Evolving Security in WLCG. Ian Collier, STFC Rutherford Appleton Laboratory. 1st February 2016, WLCG Workshop Lisbon.


Slide 2: Overview (1st February 2016, Security Challenges for WLCG)
- Current model
- Changing technology
- Evolving trust fabric
- Changing threat landscape
- Possible ways forward

Slide 3: Current model
- Traceability, not control
- Relationship between sites, VOs and users is based on trust
  – This works pretty well
- Incident response based on site and collaboration CSIRT teams
- All traceability information (in theory) at sites
  – Central loggers
  – But in practice, must contact the VO to identify the user and so be able to suspend the credential associated with problematic activity
- Anonymous pilot jobs, but separation and traceability supported by glexec – again in theory
  – After 10 years still not used universally
  – Not really ‘loved’ by either sites or VOs

Slide 4: Changing technology
- Increasing use of virtualisation and containers
  – VMs on cloud platforms
  – Containers within ‘traditional’ batch systems
  – Who maintains the VMs/containers? Should strive for best management – tools to streamline
- Offers an alternate route to job separation
- Removes direct access to, and trust of, the execution environment
  – May no longer be able to trust logs
- Makes maintenance of the underlying OS easier for sites
  – But they pick up the complexity of cloud management frameworks
  – On the plus side, these have much larger communities behind them than grid software
- Technology and VO workflow changes create constant pressure on incident response teams
  – Emergence of cloud technologies a particular challenge

Slide 5: Evolving trust fabric
- Federated identity management promises huge potential benefits – as well as bringing with it not a few challenges
- Will take significant changes at all levels
- But mixing assurance from different sources (not just CAs) will bring benefits
  – Not least making it easier to co-exist in a world where WLCG is one among many large users of distributed infrastructure
- The eduroam example is instructive
  – The benefits are now obvious – it is really convenient
  – But it has been quite a bumpy ride

Slide 6: Changing threat landscape
- Rise of organised, very businesslike cybercriminals
  – They no longer ignore us
  – Sophisticated, targeted attacks – especially phishing
- Identity/personal information is now the major target
  – Federation just increases the cost of compromised credentials
- Our infrastructure itself may be ‘secure enough’
  – The challenge now is to protect our people
- As we move to more standard software and interfaces, the attack surface is also more standard
  – Much of the effort that used to go into making our bespoke software more secure will be needed to protect ‘standard’ software and interfaces
- Most incidents are discovered through external reports
  – Must improve our ability to exchange intelligence with other communities (industry, law enforcement, etc.)

Slide 7: Ways forward I
- Treat VMs/containers as processes
  – Shift focus to externally observable behaviour
- Logs from inside VMs not as trustworthy
  – Better logging of network flows – often neglected – may have implications for network hardware choices and costs
- ‘Big data’ tools for storing, aggregating and searching larger volumes of data
  – Security Operations Centre
  – Significant effort to deploy
  – Can we develop an ‘appliance’ for this (similar to what perfSONAR does for network monitoring)?
- Can we then ‘forget’ about glexec?

Slide 8: Ways forward II
- Bring VOs more fully into the incident response process
- Improve the capability for collaboration traceability?
  – Better instrumenting VO frameworks to (centrally?) log data
  – Can we take advantage of VOs being based at CERN to ingest appropriate traceability data directly into the SOC as it develops?
- More emphasis on protecting people in order to protect our infrastructure
  – Phishing, sharing threat and incident intelligence
- Put effort into supporting and exploiting federated identity management – not forgetting impacts on traceability and incident response
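Slides 7 and 8 together describe attributing a VM's externally observed behaviour without trusting anything logged inside it: join site network flow records with the cloud platform's VM lifecycle log and with the payload records the VO framework pushes centrally. The following is an added illustration of that join, not code from the talk or from any WLCG site; every record, name and field is constructed, and the one edge case it handles is an IP address reused by a later VM, which is why lookups are by time interval rather than by address alone.

```python
from datetime import datetime

# Constructed sample data: nothing below comes from a real site or VO.
# Cloud platform VM lifecycle records, kept outside the VM (trusted).
VM_EVENTS = [
    {"vm": "vm-1042", "ip": "10.1.2.3", "start": "2016-02-01T08:00:00",
     "end": "2016-02-01T12:00:00", "vo": "atlas"},
    {"vm": "vm-1077", "ip": "10.1.2.3", "start": "2016-02-01T12:30:00",
     "end": None, "vo": "cms"},  # same IP reused after vm-1042 was destroyed
]
# Records the VO framework logs centrally: which payload ran in which VM, when.
VO_PAYLOADS = [
    {"vm": "vm-1042", "start": "2016-02-01T08:05:00",
     "end": "2016-02-01T10:00:00", "user": "alice", "job": "job-555"},
    {"vm": "vm-1042", "start": "2016-02-01T10:00:00",
     "end": "2016-02-01T11:55:00", "user": "bob", "job": "job-556"},
]
# Network flow records from the site border (constructed).
FLOWS = [
    {"ts": "2016-02-01T10:30:00", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 6667},
    {"ts": "2016-02-01T12:45:00", "src": "10.1.2.3", "dst": "192.0.2.10", "dport": 6667},
    {"ts": "2016-02-01T12:10:00", "src": "10.1.2.3", "dst": "192.0.2.20", "dport": 443},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _active(rec, t):
    """True if rec's [start, end) interval covers t (end None = still running)."""
    return _ts(rec["start"]) <= t and (rec["end"] is None or t < _ts(rec["end"]))

def vm_for(ip, t):
    """VM that held `ip` at time t, decided by lifecycle interval, not address alone."""
    return next((e for e in VM_EVENTS if e["ip"] == ip and _active(e, t)), None)

def payload_for(vm, t):
    """User/job the VO reports as running inside `vm` at time t, if any."""
    return next((p for p in VO_PAYLOADS if p["vm"] == vm and _active(p, t)), None)

def attribute(flow):
    """Map one flow to vm, VO, user and job. A None in the result is itself a
    finding: a gap in the traceability chain that the VO or site must close."""
    t = _ts(flow["ts"])
    vm = vm_for(flow["src"], t)
    if vm is None:
        return {"vm": None, "vo": None, "user": None, "job": None}
    pl = payload_for(vm["vm"], t) or {}
    return {"vm": vm["vm"], "vo": vm["vo"], "user": pl.get("user"), "job": pl.get("job")}
```

Run over the sample flows, the first is attributed down to a user, the second reaches a VM and VO but no payload (the VO framework logged nothing for it), and the third falls between two VM lifetimes and cannot be attributed at all.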

Slide 9: Summary
- Separation via VMs/containers – drop glexec
- Invest in deploying ‘big data’ tools for managing traceability data
- Invest in better intelligence/trust links with other communities
- Embrace global and federated identity management

Slide 10: Over to the others