRS:
● Strong signature algorithm: SHA-256 (rather than SHA-1) as the hash in the certificate signature
● Strong key exchange: Elliptic-Curve Diffie-Hellman (in TLS the ephemeral form, ECDHE, which also gives each session its own key)
● HSTS with a long duration, including subdomains, and the preload directive
These mitigate or prevent:
● Message interception
● Man-in-the-middle (MITM) attacks
● Message/statement alteration between the Activity Provider (AP) and the LRS
www.xapisec.org
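The script below is an added example, not code from the talk or from the xAPIsec proposal. It turns the three first-tier items into checks a practitioner can run against an LRS endpoint: the HSTS header is parsed per RFC 6797 and tested for a long max-age, includeSubDomains and preload; the negotiated cipher and protocol are tested for ECDHE key exchange; and the certificate signature algorithm is tested for a SHA-2 hash. The function names (parse_hsts, check_hsts, check_tls, inspect_live), the one-year max-age threshold (the minimum the HSTS preload list accepts, which the slide does not state), the TLS 1.2 floor, and all sample header values and cipher names are this example's own assumptions and constructed inputs.

```python
"""Check an LRS endpoint's transport settings against the first-tier items:
SHA-256 certificate signature, ECDH(E) key exchange and long-lived HSTS.
Added example: names and thresholds are this script's own, not xAPIsec's."""
import http.client
import socket
import ssl
import sys

# Assumption: one year is the minimum max-age the HSTS preload list accepts.
ONE_YEAR = 31536000


def parse_hsts(header):
    """Split a Strict-Transport-Security value into {directive: value}.

    Per RFC 6797 directive names are case-insensitive, values may be quoted,
    and a directive that appears twice invalidates the header (returns None).
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = value.strip().strip('"')
    return directives


def check_hsts(header):
    """Return findings against 'long duration, includeSubDomains, preload'.

    An empty list means the header meets all three.
    """
    if header is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(header)
    if directives is None:
        return ["repeated directive: browsers ignore the whole header"]
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        findings.append("max-age %s is below one year" % max_age)
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing")
    if "preload" not in directives:
        findings.append("preload missing")
    return findings


def check_tls(cipher_name, protocol, cert_sigalg):
    """Return findings for the negotiated cipher (OpenSSL name), the protocol
    string as reported by the ssl module, and the certificate signature
    algorithm as printed by `openssl x509 -text` (e.g. sha256WithRSAEncryption).
    """
    findings = []
    # TLS 1.3 always uses ephemeral (EC)DH; for older versions the OpenSSL
    # cipher name must start with ECDHE- to get elliptic-curve key exchange.
    if protocol != "TLSv1.3" and not cipher_name.startswith("ECDHE-"):
        findings.append("key exchange is not ECDHE: %s" % cipher_name)
    # Beyond the slide's list: anything older than TLS 1.2 is flagged too.
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append("protocol %s predates TLS 1.2" % protocol)
    if not any(h in cert_sigalg.lower() for h in ("sha256", "sha384", "sha512")):
        findings.append("certificate signature is not SHA-2: %s" % cert_sigalg)
    return findings


def inspect_live(host, port=443, path="/"):
    """Fetch cipher, protocol and HSTS header from a live server (network access).

    Python's ssl module does not expose the certificate signature algorithm;
    read that from `openssl s_client -connect host:443 | openssl x509 -text`
    and pass it to check_tls separately.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", path)
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return cipher_name, protocol, hsts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: script.py lrs.example.org [certificate-signature-algorithm]
        sigalg = sys.argv[2] if len(sys.argv) > 2 else "unknown"
        cipher, proto, hsts = inspect_live(sys.argv[1])
        print(cipher, proto, hsts)
        print(check_hsts(hsts) + check_tls(cipher, proto, sigalg))
    else:
        # Constructed sample values, not captured from any real LRS.
        print(check_hsts("max-age=300"))
        print(check_tls("AES256-SHA", "TLSv1.2", "sha1WithRSAEncryption"))
```

Run it with an LRS hostname to inspect a live endpoint, or without arguments to see the findings for the constructed weak settings. The HSTS parser deliberately rejects a repeated directive instead of taking the last value, because that is what browsers do, so a header that "looks fine" in a quick read can still leave the endpoint without HSTS.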
Second Tier: What to Consider
● Infosec standards for Activity Providers considered in isolation from the LRS
● Internals and information architecture
● Secure network hierarchy for SaaS
● Data persistence mechanism reliability
Third Tier: What to Consider
● Full-stack
● Best practices for intrusion detection systems
● Alarm response times
● Auditing
● Response to zero-day vulnerabilities
● CVE response time standards
Language regarding security is included in version 1.0.3 of the xAPI Spec:
“The xAPI Community remains dedicated to determining security best practices. The effort has begun at xAPIsec. Participation is highly encouraged.”
https://github.com/adlnet/xAPI-Spec/blob/1.0.3/xAPI.md#security
xAPIsec application to LRS and data analytics services.
Comparison of employee activity and performance data in xAPI format.
A view from Yet Core - https://yetcore.io
xAPIsec application to non-xAPI-native Web Service integrations.
Activity and performance including frequency and engagement data of developer work habits drawn directly through Yet’s xAPI translation bridges to GitHub and Pivotal Tracker.
A view from Yet Core - https://yetcore.io
xAPIsec application to Connected and Immersive IoT Environments.
Employee experience data collected in a multi-device, multi-modal connected environment.
A view from Yet Core - https://yetcore.io
In practice, these security exercises matter to both cloud and on-prem deployments, and should therefore complement the security standards of the hardware and infrastructure in high-security settings.
Yet is applying these measures to enterprise on-prem xAPI deployments.
Yet Analytics has aligned with the IBM LinuxONE system to deliver a secure and scalable full-stack xAPI deployment.
● Massive scalability
● Zero-breach security
● Zero observed memory errors in the last 5 years
● 99.999% uptime
● Baked-into-silicon cryptography
“How do I get involved?”
Contribute to the xAPIsec proposal on GitHub and discuss via Gitter.
For updates, visit xAPIsec.org.
This is an industry-led, community-driven effort.
https://github.com/xapisec/xapisec
Yet Analytics’ Margaret Roth and ADL’s Craig Wiggins will be presenting on the “Data of Experience” at SXSW in March.
http://schedule.sxsw.com/2016/events/event_PP57120
Draft summary of community response will be published in March 2016 during SXSW Interactive.
Vendor? Researcher? Security expert? User? Get involved:
xAPIsec.org
Margaret Roth, CMO, SVP of Performance Technologies, Yet | [email protected] | @teachingdaisy
xAPI Camp, Autodesk, February 11, 2016
yetanalytics.com