Traceability & isolation evolution Vincent BRILLAULT, CERN/EGI-CSIRT GDB Mars 2015, Amsterdam.

Slides:

Advertisements

Similar presentations

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

Advertisements

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Towards A User-Centric Identity-Usage Monitoring System - ICIMP Daisuke Mashima and Mustaque Ahamad College of Computing Georgia Institute of Technology.

National Energy Research Scientific Computing Center (NERSC) Computer Security – The New Threats Stephen Lau NERSC Center Division, LBNL June 24, 2004.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

Preliminary Conclusions VO Box Task Force GDB Meeting 5 april 2006.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

Virtual Workspaces Kate Keahey Argonne National Laboratory.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGEE-EGI Grid Operations Transition Maite.

LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 November 2007.

Glexec, SCAS & CREAM. Milestones CREAM-CE capable of large-scale direct job submission Glexec & SCAS capable of large-scale use on WN in logging only.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.

Grid Security Vulnerability Group Linda Cornwall, GDB, CERN 7 th September 2005

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.

Security Environment Assessment. Outline  Overview  Key Sources and Participants  General Findings  Policy / Procedures  Host Systems  Network Components.

Mar 27, gLExec Accounting Solutions in OSG Gabriele Garzoglio gLExec Accounting Solutions in OSG Mar 27, 2008 Middleware Security Group Meeting Igor.

Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

Workload management, virtualisation, clouds & multicore Andrew Lahiff.

Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon.

JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.

1 Cloud Services Requirements and Challenges of Large International User Groups Laurence Field IT/SDC 2/12/2014.

TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.

Why a Commercial Provider should Join the Academic Cloud Federation David Blundell Managing Director 100 Percent IT Ltd Simple, Flexible, Reliable.

Ian Collier, STFC, Romain Wartel, CERN Maintaining Traceability in an Evolving Distributed Computing Environment Introduction Security.

LHCb 2009-Q4 report Q4 report LHCb 2009-Q4 report, PhC2 Activities in 2009-Q4 m Core Software o Stable versions of Gaudi and LCG-AA m Applications.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud and Software Vulnerabilities Linda Cornwall, STFC 20.

Traceability WLCG GDB Amsterdam, 7 March 2016 David Kelsey STFC/RAL.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Questionnaires to Cloud technology providers and sites Linda Cornwall, STFC,

Trusted Virtual Machine Images the HEPiX Point of View Tony Cass October 21 st 2011.

Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –

Virtual Machines on BiG Grid INFN Annual Meeting May 2010 Sander Klous, Nikhef.

Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.

Cloud Security Session: Introduction 25 Sep 2014Cloud Security, Kelsey1 David Kelsey (STFC-RAL) EGI-Geant Symposium Amsterdam 25 Sep 2014.

Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL

Traceability & Isolation WG Vincent BRILLAULT, CERN/EGI-CSIRT GDB June 2016, CERN.

J. Templon Nikhef Amsterdam Physics Data Processing Group Monitoring Session Summary EGI Virtualization Workshop May, Amsterdam Thanks to all the.

Containers as a Service with Docker to Extend an Open Platform

OGF PGI – EDGI Security Use Case and Requirements

Multi User Pilot Jobs update

HTCondor Security Basics

VIRTUALIZATION & CLOUD COMPUTING

LCG Security Status and Issues

Ian Bird GDB Meeting CERN 9 September 2003

WLCG experiments FedCloud through VAC/VCycle in the EGI

LCG/EGEE Incident Response Planning

Federated Identity Management for Researchers (FIM4R)

Outline Introduction Characteristics of intrusion detection systems

Understanding of Health and Safety

Monitoring Session Intro

Solutions for federated services management EGI

Privilege Separation in Condor

Chapter 27 Security Engineering

Reengineering the Audit with Blockchain and Smart Contracts

Procedure for adding a Trusted Site

Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Dr Linda Cornwall STFC/RAL EGI OMB 27th September 2013

Federated Incident Response

Presentation transcript:

Traceability & isolation evolution Vincent BRILLAULT, CERN/EGI-CSIRT GDB Mars 2015, Amsterdam

Why traceability and isolation ? Current situation What’s “new” “glExec” Black boxes The future? Vincent Brillault, CERN/EGI-CSIRT2 Overview GDB Mars 2015, Amsterdam

For security, but not only! Traceability: Identify, reconstruct & understand – Security incidents: catch bad users, fix vulnerability – Issues/bugs/strange behaviors Isolation: – Prevent credential theft & impersonalization – Prevent jobs from harming each-other Vincent Brillault, CERN/EGI-CSIRT3 Why? GDB Mars 2015, Amsterdam

Site responsible for (policy-wise): – Recording all activity: when, where, who, what – Securely and centrally store logs for months – Process logs upon CSIRT request during incidents Identifying and isolating users: – WN/pilot jobs: glExec (if/when deployed & used) – Endpoint/services: end-user x509 certificate/proxy Multi-site analysis difficult: – Broadcast warning/regex and wait/hope… – Rely on VO frameworks or central services Vincent Brillault, CERN/EGI-CSIRT4 Current situation GDB Mars 2015, Amsterdam

New technology on the rise: – Virtualization & VMs: black boxes managed by VOs – Cgroups/namespaces: new isolation solution? Multi-user pilot-jobs on the decline VOs have large frameworks & log activity Vincent Brillault, CERN/EGI-CSIRT5 What’s “new” GDB Mars 2015, Amsterdam

Promising technology: cgroup & namespaces Explore new solutions: – Identify what needs to be isolated from users, e.g: Pilot job own credentials (if kept) VO logging facilities & framework callback (if any) – See if new technology can cover out needs – Identify/resolve OS dependencies (EL7+ ?) Accept a split log “responsibility” – When/where Who: Site + VO – When/where What: Site & VO We may be able to retire glExec and close this debate! Vincent Brillault, CERN/EGI-CSIRT6 “glExec” GDB Mars 2015, Amsterdam

Pilot jobs/VMs becoming black boxes – Site: Log externally observable behavior – VOs: Log what happens inside Identify how to keep site expertise: – Identify strange behaviors (e.g. Bitcoin mining) – Debugging/problem resolution Keep response capability: – User suspension: Service/endpoints: OK (x509 certificates/proxy) Shared resources (e.g. network): ?? – Properly integrate VOs in response procedures Vincent Brillault, CERN/EGI-CSIRT7 Black boxes GDB Mars 2015, Amsterdam

New model possible: – Consider pilot jobs/VMs as black box – Build and trust central security VO logs – Concentrate on unprivileged isolation There is a lot of questions, no clear solution yet VOs’ expertise needed: – Keep making sure pilot jobs are protected – How to take advantage of job frameworks Sites’ expertise needed: – What data/access/control is needed – What technology can be supported Vincent Brillault, CERN/EGI-CSIRT8 The future? GDB Mars 2015, Amsterdam