Federated Environments and Incident Response: The Worst of Both Worlds

Presentation transcript:

Federated Environments and Incident Response: The Worst of Both Worlds? A TeraGrid Perspective
Jim Basney, Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign, jbasney@ncsa.uiuc.edu
This material is based upon work supported by the National Science Foundation under Grant No. 0503697. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

What is the TeraGrid?
NSF-funded facility to offer high end compute, data and visualization resources to the nation's academic researchers (7500+ registered users from 450+ organizations)
www.teragrid.org

TeraGrid Federations
- TeraGrid Core Services
  - TeraGrid Central Database (TGCDB) manages accounts / allocations across resources / sites
  - Centralized resource usage accounting
- X.509 Public Key Infrastructure (PKI)
  - International Grid Trust Federation (IGTF) (gridpma.org) includes Certificate Authorities operating outside of TeraGrid
  - Single sign-on across TeraGrid systems
- TeraGrid membership in Shibboleth InCommon Federation (planned)
  - Campus login to TeraGrid resources by researchers and students
- TeraGrid Science Gateways Program
  - Self-managed scientific communities
  - Gateway acts as identity provider and resource broker

TeraGrid Risks of Primary Concern
- Service disruption
  - Account compromise interrupts access for the account holder
  - System compromise interrupts access for all account holders
- Being the source of attacks on other systems
  - High performance computers and networks used by attackers
  - Spread of compromise via stolen credentials
- Corruption / loss of scientific data
  - Delay or invalidation of scientific results

TeraGrid Incident Response
- Single point of contact: help@teragrid.org, 1-866-907-2383
- 24/7/365 response
- Cross-site coordination for incident response
  - Centralized ticket tracking system
  - Emergency contact directory
  - Secure teleconference lines
  - Secure email lists

Secure Email List Service (SELS)
- Being evaluated by the TeraGrid Incident Response Team
- Provides message-level security for emails exchanged on mailing lists: confidentiality, integrity, and authentication
- Minimally trusted List Server
  - List Server does not get access to email plaintext
  - Proxy encryption techniques enable transformation of ciphertext
- Developed with COTS and open-source components
  - Integrated with GnuPG on the subscriber side; no extra software to install
  - Integrated with Mailman on the server side with easy installation
- Lists can be hosted by NCSA: sels.ncsa.uiuc.edu

Federated Identity & Incident Response
- Network attacks across administrative boundaries
  - Not a new problem but still a challenge!
  - Coordination across organizational CSIRTs: CERT/CC, US-CERT, REN-ISAC, FIRST
- New challenge: compromise of federated identity
  - React: disable access, revoke credentials, notify other service providers, contact identity provider, contact identity holder
  - Recover: re-credential identity holder, coordinate with identity provider, coordinate with service providers, restore accounts/systems, re-enable access
  - Compromise can spill outside the federation

TG Requirements for Federated Identity
- Ability to contact the Identity Provider: phone number, email address, public key (PGP, S/MIME)
- Ability to block unwanted user behavior: persistent user identifier
- Ability to directly contact the user: email address and/or phone number
Taken from the requirements gathering process for the TG Science Gateway program.

TeraGrid Science Gateways
- Use SAML assertion to convey user identifier and email address
- gridshib.globus.org

Proposed Discussion Topics
- Support from identity providers for incident response
  - Preparation: timely and secure communication, prompt credential revocation, confirmation of credential reset / re-issuance
  - Assistance with incident investigation: audit records and system logs
- Effective communication and coordination
  - Should incident responders contact users directly?
  - Can the identity provider help to coordinate?
- Value for incident response of a persistent user identifier
  - Facilitates blacklisting
  - eduPersonPrincipalName? eduPersonTargetedID?
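The three slides on TG requirements, the SAML assertion used by science gateways, and the persistent identifier question come together in one service-provider-side check. The following is an added example, not code from the talk, TeraGrid or GridShib: it parses a SAML 2.0 attribute assertion, extracts eduPersonPrincipalName, eduPersonTargetedID (carried as a NameID, which is only unique together with its IdP and SP qualifiers) and mail, refuses assertions that lack a persistent identifier or a user contact address, and denies access to identifiers an incident responder has placed on a block list. The issuer and service-provider entity IDs, user names and identifier values are constructed for the demo; the attribute OIDs are the standard eduPerson and inetOrgPerson ones.

```python
"""Added example: gateway-side checks on a SAML attribute assertion for the
federated-identity requirements above (persistent id, contactable user) and
for blocking a compromised identity. Sample assertions are constructed here."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Standard attribute names in urn:oid form, as exchanged in SAML 2.0 federations.
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
TARGETED_ID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"         # mail

# Constructed entity IDs for the demo (assumptions, not real deployments).
IDP = "https://idp.example.edu/idp/shibboleth"
SP = "https://gateway.example.org/shibboleth"


@dataclass(frozen=True)
class FederatedUser:
    issuer: str
    persistent_id: Optional[str]  # "IdP!SP!value" form of eduPersonTargetedID
    eppn: Optional[str]
    email: Optional[str]


def make_assertion(eppn=None, targeted_id=None, mail=None) -> str:
    """Build a constructed SAML 2.0 attribute assertion (demo input only)."""
    attrs = []
    if eppn:
        attrs.append(f'<saml:Attribute Name="{EPPN_OID}">'
                     f'<saml:AttributeValue>{eppn}</saml:AttributeValue></saml:Attribute>')
    if targeted_id:  # eduPersonTargetedID is a NameID inside the AttributeValue
        attrs.append(f'<saml:Attribute Name="{TARGETED_ID_OID}"><saml:AttributeValue>'
                     f'<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
                     f'NameQualifier="{IDP}" SPNameQualifier="{SP}">{targeted_id}</saml:NameID>'
                     '</saml:AttributeValue></saml:Attribute>')
    if mail:
        attrs.append(f'<saml:Attribute Name="{MAIL_OID}">'
                     f'<saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute>')
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_demo">'
            f'<saml:Issuer>{IDP}</saml:Issuer>'
            f'<saml:AttributeStatement>{"".join(attrs)}</saml:AttributeStatement>'
            '</saml:Assertion>')


def _first_value(root: ET.Element, name: str) -> Optional[ET.Element]:
    """First AttributeValue element of the attribute named `name`, if any."""
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            return attr.find("saml:AttributeValue", NS)
    return None


def parse_assertion(xml_text: str) -> FederatedUser:
    """Extract issuer, persistent id, eduPersonPrincipalName and mail.
    Signature validation is assumed to have happened before this point."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()

    def text_of(name: str) -> Optional[str]:
        el = _first_value(root, name)
        return el.text.strip() if el is not None and el.text and el.text.strip() else None

    # eduPersonTargetedID is only meaningful with its IdP and SP qualifiers,
    # so all three parts go into the key used for block lists.
    persistent = None
    el = _first_value(root, TARGETED_ID_OID)
    if el is not None:
        nameid = el.find("saml:NameID", NS)
        if nameid is not None and nameid.text and nameid.text.strip():
            persistent = "!".join([nameid.get("NameQualifier", issuer),
                                   nameid.get("SPNameQualifier", ""),
                                   nameid.text.strip()])
    return FederatedUser(issuer, persistent, text_of(EPPN_OID), text_of(MAIL_OID))


def missing_requirements(user: FederatedUser) -> List[str]:
    """The TG requirements the assertion fails to satisfy (empty list = all met)."""
    missing = []
    if not user.issuer:
        missing.append("identity provider (Issuer)")
    if not user.persistent_id:
        missing.append("persistent user identifier")
    if not user.email:
        missing.append("user email address")
    return missing


def access_decision(xml_text: str, blocked: Set[str]) -> Tuple[str, str]:
    """Return ('allow'|'deny', reason). `blocked` holds persistent ids that
    incident response has disabled pending re-credentialing."""
    user = parse_assertion(xml_text)
    missing = missing_requirements(user)
    if missing:
        return ("deny", "missing: " + ", ".join(missing))
    if user.persistent_id in blocked:
        return ("deny", "persistent identifier is blocked")
    return ("allow", user.eppn or user.persistent_id)


if __name__ == "__main__":
    good = make_assertion("alice@example.edu", "Ab12Cd34", "alice@example.edu")
    print(access_decision(good, set()))
    print(access_decision(good, {parse_assertion(good).persistent_id}))
    print(access_decision(make_assertion(eppn="bob@example.edu", targeted_id="Zz99"), set()))
```

Blocking on the qualified eduPersonTargetedID rather than on eduPersonPrincipalName is deliberate: the targeted identifier is opaque and stable for this SP, while a principal name can be reassigned or changed by the home institution, which is exactly the ambiguity the last slide raises.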