Download presentation
Presentation is loading. Please wait.
Published byLaurence Dalton Modified over 9 years ago
1
9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk
2
9-Oct-03D.P.Kelsey, LCG-GDB-Security2 Overview Just one topic LCG Security and Availability Policy –Draft 3 presented at 9 th Sep 03 GDB –Aiming for approval at this meeting This draft (V4b) produced on 30 th Sep Security Group meetings (also working on risk analysis) –10 th September 2003 –24 th September 2003 http://agenda.cern.ch/displayLevel.php?fid=68
3
9-Oct-03D.P.Kelsey, LCG-GDB-Security3 Changes since last GDB “LCG Security and Availability Policy” –Trevor Daniels (GOC task force) is main author –In collaboration with Security Group Incorporated comments made last month by GDB –Ownership –Role of home employing institute –No personnel screening Lots of minor changes –To make document clearer –Changed document template to LCG SEC format Also distributed V4b to Site Security contacts –but no feedback to date
4
9-Oct-03D.P.Kelsey, LCG-GDB-Security4 Section 1: Objectives and Scope Objectives –Agreed set of statements –Attitude of the project towards security and availability –Authority for defined actions –Responsibilities on individuals and bodies Promote the LHC science mission Control of resources and protection from abuse Minimise disruption to science Obligations to other network (inter- and intra- nets) users Broad scope: not just hacking Maximise availability and integrity of services and data Resources, Users, Administrators, Developers (systems and applications), and VOs Does NOT override local policies Procedures, rules, guides etc contained in separate documents
5
9-Oct-03D.P.Kelsey, LCG-GDB-Security5 Section 1: Ownership, maintenance and review The Policy is –Prepared and maintained by Security Group and GOC –Approved by GDB –Formally owned and adopted as policy by SC2 Technical docs implementing or expounding policy –Procedures, guides, rules, … –Owned by the Security Group and GOC timely and competent changes GDB approval for initial docs and significant revisions –Must address the objectives of the policy Review the top-level policy at least every 2 years –Ratification by SC2 via GDB if major changes required
6
9-Oct-03D.P.Kelsey, LCG-GDB-Security6 Section 2: LCG services and resources Definition of … Resources –Equipment, software, data Services –Defined by GOC web-site –example list defined
7
9-Oct-03D.P.Kelsey, LCG-GDB-Security7 Section 3: Roles and Responsibilities LCG Organisation VOs –Acts with LCG Organisation, sites and home institutes of users Sites Resource Administrators Users Developers GOC Some examples here. Details in associated documents
8
9-Oct-03D.P.Kelsey, LCG-GDB-Security8 Section 4: Physical security Expected to be covered by site local policy and practices –Should aim to reduce the risks Should be consistent with the SLA defined by the resource administrator
9
9-Oct-03D.P.Kelsey, LCG-GDB-Security9 Section 5: Network security Covered by local site policy –Should aim to reduce risks Again consistent with SLA LCG policy to reduce the risk exposed by applications which need to communicate across the Internet, BUT Firewalls required to allow transit of inbound and outbound packets to/from some port numbers
10
9-Oct-03D.P.Kelsey, LCG-GDB-Security10 Section 6: Access Control Global components of the common grid security infrastructure must be deployed by all sites and resources Additional local components allowed Resource providers and Users must comply with all relevant associated documents
11
9-Oct-03D.P.Kelsey, LCG-GDB-Security11 Section 7: Compliance Require Site self-audit at least every 2 years –Check policy (and associated procedures and practices) is being followed Independent audit (by or for GOC) allowed if –Self audit not performed –Not following policy –At random Audit summaries to be published (by GOC) Emergency exceptions allowed –Time-limited, authorised and GOC informed
12
9-Oct-03D.P.Kelsey, LCG-GDB-Security12 Section 8: Sanctions Sanctions defined for failure to comply Sites or admins –remove services Users, Admins, Developers –remove right of access –May have activities reported to home institute or to law enforcement agencies –Appropriate body will decide course of action Responsibility of the VO to define the body VOs –Remove right of access for them and all their users
13
9-Oct-03D.P.Kelsey, LCG-GDB-Security13 Section 9: Associated documents User Registration and VO Management (exists) Rules for use of LCG-1 (exists) Procedures for Resource Administrators Approval of LCG CA’s (exists) Guide for network administrators Procedures for site self-audit SLA Guide Incident Response (exists) Audit Requirements (exists)
14
9-Oct-03D.P.Kelsey, LCG-GDB-Security14 Issues since 30 th Sep We use the term GOC in the singular –Means the GOC “service” i.e. several GOC’s Assumes that sites join LCG –How can we cope with other Grids offering resources, but not part of LCG? We need to require they agree to our policy
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.