David Groep, Nikhef Amsterdam, PDP & Grid: Ensuring Availability. Security, Protection, Trust: walking the line between paranoia and laisser-faire in a highly connected world

Presentation transcript:

Ensuring Availability. Security, Protection, Trust: walking the line between paranoia and laisser-faire in a highly connected world


‘De wereld draait door’ (VARA, 8 December 2010)

Distributed Denial of Service (DDoS)


Just a note: these were ‘white hat’ challenges performed as part of controlled network validation and scaling tests, so do not try this yourself!

Stoomboot: data retrieval rate (chart). AWS price comparison: 1.6 MUS$ setup, TB/month

Compute-to-data traffic, NDPF/Grid (chart). BiG Grid: network utilisation at the central Nikhef

The Netherlands Tier 1 for wLCG is a service by BiG Grid, the Dutch e-Science Grid.

372 sites globally; 10–40 Gbps network; CPU cores; TByte storage. Data source: gSTAT, December 2010. Image source: wLCG.

Security and Availability
Need to stand up to analysis load
◦ Analysis is a denial-of-service attack!
◦ high-bandwidth infrastructure needed
◦ even then only sustainable with the ‘right’ access pattern
... but for the rest of the world, we are a potential threat when abused
◦ the cluster and network have monetary value in and of themselves
◦ infected systems are typically used in criminal contexts

Price in US$ per 1000 bots per hour on an ADSL link (chart). For comparison, the 3-year reserved discounted AWS rate, only compute, not even storage: setup 2.3 MUS$ (every 3 years), monthly 202 kUS$.

We need to secure our resources: allow you, the ‘right people’, in whilst keeping out the ‘bad guys’. This is about both security and availability.

“Firewall” by Sandy Smith


... keeping out the ‘bad guys’
Site Access Control: software development, white and blacklists, grid-aware security, vulnerability assessment
CSIRT: incident response, monitoring & forensics, communications, security exercises (2009 and 2010 compared)
Sven Gabriel: Security Service Challenges, LCG T1’s CSIRT response scores (chart)

... the ‘right people’, ...

Before the Grid...


Grid Identity and Community

Graphic: Open Grid Services Architecture, © Global Grid Forum 2005, GFD.30

‘But we know who we are – we’re us!’ ... allow you, ...: simple computer identities depend on the system involved, but for the grid we need a global identity.

Your Global Identity
Authentication: each person has a globally unique name, forever persistent, traceable to a real person
Authorization: based on the unique AuthN ID, grants or denies access; VO & site are jointly responsible for security
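As an added worked example (not code from the presentation, nor from Nikhef or BiG Grid), the following Python sketches how the two halves of this slide, together with the ‘white and blacklists’ of the Site Access Control slide, fit together in a site’s authorization step: the authenticated subject name from the certificate is the persistent key, VO attributes (VOMS FQANs) drive the access grant and the pool-account mapping, and a CSIRT ban list overrides both. The DNs, VO names, roles and account names are constructed for illustration, and the mapping shape is modelled loosely on a grid-mapfile, not on any real site’s configuration.

```python
"""Grid site access control: authentication identity vs. authorization decision.

Added worked example (not code from the presentation or from Nikhef/BiG Grid).
The DNs, VO names and account names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Site ban list maintained by the CSIRT (constructed sample entry).
BANNED_DNS = {
    "/DC=org/DC=example/O=users/CN=Mallory Cracked 42",
}

# VO -> role -> local pool account, in the spirit of a grid-mapfile policy:
# the VO asserts membership and role, the site decides what that is worth.
# A None key is the mapping for plain members without a mapped role.
VO_MAPPING: Dict[str, Dict[Optional[str], str]] = {
    "atlas": {"production": "atlasprd", None: "atlas"},
    "lhcb": {None: "lhcb"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    local_account: Optional[str] = None


def normalize_dn(dn: str) -> str:
    """Canonicalise an OpenSSL-style '/RDN/RDN' subject so that the same
    persistent global name always compares equal (stray whitespace dropped)."""
    parts = [p.strip() for p in dn.split("/") if p.strip()]
    return "/" + "/".join(parts)


def parse_fqan(fqan: str) -> Tuple[str, Optional[str]]:
    """Split a VOMS FQAN such as '/atlas/Role=production/Capability=NULL'
    into (vo, role); 'Role=NULL' or a missing role yields None."""
    segments = [s for s in fqan.split("/") if s]
    if not segments:
        raise ValueError("empty FQAN")
    vo = segments[0]
    role: Optional[str] = None
    for seg in segments[1:]:
        if seg.startswith("Role="):
            value = seg[len("Role="):]
            if value and value != "NULL":
                role = value
    return vo, role


def authorize(dn: str, fqans: List[str]) -> Decision:
    """Authentication has already happened (the DN comes from a certificate
    chained to a trusted IGTF anchor); this function only decides access."""
    subject = normalize_dn(dn)
    # 1. Incident handling wins: a CSIRT ban overrides any VO membership.
    if subject in BANNED_DNS:
        return Decision(False, "subject banned by site CSIRT")
    # 2. Attribute-based authorization: the first supported VO attribute decides.
    for fqan in fqans:
        vo, role = parse_fqan(fqan)
        roles = VO_MAPPING.get(vo)
        if roles is None:
            continue  # this site does not support that VO
        if role in roles:
            return Decision(True, f"VO {vo}, role {role or 'member'}", roles[role])
        if None in roles:
            return Decision(True, f"VO {vo} member (role {role} not mapped here)", roles[None])
    return Decision(False, "no supported VO membership")


if __name__ == "__main__":
    # Constructed requests: a production user, a banned subject, an unsupported VO.
    for who, attrs in [
        ("/DC=org/DC=example/O=users/CN=Alice Researcher 1234", ["/atlas/Role=production/Capability=NULL"]),
        (" /DC=org/DC=example/O=users/CN=Mallory Cracked 42 ", ["/atlas"]),
        ("/DC=org/DC=example/O=users/CN=Bob Visitor 7", ["/cms"]),
    ]:
        d = authorize(who, attrs)
        print(f"{who.strip():55s} -> {'ALLOW' if d.allowed else 'DENY':5s} {d.local_account or '-':9s} {d.reason}")
```

The order of the checks is the point: the ban list is consulted before any VO attribute is looked at, so a compromised identity stays locked out of the site even while its VO membership is still valid, and the site, not the VO, owns the final decision.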


Wherever you are... IGTF! International Grid Trust Federation – EUGridPMA

Federated Identity – we no longer run alone! The grid structure was not too different. Single sign-on across academia and research is the no. 1 ICT request from the ESFRI projects.

Web-SSO federations have matured: HR and ICT processes aligned; integration of the ‘high-value grid’ & web federation now becomes reality... and we keep running...
Federation peers rely on and trust home institutes to manage their users. Trust has become global: accounts get high, global value.

SSO for everything!

SSO for You
Access to new federated services: the same login for most services
◦ Desktops and login.nikhef.nl
◦ and spam filter settings
◦ Instant Grid certificates and access to wLCG
◦ Elsevier – Science Direct
◦ ... Windows and more web applications planned as well
New applications require better controls
◦ account registration and expiration requirements, needed to keep our infra secure and remain trustworthy for our global federation partners


Your Certificate in 5 Clicks... and in 120 Seconds. For the longer-term future, we are working on completely hiding this...

Security & Availability Take-Away
Yes: unfortunately, security is needed
Yes: we are an interesting target... and we strive to become even more so
We support development of security software and processes, aiming at user friendliness while still remaining effective
Allow you, the ‘right people’, in whilst keeping out the ‘bad guys’

Image: MasterJM, taken at Uni Bielefeld, DE, found at: