www.egi.eu EGI-InSPIRE RI-261323 Draft Security Virtualisation Policy (for Romain Wartel – CERN) EGI Technical.

Presentation transcript:

Draft Security Virtualisation Policy (for Romain Wartel – CERN)
EGI Technical Forum Lyon, 21 Sep 2011
David Kelsey, STFC/RAL

New policy
Draft Security Policy for the Endorsement and Operation of Virtual Machine Images
SPG editorial team leader: Romain Wartel, CERN
Now under external review
– Comments invited by 28 Sep 2011
– spg-discuss AT mailman DOT egi DOT eu
21 Sep 2010 Kelsey/ SPG Virtualisation 2

Aims of policy
Growing demand for EGI to use Virtual services, e.g. VRCs running their services
Several different roles re VM images
– Producer
– Endorser
– Operator
How do we build trust such that Resource Centres will allow VM images to be instantiated?

HEPiX Virtualisation Working Group
Virtual Grid worker nodes
Transparent to end user
– Same as payload running on real WN
– Same access to local trusted services
Producer and Endorser do not have root access to running VM images
Endorser maintains signed list of endorsed images
Draft security policy

EGI security policy
Build on the earlier work of HEPiX
Include more use cases
Place responsibilities on the VM operator as well as the VM endorser
Policy which also works with the StratusLab VM Marketplace
– registry of images

Use cases
Table columns: VM endorser | VM operator
Use case 1 | Local resource centre
Use case 2 | External 3rd party | Local resource centre
Use case 3 | External 3rd party
Use case 1: Users do not see virtualisation – no extra policy requirements
Use case 2: Trust relationship between RC and Endorser
Use case 3: Trust relationships between RC and VM Operator and between VM Operator and Endorser
Note – this policy does not address the Cloud Provider model – end users able to submit their own images which then run inside a tightly controlled and sandboxed environment

Show actual text

Discussion?