Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traceability & isolation evolution Vincent BRILLAULT, CERN/EGI-CSIRT GDB Mars 2015, Amsterdam.

Published byClinton Harrington Modified over 8 years ago

Similar presentations

Presentation on theme: "Traceability & isolation evolution Vincent BRILLAULT, CERN/EGI-CSIRT GDB Mars 2015, Amsterdam."— Presentation transcript:

1 Traceability & isolation evolution Vincent BRILLAULT, CERN/EGI-CSIRT GDB Mars 2015, Amsterdam

2 Why traceability and isolation ? Current situation What’s “new” “glExec” Black boxes The future? Vincent Brillault, CERN/EGI-CSIRT2 Overview GDB Mars 2015, Amsterdam

3 For security, but not only! Traceability: Identify, reconstruct & understand – Security incidents: catch bad users, fix vulnerability – Issues/bugs/strange behaviors Isolation: – Prevent credential theft & impersonalization – Prevent jobs from harming each-other Vincent Brillault, CERN/EGI-CSIRT3 Why? GDB Mars 2015, Amsterdam

4 Site responsible for (policy-wise): – Recording all activity: when, where, who, what – Securely and centrally store logs for months – Process logs upon CSIRT request during incidents Identifying and isolating users: – WN/pilot jobs: glExec (if/when deployed & used) – Endpoint/services: end-user x509 certificate/proxy Multi-site analysis difficult: – Broadcast warning/regex and wait/hope… – Rely on VO frameworks or central services Vincent Brillault, CERN/EGI-CSIRT4 Current situation GDB Mars 2015, Amsterdam

5 New technology on the rise: – Virtualization & VMs: black boxes managed by VOs – Cgroups/namespaces: new isolation solution? Multi-user pilot-jobs on the decline VOs have large frameworks & log activity Vincent Brillault, CERN/EGI-CSIRT5 What’s “new” GDB Mars 2015, Amsterdam

6 Promising technology: cgroup & namespaces Explore new solutions: – Identify what needs to be isolated from users, e.g: Pilot job own credentials (if kept) VO logging facilities & framework callback (if any) – See if new technology can cover out needs – Identify/resolve OS dependencies (EL7+ ?) Accept a split log “responsibility” – When/where Who: Site + VO – When/where What: Site & VO We may be able to retire glExec and close this debate! Vincent Brillault, CERN/EGI-CSIRT6 “glExec” GDB Mars 2015, Amsterdam

7 Pilot jobs/VMs becoming black boxes – Site: Log externally observable behavior – VOs: Log what happens inside Identify how to keep site expertise: – Identify strange behaviors (e.g. Bitcoin mining) – Debugging/problem resolution Keep response capability: – User suspension: Service/endpoints: OK (x509 certificates/proxy) Shared resources (e.g. network): ?? – Properly integrate VOs in response procedures Vincent Brillault, CERN/EGI-CSIRT7 Black boxes GDB Mars 2015, Amsterdam

8 New model possible: – Consider pilot jobs/VMs as black box – Build and trust central security VO logs – Concentrate on unprivileged isolation There is a lot of questions, no clear solution yet VOs’ expertise needed: – Keep making sure pilot jobs are protected – How to take advantage of job frameworks Sites’ expertise needed: – What data/access/control is needed – What technology can be supported Vincent Brillault, CERN/EGI-CSIRT8 The future? GDB Mars 2015, Amsterdam

Download ppt "Traceability & isolation evolution Vincent BRILLAULT, CERN/EGI-CSIRT GDB Mars 2015, Amsterdam."

Similar presentations

Www.eu-eela.eu E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Towards A User-Centric Identity-Usage Monitoring System - ICIMP 2008 - Daisuke Mashima and Mustaque Ahamad College of Computing Georgia Institute of Technology.

Towards A User-Centric Identity-Usage Monitoring System - ICIMP Daisuke Mashima and Mustaque Ahamad College of Computing Georgia Institute of Technology.
National Energy Research Scientific Computing Center (NERSC) Computer Security – The New Threats Stephen Lau NERSC Center Division, LBNL June 24, 2004.

National Energy Research Scientific Computing Center (NERSC) Computer Security – The New Threats Stephen Lau NERSC Center Division, LBNL June 24, 2004.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.
JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.
Preliminary Conclusions VO Box Task Force GDB Meeting 5 april 2006.

Preliminary Conclusions VO Box Task Force GDB Meeting 5 april 2006.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.

Cloud Computing Security Keep Your Head and Other Data Secure in the Cloud Lynne Pizzini, CISSP, CISM, CIPP Information Systems Security Officer Information.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
Virtual Workspaces Kate Keahey Argonne National Laboratory.

Virtual Workspaces Kate Keahey Argonne National Laboratory.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks EGEE-EGI Grid Operations Transition Maite.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks EGEE-EGI Grid Operations Transition Maite.
LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 November 2007.

LCG Pilot Jobs + glexec John Gordon, STFC-RAL GDB 7 November 2007.

Similar presentations

Ads by Google