LCG Security Status and Issues


1 LCG Security Status and Issues
Ian Neilson, Grid Deployment Group, CERN
LHCC 15 November,

2 LCG Security Status and Issues
Overview
- Security Policy
  - Joint Security Policy Group
- Authentication & Authorization Infrastructure
  - International Grid Trust Federation
  - LHC Experiment Virtual Organisations
- Operational Security
  - Operational Security Coordination Team
  - Incident Response Planning
  - Security Monitoring Tools
  - Security Service Challenges
- plus some related activities

3 Security Policy: Joint Security Policy Group
- LCG & EGEE with strong input from OSG
- Policy Set
  - Security & Availability Policy
  - Usage Rules
  - Certification Authorities
  - Audit Requirements
  - Incident Response
  - User Registration & VO Management
  - Application Development & Network Admin Guide
  - VO Security

4 Security Policy: Policy Revision In Progress/Completed
- Grid Acceptable Use
  - common, general and simple AUP for all VO members using many Grid infrastructures
    - EGEE, OSG, SEE-GRID, DEISA, national Grids…
- VO Security
  - responsibilities for VO managers and members
  - VO AUP to tie members to Grid AUP accepted at registration
- Incident Handling and Response
  - defines basic communications paths
  - defines requirements (MUSTs) for IR
    - reporting
    - response
    - protection of data
    - analysis
  - not to replace or interfere with local response plans

5 Security Policy: Issues
- Can generic ‘simple’ policies be binding?
  - can they protect across legislative domains?
- Release of accounting data
  - some site policies restrict release of per-user data
  - legal implications of EU directives on privacy
  - needed to properly manage and account to VOs
- More policy updates needed but revision process is slow
  - top-level security and availability policy
  - new policy for Data Handling/Protection needed
- Depth of policy review and discussion varies
- Risk Analysis should be repeated

6 Authentication Infrastructure
- IGTF – International Grid Trust Federation
  - LCG currently accepts certificates from EUGridPMA CAs plus FNAL Kerberized CA
  - IGTF officially formed at GGF15
    - 3 regional PMAs: Europe, Asia Pacific, Americas
    - addresses scalability issues felt by EUGridPMA
  - separate the management of authentication profiles
    - EUGridPMA: ‘classic’ CA
    - TAGPMA: Short-lived Credential Generation Services
    - brings FNAL KCA under an IGTF profile
    - in future for myproxy and Shibboleth based services
- For LCG – “relying parties”
  - what service is expected beyond credential issuing?
    - revocation processing
  - CA world is still “settling down”, will it stabilize?
    - move from grid sites to NRENs

7 Authorization Infrastructure
- LHC Experiment Virtual Organisations
  - VO Management service now deployed in beta at CERN
    - VOMRS registration interface – good collaboration with FNAL
    - Managed CERN Oracle service DB
    - All 4 LHC experiments
  - Back-end tied to CERN HR database view (ORGDB)
    - allows use of existing exp. registration
    - relies on membership lifecycle maintenance!
    - but VO manager retains control e.g.

8 Authorization Infrastructure
- VOMS+VOMRS gives managed VO group+role flexibility BUT
  - grid service authorization now based on simple group/role only
  - authorization workshop discussed near-term requirements – SC4
- VO Management and Authorization Services
  - Critical service but has been hard to deploy
    - HR interface
    - Oracle support
    - gLite packaging
  - Limited experience in real operation
    - Debug
    - Performance

9 Operational Security Coordination Team
- OSCT membership = EGEE ROC security contacts
- What it is not:
  - Not focused on middleware security architecture
  - Not focused on vulnerabilities
    - Vulnerabilities Group formed and operational
- Focus on Incident Response Coordination
  - Assume it’s broken, how do we respond?
  - Planning and Tracking
- Focus on ‘Best Practice’
  - Advice
  - Monitoring
  - Analysis
- Coordinators for each EGEE ROC plus OSG LCG Tier 1 + Taipei

10 Operational Security Coordination Team
Incident Response Monitoring Tools Security Service Challenge Policy HANDBOOK Procedures Resources Reference Playbook Infrastructure Agents Deployment SSC1 - Job Trace SSC2 - Storage Audit Infrastructure

11 Operational Security Coordination Team
- Incident Response issues
  - Contact management
    - Use of site registration process and GOCDB
  - Shift from site-based to regional/grid coordination
    - Operational role for OSCT
    - Live incident
  - Lack of real incident experience
    - incidents WILL happen and they WILL be disruptive
    - OSCT can plan BUT cannot anticipate all eventualities
  - Lack of dedicated resources
    - Should be provided by EGEE-II
  - NREN CSIRTs – overlap of IR activities
    - understanding how/when/if to use
- Security Service Challenges
  - Lessons from SSC1
  - Plan for SSC2 (storage) and beyond

12 LCG Security Status and Issues
- Related activities
  - Optical Private Network Security
    - Working group formed by GDB
  - Disaster Recovery Planning
    - Recent presentations at HEPiX and EGEE-4
  - ISSeG
    - Proposed EU-funded project on Integrated Site Security for Grids
    - CERN/Openlab lead

13 Thank You

