
1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Operational Security Coordination Team Ian Neilson, SA1 EGEE-II conference, Geneva, 2006

2 OSCT Overview
– Policy Environment
  • Incident Handling and Response Guide
– Security Contact Management
– OSCT-1 Meeting
– GGUS Security Support Unit
– OSCT & Incident Handling
– Security Service Challenges
– Some Issues
– NRENS
– ISSeG
– Tools

3 OSCT - Incident Response Guide
The Incident Handling and Response Guide
– Common policy for LCG, EGEE, OSG
  • https://edms.cern.ch/document/428035
– What it mandates (MUST do’s)
  • REPORT : RESPOND : PROTECT INFORMATION : ANALYSE
Reporting
– Provide contact information
  • Individual contacts
  • Monitored list (optional but HIGHLY desirable)
  • Management now through GOCDB
– Reports go through LOCAL site security
  • = sites should have local plan
  • Does NOT replace or interfere with local plans
– Report to project-{lcg,egee}-security-csirts.at. cern.ch
  • Incident notification only, no chat
  • Discussion to project-{lcg,egee}-security-contacts.at. cern.ch

4 OSCT - Security Contact Management
Site Registration
– JSPG Policy - https://edms.cern.ch/document/503198
  • The name, email address and telephone number of the Site Security Contact.
  • …
  • The email address of a managed list for contact with the site security incident response team.
Site entry of data into GOCDB
Should be provided before site is approved
Individual Contacts have GOCDB ‘role’ of Security Contact
– View restricted to same site, other Sec. Contacts, Managers, …
Populating IR lists
– CSIRT emails loaded to incident report list
– CONTACT emails loaded to discussion list
– Still a manual periodic operation
Some (many) missing CONTACTS
Always some dead entries

5 OSCT - OSCT-1 Meeting
OSCT-1 meeting @ CERN, June 2006
– To more clearly define
  • WHO is the OSCT
  • WHAT the OSCT does
  • What LINKS the OSCT has with other groups
– Define some basic responsibilities
– Update on current activities
– Near-term actions
9 out of 11 ROCs came

6 What the OSCT does?
EGEE-II has a ROC-centric support model
– From the EGEE-II Technical Annex ROC responsibilities
  • Responsible for ensuring that operational problems in the region or in resource centres in the region are resolved and followed-up. The ROC owns the operational problems and is responsible for them;
  • Coordinate Grid security in the region; provide incident response teams (with members from the sites);
– Operational support
  • Tickets raised from several sources (may result in Incident)
    • ROC-on-duty process (SFT/SAM)
    • GGUS Ticket Process Management (TPM) (User/VO)
– Incident Support
  • Incident Handling Guide
    • CSIRTS and CONTACTS lists
– Representation of Operations Security in/to other groups
  • MWSG, GSVG, JSPG, SCG
  • ‘attitude’ of sites in the region to security developments
  • peer grids, NRENS

7 Operations Support Model
[Diagram: Regional Operations Centres, each with its Resource Centres; Grid Operator on-duty; "ROC and Site work to resolve the problem"; OSCT; Peer Grids]

8 OSCT - Security Support Unit
OSCT and GGUS Support
– All ROCs register generic address of regional security support team
  • project-egee-security-support.at. cern.ch
– Trouble tickets raised from any source: user, VO, site, …
  • Could be an incident (but should be reported to site sec. contact)
– Responsible ROC unit takes ownership (assigns to self)
  • From affected site.
OSCT “duty contact” (OSCT-DC)
– To act as safety net for unassigned/idle problems
  • Does not deal with problems. Routing and negotiation role.
– Follows same ROC rotation as ROC-on-duty
– Monitor ‘unstructured’ data sources: rollout list, weekly operations meeting
– Escalation to incident handling process

9 OSCT - Incident Handling
Flat incident reporting structures
– Computer Security Incident Response Teams
– Computer Security Contacts
– Responsibilities on the reporter for follow-up
What is the role for the OSCT?
  • At times when a Team Leader should be required to coordinate response (Section 6.2) it is expected that this will initially be organised between the reporting site(s) and the Regional Operations Centre (ROC) security contact(s). The ROC contact will ensure that an appropriate mailing list is available and populated for incident follow-up.
Incident Team needs -
– Clear process for formation to avoid confusion/duplication
  • Responsibilities should be clear
– Basic facilities to be available –
  • Access to contacts
  • Access to communications channels
  • Access to expertise
– To communicate
  • Report to sites (contacts)
  • Report to management

10 OSCT – Incident Handling
Responsibilities must be clear:
Ownership
  1. Regional ROC contact
  2. OSCT-DC or backup
  3. Other OSCT
– Announced to OSCT Core, followed by general notice
  • Can be delegated if appropriate but must be clearly notified
– OSCT contact is not always the TEAM leader but is responsible
Access to contacts
– GOCDB
Communications
– OSCT to maintain –
  • Email (?authentication)
  • IM id’s
  • Telephone details
  • Per-ROC telephone conference facilities/details
– We must test these regularly!!

11 OSCT – Some Issues
Incident follow-up can be VERY time consuming
– Do we retain the resources and expertise?
– Tools to help?
“Grid” incidents and “non-grid” incidents
– Can we really draw a boundary (should we) ?
– Confusion over whether to report
Must encourage a culture of reporting
– Must keep the “noise” to acceptable levels
  • Off-topic chat, SPAM
Must prevent unintended leakage
– Can be damaging and discourage reporting
  • e.g. onto public web mail archives
Can we deploy fixes or mitigation fast enough?

12 OSCT – Security Service Challenges
Service Challenge 1 review
– Summary of OSCT presentation by Pal Andersen
  • https://twiki.cern.ch/twiki/bin/view/LCG/LCGSecurityChallenge
– Principal site of each ROC challenged: June 2005
  • 9 of 11 ROCs were able to respond
  • Debriefing report out: August 2005
– Challenge passed over to the ROCs: 14 October 2005
  • Response from the first ROC: November 2005
  • First reminder sent: 9 January 2006
    • 1 incorrect Security Contact, 4 acknowledgements
  • Escalation reminder sent: 3 February 2006
    • 1 additional acknowledgement
– Status: 30 April 2006
  • 9 of 11 ROCs executed the challenge
  • ~130 sites out of ~190 have responded, ~68%

13 OSCT – Security Service Challenges
Service Challenge 2 plans
– Traceability of storage operations
– Three pieces of information will be provided to the challenged site:
  • A time interval (~ 15 minutes)
  • The Distinguished Name (DN) used by the challenger
  • The Worker Node (WN) from which operations were executed
– The question asked is:
  • What sequence of storage operations affected which files?
– Delay because some logging clearly absent from configuration.
Has a long cycle time ~ 1 year
– This should speed up with practice
What to challenge next ?
– Apart from the real ones!
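An added example, not part of the original slides: one way a site could answer the Service Challenge 2 question (time interval, DN and WN in; per-file sequence of storage operations out) from its own logs. The key=value log format, field names, DN and host names are constructed for illustration and do not match any particular storage element.

```python
import shlex
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%SZ"
CHALLENGE_DN = "/C=XX/O=Example/CN=Challenger"   # constructed DN
CHALLENGE_WN = "wn042.example.org"               # constructed worker node

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2006-09-25T10:01:12Z op=put dn="/C=XX/O=Example/CN=Challenger" client=wn042.example.org path=/grid/chal/a.dat
2006-09-25T10:03:40Z op=get dn="/C=XX/O=Example/CN=Someone Else" client=wn042.example.org path=/grid/other/b.dat
2006-09-25T10:05:02Z op=get dn="/C=XX/O=Example/CN=Challenger" client=wn042.example.org path=/grid/chal/a.dat
2006-09-25T10:07:30Z op=delete client=wn042.example.org path=/grid/chal/a.dat
2006-09-25T10:09:00Z op=put dn="/C=XX/O=Example/CN=Challenger" client=wn017.example.org path=/grid/chal/c.dat
2006-09-25T10:20:00Z op=delete dn="/C=XX/O=Example/CN=Challenger" client=wn042.example.org path=/grid/chal/a.dat
"""


def trace(log_text, start, minutes, dn, wn):
    """Return ({path: [(time, op), ...]}, [lines in the window lacking dn/client])."""
    end = start + timedelta(minutes=minutes)
    by_file, unattributable = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = shlex.split(line)          # shlex keeps quoted DNs whole
        when = datetime.strptime(stamp, TS)
        if not (start <= when < end):
            continue
        rec = dict(p.partition("=")[::2] for p in pairs)
        # Records without a DN or client host cannot be tied to anyone: this
        # is the "logging absent from configuration" gap the slide mentions.
        if "dn" not in rec or "client" not in rec:
            unattributable.append(line)
            continue
        if rec["dn"] == dn and rec["client"] == wn:
            by_file.setdefault(rec.get("path", "?"), []).append((when, rec.get("op", "?")))
    for ops in by_file.values():
        ops.sort()
    return by_file, unattributable


if __name__ == "__main__":
    files, gaps = trace(SAMPLE_LOG, datetime(2006, 9, 25, 10, 0), 15, CHALLENGE_DN, CHALLENGE_WN)
    for path, ops in files.items():
        print(path, [(t.strftime("%H:%M:%S"), op) for t, op in ops])
    print("unattributable records in window:", len(gaps))
```

The second return value matters as much as the first: any record inside the window that lacks a DN or client host is one the site cannot attribute, so the answer to the challenge is incomplete until that logging is configured.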

14 OSCT - ISSeG
Grid Security depends on site security
EU-funded ISSeG project - Integrated Site Security for Grids
Milestones & achievements
– Integrated Site Security deployments at CERN & FZK sites progressing well
– Input for recommendations is being collected from deployment experience
– Training and dissemination plan is being created
– Web site is active: http://www.isseg.eu
– Information sheets are published
Issues
– Currently discussing scope of site security assessments/audits with the EU
Plans
– 2 year project (February 2006 – January 2008)
– To document experience with Integrated Site Security: combining technical, administrative and educational security solutions relevant for academic and research sites
– To disseminate recommendations and training to Grid sites for improving site security based on a practical approach and best practices, to complement work on Grid security:
– Strengthening general site security helps to protect Grids.

15 OSCT - NRENS
NRENS
– More involved in regional grid infrastructure projects
  • SWITCH, RedIRIS, DFN, ….
– Existing CSIRTs network
– Terena workshop focus on security – April 2006
  • http://www.terena.nl/activities/nrens-n-grids/workshop-03/
– Still not clear how to link up with EGEE/LCG security
  • “…vital that the Grid community experts and NREN CERT teams develop collaborative links and formal communications links.” – Workshop Report

16 OSCT - Tools
There is lots that can be done and discussed
Monitoring
– Sites using Pakiti for patch monitoring
– Logging and auditing services
  • e.g. central syslog servers
  • (see also Security For Open Science proposal Monday’s EGEE/OSG meeting)
– Firewall configuration
  • Local and ?grid
Testing
– ? SAM for security testing

17 OSCT Thank You

