Presentation is loading. Please wait.

Presentation is loading. Please wait.

Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk.

Published byDylan McFarland Modified over 10 years ago

Similar presentations

Presentation on theme: "Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk."— Presentation transcript:

1 Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk

2 21 Jul 2009 Kelsey, Security Policy Overview Why do we need security policies? Joint Security Policy Group –The mandate –Interoperability is important! Overview of JSPG policies –Some example policies Future plans

3 31 Jul 2009 Kelsey, Security Policy Why do we need security policies? Management of IT security –All about management of risks and balancing with availability of services Having performed a risk analysis –Need a Security Plan to mitigate and manage those risks Security Plan includes various Controls –Technical –Operational –Management Security Policy is part of Management Controls (written documents)

4 4 Trust is important Trust is a relationship of reliance. A trusted party is presumed to seek to fulfill policies, ethical codes, law and their previous promises. (wikipedia)policiesethicallaw Trust is a prediction of reliance on an action, based on what a party knows about the other party. Trust is a statement about what is otherwise unknown -- for example, because it is far away, cannot be verified, or is in the future. 1 Jul 2009 Kelsey, Security Policy

5 51 Jul 2009 Kelsey, Security Policy Joint Security Policy Group This started as a WLCG activity in 2003 –LHC Grid (CERN) –To advise GDB and Deployment Manager On all matters related to security In 2004, EGEE started –JSPG remit expanded to cover both projects –Strong participation by OSG, NDGF, … Revised mandate (2008) –http://www.jspg.org/http://www.jspg.org/ –prepares and maintains security policies for its primary stakeholders (EGEE and WLCG) –also able to provide policy advice on any security matter Policies approved and adopted by Grid management

6 61 Jul 2009 Kelsey, Security Policy Policy Interoperability Wherever possible, JSPG aims to –prepare simple and general policies –applicable to the primary stakeholders, but –also of use to other Grid infrastructures (NGI's etc) The adoption of common policies by multiple Grids eases the problems of interoperability (and scaling) Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO) Other participants then know that their actions are already bound by the policies –No need for additional negotiation, registration or agreement

7 7 Interoperability (2) User registers (once) with his/her VO –Must accept Grid AUP Sites willing to delegate registration to VO knowing that VO procedures must follow same VO policy –And that User will have accepted AUP The use of common policies –Allow VOs to easily use resources in multiple Grids as move to EGI in Europe, for example Other Grids are welcome to use our policies –With appropriate acknowledgements! 1 Jul 2009 Kelsey, Security Policy

8 8 Overview of JSPG Policies 1 Jul 2009 Kelsey, Security Policy

9 91 Jul 2009 Kelsey, Security Policy Grid Security Policy The main policy document https://edms.cern.ch/document/428008/ To fulfil its mission, it is necessary for the Grid to protect its resources. This document presents the policy regulating those activities of Grid participants related to the security of Grid services and Grid resources.

10 101 Jul 2009 Kelsey, Security Policy Grid Security Policy (2) Objectives –This policy gives authority for actions which may be carried out by certain individuals and bodies and places responsibilities on all participants. Scope –This policy applies to all participants. Every site participating in the Grid autonomously owns and follows their own local security policies with respect to the system administration and networking of all the resources they own, including resources which are part of the Grid. This policy augments local policies by setting out additional Grid-specific requirements.

11 111 Jul 2009 Kelsey, Security Policy Grid Security Policy (3) Additional Policy documents –Appendix 1 defines additional policy documents which must exist for a proper implementation of this policy. These documents are referred to in section 2. Roles and Responsibilities: Participants –Grid Management –Grid Security Officer & Grid Security Operations –Virtual Organisation Management –Users –Site Management –Resource Administrators

12 121 Jul 2009 Kelsey, Security Policy Grid Security Policy (4) Limits to Compliance –Wherever possible, Grid policies and procedures are designed so that they may be applied uniformly across all sites and VOs. If this is not possible, for example due to legal or contractual obligations, exceptions may be made. Such exceptions must be justified in a document submitted to the Grid Security Officer for authorisation and, if required, approval at the appropriate level of management. –In exceptional circumstances it may be necessary for participants to take emergency action in response to some unforeseen situation which may violate some aspect of this policy for the greater good of pursuing or preserving legitimate Grid objectives. If such a policy violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of the management commensurate with taking the emergency action promptly, and the details notified to the Grid Security Officer at the earliest opportunity.

13 131 Jul 2009 Kelsey, Security Policy Grid Security Policy (5) Sanctions, Liability, Disputes and Intellectual Property Rights –Sites or resource administrators who fail to comply with this policy in respect of a service they are operating may lose the right to have that service instance recognised by the Grid until compliance has been satisfactorily demonstrated again. –Users who fail to comply with this policy may lose their right of access to and/or collaboration with the Grid, and may have their activities reported to their home institute or, if those activities are thought to be illegal, to appropriate law enforcement agencies. –VOs which fail to comply with this policy, together with all the users whose rights with respect to the Grid derives from that VO, may lose their right of access to and/or collaboration with the Grid. –The issues of liability, dispute resolution and intellectual property rights, all of which may be Grid-specific, should be addressed in the additional policy documents.

14 141 Jul 2009 Kelsey, Security Policy Security Policy Site & VO Policies Certification Authorities Traceability and Logging Security Incident Response Accounting Data Privacy Pilot Jobs and VO Portals Grid & VO AUPs JSPG Security Policies

15 151 Jul 2009 Kelsey, Security Policy Sites Operations Policy Accepted and signed by authorized person during registration of Site with the Grid https://edms.cern.ch/document/819783

16 161 Jul 2009 Kelsey, Security Policy VO Operations Policy Accepted and signed by authorized person during registration of VO with the Grid https://edms.cern.ch/document/853968

17 171 Jul 2009 Kelsey, Security Policy Grid AUP Acceptable Use Policy Accepted by User during registration with VO https://edms.cern.ch/document/428036

18 181 Jul 2009 Kelsey, Security Policy Current JSPG work Two revised policies awaiting formal approval and adoption Virtual Organisation Registration Security Policy https://edms.cern.ch/document/573348/8 http://www.jspg.org/wiki/VO_Registration_Policy Virtual Organisation Membership Management Policy https://edms.cern.ch/document/428034/3 http://www.jspg.org/wiki/VO_Membership_Management_Policy Three new policies are in final call Grid Policy on the Handling of User-Level Job Accounting Data VO Portal Policy Security Incident Response Policy

19 191 Jul 2009 Kelsey, Security Policy Future JSPG plans Revise the Grid User AUP –Some Grids use it but have modified our text –Explore why and standardise where possible DEISA, TeraGrid, EU infrastructures, national Grids, … Revise policy framework during next 6 months –More simple, general and consistent –More applicable to EGI world –Broaden the membership – include more NGIs and other Grids Other Grids, volunteers and interested parties welcome

20 201 Jul 2009 Kelsey, Security Policy JSPG Meetings, Web etc Meetings - Agenda, presentations, minutes etc http://indico.cern.ch/categoryDisplay.py?categId=68 JSPG Web sites http://www.jspg.orghttp://www.jspg.org and http://proj-lcg-security.web.cern.ch/ Membership of the JSPG mail list is closed, BUT –Volunteers to work with us are always welcome! Policy documents at http://www.jspg.org andhttp://www.jspg.org http://proj-lcg-security.web.cern.ch/proj-lcg- security/documents.html

21 211 Jul 2009 Kelsey, Security Policy Where are JSPG security policies? http://www.jspg.org/wiki/JSPG_Docs http://proj-lcg-security.web.cern.ch/proj-lcg- security/documents.htmlhttp://proj-lcg-security.web.cern.ch/proj-lcg- security/documents.html https://edms.cern.ch/nav/CERN-0000022711

22 221 Jul 2009 Kelsey, Security Policy Security Policies adopted by EGEE and GridPP? http://osct.web.cern.ch/osct/policies.html http://www.gridpp.ac.uk/deployment/security/ policies/index.htmlhttp://www.gridpp.ac.uk/deployment/security/ policies/index.html

23 1 Jul 2009Kelsey, Security Policy Discussion

Download ppt "Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk."

Similar presentations

An open source approach for grids Bob Jones CERN EU DataGrid Project Deputy Project Leader EU EGEE Designated Technical Director

An open source approach for grids Bob Jones CERN EU DataGrid Project Deputy Project Leader EU EGEE Designated Technical Director
Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.

Grid Security Policy GridPP18, Glasgow David Kelsey 21sr March 2007.
5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK

5-Dec-02D.P.Kelsey, GridPP Security1 GridPP Security UK Security Workshop 5-6 Dec 2002, NeSC David Kelsey CLRC/RAL, UK
LCG/EGEE/OSG Security Incident Response Grid Operations workshop CERN, 2 November 2004 David Kelsey CCLRC/RAL, UK

LCG/EGEE/OSG Security Incident Response Grid Operations workshop CERN, 2 November 2004 David Kelsey CCLRC/RAL, UK
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security - the Grid View The Good, the Bad.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security - the Grid View The Good, the Bad.
9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.

9/25/08DLP1 OSG Operational Security D. Petravick For the OSG Security Team: Don Petravick, Bob Cowles, Leigh Grundhoefer, Irwin Gaines, Doug Olson, Alain.
LCG-France Project Status Fabio Hernandez Frédérique Chollet Fairouz Malek Réunion Sites LCG-France Annecy, May 18-19 2009.

LCG-France Project Status Fabio Hernandez Frédérique Chollet Fairouz Malek Réunion Sites LCG-France Annecy, May
Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.

Authorization WG Update David Kelsey EU Grid PMA, Copenhagen 27 May 2008.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group Summary EGI TF David Kelsey 6/28/2015 1.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group Summary EGI TF David Kelsey 6/28/
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.

Trust and Security for FIM (Sirtfi/SCI) David Kelsey (STFC-RAL) FIM4R at CERN 4 Feb 2015.
RomeWorkshop on eInfrastructures 9 December 2003 - 1 LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.

RomeWorkshop on eInfrastructures 9 December LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Security Policy Group EGI Technical Forum Sep 2010 David Kelsey.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.

JSPG: User-level Accounting Data Policy David Kelsey, CCLRC/RAL, UK LCG GDB Meeting, Rome, 5 April 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE EGEE/LCG Joint Security Policy Group David Kelsey, CCLRC/RAL, UK EGEE.

INFSO-RI Enabling Grids for E-sciencE EGEE/LCG Joint Security Policy Group David Kelsey, CCLRC/RAL, UK EGEE.

Similar presentations

Ads by Google