9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.

Slides:

Advertisements

Similar presentations

Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk.

Advertisements

What you need to know Security Awareness for the OSG D. Petravick OSG Security Officer March, 2007.

OSG Computer Security Plans Irwin Gaines and Don Petravick 17-May-2006.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

Information Security Policies and Standards

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Security Guide for Interconnecting Information Technology Systems

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

Open Science Ruth Pordes Fermilab, July 17th 2006 What is OSG Where Networking fits Middleware Security Networking & OSG Outline.

Jim Reavis, Executive Director Cloud Security Alliance November 22, 2010 Developing a Baseline On Cloud Security.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.

GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Blueprint Meeting Notes Feb 20, Feb 17, 2009 Authentication Infrastrusture Federation = {Institutes} U {CA} where both entities can be empty TODO1:

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.

Engineering Essential Characteristics Security Engineering Process Overview.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

Working with HIT Systems

Mine Altunay July 30, 2007 Security and Privacy in OSG.

LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 November 2007.

Ruth Pordes November 2004TeraGrid GIG Site Review1 TeraGrid and Open Science Grid Ruth Pordes, Fermilab representing the Open Science.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Open Science Grid & its Security Technical Group ESCC22 Jul 2004 Bob Cowles

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.

Status Organization Overview of Program of Work Education, Training It’s the People who make it happen & make it Work.

A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013.

NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Operations Activity Doug Olson, LBNL Co-chair OSG Operations OSG Council Meeting 3 May 2005, Madison, WI.

Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.

WLCG Laura Perini1 EGI Operation Scenarios Introduction to panel discussion.

Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL

June 6, 2006OSG - Draft VO AUP1 Open Science Grid Trust as a Foundation June 6, 2006 Keith Chadwick.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI SPG future work EGI Technical Forum Lyon, 21 Sep 2011 David Kelsey, STFC/RAL.

EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.

EGEE ARM-2 – 5 Oct LCG/EGEE Security Coordination Ian Neilson Grid Deployment Group CERN.

JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.

IS3220 Information Technology Infrastructure Security

LCG User, Site & VO Registration in EGEE/LCG Bob Cowles OSG Technical Meeting Dec 15-17, 2004 UCSD.

HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Open Science Grid Security Activities D. Olson, LBNL OSG Deputy Security Officer For the OSG Security Team: M. Altunay, FNAL, OSG Security Officer, D.O.,

Grid Deployment Technical Working Groups: Middleware selection AAA,security Resource scheduling Operations User Support GDB Grid Deployment Resource planning,

By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

New OSG Virtual Organization Security Training OSG Security Team.

1 Open Science Grid Progress & Vision Keith Chadwick, Fermilab

15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK

SCI & Sirtfi David Kelsey (STFC-RAL) EGI Conference, Lisbon 19 May 2015.

Bob Jones EGEE Technical Director

OSG Security Kevin Hill.

Open Science Grid Consortium Meeting

JRA3 Introduction Åke Edlund EGEE Security Head

Monitoring and Information Services Technical Group Report

Information Technology Sector

LCG Security Status and Issues

Ian Bird GDB Meeting CERN 9 September 2003

David Kelsey STFC-RAL 2nd WISE workshop, XSEDE16, Miami 18 July 2016

OSG Computer Security Plans

Open Science Grid: What is New?

Input on Sustainability

D. Petravick Fermilab/OSG security officer March 8, 2006

Open Science Grid at Condor Week

Managing IT Risk in a digital Transformation AGE

Presentation transcript:

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain Roy, Vikram Andem EGEE06 Sept 25, 2006

9/25/08DLP2 Background OSG Project now funded by DOE and NSF as a national production level distributed facility. Moves on from the Grid3-Trillium era as being a relied upon, sustained infrastructure. As a contributor to the WLCG OSG must satisfy the security requirements of the LHC. OSG Security is building on prior work of Trillium collaborating with EDG, EGEE, WLCG.

9/25/08DLP3 Illustrative example User VO Site Jobs VO infra. Data Storage CECE W WW WWW WW W WW W W W W I trust it is the VO (or agent) I trust it is the user I trust it is the user’s job I trust the job is for the VO

9/25/08DLP4 OSG Site-VO Interoperation Perceived Risk Actual Risk? Implement controls OperateOperate n y Perceived Risk Actual Risk? Implement controls n VO OperateOperate y Site

9/25/08DLP5 Risk based view of the world Organizations implement controls over their activities so as to obtain acceptable residual risk. Organizations: Sites, VOs and Grids. –Each has a security process lifecycle. –Satisfaction jointly and severally. Each organization is captain of its own ship. –However, constrained to interoperate. Standards (e.g. OSG AUP’s) aid interoperation. OSG will accept agreements from small VOs and work with them as their security agent..

9/25/08DLP6 Two Broad Documents in the NIST pattern. Risk Assessment –Analyzes threats and vulnerabilities With mitigation in 13 control clusters To see if the residual risk is acceptable. Security Plan –Explains each control cluster. –Establishes tests of effectiveness.

9/25/08DLP7 (Imagined) Security Assessment –Do you have focus? Have you written down what is important and what is not (Risk Assessment) –Have you written down your Policies? –Do you have plan? Do you know it is working? (Security Plan)

9/25/08DLP8 RA(1) Threats to OSG Careless or uninformed authorized person Squatter Vandals Thief Malware Author Spy Alarmist

9/25/08DLP9 RA(2)Vulnerabilities Reliance on Third Parties. –This is a “whopper”. Improper (core person/user) Actions Remote Access. Exploits latent in Vulnerable Software.

9/25/08DLP10 RA(3)Impact Impact to be consistent with LCG T2 requirements (among others) The goal is to get to LOW –Occurrence -- Less than 5x/year –Perception … OSG can be Relied on. –No single occurrence disrupts … all. Then there are medium and high, but the point of the analysis is to get to low. How do you get to low? Controls.

9/25/08DLP11 SP(1)Controls Written as if all are in place. Management –Integrated Sec Mgt; Sec processes; Trust Relationships & Agreements Operational –Awareness; Response; Data Integrity; Config Management; Vul. ID; Physical Technical –Monitoring; Scanning; Control of people

9/25/08DLP12 SP(2)Draft Cluster -- Vul. Mgt. General Vulnerability Reporting Primary Vulnerability Reporting Secondary Vulnerability Awareness Vulnerability Mitigation Vulnerability Communication Vulnerability Awareness

9/25/08DLP13 (SP3)DRAFT Primary Vulnerability Reporting Plan: … entities operating a service or running a process for the OSG have primary responsibility for identifying vulnerabilities. … requires services and processes to report vulnerabilities inconsistent with acceptable risk to the OSG. to the OSG security officer. Acceptable risk is defined in the OSG Risk Assessment. Evaluation This control is evaluated annually by an inspection of the vulnerabilities logs –Comparing the primary reports to reports from the secondary chain. –Comparing the primary reports to vulnerabilities exploited in incidents.

9/25/08DLP14 Summary Security interoperation is required for grid interoperation. –Without work, interoperation is n**2 agreements. –Each organization must satisfy its self-identified security needs. –Common policies (such as the user AUP) speed up the n**2 process. –In the OSG, VO’s with heavy infrastructure seem to face diligence approximately equal to a site. –We are hear to learn about EGEE. –One way forward which may provide maximum interoperation and scaling seems to be to agree on Control Clusters, and then drill down. OSG has begun writing plans in a structure based on an understanding of NIST. OSG is working with the Site and VO Managers to clarify and collaborate on Security matters (as well as with EGEE and TeraGrid).