Grid Security in EGEE/LCG ISGC 2005, Taipei, Taiwan 29 April 2005 David Kelsey CCLRC/RAL, UK

29-Apr-05 David Kelsey, Grid Security, ISGC

Introduction
The Grid aim
– Easy and open sharing of resources
However
– Highly distributed resources and communities
– Independent administrative domains
The Internet today
– An increasingly hostile environment
– Growing need for firewalls and other controls
Therefore need to convince
– Computer Centres to allow Grid services
– Developers & Users to take security seriously
Grid functionality versus Security
– A major challenge!

Outline
These slides are available at
Security requirements
– Security groups & requirements in EGEE
The Grid Security model
Authentication
Authorization & VO Management
Security Policy & Procedures
Operational Security
– Security Service Challenges
Future plans
Final words

Security Requirements
Users require
– Open/easy access to cpu and data
– Single Registration (once per VO)
– Single Sign-On (login once per session)
– Not to be bothered by security! But they do need Availability and Data Integrity
Computer Centres/Security Officers require
– Full local control of access to their resources
– Knowledge of User details
– Ability to audit (Who? What? When?)
– Secure middleware, applications and services
– Not to be bothered by security incidents

Enabling Grids for E-sciencE INFSO-RI David Kelsey, Grid Security, ISGC

Security requirements – understanding how input from applications, sites and operations is handled
(Diagram: EGEE activities JRA3 (Security Middleware), JRA1 (Middleware), NA4 (Applications) and SA1 (Operations) around the Middleware Security Group and the Joint Security Policy Group, with "Req." flowing in and "Solutions/Recommendations" flowing out; also shown: CA Coordination, OSG, LCG, OSCT)
"Joint Security Policy Group" defines policy and procedures and inputs requirements to MWSG (for LCG/GDB and EGEE/SA1; cross membership of US OSG Security Team)

The Security Model

The Security Model
Authentication – proof of identity
– GSI: Globus Grid Security Infrastructure (interoperate)
– Single sign-on via X.509 certificates (PKI)
– Delegation (via short-lived proxy certs) to services
Global Authorization – right to access resources
– Virtual Organisation (VO) – e.g. a Biomed experiment
  Maintains list of registered users
  Allocates users to groups and/or roles
  Controls global policy and allocations
Local Authorization – site access control
– Via local (e.g. Unix) mechanisms or
– Callouts to local AuthZ enforcement (Grid developments)
– Grid ACLs – global identity or VO AuthZ attributes
Policy
– Grids (e.g. EGEE, OSG) define security policy
– Many stakeholders also contribute to "policy"

Security Baseline assumptions
Be Modular and Agnostic
– Allow for new functionality to be included as an afterthought
– Don't settle on particular technologies needlessly
Be Standard
– Interoperate (GGF, WS-I, OSG, …)
– Don't roll our own, to the extent possible
Be Distributed and Scalable
– "Central services are evil"
– Always retain local control
Slide from Olle Mulmo – EGEE-3 Athens 19 April 2005

Baseline assumptions
VOs self-govern the resources made available to them
– Yet try to minimize VO management!
– Use AuthN to tie policy to individuals/resources
An open-ended system
– No central point of control
– Can't tell where the Grid ends
Best-effort solutions
– rather than "appropriate" solutions
Slide from Olle Mulmo – EGEE-3 Athens 19 April 2005

Security Policy
(Graphics from Globus Alliance & GGF OGSA-WG: policy comes from many stakeholders)

Authentication

Authentication
Keep Authentication and Authorization separate
– Authentication best done at Institute level
– Authorization best done at VO level
Provide the User with one (Grid) electronic identity
– For use in many Grid projects or VOs
– For user convenience
Have successfully built a global PKI (X.509)
– Mutual Authentication of people and services
What is the most appropriate scale?
– One CA per country/region (ideally for all eScience)
EU Grid PMA has coordinated the (global) CAs
– "minimum requirements" for accredited CAs
Now three worldwide PMAs for Authentication
– Asia/Pacific, The Americas and EU
– International Grid Federation coordinates these
Federation agreement aimed for GGF in June 2005

EU Grid PMA CAs
EU Grid PMA CAs: Austria, Belgium, CERN, Cyprus, Czech Republic, Estonia, France, Germany, Greece, Hungary, Ireland, Italy, Nordic countries, Poland, Portugal, Slovakia, Slovenia, Spain, Switzerland, The Netherlands, UK
Other Accredited CAs: DoEGrids (USA), GridCanada, ASCCG (Taiwan), ArmeSFO (Armenia), Russia, Israel, Pakistan
"Catch-all" CAs operated by: CNRS (for EGEE), US DoE (for LCG), SEE-GRID (for SE Europe)
Under consideration: Baltic Grid, Bulgaria, China – IHEP
TERENA TACAR repository (for root certificates)

Authorization and VO Management

Authorization & VO Management
In EGEE gLite Release 1
Global AuthZ (VOMS)
– Virtual Organization Membership Service
  VO members, their groups and roles
  Provides digitally signed AuthZ "attributes"
– Included in the grid proxy certificate
Local AuthZ
– Local Centre Authorization Service (LCAS)
  A framework to handle local policy (e.g. banned users)
– Local Credential Mapping (LCMAPS)
  Provides local credentials (Kerberos/AFS, ldap nss…)
Local policy decisions (CE and SE)
– Can decide and enforce policy on VOMS attributes
n.b. LCAS/LCMAPS is just one local AuthZ service

AuthZ – VOMS & LCAS
(Diagram. Actors: user, VO-VOMS, CA, service. Credentials and lifetimes: user cert (long life), host cert (long life), service cert (short life), authz cert (short life), proxy cert (short life). Operations: registration (low frequency), voms-proxy-init (high frequency, yielding authentication & authorization info), crl update, LCAS at the service.)
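A toy implementation of the VOMS → LCAS → LCMAPS decision chain described on the two slides above, added here as an example and not part of the original presentation or of gLite: the DNs, FQAN strings, banned-user list, supported VOs and mapping rules are constructed; only the FQAN layout (/VO/group/Role=...) and the Role=NULL convention follow VOMS.

```python
"""Toy VOMS -> LCAS -> LCMAPS authorization chain as sketched on these slides.
Constructed illustration, not gLite code: DNs, FQANs, ban list and rules are made up."""
from collections import namedtuple

# Site-side view of an authenticated VOMS proxy: user DN, signed FQANs, proxy seconds left.
ProxyCredential = namedtuple("ProxyCredential", "subject_dn fqans remaining_seconds")

def parse_fqan(fqan):
    """Split an FQAN such as /biomed/Role=production into (vo, group, role)."""
    role, groups = None, []
    for part in (p for p in fqan.split("/") if p):
        if part.startswith("Role="):
            role = None if part == "Role=NULL" else part[len("Role="):]
        elif not part.startswith("Capability="):
            groups.append(part)
    if not groups:
        raise ValueError("FQAN carries no VO: %r" % fqan)
    return groups[0], "/" + "/".join(groups), role

# LCAS-style site policy: the site keeps full local control over access.
BANNED_DNS = {"/C=XX/O=Example/CN=Banned User"}
SUPPORTED_VOS = {"biomed", "atlas"}

def lcas_decision(cred):
    """Return (allowed, reason); site policy is applied before any VO attribute."""
    if cred.remaining_seconds <= 0:
        return False, "proxy expired"
    if cred.subject_dn in BANNED_DNS:
        return False, "banned user"
    if not {parse_fqan(f)[0] for f in cred.fqans} & SUPPORTED_VOS:
        return False, "no supported VO"
    return True, "ok"

# LCMAPS-style rules, most specific first: FQAN prefix -> (local account, uid).
MAPPING_RULES = [
    ("/biomed/Role=production", ("biomedprd", 5001)),
    ("/biomed", ("biomed001", 5002)),
    ("/atlas", ("atlas001", 5003)),
]

def lcmaps_map(cred):
    """Map the first (primary) FQAN that matches a rule to a local account."""
    for fqan in cred.fqans:
        _, group, role = parse_fqan(fqan)
        key = group + ("/Role=%s" % role if role else "")
        for rule, local in MAPPING_RULES:
            if key == rule or key.startswith(rule + "/"):
                return local
    return None

def authorize(cred):
    # Full chain: LCAS policy decision first, then LCMAPS credential mapping.
    allowed, reason = lcas_decision(cred)
    local = lcmaps_map(cred) if allowed else None
    return (local, "mapped") if local else (None, "no mapping rule" if allowed else reason)
```

Note that the ban check and the proxy lifetime check run before any VO attribute is consulted, which is the "full local control" the site requirements slide asks for.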

Security Policy

EGEE/LCG Security Policy
During 2003/04, the LCG project agreed a first version of its Security Policy
– Written by the Joint Security Policy Group
– Approved by the Grid Deployment Board
A single common policy for the whole project
– But does not override local policies
An important step forward for a production Grid
The policy
– Defines Attitude of the project towards security and availability
– Gives Authority for defined actions
– Puts Responsibilities on individuals and bodies
Now being used by EGEE and (some) national Grids

EGEE/LCG Security Policy (2)
(Picture from Ian Neilson: the set of policy documents)
– Security & Availability Policy
– User AUP
– VO AUP
– Certification Authorities
– Audit Requirements
– Incident Response
– User Registration & VO Management
– Application Development & Network Admin Guide
Under Revision

Operational Security and Security Service Challenges

EGEE3 Athens 21 April

Operational Security
After LCG Workshop and EGEE2
– Practical information for sys admins
– System monitoring tools
– Incident response
– Security Service Challenge
– EGEE Operational Security Coordination Team
Slide from Ian Neilson – EGEE-3 Athens 19 April 2005

Operational Security Coordination
Security Service Challenges – Objectives
a) Evaluate the effectiveness of current procedures by simulating a small and well defined set of security incidents.
b) Use the experiences of a) in an iterative fashion (during the challenges) to update procedures.
c) Formalise the understanding gained in a) & b) in updated incident response procedures.
d) Provide feedback to middleware development and testing activities to inform the process of building security test components.
Slide from Pal Anderssen – EGEE-3 Athens 21 April 2005

Future Plans

Future plans – Authentication
Many concerns about user-managed credentials
– Too complex and too insecure
Several solutions to be considered
– Smart Cards
– Credential Repositories (e.g. MyProxy)
  Long-term credentials never held by user
– Site Integrated Proxy Services (SIPS), e.g. Kerberos CA
Better certificate revocation technologies
– E.g. OCSP

Future plans (2)
Other foreseen EGEE security developments include
– Logging and Auditing
– Authorization
  Local policy decisions and enforcement
  Standards based (OGSA-AuthZ)
– Delegation
– Data Key management (privacy & confidentiality)
– Isolation and Sandboxing
– Dynamic Connectivity (Site Proxy)
See EGEE Global Security Architecture and EGEE Site Access Control Architecture

Future plans (3)
Security Policy and Procedures
Joint Security Policy Group
– With OSG
– Revise all security policy documents
Aim to make more general (wherever possible)
– e.g. by working on joint documents
– Today, too LCG-specific
Currently working on User AUP and VO AUP
– See Bob Cowles' talk
Security Vulnerability Detection and Reduction
Look for and record known problems
– Middleware and Deployment
– And encourage speedy fixes
Work started in UK GridPP
Now collaborating with EGEE JRA3

Future plans (4)
Operational Security
In Europe, EGEE OSCT will continue the work recently started
Incident Response
– see Bob Cowles' talk on OSG work
– EGEE using same approach
Perform Security Service Challenges
Security Monitoring
Forensic Analysis
Best practice guides

References
– LCG/EGEE Joint Security Policy Group
– EGEE JRA3 (Security)
– Open Science Grid Security
– EU DataGrid Security
– LCG Guide to Application, Middleware and Network Security
– EU Grid PMA (CA coordination)
– TERENA TACAR (CA repository)

Final Words
Much has been achieved over recent years
– Authentication
– Authorization
– Policy and Procedures
– Operational Security
"Keep Security Simple" – or deployers & users will turn it off
But Grid middleware is less mature than Operating Systems
– and see the many security patches for OSs
Security incidents will happen
– Well defined/agreed response procedures are essential
– Grid services/middleware will need frequent security patches
Perhaps this will be the first sign of maturity?