David Groep Nikhef Amsterdam PDP & Grid Some Comments on “Problem description for non-proliferation issues in Grids” Joint Security Policy Group 7 December.

Presentation transcript:

Some Comments on “Problem description for non-proliferation issues in Grids”
David Groep, Nikhef Amsterdam, PDP & Grid
Joint Security Policy Group, 7 December 2009
Following from an EGI Council Input Document

History
IPM and the CMS collaboration
LCG-CatchAll event
Founding a national CA
IGTF Distribution Release v1.22
On Those Who Must Not Be Named
Differentiating Authentication & Authorization
  ◦ ... again (June 2009)

Describing the Issue
New document (27 Nov 2009)
Problem description for non-proliferation issues in Grids
W. Juling (KIT and DFN), K. Schauerhammer (DFN), M. Spiro (CNRS and IN2P3), K. Ullmann (DFN), D. Vandromme (Renater)
Sent to EGI Council

Scenarios considered
from the document
I. Local distribution (i.e. in one legal organisation for example in a university),
II. National distribution (i.e. in several legal organisations but all these organisations in one national legal area (i.e. country)) or
III. International distribution (same as national but the machines are distributed over several national legal areas (i.e. countries)).

Problems identified in II and III
from the document
1. What does in legal terms define a VO in scenario II and III? What is the liability of a VO?
2. What is the minimum necessary for the formulation of a common (to that Grid) legal framework for the contractual relation between a VO and the consortium of resource providers covering UN Security Council resolutions for scenario II (national Grid)?
3. What is the minimum necessary for the formulation of a common (to that Grid) legal framework for the contractual relation between a VO and the consortium of resource providers covering UN embargo decisions for scenario III (international Grid)?
4. What is the liability of a “responsible person” as defined in II and III?

Possible implementation
from the document
A possible track for an implementation of these ideas could be the following model:
a) An individual charter of good conduct signed by the user (as a person) and its employer: this would allow the employer to take measures in case of misconduct of the user of the GRID. Often such issues may be covered already in the employment contracts.
b) A charter of good conduct between a VO and its users
c) A MoU signed by each VO and the resource providers / resource provider consortium where the VO manager through national VO representatives commits to monitor the use of resources for the application the VO is responsible of, and where the resource providers commit for the site non vulnerability and security.
Finally the NGI could monitor the functioning of this machinery in each country.

Responsibilities
Arising from the document

The Good and the Improvable
AuthN and AuthZ got their proper place!
Responsibilities roughly resemble current policy
Good inventory of issues, likely supported by Council
We can’t suppress the issue anymore, it seems
Proposed “MoU” for the VOs
  ◦ Potential to be extremely heavy and scare user communities away
  ◦ Do all VOs have ‘national VO representatives’?
  ◦ Compulsory monitoring by VO managers?
  ◦ Proposed ‘commitment’ by sites unachievable
  ◦ NGI gets a role, but can it take this responsibility?
High potential for ‘back-pollution’ NGIs and Sites
Special role for NPT in Statutes is rather ‘weird’

What to do?
Anticipate responsibility scheme?
Disseminate JSPG policy set?
Encourage a realistic approach to VO responsibilities?
Introduce ‘home grid’ for VOs to ease VO registration?
Come up with a more generic statement regarding permitted use of EGI
  ◦ Keeping in mind differences between National Legal Areas
  ◦ Scoping it to EGI and cross-national VOs
  ◦ Make the Statutes clause less ‘obviously targeted’
Continue to be vigilant: is banning ‘dual use codes’ next?