Slide 1
www.egi.eu EGI-InSPIRE RI-261323
EGI Federated Cloud and Software Vulnerabilities
Linda Cornwall, STFC
20th January 2015, EGI Fed Cloud F2F, 19-21st January 2015
Slide 2: What do we want?
- Software deployed on the Cloud infrastructure should not cause security problems that lead to security incidents.
- This means, as a minimum:
  - Software doesn't have obvious security problems or basic security errors.
  - If software security vulnerabilities are found, they are handled appropriately: product teams are easy to contact, the problem is fixed in a timely manner according to its severity, and parties deploying the software are notified and able to update.
Slide 3: And when a vulnerability is found
- EGI SVG is able to handle it according to an approved procedure:
  - Investigation by SVG and the development team
  - If valid, carry out a risk assessment (Critical, High, Moderate or Low)
  - Set a target date for resolution according to the risk
  - Advisory issued to sites when the problem is fixed
- For e.g. Linux announcements: only risk-assess for our environment; advisory for High or Critical
- Since 2006, vulnerabilities have been handled consistently across the EGI Grid infrastructure (see the last slide for more info)
Slide 4: Some progress since Sept (Big data)
- Acceptance that this activity continues to be important in the Fed Cloud
- 4 new SVG members: Alvaro Lopez Garcia, Enol Fernandez del Castillo (both Fed Cloud), Edward Karavakis (WLCG), Bartlomiej Balcerek
- Other new members are welcome, especially those with FedCloud technical expertise
Slide 5: Some clarification has occurred
- Fed Cloud says 'User' is in charge, which is what the policy group has called 'VM Operator'
  - High skill level; instantiates VMs
  - See Security Policy for the Endorsement and Operation of Virtual Machine Images: https://documents.egi.eu/public/ShowDocument?docid=771
- 'End User' (e.g. scientist) connects to VMs to carry out their work
  - Less skilled
Slide 6: Software the Fed Cloud depends on must be O.K.
- Started on Technology Provider questionnaire
  - Good for security-critical software which Fed Cloud depends on
  - (I've had no time to work on this recently)
- Possibility of a smaller checklist, for all software
  - Very basic checks, e.g. for insecure constructs, not validating user input
- More detailed assessment for some, e.g. AAI
- No clear source of effort for this
Slide 7: VM Operator software
- VM Operators also need to use secure software within their VMs
- Possibly a checklist
- For 'End User' access, certain methods or software could be assessed by EGI and recommended for use
- This is something that could add value to the EGI Fed Cloud compared to using others
Slide 8: Vulnerability handling
- Main next step is to revise the SVG vulnerability issue handling procedure
  - To take account of the Fed Cloud situation
  - Commercial announcements, community s/w
  - Cloud-enabling s/w, VO software
  - Contacts etc.
- All s/w on which EGI Fed Cloud depends must be maintained
Slide 9: Software Security Support
- All software on which EGI Fed Cloud depends MUST be under security support
  - i.e. someone must be available to fix any vulnerabilities found
- Minimum is if a research institute says someone unfunded is providing support in working time
- Problem if someone is doing the work as a hobby
  - Do we really want to depend on hobby support?
Slide 10: Contacts for S/W enabling Fed Cloud
- It should be clear how to contact software providers who provide software which enables the Fed Cloud
- For a large commercial provider, their web page may provide details on how to report problems
- For community software, SVG should have direct contact details (persons, e-mail list)
Slide 11: Contact - VO software
- VO-specific software, i.e. that instantiated by a VM Operator: VO contact details acceptable
- Needs to be clear to which VO something belongs
- No more than one intermediary between SVG and the development team
  - E.g. contact VO security contacts; they know the development team
- VO software, i.e. software instantiated by a VM Operator, may get stopped if there are security problems
Slide 12: VM images and updates (if not discussed previously in security session)
- Images in AppDB must be kept up to date
- Endorser's job doesn't end with the production of the image
- VM images must be kept up to date
  - Short-lived and re-instantiated, or patched?
- Training/certification for endorsers?
Slide 13: SVG (re)-invigorate
- Possibly a F2F meeting, with new members and old
- Need to combine experience of established SVG members and new Cloud members
- Establish how we do vulnerability handling in the Fed Cloud
Slide 14: Software dependencies generally
- There is an issue that EGI is dependent on a lot of 3rd party software
  - Linux, OpenStack, OpenNebula, Java, ...
- Possibly EGI should consider whether our infrastructure can influence such software development and maintenance
Slide 15: Questions/Discussion
Slide 16: More Info on EGI SVG
- EGI SVG Wiki: https://wiki.egi.eu/wiki/SVG:SVG
- Basic vulnerability handling summary: https://wiki.egi.eu/wiki/SVG:Issue_Handling_Summary
- Approved issue handling procedure: https://documents.egi.eu/public/ShowDocument?docid=717
- Presentation from EGI Community Forum, 25th Sept 2014, Linda Cornwall, STFC, Software security: https://indico.egi.eu/indico/getFile.py/access?contribId=52&sessionId=33&resId=0&materialId=slides&confId=1994