Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

Published byBrianna McCarthy Modified over 9 years ago

Similar presentations

Presentation on theme: "OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014."— Presentation transcript:

1 OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014

2 Key Initiatives Traceability for Certificate-Free Jobs – Working with GLOW. Finished a first pass at evaluating the Glow VO. – Only 3 submit nodes are managed by Glow. The rest is managed by individual PIs. – Issues: Have concerns over how well the PIs are managing security of their own nodes. Also it is not scalable to evaluate every single PI. Concerned about jobs submitted from the PI-managed nodes. Currently, they run at OSG sites other than Fermi. If anything goes wrong, will the PI be able to find the user and take action? Could Glow trace jobs back to a PI? We want to do an incident drill to check all of this. – Will initially allow only Glow managed submit nodes to submit certificate-free jobs. – Will think about PI managed nodes later. Need to consult with Fermilab security

3 Key Initiatives Reducing the number of Worker Node Certs – New initiative to analyze and reduce the number of worker node certificates. Glexec-gums authentication no longer requires a worker node cert. Hope to reduce certificate number by asking sites to use the new glexec. Got the breakdown of all host certs issued by OSG CA from OIM – 5000 total host certs (All numbers are rounded) – Fermi CMS Tier 1 as 1500 host certs – FermiCloud has 1000 host certs – Wisc Tier 2 has 500 host certs – The rest of the sites has anywhere between 20-50.

4 Key Initiatives Why some sites need so many certs: – Fermi CMS Tier 1 needed for the glexec requirement. They already siwtched to new glexec and will need only 500 certs for gridftp servers – FermiCloud needs it for each VM they have. They will continue to have this many certs – Wisc needs it for gridftp servers. We thought glexec requirement was the major reason for worker node certs. In fact only one site CMS tier 1 affected by that and they took action to reduce it. Gridftp servers seem to be the biggest cause now for the high number of certs. We have no more action items on this project. We also invite your help to understand why so many gridftp servers are needed on a site.

5 Key Initiatives OSG IdP and OSGConnect integration – Getting OSG users easily onboard with the OSGConnect project – OSG users will authenticate with OIM and take the authentication result to OSGConnect to prove their identity – Need an OSG IdP. – Soichi created a prototype and demonstrated that it works. – Security team evaluated the OSGConnect registration workflow and designed the interaction between OSG and OSGConnect. – Security team gave approval to move the prototype into production. The work will proceed according to GOC/Production calendar. On a separate note: while evaluating the OSGConnect registration workflow, we identified that we have to evaluate their job submission system and ensure that they have traceability and operational security in the system. The end users appear to log into the system via ssh username/passwd. We already requested restricted resource access for such users.

6 Key Initiatives Certificate-free access to storage – Very excited to start the work. – Goal is to do the same thing we did for the job submission. Access data without end user certs in a secure manner – In early stages but have some promising potential. – Almost all VOs have group-based access to data. A pilot can be assigned to each group to access on group’s behalf. While the jobs are running, pilot can access data securely. – The more problematic part is how to move the data to local storage once the analysis jobs are finished. – Working with storage experts to understand the technology and VO needs. – Significantly affect the identity management roadmap

7 CILogon Basic CA adoption Has been on the back burner because we give priority to certificate-free access. So far 6 sites accept these certificates: FNAL, BNL, Purdue, Wisconsin, sprace, UNL. These sites provide %40 to %45 of used wall clock time in OSG.

8 Other notable work items Continuing training for new VOs Security presentation at Hepix. Paper accepted at ISGC on our traceability work. Will submit a full paper. Operational security: – NTP DDOS attacks. Evaluated perfSonar security and sent out an announcement. – Evaluated changes to OASIS service. Will conduct a incident drill with GOC. Goal: how do we react if one of the nodes have compromised data?

9 Operational Security 1.Vulnerabilities: Many OSG resources have Java 6 running. No patches available for Java 6. Will ask sites to upgrade to Java 7. 2.SHA-2 transition is starting on Dec 1 st. CA will start issuing new SHA-2 compliant certificates after this date. 1.CMS is not ready to make the transition. Dcache problems with SHA-2. They need time to upgrade dcache. 2.CERN CA is not likely to make the transition soon. VOMRS does not work with SHA-2 certs. Until VOMRS is replaced by VOMS Admin 3.Security Controls and Assessment was completed. Now we are looking at the results and identify services/operations that need better security.

Download ppt "OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014."

Similar presentations

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.
Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.

Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.
Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.

Technology Steering Group January 31, 2007 Academic Affairs Technology Steering Group February 13, 2008.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Key Accomplishments and Work Plans OSG Security Team July 11, 2012.

Key Accomplishments and Work Plans OSG Security Team July 11, 2012.
SSC2 and Update on Multi-user Pilot Jobs Framework Mingchao Ma, STFC – RAL HEPSysMan Meeting 20/06/2008.

SSC2 and Update on Multi-user Pilot Jobs Framework Mingchao Ma, STFC – RAL HEPSysMan Meeting 20/06/2008.
Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.

Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.
OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.
CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
OSG Security Review Mine Altunay June 19, 2008. June 19, 2008 2 Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.
VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.

VOX Project Status T. Levshina. Talk Overview VOX Status –Registration –Globus callouts/Plug-ins –LRAS –SAZ Collaboration with VOMS EDG team Preparation.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

Similar presentations

Ads by Google