1 GENI Operational Security GEC4 Stephen Schwab Miami, Florida.

2 Operational Security
GENI Control Frameworks
– Are deploying now, or commencing operations within the next 6 months
– In many cases already operate testbed component managers/aggregate managers
– Will need guidance about how and when to align with GENI operational security concerns
What does it mean for something to be part of GENI?

3 Security Architecture “Major Points”
Explicit Trust
Least Privilege
Revocation
Auditability and Accountability
– All of the above address central security properties of GENI Infrastructure

4 Security Architecture Draft Spiral 1 Action Items list
– Roots of Trust: GENI Control Frameworks with root or CA certificates – adopt a posture to protect private keys
  Generate true self-signed super-root certificates, use them to sign operational root certificates, back up and limit exposure of the super-root private keys. May not be supported yet.
  Alternative is to have a way to replace root or CA certificates – pre-plan for this change-over.
– POCs and operational information
  Who are the system admins/super users?
  Register contact information for primary and alternate POCs with GPO. (Plan for registering/updating contact information when system admins change.)
  Super-users should have non-super-user identities and certificates for exercising GENI or doing regular work.
– Physical and Configuration Audits
  Identify the list of and physical location of security-relevant machines.
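As an added illustration of the roots-of-trust item above (example code, not from the slides or from any GENI control framework), the following POSIX shell script builds the two-tier posture with the openssl CLI: a self-signed super-root signs an operational root, relying parties trust only the super-root, and the operational root is then replaced without changing the trust anchor. Subject names, validity periods and file names are assumptions made for the example.

```shell
# Added example, not from the GEC4 slides: the "roots of trust" posture on
# slide 4. An offline self-signed super-root signs the operational root that
# does day-to-day issuance; relying parties trust only the super-root, so an
# operational root can be replaced without redistributing the trust anchor.
# Subject names, validity periods and file names are illustrative assumptions.
set -eu
WORK=${WORK:-$(mktemp -d)}; cd "$WORK"
# Extension profiles. Operational roots get pathlen:0 so they can issue
# leaves but never further CAs; leaves are explicitly non-CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue NAME ISSUER DAYS EXTFILE: make a key and CSR for NAME and sign it with
# ISSUER's key (ISSUER=self gives a self-signed certificate).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=GENI/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$3" -sha256 \
      -extfile "$4" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days "$3" -sha256 -extfile "$4" -out "$1.crt" 2>/dev/null
  fi
}

# verify_chain LEAF OPROOT: relying-party check with only the super-root as
# trust anchor and the operational root supplied as an untrusted intermediate.
verify_chain() {
  openssl verify -CAfile super-root.crt -untrusted "$2" "$1" >/dev/null 2>&1
}

# 1. Super-root: long-lived, used once per operational root, then locked away.
issue super-root self 7300 root.ext
chmod 400 super-root.key   # stand-in for keeping the key offline
# 2. Operational root signed by the super-root, then a user certificate.
issue op-root-1 super-root 1825 ca.ext
issue alice op-root-1 365 leaf.ext
verify_chain alice.crt op-root-1.crt && echo "alice chains to super-root via op-root-1"

# 3. Pre-planned change-over: a replacement operational root under the same
#    super-root. New leaves verify against the unchanged anchor; alice's old
#    certificate no longer chains once op-root-1 is withdrawn.
issue op-root-2 super-root 1825 ca.ext
issue bob op-root-2 365 leaf.ext
verify_chain bob.crt op-root-2.crt && echo "bob chains to super-root via op-root-2"
verify_chain alice.crt op-root-2.crt || echo "alice does not chain via op-root-2 (expected)"
```

Set WORK to reuse a directory across runs; otherwise each run works in a fresh temporary directory.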

5 Security Architecture Draft Spiral 1 Action Items list
– Source Code reviews
  Have someone other than the developers review the security-relevant code in new control frameworks (should SPARTA staff be tasked to help, within available limits?)
  Not a formal process – slides and a talk on what the security source code does would be adequate.
– Emergency Shutdown procedures
  Not expected to be used, but if the GENI substrate can support a shutdown or kill-switch mechanism, is there someone designated by GPO to grant this privilege to?
  For each cluster: identify whether the cluster control framework or each individual GENI project has “emergency shutdown authority”, and who that individual will be.
– Draft Security Architecture for Review and Comments: groups.geni.net/geni/attachments/wiki/GENISecurity/GENI-SEC-ARCH-0.4.{doc,pdf}

6 User and Site Management
Research User Management
– Document how identities/credentials are assigned for new users
– Maintain a list of users, GENI identities, real-world contact information, privileges/slices/access rights
Site testbed component monitoring
– Plan/tools to monitor local activities
– Coordination with Campus NOC

7 GENI Resource Usage Policy
Are we setting the right usage policy out-of-the-gate?
How should the usage policy be managed to evolve over time?
– Can we gauge the risk of experiment activities each quarter and adjust as GENI grows or adds capabilities?
What sanity checks do we need to see if we are over- or under-estimating the risks?
– To each site/campus
– To the Internet
– To the GENI project’s reputation