Development of the Fermilab Open Science Enclave Policy and Baseline Keith Chadwick Fermilab Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359.

03-Mar-2008 Fermilab Open Science Enclave
Slide 1: What - Is an Enclave?
[Diagram: All Computers at Fermilab, divided into the General Computing Enclave and the Open Science Enclave; each enclave contains Major Applications and Minor Applications.]

Slide 2: How - Do the Enclaves Differ?
General Computing Enclave:
- Systems accessed via Strong Authentication (Kerberos).
- Windows and Scientific Linux.
- Interactive + Batch computing.
- Storage.
- Strong authentication for batch and interactive use.
- Strong authentication and X509 certificate authentication for “file” access.
- Major and Minor Applications within the Enclave.
Open Science Enclave:
- Systems can be accessed via credentials not issued by Fermilab (DOEgrids).
- Scientific Linux only.
- Batch computing “only” - very limited interactive access.
- X509 certificate authentication for “batch” computing resource use.
- X509 certificate authentication for “file” access.
- Major and Minor Applications within the Enclave.

Slide 3: Why - Purpose of the Baseline
The settings in the Fermilab Open Science Enclave (OSE) baseline are intended to:
- Minimize the exposure of computing resources in the Fermilab Open Science Enclave to known vulnerabilities, and to:
- Reduce the risk of compromise of computing resources in the General Computing Enclave.

Slide 4: OSE Computing Resource Definition
A computing resource is administratively defined as being in the Fermilab Open Science Enclave if it meets the following definition:
- A computing resource must be part of the Open Science Enclave (OSE) if it is managed by Fermilab and allows grid users to install and/or run software using credentials which are not issued and revocable by Fermilab.
- Other explicitly identified computing resources supporting the operation of the OSE may be designated part of the OSE by Fermilab.
“Current” inventory of OSE Computing Resources: 

Slide 5: Baseline Document
The Fermilab OSE baseline was developed by the Fermilab OSE Working Group over an approximately four-month period:
- Mine Altunay, Eileen Berman, Keith Chadwick, Matt Crawford, Mike Diesburg, Stu Fuess, Irwin Gaines, Don Petravick, Igor Sfiligoi, Steven Timm & Dan Yocum.
The current draft of the Fermilab OSE baseline document is available here: 

Slide 6: Mandatory & Recommended Settings
The baseline presents both the minimum (mandatory) and recommended (best practice) levels of security settings.
The baseline is supposed to be a “living” document:
- It is not “written in stone”,
- Today's copy does have things that need additional work,
- It will evolve to address issues and threats as they are identified in the future.
The forum for discussing changes to the baseline is the OSE working group:
- Weekly face-to-face meeting,
- “fermigrid-security-discuss” list,
- “homework” assignments.
Output from the OSE working group is presented to the Fermilab Computer Security Executive (CSEXEC) for acceptance or additional work.
- There is roughly 50% overlap between the OSE WG and the CSEXEC.

Slide 7: Areas Covered by the Baseline
- Physical Security.
- System Registration.
- Secure Installation.
- Daily OS and other updates (CRLs).
- Policies for Accounts.
- Pilot Jobs and gLExec.
- Network Configuration.
- File Systems and File Services (NFS, AFS, other).
- Installation and Configuration of Grid Middleware.
- Accepted Certificate Authorities.
- Required use of Central Grid Services (VOMS, GUMS, SAZ).
- Web Servers, Squid, MyProxy.
- Xen, Edge, VOBox Services.
- Certificates and Certificate Storage.
- Logging and Auditing.
- Backup and Recovery.
- Systems Authorized to Offer “Restricted Central Grid Services”.
- Detailed assessment of where specific systems are with respect to compliance with the (draft) baseline.

Slide 8: Baseline Status
The baseline is currently in draft form, awaiting incorporation of comments from the review of the baseline by the experimental communities, followed by a review of the revised baseline by the experimental communities and Computing Division management.
Once the baseline is formally accepted by the Computing Division, all systems in the Fermilab Open Science Enclave will be required to (eventually) come into compliance with the baseline.
Several Fermilab organizations are already taking steps to move to configurations which are closer to compliance with the baseline.

Slide 9: Fin
Any Questions?