WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012

Overview WLCG Security TEG EGI & GridPP Security Risk Analysis Federated Identity Management 18 Apr 12Security, Kelsey2

WLCG Security TEG –Chaired by Romain Wartel and Steffen Schreiner ~20 active members –Security people, Sites and Experiments –More on mail list, but still not enough Site input List of sub-tasks –Risk Assessment (Romain) –AAI on worker nodes (Steffen) –AAI on storage systems (Maarten Litmaath) –Usability versus security (Von Welch) –Federated Identity (Dave K) 18 Apr 12Security, Kelsey3

WLCG Security Risks Risk Management –key aspect of security Identify assets to be protected Evaluate different threats Prioritise and focus efforts An ongoing process –Needs regular review 18 Apr 12Security, Kelsey4

Security incident & auditing Must understand what happened –To prevent it happening again –To contain its impact –But keep services running Traceability is essential for this –To protect against misused credentials –And keep services running Response commensurate with problem 18 Apr 12Security, Kelsey5

Assets – to be protected 18 Apr 12Security, Kelsey6

Security threats 18 Apr 12Security, Kelsey7

Risk evaluation 18 Apr 12Security, Kelsey8

Risks (1) 18 Apr 12Security, Kelsey9

Risks (2) 18 Apr 12Security, Kelsey10

Mitigation e.g. Misused identities Compromised identities once detected must be blocked and access to resources blocked too –Time is of the essence –A central blocking service is essential –Too many distributed services to rely on local blocking 18 Apr 12Security, Kelsey11

Security on WNs 3 parts –Security of the pilot job –Security of the user jobs –Traceability & accountability 5 requirements –Reduce pilot job credential to minimum –Protect the pilot job –Mutually isolate user jobs –Provide minimal credential for user job –Prove a job’s authenticity and log it before execution 18 Apr 12Security, Kelsey12

Pilots - protecion & isolation Different options –Virtualisation –ID switching (gLExec, sudo) –SELinux –More? (Linux Containers?) Only serious option – in short term –ID switching with gLExec –4 LHC expts (getting) ready for this 18 Apr 12Security, Kelsey13

Beyond short term - WNs Can we develop a more secure proxy/delegation system –Current proxies are too powerful No restrictions –(Often) too long-lived –Not secure – proxy can be exposed –Transfer of user proxy with pilot job does not tie user to the job 18 Apr 12Security, Kelsey14

Security: Storage & data access Data protection issues –Do all types of data need same security? –Confidentiality – data one VO not readable by another VO But data transferred over insecure channels Access traceability (security and performance) Information leakage (e.g. filenames) Accidental commands Malicious attacks –For insiders reduce privs –Require 2 users for bulk delete? 18 Apr 12Security, Kelsey15

Usability vs Security Usability – key factor for security Identified a number of issues –And recommendations Issues for Users –Credential management –Proxy storage on complex systems –Lack of web authentication –Lack of internationlisation 18 Apr 12Security, Kelsey16

Usability – admins/ops Managing revocation Expired hosts and service certs Managing authorisation policies Client AuthZ of services Inconsistent user banning Mixing AuthN and AuthZ e.g. proxy Lack of debugging and forensics Inconsistent proxy implementations X.509 validation overhead 18 Apr 12Security, Kelsey17

Usability – short term Some recommendations Hide X.509 from end users –Easier enrolment via Federated IdM –Use of short-lived credentials Tools for multiple credentials Tools for service credentials Improve revocation Standards for logging Usability evaluation 18 Apr 12Security, Kelsey18

Sec TEG Future work Security model for WNs More on security for storage Usability evaluation Identity Management (see later) 18 Apr 12Security, Kelsey19

EGI & GridPP risk analysis EGI security assessment being completed now (EGI D4.4 refers) – more detailed than WLCG analysis GridPP security milestone –C3.11 Review GridPP Security Risk Assessment (related to EGI D4.4) –August 2012 –Involve whole GridPP security team here! 18 Apr 12Security, Kelsey20

Federated Identity Management Use of a digital identity credential issued by one body (typically home institute) for access to other services Federations – common trust and policy framework –E.g. the UK Access Management Federation For WLCG/GridPP/EGI we already use federated identities in form of X.509 PKI (IGTF) TERENA Cert Service connects national identity federation to a CA for personal certs 18 Apr 12Security, Kelsey21

Federated IdM in HEP But many other services (not just Grid) –E.g. Collaboration tools – Wikis, mail lists, webs, agenda pages, etc. Today CERN has to manage 10s of thousands of users eduroam is one solution (for wireless) What about other services/federations? –Using Shibboleth, OpenID, etc 18 Apr 12Security, Kelsey22

Federated IdM in Research A collaborative effort started in 2011 Involves photon/neutron facilities, social science & humanities, high energy physics, atmospheric science, bioinformatics and fusion energy 3 workshops to date (next one in June 2012) Documenting common requirements, a common vision and recommendations –To research communities, identity federations, funding bodies An important use case for inter-federation 18 Apr 12Security, Kelsey23

WLCG Federated Identity Security TEG just started on this –Very much linked to IdM for Research work Trust is essential –not just technology How to involve IGTF? We need to agree a good HEP pilot project to get some experience 18 Apr 12Security, Kelsey24

More GridPP involvement in the WLCG Security TEG is welcome Questions? Discussion? 18 Apr 12Security, Kelsey25