Presentation is loading. Please wait.

Presentation is loading. Please wait.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Published byTayler Cuthbertson Modified over 9 years ago

Similar presentations

Presentation on theme: "Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the."— Presentation transcript:

1 Science Gateway Security Recommendations Jim Basney jbasney@illinois.edu Von Welch vwelch@indiana.edu This material is based upon work supported by the National Science Foundation under grant numbers 1127210 and 1234408.

2 Science Gateway Security Concerns Confidentiality of pre-publication research data Integrity of research results Availability of services Provide trustworthy service to researchers Maintain trust of resource providers Use resources in compliance with policies Each science gateway is unique Assess risks to determine appropriate mitigations Risk = Likelihood x Impact sciencegatewaysecurity.org | trustedci.org

3 Science Gateway Risk Factors small, closely-knit user community public data (sky survey data) internal resources focused functionality large, distributed, open user community sensitive data (personal health info) external resources wide range of user capabilities sciencegatewaysecurity.org | trustedci.org less riskmore risk

4 Science Gateways and Resource Providers Deployment models include: Dedicated: Resources managed by science gateway Science Gateway sets its own policies Example: Rosetta Online Server That Includes Everyone (ROSIE) Transparent: Providing a new interface to existing resources Users have accounts on existing resources Example: TeraGrid Visualization Gateway Tiered: Science Gateway manages resource allocation Science Gateway manages its own users Using community account / robot certificate at resource provider May send per-user attributes to resource providers Examples: CIPRES, GENIUS sciencegatewaysecurity.org | trustedci.org

5 TeraGrid Science Gateway AAAA Model (2005) sciencegatewaysecurity.org | trustedci.org http://dx.doi.org/10.1145/1838574.1838576

6 Existing Security Recommendations Virtual Organization Portal Policy (EGI-InSPIRE SPG, 2010) Securing Science Gateways (Hazlewood and Woitaszek, 2011) sciencegatewaysecurity.org | trustedci.org

7 VO Portal Policy (EGI-InSPIRE SPG, 2010) sciencegatewaysecurity.org | trustedci.org General Conditions Limit job submission rate  Audit logging Assist in security incident investigations Securely store passwords, private keys, and user data https://documents.egi.eu/document/80

8 TeraGrid: Securing Science Gateways (Hazlewood and Woitaszek, 2011) Recommendations: Per-user accounting Limiting access at resource providers (restricted shell, grid interfaces) Separating per-user data from shared software and data Individual accounts for science gateway developers Short-lived certificates for remote access sciencegatewaysecurity.org | trustedci.org http://doi.acm.org/10.1145/2016741.2016781

9 Science Gateway User Authentication Why authenticate users? Access to external resources Personalization Maintaining state across sessions Accounting / tracking usage How to authenticate users? Outsourced: federated identities, identity as a service Internal: password DB managed by science gateway sciencegatewaysecurity.org | trustedci.org

10 Federated User Authentication Avoid managing user passwords! SAML: campus identities OpenID/OAuth: public identities Enables two-factor authentication sciencegatewaysecurity.org | trustedci.org

11 Passwords If your science gateway needs to handle user passwords: Protect passwords from online attack Use HTTPS Block brute-force attacks (e.g., Fail2Ban) Protect passwords from offline attack Store password hashes Use a strong hashing algorithm, with per-password salt Use existing password hashing implementation e.g., PHP password_hash() http://security.blogoverflow.com/2013/09/about-secure- password-hashing/ sciencegatewaysecurity.org | trustedci.org

12 Science Gateway Operational Security Prevent (eliminate) threats (when possible) Detect security incidents Respond effectively to security issues Goal: manage risks First Step: Early communication with local security staff Provide security services (monitoring, scanning, logging, etc.) Identify security policies and best practice recommendations tailored to your local environment Establish relationships now in case of security incident later sciencegatewaysecurity.org | trustedci.org

13 Respond/Recover Detect Prevent Basic Operational Security Checklist Software patching Control admin access Vulnerability scanning Firewalls Physical security File integrity checking Intrusion detection Log monitoring Centralized logging Secure backups sciencegatewaysecurity.org | trustedci.org

14 Continuous Software Assurance The Software Assurance Market Place (SWAMP) is a DHS S&T sponsored open facility to become operational in January 2014. It is driven by the goal to expand the adoption of software assurance (SwA) by software developers. The SWAMP will enable you to: Identify new (possible) defects in your software every time you commit a change Identify new (possible) defects in a software/library/module you are using every time a new version is released Track the SwA practices of your project While protecting your privacy and the confidentiality of your data. http://continuousassurance.org

15 Science Gateway Security: Community Resources http://trustedci.org/help http://sciencegatewaysecurity.org/discussion http://xsede.org/gateways sciencegatewaysecurity.org | trustedci.org

Download ppt "Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the."

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Controls for Information Security

Controls for Information Security

Similar presentations

Ads by Google