© IT Innovation Centre, 2002 Grid Security Overview Mike Surridge, IT Innovation Centre Grid Security Workshop, NESC, 05-06.

Slides:

Advertisements

Similar presentations

Introduction of Grid Security

Advertisements

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Lecture 23 Internet Authentication Applications

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Grid Security. Typical Grid Scenario Users Resources.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Security Controls – What Works

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

Chapter 12 Network Security.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.

Comb-e-Chem PKI Mike Surridge, Steve Taylor IT Innovation.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

(Geneva, Switzerland, September 2014)

Computer Security: Principles and Practice

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Storage Security and Management: Security Framework

© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.

Aspects of application security Jens Jensen, STFC 3 rd T&S workshop, NeSC July 2008.

General Key Management Guidance. Key Management Policy  Governs the lifecycle for the keying material  Hope to minimize additional required documentation.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Orphaned Servers and Broken Processes 2007 Security Professionals Conference April 12, 2007.

INFSO-RI Enabling Grids for E-sciencE Getting Started Guy Warner NeSC Training Team Induction to Grid Computing and the National.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

August Mr. Mike Finley, CISSP Senior Security Engineer Computer Science Corporation.

E-Science Projects and Security M. Angela Sasse & Mike Surridge.

Project co-funded by the European Commission within the 7th Framework Program (Grant Agreement No ) Business Convergence WS#2 Smart Grid Technologies.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Engineering Essential Characteristics Security Engineering Process Overview.

Supporting further and higher education The Akenti Authorisation System Alan Robiette, JISC Development Group.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.

Supporting education and research Security and Authentication for the Grid Alan Robiette, JISC Development Group.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

HEPSYSMAN UCL, 26 Nov 2002Jens G Jensen, CLRC/RAL UK e-Science Certification Authority Status and Deployment.

Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

IT Security Policies and Campus Networks The dilemma of translating good security policies to practical campus networking Sara McAneney IT Security Officer.

INSA LYON1 Security Policy Configuration Issues in Grid Computing Environments George Angelis, Stefanos Gritzalis, and Costas Lambrinoudakis Presentation.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.

Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK

High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

Technology Services – National Institute of Standards and Technology Conformity Assessment ANSI-HSSP Workshop Emergency Communications December 2, 2004.

Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

EGEE-II INFSO-RI Enabling Grids for E-sciencE Authentication, Authorisation and Security Emidio Giorgio INFN Catania.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK

LCG Security Status and Issues

The Privacy Cycle A Five-Step Process to Improve Your Privacy Culture

David Kelsey (STFC-RAL)

Intrusion Detection system

Introduction to the PACS Security

Presentation transcript:

© IT Innovation Centre, 2002 Grid Security Overview Mike Surridge, IT Innovation Centre Grid Security Workshop, NESC, Dec 2002

© IT Innovation Centre, 2002 Overview IntroductionsIntroductions The Grid Security ProblemThe Grid Security Problem –as seen by a Comb-e-Chem chemists... –motivation for the Rough Guide report Risks and issuesRisks and issues –what could go wrong with our Grid security –lots of questions – our job is to find answers Issues for discussionIssues for discussion COMMERCIAL IN CONFIDENCE

© IT Innovation Centre, 2002 IT Innovation The IT Innovation Centre is an autonomous research centre, alongside the research groups and industrial units of the Department of Electronics and Computer Science at the University of SouthamptonThe IT Innovation Centre is an autonomous research centre, alongside the research groups and industrial units of the Department of Electronics and Computer Science at the University of Southampton We deliver strategies, road maps, proofs-of-concept, demonstrators and novel operational systemsWe deliver strategies, road maps, proofs-of-concept, demonstrators and novel operational systems Our innovation capabilities are in the best traditions of Southampton's outstanding record of technological R&DOur innovation capabilities are in the best traditions of Southampton's outstanding record of technological R&D We have broken new ground in making these capabilities available through a dedicated off-campus Centre with a professional service cultureWe have broken new ground in making these capabilities available through a dedicated off-campus Centre with a professional service culture

© IT Innovation Centre, 2002 A Culture Gap (A Chemist’s View of Grid Security) Provided the user is properly authenticated [and you vouch for them] they can access [Chemistry] kit via the [University] firewall.Provided the user is properly authenticated [and you vouch for them] they can access [Chemistry] kit via the [University] firewall. If they want to use [University] kit, they will need approval from Computing Services.If they want to use [University] kit, they will need approval from Computing Services. If anything bad happens then [you Chemists] are responsible, and are in deep trouble...If anything bad happens then [you Chemists] are responsible, and are in deep trouble...

© IT Innovation Centre, 2002 The Rough Guide Intended to raise awareness of Grid securityIntended to raise awareness of Grid security Aimed atAimed at –project managers and principal investigators –Grid users and application developers –Grid infrastructure developers –computing services and Grid support teams ConclusionsConclusions –operational security is a team effort –everyone needs to be aware of the key issues

© IT Innovation Centre, 2002 Security Best Practice Build security in depth –like a medieval castle! Assume breaches will occur –don’t rely on a single barrier –design for containment Continuous security –intrusion detection methods –security advisories and updates –well-defined operating protocols –review, challenge and audit

© IT Innovation Centre, 2002 Grid Authentication Based on strong public-key encryptionBased on strong public-key encryption –unlikely that a digital signature could be faked But operational factors are important, e.g.But operational factors are important, e.g. –is the CA procedure rigorous enough for you? –are the RAs trained to operate it correctly? –does the certificate profile meet your needs? –could the user’s private key have been lost/stolen? –what if a user’s GSI proxy were hijacked? And...85% of intrusions come from withinAnd...85% of intrusions come from within

© IT Innovation Centre, 2002 Grid PKI User User Resource Resource The CA

© IT Innovation Centre, 2002 Conventional PKI UserUser ResourceResource CA1 CAn

© IT Innovation Centre, 2002 Grid Authorisation Typically done via local account mappingsTypically done via local account mappings –allowing resource owners to retain control Difficult to implement operationallyDifficult to implement operationally –local resource access controls may not exist –local admin teams don’t scale with the size of Grid Can use role-based schemes and CASCan use role-based schemes and CAS –but might CAS be disabled via DoS or spoofing? –should outsiders defined/assigned user roles? –who is responsible for correct role attribution...?

© IT Innovation Centre, 2002 Grid Infrastructure Presumably security loopholes exist(!)Presumably security loopholes exist(!) –e.g buffer overflow vulnerabilities Security advisory/updates (Jun-Nov’02):Security advisory/updates (Jun-Nov’02): –Apache: 5 updates –Sendmail/Fetchmail: 2 updates –OpenSSH/OpenSSL: 4 updates –DNS: 2 updates What about our Grid softwareWhat about our Grid software –who can provide security updates rapidly? –how can they be distributed rapidly? –who will apply them?

© IT Innovation Centre, 2002 Grid Applications Security depends on application developersSecurity depends on application developers –need awareness of classic vulnerabilities Uploaded user applicationsUploaded user applications –practically uncontainable if malicious... –users (and their code) must be 100% trustworthy Legacy applicationsLegacy applications –not designed for secure remote operation –may be full of shell escapes and system calls Commercial applicationsCommercial applications –eg. Finite Element codes with VB interpreters!

© IT Innovation Centre, 2002 Damn Those Pesky Firewalls

© IT Innovation Centre, 2002 Firewall Management Issues

© IT Innovation Centre, 2002 Firewall Management Issues

© IT Innovation Centre, 2002 Firewalls and Containment

© IT Innovation Centre, 2002 Intrusion Response Containment within and between Grid sitesContainment within and between Grid sites –firewalls, sandboxes, etc Detection using standard tools (Tripwire, etc)Detection using standard tools (Tripwire, etc) –what if a Grid account is compromised at another site? –how might we detect this? –can we assume all sites are equally vigilant? Coherent intrusion response between sitesCoherent intrusion response between sites –need for consistent (and realistic) usage policies? –do we need multi-site project response plans? –do we need a UK E-Science/Grid CERT?

© IT Innovation Centre, 2002 A Chemist’s Checklist Risk assessment and managementRisk assessment and management –with computing services involvement and support –what are the critical resources and risks? Technology choicesTechnology choices –taking account of advisory services, etc –backed up by sufficient training? Consistent operation and usage policiesConsistent operation and usage policies –including firewalls, intrusion detection, sanctions, response plans,... User training and awarenessUser training and awareness Continuous reviewContinuous review

© IT Innovation Centre, 2002 Summary Grid technology: pretty good but not well testedGrid technology: pretty good but not well tested –need for multiple PKI and/or CA? –need for operable authorisation mechanisms? –need for coherent intrusion containment/detection strategy? Operational issues just as importantOperational issues just as important –risk assessment and asset management/protection? –need for advisories and updates? –need for coherent intrusion responses or CERT? People must be the key to successPeople must be the key to success –need for awareness raising and training? –how to get buy-in from sys/net admin teams? –how to address human factors?