Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011.

Slides:



Advertisements
Similar presentations
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Advertisements

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
HEPiX Virtualisation Working Group Status, July 9 th 2010
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group Summary EGI TF David Kelsey 6/28/
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Security Incident Response Trust Framework for Federated Identity (Sir-T-Fi) David Kelsey (STFC-RAL) REFEDS, Indianapolis 26 Oct 2014 and now abbreviated.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
WLCG Security: A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) CHEP2013, Amsterdam 17 Oct 2013.
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
Security Policy Update LCG GDB Prague, 4 Apr 2007 David Kelsey CCLRC/RAL
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
9-Sep-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) CERN, 9 September 2003 David Kelsey CCLRC/RAL, UK
Virtualised Worker Nodes Where are we? What next? Tony Cass GDB /12/12.
LCG/EGEE Security Operations HEPiX, Fall 2004 BNL, 22 October 2004 David Kelsey CCLRC/RAL, UK
15-Dec-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the Joint Security Policy Group) CERN 15 December 2004 David Kelsey CCLRC/RAL,
9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK
Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.
EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Security Coordination Group Dr Linda Cornwall CCLRC (RAL) FP6 Security workshop.
Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) 1 st WISE, Barcelona 20 Oct 2015.
IOTA AP Towards Differentiated Identity Assurance David Groep, Nikhef supported by the Netherlands e-Infrastructure and SURFsara.
A Trust Framework for Security Collaboration among Infrastructures David Kelsey (STFC-RAL, UK) WLCG GDB, CERN 10 Jul 2013.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Security Policy: From EGEE to EGI David Kelsey (STFC-RAL) 21 Sep 2009 EGEE’09, Barcelona david.kelsey at stfc.ac.uk.
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
EGI-InSPIRE RI EGI EGI-InSPIRE RI Service Operations Security Policy the new generalised site operations security policy.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI SPG future work EGI Technical Forum Lyon, 21 Sep 2011 David Kelsey, STFC/RAL.
EGI-InSPIRE RI EGI EGI-InSPIRE RI Establishing Identity in EGI the authentication trust fabric of the IGTF and EUGridPMA.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.
Security Policy Update WLCG GDB CERN, 8 Dec 2010 David Kelsey STFC/RAL david.kelsey AT stfc.ac.uk.
Why a Commercial Provider should Join the Academic Cloud Federation David Blundell Managing Director 100 Percent IT Ltd Simple, Flexible, Reliable.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Draft Security Virtualisation Policy (for Romain Wartel – CERN) EGI Technical.
INFSO-RI Enabling Grids for E-sciencE Joint Security Policy Group David Kelsey, CCLRC/RAL, UK 3 rd EGEE Project.
Ian Collier, STFC, Romain Wartel, CERN Maintaining Traceability in an Evolving Distributed Computing Environment Introduction Security.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI VOMS Proxy Lifetime UCB 21 Aug 2012 David Kelsey STFC.
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud and Software Vulnerabilities Linda Cornwall, STFC 20.
EGI-InSPIRE RI SPG Tasks for Year 2011 Jan 2011 Kelsey/Security Policy Group1.
EGI-InSPIRE RI SPG Tasks for Year 2011 Jan 2011 Kelsey/Security Policy Group1.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Questionnaires to Cloud technology providers and sites Linda Cornwall, STFC,
Trusted Virtual Machine Images the HEPiX Point of View Tony Cass October 21 st 2011.
Grid Security Policy: EGEE to EGI David Kelsey (RAL) 16 Sep 2009 JSPG meeting, DFN Berlin david.kelsey at stfc.ac.uk.
15-Jun-04D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security Update (Report from the LCG Security Group) CERN 15 June 2004 David Kelsey CCLRC/RAL, UK
HEPiX Virtualisation working group Andrea Chierici INFN-CNAF Workshop CCR 2010.
Security Policy Update WLCG GDB CERN, 11 June 2008 David Kelsey STFC/RAL
David Kelsey CCLRC/RAL, UK
LCG Security Status and Issues
David Kelsey STFC-RAL 2nd WISE workshop, XSEDE16, Miami 18 July 2016
Updated (VO) Community Security Policies
Update - Security Policies
David Kelsey (STFC-RAL)
EGI support services Science gateway developers
Presentation transcript:

Security Policy Update David Kelsey UK HEP Sysman, RAL 1 Jul 2011

Outline Update since Ops-PMB at GridPP26 March 2011 in Brighton Current security policies EGI SPG work plans for 2011 Service Operations Security Policy Endorsement and Operations of Virtual Machine Images Security for Collaborating Infrastructures Attribute Authority Operations 1 Jul 11Security Policy, Kelsey2

EGI Security Policy Group EGI SPG now firmly established – Terms of Ref, procedures etc. Old JSPG (WLCG/EGEE) policy documents –Converted to EGI era –Approved by EGI EB in Sep 2010 (valid from 1 st May 2010) –Apply to GridPP Where are they? Jul 11Security Policy, Kelsey3

Current Security Policy Top-level Grid Security Policy: Grid Security Policy For all Users: Grid Acceptable Use Policy For all Sites: Grid Site Operations Policy Site Registration Security Policy For all VOs: VO Operations Policy Virtual Organisation Registration Security PolicyVirtual Organisation Registration Security Policy Virtual Organisation Membership Management PolicyVirtual Organisation Membership Management Policy VO Portal Policy Other policies for all Grid participants: Traceability and Logging Policy Security Incident Response Policy Approval of Certificate Authorities Policy on Grid Pilot Jobs Grid Policy on the Handling of User- Level Job Accounting DataGrid Policy on the Handling of User- Level Job Accounting Data Glossary of terms used in SPG policy documents: Security Policy Glossary of Terms 1 Jul 11Security Policy, Kelsey4

EGI SPG 2011 SPG work in 2011 includes: Revise Grid Site Operations policy Extend the HEPiX Virtualisation Working Group policy Revise top-level Security Policy (to EGI era) New Data Privacy policy: Extend to storage accounting and cover more general issues Evolving Glossary (as part of EGI Glossary) 1 Jul 11Security Policy, Kelsey5

Service Operations Security Policy Revision of the old Grid Site Operations Policy Extend to Services in general –Whoever runs them (Site, VO or other third party) –Virtual machines as well as services on real hardware Remove operational policy statements –Just keep the security issues –But for now we have to keep in some general issues IPR, Liability, Dispute handling 1 Jul 11Security Policy, Kelsey6

Service Ops Sec Pol (2) By running a Service on the Infrastructure, by providing a service that is part of the Infrastructure, or retaining state that is related to the Infrastructure, either provided as an independent service or hosted in a Resource Centre, You agree to the conditions laid down in this document and other referenced documents, which may be revised from time to time. Internal SPG draft now completed (30 th June 2011) External Draft about to be distributed for wider comment 1 Jul 11Security Policy, Kelsey7

Virtual Machine Images HEPiX Virtualisation Working Group policy – –The aim is to enable Grid Sites to trust and instantiate endorsed VM images that have been generated elsewhere. SPG is now extending this to additional use cases Policy on the Endorsement and Operation of Virtual Machine Images – Aim to complete the internal draft during July and then go for external comment 1 Jul 11Security Policy, Kelsey8

Virtual Machines (2) VM image roles: producer -> endorser -> operator The operator is anyone who has root access to the instantiated image - held responsible for its security Use cases 1.Endorser: Site, VM operator: Site (the trivial case) 2.Endorser: Third party, VM operator: Site (HEPiX use case) 3.Endorser: Third party, VM operator: Third Party (new) In case 3, The Site has no direct trust relationship with the Endorser and may decide to apply specific restrictions to control the access of the VM to other resources, including network services 1 Jul 11Security Policy, Kelsey9

Security for Collaborating Infrastructures SCI: An activity started this year –Building Trust and Developing Policy standards for collaboration –In cases where we cannot just share policy documents WLCG, EGI, OSG, TeraGrid, DEISA/PRACE and others 1 Jul 11Security Policy, Kelsey10

SCI: some example text Security Incident Response It is imperative that every collaborative entity has an organized approach to addressing and managing events that threaten the security of resources, data and overall project integrity. At a minimum a collaborating infrastructure must have the following: A formal Incident Response procedure... Documented contact information for site security teams and expected response times for critical situations... The capability to collaborate in the handling of a security incident... Assurance of compliance with information sharing restrictions... 1 Jul 11Security Policy, Kelsey11

IGTF policies for Attribute Authority Operations AuthZ is as (more?) important than AuthN IGTF has well established profile for AuthN We need minimum requirements for running trustworthy VOMS servers! Aim is to document currently accepted best practice –And improve where necessary See –Tackle all Attributes, not just those used for AuthZ –No longer limit to VOMS Aim to be technology independent 1 Jul 11Security Policy, Kelsey12

Questions? 1 Jul 11Security Policy, Kelsey13

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.