Operational Security Coordination Team
Ian Neilson, SA1
EGEE-II conference, Geneva, 2006
Enabling Grids for E-sciencE (EGEE-II INFSO-RI). EGEE and gLite are registered trademarks.
Slide 2: OSCT Overview
– Policy environment: the Incident Handling and Response Guide
– Security contact management
– OSCT-1 meeting
– GGUS Security Support Unit
– OSCT and incident handling
– Security Service Challenges
– Some issues
– NRENs
– ISSeG
– Tools
Slide 3: OSCT - Incident Response Guide

The Incident Handling and Response Guide
– Common policy for LCG, EGEE and OSG
– What it mandates (the MUST do's): REPORT : RESPOND : PROTECT INFORMATION : ANALYSE

Reporting
– Provide contact information
  - Individual contacts
  - A monitored list (optional but HIGHLY desirable)
  - Now managed through GOCDB
– Reports go through LOCAL site security, so sites should have a local plan
  - The Guide does NOT replace or interfere with local plans
– Report to project-{lcg,egee}-security-csirts.at.cern.ch
  - Incident notification only, no chat
  - Discussion goes to project-{lcg,egee}-security-contacts.at.cern.ch
Slide 4: OSCT - Security Contact Management

Site registration
– JSPG policy requires: "The name, address and telephone number of the Site Security Contact. ... The address of a managed list for contact with the site security incident response team."
– The site enters the data into GOCDB
  - Should be provided before the site is approved
– Individual contacts have the GOCDB 'role' of Security Contact
  - View restricted to the same site, other Security Contacts, Managers, ...

Populating the incident-response lists
– CSIRTs are loaded to the incident report list
– CONTACTs are loaded to the discussion list
– Still a manual periodic operation
  - Some (many) CONTACTs are missing
  - There are always some dead entries
Slide 5: OSCT-1 Meeting

OSCT-1, CERN, June 2006
– To define more clearly
  - WHO the OSCT is
  - WHAT the OSCT does
  - What LINKS the OSCT has with other groups
– Define some basic responsibilities
– Update on current activities
– Near-term actions
– 9 out of 11 ROCs attended
Slide 6: What does the OSCT do?

EGEE-II has a ROC-centric support model
– From the EGEE-II Technical Annex, ROC responsibilities:
  "Responsible for ensuring that operational problems in the region or in resource centres in the region are resolved and followed-up. The ROC owns the operational problems and is responsible for them; Coordinate Grid security in the region; provide incident response teams (with members from the sites);"
– Operational support
  - Tickets raised from several sources (may result in an incident)
  - ROC-on-duty process (SFT/SAM)
  - GGUS Ticket Process Management (TPM) (user/VO)
– Incident support
  - Incident Handling Guide
  - CSIRTS and CONTACTS lists
– Representation of operations security in/to other groups
  - MWSG, GSVG, JSPG, SCG
  - The 'attitude' of sites in the region to security developments
  - Peer grids, NRENs
Slide 7: Operations Support Model

(Diagram) Regional Operations Centres, each with its Resource Centres; the Grid Operator on-duty; the ROC and the site work to resolve the problem; the OSCT; Peer Grids.
Slide 8: OSCT - Security Support Unit

OSCT and GGUS support
– All ROCs register the generic address of their regional security support team
  - project-egee-security-support.at.cern.ch
– Trouble tickets are raised from any source: user, VO, site, ...
  - A ticket could be an incident (but incidents should be reported to the site security contact)
– The responsible ROC unit takes ownership (assigns the ticket to itself)
  - From the affected site

OSCT "duty contact" (OSCT-DC)
– Acts as a safety net for unassigned/idle problems
  - Does not deal with the problems itself: a routing and negotiation role
– Follows the same ROC rotation as the ROC-on-duty
– Monitors 'unstructured' data sources: rollout list, weekly operations meeting
– Escalates to the incident handling process
Slide 9: OSCT - Incident Handling

Flat incident reporting structures
– Computer Security Incident Response Teams
– Computer Security Contacts
– Responsibility for follow-up rests with the reporter

What is the role of the OSCT? From the Guide:
  "At times when a Team Leader should be required to coordinate response (Section 6.2) it is expected that this will initially be organised between the reporting site(s) and the Regional Operations Centre (ROC) security contact(s). The ROC contact will ensure that an appropriate mailing list is available and populated for incident follow-up."

An incident team needs:
– A clear process for its formation, to avoid confusion/duplication
  - Responsibilities should be clear
– Basic facilities to be available
  - Access to contacts
  - Access to communications channels
  - Access to expertise
– To communicate
  - Report to sites (contacts)
  - Report to management
Slide 10: OSCT - Incident Handling (continued)

Responsibilities must be clear: ownership
1. Regional ROC contact
2. OSCT-DC or backup
3. Other OSCT
– Announced to the OSCT Core, followed by a general notice
  - Can be delegated if appropriate, but must be clearly notified
– The OSCT contact is not always the TEAM leader, but is responsible

Access to contacts
– GOCDB

Communications
– OSCT to maintain (authentication?):
  - IM ids
  - Telephone details
  - Per-ROC telephone conference facilities/details
– We must test these regularly!!
Slide 11: OSCT - Some Issues

Incident follow-up can be VERY time consuming
– Do we retain the resources and expertise?
– Tools to help?

"Grid" incidents and "non-grid" incidents
– Can we really draw a boundary (and should we)?
– Confusion over whether to report

Must encourage a culture of reporting
– Must keep the "noise" to acceptable levels
  - Off-topic chat, SPAM
– Must prevent unintended leakage
  - Leakage can be damaging and discourages reporting, e.g. onto public web mail archives

Can we deploy fixes or mitigation fast enough?
Slide 12: OSCT - Security Service Challenges

Service Challenge 1 review
– Summary of the OSCT presentation by Pal Andersen
– Timeline:
  June 2005: the principal site of each ROC was challenged; 9 of 11 ROCs were able to respond
  August 2005: debriefing report out
  14 October 2005: challenge passed over to the ROCs
  November 2005: response from the first ROC
  9 January 2006: first reminder sent; an incorrect Security Contact found, 4 acknowledgements
  3 February 2006: escalation reminder sent; one additional acknowledgement
  30 April 2006 (status): 9 of 11 ROCs had executed the challenge; ~130 sites out of ~190 had responded (~68%)
Slide 13: OSCT - Security Service Challenges (continued)

Service Challenge 2 plans
– Traceability of storage operations
– Three pieces of information will be provided to the challenged site:
  - A time interval (~15 minutes)
  - The Distinguished Name (DN) used by the challenger
  - The Worker Node (WN) from which the operations were executed
– The question asked is: what sequence of storage operations affected which files?
– Delayed because some logging was clearly absent from the configuration

The challenge has a long cycle time (~1 year)
– This should speed up with practice

What to challenge next?
– Apart from the real ones!
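In practice the Service Challenge 2 question is a filter over the site's storage-access logs on the three facts the challenger supplies (interval, DN, worker node), followed by ordering the surviving records by time and grouping them by file. The Python below is an added example written for this page; it is not OSCT or gLite code. It assumes a hypothetical syslog-like record format and uses constructed sample records; real storage elements log differently, so the regular expression would be adapted to the site's own logs. It also surfaces the failure mode the slide mentions: an in-window record from the worker node with no DN logged is counted as an attribution gap rather than silently dropped, because a site that cannot attribute an operation cannot fully answer the challenge.

```python
"""Service Challenge 2 traceability check over storage-access logs.

Added example for this page; not OSCT or gLite code. The record format and
the sample records below are hypothetical/constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Hypothetical record format (assumed for this example only):
#   <ISO-8601 time> <SE host> SE: op=<op> dn="<DN>" client=<WN host> file=<path>
# The dn="..." field is optional in the regex so that records written by a
# storage element whose DN logging was not configured still parse and can
# be reported as an attribution gap instead of being ignored.
RECORD_RE = re.compile(
    r'^(?P<ts>\S+) (?P<se>\S+) SE: op=(?P<op>\w+)'
    r'(?: dn="(?P<dn>[^"]*)")? client=(?P<client>\S+) file=(?P<file>\S+)$'
)

# Constructed sample log (not real data). The 10:09 record carries no DN.
SAMPLE_LOG = """\
2006-09-12T10:01:03 se01.example.org SE: op=put dn="/DC=org/DC=example/CN=alice" client=wn07.example.org file=/grid/vo1/run101.root
2006-09-12T10:02:10 se01.example.org SE: op=get dn="/DC=org/DC=example/CN=bob" client=wn07.example.org file=/grid/vo1/run101.root
2006-09-12T10:04:45 se01.example.org SE: op=rm dn="/DC=org/DC=example/CN=alice" client=wn07.example.org file=/grid/vo1/run100.root
2006-09-12T10:05:30 se01.example.org SE: op=put dn="/DC=org/DC=example/CN=alice" client=wn12.example.org file=/grid/vo1/run102.root
2006-09-12T10:09:00 se01.example.org SE: op=get client=wn07.example.org file=/grid/vo1/calib.db
2006-09-12T10:30:00 se01.example.org SE: op=rm dn="/DC=org/DC=example/CN=alice" client=wn07.example.org file=/grid/vo1/run101.root
"""


def parse_records(log_text):
    """Parse log lines into dicts. Lines that do not match the format are
    returned separately so the analyst can see what was not understood."""
    records, unparsed = [], []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, unparsed


def trace(log_text, interval_start, dn, wn, minutes=15):
    """Answer the challenge: which storage operations, in order, did the
    given DN perform from the given worker node inside the interval?

    Returns (operations, gaps). operations is a time-ordered list of
    (time, op, file) tuples; gaps is the number of in-window records from
    the worker node that carry no DN and therefore cannot be attributed.
    """
    start = datetime.fromisoformat(interval_start)
    end = start + timedelta(minutes=minutes)
    records, _ = parse_records(log_text)

    in_window = [r for r in records
                 if start <= r["ts"] < end and r["client"] == wn]
    gaps = sum(1 for r in in_window if r["dn"] is None)
    mine = sorted((r for r in in_window if r["dn"] == dn),
                  key=lambda r: r["ts"])
    ops = [(r["ts"].isoformat(), r["op"], r["file"]) for r in mine]
    return ops, gaps


def files_affected(ops):
    """Group the ordered operation list by file, matching how the
    challenge question is phrased ('which files')."""
    by_file = {}
    for _, op, path in ops:
        by_file.setdefault(path, []).append(op)
    return by_file


if __name__ == "__main__":
    ops, gaps = trace(SAMPLE_LOG, "2006-09-12T10:00:00",
                      "/DC=org/DC=example/CN=alice", "wn07.example.org")
    for ts, op, path in ops:
        print(ts, op, path)
    print("files:", files_affected(ops))
    if gaps:
        print(f"WARNING: {gaps} operation(s) from the WN in the window have "
              "no DN logged; the site cannot fully answer the challenge")
```

Run stand-alone, it prints the two attributable operations for the constructed challenge (a put of run101.root and a removal of run100.root) and warns about one unattributable record. The gap count is the operational point: the "logging clearly absent from configuration" that delayed the challenge shows up here as records the site cannot attribute, and a non-zero count should be treated as a configuration defect to fix before the next challenge or, more importantly, the next real incident.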
Slide 14: OSCT - ISSeG

Grid security depends on site security: the EU-funded ISSeG project (Integrated Site Security for Grids)

Milestones and achievements
– Integrated Site Security deployments at the CERN and FZK sites are progressing well
– Input for recommendations is being collected from deployment experience
– A training and dissemination plan is being created
– The web site is active
– Information sheets are published

Issues
– Currently discussing the scope of site security assessments/audits with the EU

Plans
– A 2-year project (February 2006 to January 2008)
– To document experience with Integrated Site Security: combining technical, administrative and educational security solutions relevant for academic and research sites
– To disseminate recommendations and training to Grid sites for improving site security, based on a practical approach and best practices, to complement work on Grid security
– Strengthening general site security helps to protect Grids
Slide 15: OSCT - NRENs

NRENs
– More involved in regional grid infrastructure projects: SWITCH, RedIRIS, DFN, ...
– Existing CSIRTs network
– TERENA workshop with a focus on security, April 2006
– Still not clear how to link up with EGEE/LCG security
  "...vital that the Grid community experts and NREN CERT teams develop collaborative links and formal communications links." (Workshop Report)
Slide 16: OSCT - Tools

There is a lot that can be done and discussed

Monitoring
– Sites using Pakiti for patch monitoring
– Logging and auditing services, e.g. central syslog servers (see also the Security for Open Science proposal at Monday's EGEE/OSG meeting)
– Firewall configuration: local and (?) grid

Testing
– SAM for security testing?
Slide 17: Thank You