Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security aspects (based on Romain Wartel’s.

Published byGodfrey Holt Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security aspects (based on Romain Wartel’s."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security aspects (based on Romain Wartel’s slides at ISGC Taiwan 2008) David Bouvet – IN2P3-CC Planning for Grid Deployment and Usage in South Africa Meraka Institute, CSIR campus, Pretoria 12-13 may 2008

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 2 Computer security incident What is a “Security Incident”? –A security incident is the act of violating an explicit or implied security policy What can motivate attackers? –Money (and little risk of being caught) –Less likely: political motivation, challenge, ego, fame, etc. How do attackers often proceed? –Most attacks are partly/fully automated –First find an entry point (weak network service, stolen credentials, etc.) –Install necessary toolkit to maintain a 'quiet' access –Implant payload (DDOS, Botnet, SPAM engine, etc.) –Harvest additional credentials

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 3 Security Incidents Statistics

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 4 Top risks for the grid Attacks against other sites (ex: DDoS) Storage, distribution or sharing of illegal/inappropriate material Disruption of service, damage to user data This can involve: Damage to the project/sites reputation Legal/financial actions against participants –http://proj-lcg-security.web.cern.ch/proj-lcg-security/RiskAnalysis/risk.htmlhttp://proj-lcg-security.web.cern.ch/proj-lcg-security/RiskAnalysis/risk.html

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 5 EGEE Security groups (initial picture by Ake Edlund)

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 6 Policies JSPG is producing a set of security policies The following policies have been approved by the EGEE PEB and the WLCG GDB –Grid Security Policy (= top level policy)  Grid Acceptable Use Policy  Grid Site Operations Policy Site Registration Policy Audit Requirements Policy Grid Security Incident Response Policy  VO Security Policy VO Operations Policy User Registration Policy  Approval of Certification Authorities

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 7 Certification Authorities IGTF (International Grid Trust Federation) is a body to establish common policies and guidelines between its Policy Management Authorities (PMAs) members. –current PMAs :  Europe: EUGridPMA  Asia-Pacific: APGridPMA  Latin America, Carribean, North America: TAGPMA To create a new PMA, see http://www.gridpma.org/ or contact David Groep (davidg@nikhef.nl) to get more information on the procedures.http://www.gridpma.org/davidg@nikhef.nl In EGEE, there is the possibility to use “catch-all” CA –France (CNRS) for all non HEP VOs –CERN for HEP VOs ⇨ African users can ask CNRS or CERN to get their certificates (need to have a minimal structure about identity verification on new certificate request: one person per lab)

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 8 Incident response - coordination ROC Security Contacts are part of the EGEE Operational Security Coordination Team (OSCT) Incidents coordination: ROC Security Contact on duty

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 9 Security incident prevention The EGEE Operational Security Coordination Team has three main activities: –Incident Response improvement  Security service challenges (SSC) SSC1, SSC2, SSC3 (in work) http://cern.ch/grid-deployment/ssc/SSC_2/SSC_2_google.html  IR channels (lists, IM)  IR scenarios –Incident detection and containment (=monitoring)  Several monitoring tools available to the sites  Central security tests (SAM) –Incident prevention  Best practice ex: https://cic.gridops.org/index.php?section=roc&page=securityissueshttps://cic.gridops.org/index.php?section=roc&page=securityissues  Training events

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 10 Incident response - coordination A large part of the incident response coordination consists in managing the flow of information The role of the coordinator is to: –Process the available information as soon as possible and follow the most likely leads –Provide accurate information to the sites –Contact and follow up with the relevant CERTs/CSIRTs –Ensure the process does not stall The objective is to: –Understand what was the vector of attack (ex: entry point) –Ensure the incident is contained –Establish a detailed list of what has been lost (ex: credentials, data) –Take corrective action to prevent re-occurrence

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 11 Incident response – main issues Main issues: –It is essential to establish and maintain trust between the sites –Obtain relevant and accurate information and collaboration from all possibly affected sites –Cope with the information flow (large incidents) (during a multi-site incident, the coordinator had to process 500+ incoming emails during the first 5 days, including 280 at day 3) –Redistribute the information with an appropriate level of details –Prevent information leaks, which are a serious problem. They can discourage other sites from sharing their findings in the future and expose sensitive information (personal details, etc.)

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 12 SSC3 – Early results

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 13 Conclusion Training and dissemination requires significant efforts, as it is difficult to improve security practices at the sites Tests (security service challenges) are extremely useful Increased expertise in the team to manage multi-sites security incidents Need to build and maintain trust between the participants Cooperation and sharing with peer grids (ex: OSG) and with other involved parties (ex: NRENs) is essential

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 14 Links IGTF web site: http://www.gridpma.org/ http://www.gridpma.org/ OSCT web site: https://twiki.cern.ch/twiki/bin/view/LCG/OSCT https://twiki.cern.ch/twiki/bin/view/LCG/OSCT OSCT web site: http://cern.ch/osct http://cern.ch/osct Incident response guide: https://edms.cern.ch/file/428035/LAST_RELEASED/Inci dent_Response_Guide.pdf https://edms.cern.ch/file/428035/LAST_RELEASED/Inci dent_Response_Guide.pdf

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 15 Security aspects Discussion

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security aspects (based on Romain Wartel’s."

Similar presentations

INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Operational Security OSCT JSPG March 2006 Ian Neilson, CERN.

INFSO-RI Enabling Grids for E-sciencE Operational Security OSCT JSPG March 2006 Ian Neilson, CERN.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
INFSO-RI-508833 Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes

INFSO-RI Enabling Grids for E-sciencE Incident Response Policies and Procedures Carlos Fuentes
Operational Security Working Group Topics Incident Handling Process –OSG Document Review & Comments:

Operational Security Working Group Topics Incident Handling Process –OSG Document Review & Comments:
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE AP ROC Min-Hong Tsai ASGC SA1 Transition Meeting May 8 th, 2008

EGEE-II INFSO-RI Enabling Grids for E-sciencE AP ROC Min-Hong Tsai ASGC SA1 Transition Meeting May 8 th, 2008
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Romanian SA1 report Alexandru Stanciu ICI.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Romanian SA1 report Alexandru Stanciu ICI.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
EGEE ARM-2 – 5 Oct 2004 - 1 LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.

EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.
Enabling Grids for E-sciencE www.eu-egee.org EGEE III Security Training and Dissemination Mingchao Ma, STFC – RAL, UK OSCT Barcelona 2009.

Enabling Grids for E-sciencE EGEE III Security Training and Dissemination Mingchao Ma, STFC – RAL, UK OSCT Barcelona 2009.
GGF12 – 20 Sept 2004 - 1 LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.

GGF12 – 20 Sept LCG Incident Response Ian Neilson LCG Security Officer Grid Deployment Group CERN.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks EGEE – paving the way for a sustainable infrastructure.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGEE – paving the way for a sustainable infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Coordination Group Ake Edlund EGEE Sec Head 9th MWSG meeting, SLAC,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Security Coordination Group Ake Edlund EGEE Sec Head 9th MWSG meeting, SLAC,
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Training and Dissemination Enabling Grids for E-sciencE www.eu-egee.org Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.

Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.

Similar presentations

Ads by Google