Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Slides:

Advertisements

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Advertisements

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Database Administration and Security Transparencies 1.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Security Controls – What Works

Information Security Policies and Standards

The State of Security Management By Jim Reavis January 2003.

System and Network Security Practices COEN 351 E-Commerce Security.

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

Computer Security: Principles and Practice

Controls for Information Security

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

No one questions that Microsoft can write great software. Customers want to know if we can be innovative, scalable, reliable in the cloud. (1996) 450M+

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Agenda Do You Need to Be Concerned? Information Risk at Nationwide

Information Security Update CTC 18 March 2015 Julianne Tolson.

1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.

GGF Fall 2004 Brussels, Belgium September 20th, 2004 James Marsteller Pittsburgh Supercomptuing Center

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

Operating Systems Security Chapter Seven Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc

Federated Environments and Incident Response: The Worst of Both Worlds? A TeraGrid Perspective Jim Basney Senior Research Scientist National Center for.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Office of Campus Information Security Driving a Security Architecture by Assessing Risk Stefan Wahe Sr. Information Security Analyst.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

Engineering Essential Characteristics Security Engineering Process Overview.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Chapter 2 Securing Network Server and User Workstations.

Ruth Pordes November 2004TeraGrid GIG Site Review1 TeraGrid and Open Science Grid Ruth Pordes, Fermilab representing the Open Science.

Information Systems, Security, and e-Commerce* ACCT7320, Controllership C. Bailey *Ch in Controllership : The Work of the Managerial Accountant,

Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Challenges of Federated Authentication to TeraGrid and Open Science Grid Jim Basney

IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.

IS3220 Information Technology Infrastructure Security

Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.

1 I ntegrated S ite S ecurity for G rids © Members of the ISSeG Collaboration, EU-FP6 Project ISS e G Integrated Site Security for.

By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

Security Bob Cowles

Contingency Management Indiana University of Pennsylvania John P. Draganosky.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

Critical Security Controls

Design for Security Pepper.

Federated Environments and Incident Response: The Worst of Both Worlds

Albeado - Enabling Smart Energy

Session 1 – Introduction to Information Security

Presentation transcript:

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the National Science Foundation under grant numbers and

Science Gateway Security Concerns Confidentiality of pre-publication research data Integrity of research results Availability of services Provide trustworthy service to researchers Maintain trust of resource providers Use resources in compliance with policies Each science gateway is unique Assess risks to determine appropriate mitigations Risk = Likelihood x Impact sciencegatewaysecurity.org | trustedci.org

Science Gateway Risk Factors small, closely-knit user community public data (sky survey data) internal resources focused functionality large, distributed, open user community sensitive data (personal health info) external resources wide range of user capabilities sciencegatewaysecurity.org | trustedci.org less riskmore risk

Science Gateways and Resource Providers Deployment models include: Dedicated: Resources managed by science gateway Science Gateway sets its own policies Example: Rosetta Online Server That Includes Everyone (ROSIE) Transparent: Providing a new interface to existing resources Users have accounts on existing resources Example: TeraGrid Visualization Gateway Tiered: Science Gateway manages resource allocation Science Gateway manages its own users Using community account / robot certificate at resource provider May send per-user attributes to resource providers Examples: CIPRES, GENIUS sciencegatewaysecurity.org | trustedci.org

TeraGrid Science Gateway AAAA Model (2005) sciencegatewaysecurity.org | trustedci.org

Existing Security Recommendations Virtual Organization Portal Policy (EGI-InSPIRE SPG, 2010) Securing Science Gateways (Hazlewood and Woitaszek, 2011) sciencegatewaysecurity.org | trustedci.org

VO Portal Policy (EGI-InSPIRE SPG, 2010) sciencegatewaysecurity.org | trustedci.org General Conditions Limit job submission rate  Audit logging Assist in security incident investigations Securely store passwords, private keys, and user data

TeraGrid: Securing Science Gateways (Hazlewood and Woitaszek, 2011) Recommendations: Per-user accounting Limiting access at resource providers (restricted shell, grid interfaces) Separating per-user data from shared software and data Individual accounts for science gateway developers Short-lived certificates for remote access sciencegatewaysecurity.org | trustedci.org

Science Gateway User Authentication Why authenticate users? Access to external resources Personalization Maintaining state across sessions Accounting / tracking usage How to authenticate users? Outsourced: federated identities, identity as a service Internal: password DB managed by science gateway sciencegatewaysecurity.org | trustedci.org

Federated User Authentication Avoid managing user passwords! SAML: campus identities OpenID/OAuth: public identities Enables two-factor authentication sciencegatewaysecurity.org | trustedci.org

Passwords If your science gateway needs to handle user passwords: Protect passwords from online attack Use HTTPS Block brute-force attacks (e.g., Fail2Ban) Protect passwords from offline attack Store password hashes Use a strong hashing algorithm, with per-password salt Use existing password hashing implementation e.g., PHP password_hash() password-hashing/ sciencegatewaysecurity.org | trustedci.org

Science Gateway Operational Security Prevent (eliminate) threats (when possible) Detect security incidents Respond effectively to security issues Goal: manage risks First Step: Early communication with local security staff Provide security services (monitoring, scanning, logging, etc.) Identify security policies and best practice recommendations tailored to your local environment Establish relationships now in case of security incident later sciencegatewaysecurity.org | trustedci.org

Respond/Recover Detect Prevent Basic Operational Security Checklist Software patching Control admin access Vulnerability scanning Firewalls Physical security File integrity checking Intrusion detection Log monitoring Centralized logging Secure backups sciencegatewaysecurity.org | trustedci.org

Continuous Software Assurance The Software Assurance Market Place (SWAMP) is a DHS S&T sponsored open facility to become operational in January It is driven by the goal to expand the adoption of software assurance (SwA) by software developers. The SWAMP will enable you to: Identify new (possible) defects in your software every time you commit a change Identify new (possible) defects in a software/library/module you are using every time a new version is released Track the SwA practices of your project While protecting your privacy and the confidentiality of your data.

Science Gateway Security: Community Resources sciencegatewaysecurity.org | trustedci.org