Security EGEE/SA1 ROC Managers ARM-3 meeting Lyon, 17 March 2005 David Kelsey CCLRC/RAL, UK

Aims
Status report on JSPG activities
  –and work with Open Science Grid (OSG)
Security Service Challenges
JRA3 deliverables
Authentication: CA PMAs
Security Best Practice/Guides
US HEP Cybersecurity workshop
GridPP work on Vulnerability analysis
Hopefully time for discussion!

Who does what?
EGEE JRA3
  –Responsible for EGEE Security
EGEE Middleware Security Group
  –JRA3, JRA1, SA1, NA4, Other projects
  –See JRA3 agenda page
LCG/EGEE Joint Security Policy Group (JSPG)
  –Reports to LCG GDB and EGEE ROC Managers
  –Cross participation with USA OSG
EGEE Operational Security Coord Team (OSCT)
  –Led by Ian Neilson (CERN) – Security Officer
  –All ROCs have a representative
  –Mail list exists (and used sometimes)
  –But not yet met

JSPG Policy/Procedures
Site Registration
Acceptable Use Policy (AUP)
  –For Users
  –For Sites (not today)
VO Security Policy
LHC Experiment User Registration (not today)
Security Incident Response
Have removed the 3 obsolete GOC “guides”
  –SLA, Self Audit, Resource Managers
Future work

Site Registration
Site Registration document (Maria Dimou)
  –Approved by GDB (yesterday)
  –Discussed with ROC Managers many times
  –Many thanks for valuable input/comments
Final change was to remove all references to
  –Dispute escalation/resolution
  –Removal of sites (suspend or de-register)

AUP (Users)
Similar policy to OpenScienceGrid (these are their words)
  –Keep it short and simple (users may read)
(1) You may only perform work and store data consistent with the charters of the organizations of which you are a member, and only on resources authorized for use by those organizations.
(2) You will not attempt to circumvent administrative and security controls on the use of resources. If you are informed that some aspect of your grid usage is creating a problem, you will adjust your usage and investigate ways to resolve the complaint. You will immediately report any suspected compromise of your grid credentials or suspected misuse of grid resources.
(3) Resource providers have the right to regulate access as they deem necessary for either operational or security-related reasons.

VO Security Policy
Draft document distributed this week (Ian N)
VO Registration Requirements
  –Information that must be captured/maintained
VO Membership Policy
  –Clearly states the goals of the VO
  –Requires all members to act within constraints
  –Allows sites to decide whether to accept the VO
VO Community Responsibilities
  –Users and VO managers
VO membership rights
  –Use of resources
  –Privacy

Security Incident Response
Current policy/procedures
Near future
  –Aim for common approach with OSG
  –With minimal changes
This was presented in EGEE-2 (Den Haag)
The OSG document is at http://computing.fnal.gov/cgi-bin/docdb/osg_public/ShowDocument?docid=19&version=2

JSPG future work
Complete VO Security Policy document
New top-level Policy document
  –More general
  –To apply to EGEE and LCG (and others?)
Revise all other sub-documents
  –Again more general
  –Bring up to date
Then seek approval by EGEE and LCG management
Revise/Update the Security Risk Analysis
  –And work on risk management/mitigation
Continue to lobby for better security

Security Service Challenges
OSG recently tested their communication channels
  –Emergency reporting list
  –Discuss list
  –Highlighted several problems – but it worked!
EGEE
  –OSCT will organise and do first test
  –Test audit trails
    –Logs exist, contain enough info, can be analysed
    –All in timely manner
  –Planning to have first try in March/April
  –Before the EGEE-3 meeting (Athens)

JRA3 deliverables
MJRA3.6 - Security Operational Procedures (first revision)
  –Author: Yuri Demchenko
3 sections
  –Operational Procedure Documents
  –Vulnerability Analysis & Incident Definition
  –IODEF for incident reporting
MJRA3.7 – EUGridPMA Accreditation Procedure
  –Author: David Groep
Comments to authors please

CA PMAs
EU Grid PMA:
  –Met in Marseille at end of Jan 2005
  –Next meeting in Estonia – end of May
  –Several new CAs discussed/approved
The Americas PMA (TAGPMA):
  –Now exists
  –Working on requirements for online CAs
This week in GGF (Seoul)
  –International Grid Federation (IGF) meets
  –Asia/Pacific, TAG and EU PMAs
OSG has formally requested the PMAs to accredit CAs for use in OSG (and specified some requirements)
EGEE should do same?
  –And revise our own CA Acceptance policy document

Security Best Practice
Work started by some members of OSCT
  –Following Nov 2004 Operations Workshop
  –Alessandra Forti (Manchester, UK)
  –Romain Wartel (UK/I ROC)
  –Miguel Cardenas Montes (Ciemat, ES)
  –Ian Neilson (CERN)
Contents:
  –Forensic analysis
Some early draft web pages (mainly structure) exist
  –for now on GridPP deployment web
  –But also aimed at EGEE/LCG

US Cybersecurity workshop
LBNL (Oakland), 9-10 March
~30 participants
  –Denise Heagerty and DPK represented CERN/EU/LCG
Goal: to produce a work-plan for Grid Deployment to ensure US LHC Computing will be as secure as possible in 2007
No time to report here in detail
Important issues
  –Risk Analysis, Management and Mitigation
  –Big concerns about use of LCG for external DOS attacks
  –Must have good monitoring, auditing, incident response
  –Must be able to regain control quickly after an incident
Proposal/Work Plan now being developed

Vulnerability Analysis
GridPP work (Linda Cornwall/RAL)
Was also a report in the US workshop
  –Vulnerability analysis of Condor being done
    –Design and code reviews
Draft GridPP document exists (Linda)
  –“Vulnerability – detection and reduction”
  –See recent EGEE MWSG meeting
  – 137http://agenda.cern.ch/fullAgenda.php?ida=a
activities
  –Checklists (deployment and middleware)
  –Vulnerability logging and tracking
  –Anti-use cases

Vulnerability (2)
Aim to review gLite (V1) and LCG (v2.4)
  –Goal is to improve middleware and deployment
How/where to report problems?
JSPG encourages reporting of security holes
  –UK sites keen to go “public”
  –But problems of public/archived mail lists
    –We have a responsibility to our colleagues/projects
JSPG investigating secure area in GGUS
  –But unlikely to be available this year
  –Create our own database?
In the meantime please report to Linda Cornwall
  –She is starting to gather info

Discussion?