Security Dashboard

Security pages

• Security and Privacy
• GPII OAuth 2 Guide
• Vulnerability Assessment
• Infrastructure Assessment - Application and infrastructure scanning
• Audit logging Strategy
• GPII Security Plan
• Preferences Server Security
• Security Gateway
• Architecture Ideas, Sketches, and Meeting Notes
• Prosperity4All Security Infrastructure
• UI Options Security Scenarios
• CouchDB Designs for Saving and Retrieving Security Data
• APCP Security Documentation
• Other pages relating to security can be found in the category Security and Privacy.

Designs

• Options Panel - GPII Integration UI
• PMT Signin/Login and Account Management
• Privacy Settings with preferences selection
• Privacy Settings without preferences selection
• Discovery Tool - Save a Preference Set and Receive a Token
• PCP and PMT

GPII Deployment Structures

• GPII Deployment Structures
• GPII Authorization Workflows

Protect the communication between the local flow manager and the cloud based flow manager

• Initial Research on Protecting communication between Local Flow Manager and Cloud Based Flow Manager
• Continued Researches on Possible Approaches for Protecting Communication btw LFM and CBFM
• Workflows to Request and Manage Client Credentials
• Designs of Using a Dedicated Process to Protect the Client Secret Assigned to GPII Local Installation

New GPII Data Model

• Keys, KeyTokens, and Preferences
• Enhanced Data Model for NOVA

Capture Tool APIs

• Capture Tool APIs

GPII Account Setup APIs

• GPII Account Setup APIs

Presentations

• GPII Security Presentation @ APCP Advisory Committee Meeting, Jun 2017
• GPII Security Presentation November 2015

OAuth 2.0 Resources

• RFC 6749 The OAuth 2.0 Authorization Framework
• RFC 6819 OAuth 2.0 Threat Model and Security Considerations
• "OAuth 2 Simplified" article by Aaron Parecki
• GitHub OAuth2 API documentation

Notes and Older Documents

• Early Notes about GPII Architecture Security
• Notes on Security and Privacy

Meetings

• August 18th, 2014 Security Technical Call http://piratepad.net/DsKsRle4XF
• September 8th, 2014 Security Technical Call http://lists.gpii.net/pipermail/architecture/2014-September/002707.html
• October 6th, 2014 Security Technical Call http://piratepad.net/0RmS3vsmgt
• October 13th, 2014 Security Technical Call http://piratepad.net/c4a-security-13-10-2014
• October 14th, 2014 Security Technical Call http://piratepad.net/u2GJv2HqDt
• October 20th, 2014 Security Technical Call http://piratepad.net/c4a-security-20-10-2014
• October 24th, 2014 Meeting with Antranig, Michelle, and Simon http://piratepad.net/SbqR5PCRQU
• October 27th, 2014 Security Technical Call http://piratepad.net/c4a-security-27-10-2014
• November 3rd, 2014 Security Technical Call http://piratepad.net/c4a-security-03-11-2014
• November 6th, 2014 Meeting with Dana, Colin, and Simon http://piratepad.net/FXEU25cW8a
• November 12th, 2014 Meeting with Colin, Antranig, and Simon http://piratepad.net/3fHrF4T3JD
• November 17th, 2014 Security Technical Call http://piratepad.net/c4a-security-17-11-2014
• November 24th, 2014 Security Technical Call http://piratepad.net/c4a-security-24-11-2014
• November 27th, 2014 Meetings with Colin, Kasper, Antranig, and Simon http://piratepad.net/I8uyfSu3UF
• December 4th, 2014 Meeting with Antranig and Simon http://piratepad.net/pkxgwQSUYV
• December 15th, 2014 Security Technical Call http://piratepad.net/zWEZZkEOJu
• December 19th, 2014 Privacy Settings Meeting http://piratepad.net/4VzCh1u02R
• January 5th, 2015 Security Technical Call http://piratepad.net/3THu1Jc4ht
• January 12th, 2015 Security Technical Call http://piratepad.net/WfaVdfWZw5
• January 26th, 2015 Security Technical Call http://piratepad.net/CSA7ikTEXJ
• February 2nd, 2015 Security Technical Call http://piratepad.net/YpFndtIiwy
• February 25th, 2015 Security meeting 2015-02-25
• March 3rd, 2015 Security meeting 2015-03-03
• March 16th, 2015 Security Technical Call http://piratepad.net/glp0XpI6il
• March 23rd, 2015 Security Technical Call http://piratepad.net/1oCRTByGRx
• April 8th, 2015 Security meeting 2015-04-08
• April 13th, 2015 Security meeting 2015-04-13
• May 12th, 2015 Security meeting 2015-05-12
• June 22nd, 2015 Security meeting 2015-06-22
• June 29th, 2015 Security meeting 2015-06-29
• July 22nd, 2015 Security meeting 2015-07-22
• July 29th, 2015 Architecture meeting
• September 1, 2015 UIO Security integration meeting 2015-09-01
• September 8, 2015 UIO and First Discovery Tool integration 2015-09-08
• September 14, 2015 CouchDB security persistence 2015-09-14
• September 15, 2015 UIO and First Discovery Tool integration 2015-09-15
• October 13, 2015 UIO Preference Storage 2015-10-13
• October 23, 2015 Hybrid Flow Manager Ingtegration 2015-10-23
• January 15, 2016 Integrating with the GPII Preferences Server 2016-01-15
• January 18 - February 8, 2016 Continuous talks on integrating with GPII preferences server 2016-01-16, 2016-01-19, 2016-02-08
• March 3, 2016 APCP Security meeting 2016-03-03
• March 9, 2016 APCP Security meeting 2016-03-09
• March 15, 2016 APCP Security meeting 2016-03-15
• March 16, 2016 Next Steps for APCP Security 2016-03-16
• March 22, 2016 APCP Security meeting 2016-03-22
• March 29, 2016 APCP Security meeting 2016-03-29
• April 12, 2016 APCP Security meeting 2016-04-12
• April 14, 2016 APCP Security meeting 2016-04-14
• Oct 25, 2016 & Oct 31, 2016 Identity and Access Management meeting 2016-10-25 & 2016-10-31
• Nov 3, 2016 IAM requirements 2016-11-3
• Nov 17, 2016 GPII Security Next Steps 2016-11-17
• Nov 23, 2016 How to protect the preferences server 2016-11-23
• Nov 28, 2016 Review GPII authorization workflow diagrams 2016-11-28
• December 8, 2016 Washinton DC face to face, Protect the communication between the local flow manager and the cloud based flow manager(1) 2016-12-08
• January 4, 2017 Protect the communication between the local flow manager and the cloud based flow manager(2) 2016-12-08
• Feburary 16, 2017 Protect the communication between the local flow manager and the cloud based flow manager(3) 2017-02-16
• April 12, 2017 Protect the communication between LFM and CBFM: More discussion on securing the communication between a windows service and its child process - line 121 onwards
• May 8 - 12, 2017 Toronto Face to Face Hackathon
• May 8, 2017 Protect the communication between LFM and CBFM: review and discuss the design of using dedicated process to protect the client credential
• May 23, 2017 Protect the communication between LFM and CBFM: Review and discuss UX workflows and the implementations to start
• June 20, 2017 Update the status of GPII security work with Greg
• July 2017 The discussion of auth database document structures
• August 1, 2017 Discussion with UX team on the workflows to request and manage client credentials
• September 11, 2017 Discuss with UX team on questions for "Keys & KeyToken - Their Role and Use" document
• September 15, 2017 Create a to-do list based on "Keys & KeyToken - Their Role and Use" document
• Nov 2017 Remaining work for supporting PSP