Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon.

Published byBernice Harrell Modified over 8 years ago

Similar presentations

Presentation on theme: "Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon."— Presentation transcript:

1 Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon

2 Current model Changing technology Evolving trust fabric Changing threat landscape Possible ways forward 2 Overview 1st February 2016, Security Challenges for WLCG

3 Traceability not control Relationship between sites and VOs and users is based on trust – This works pretty well Incident response based on sites & collaboration CSIRT teams All traceability information (in theory) at sites – Central loggers – But in practice, must contact VO to identify so be able to suspend credential associated with problematic activity Anonymous pilot jobs but separation & traceability supported by glexec – again in theory – After 10 years still not used universally – Not really ‘loved’ by either sites or VOs 3 Current model 1st February 2016, Security Challenges for WLCG

4 Increasing use of virtualisation and containers – VMs on cloud platforms – Containers within ‘traditional’ batch systems – Who maintains the VMs/containers? Should strive for best management – tools to streamline Offers alternate route to job separation Removes direct access to & trust of execution environment. – May no longer be able to trust logs Makes maintenance of underlying OS easier for sites – But they pick up complexity of cloud management frameworks On plus side these have much larger communities behind them than grid software. Technology & VO workflow changes create constant pressure on incident response teams – Emergence of cloud technologies a particular challenge 4 Changing technology 1st February 2016, Security Challenges for WLCG

5 Federated identity management promises huge potential benefits – as well as bringing with it not a few challenges Will take significant changes at all levels But mixing assurance from different sources (not just CAs) will bring benefits – Not least making it easier to co-exist in a world where WLCG is one among many large users of distributed infrastructure Eduroam example is instructive – The benefits are now obvious - it is really convenient – But it has been quite a bumpy ride 5 Evolving trust fabric 1st February 2016, Security Challenges for WLCG

6 Rise of organised, very businesslike cybercriminals – They no longer ignore us – Sophisticated, targeted attacks – especially phishing Identity/personal information is now the major target – Federation just increases the cost of compromised credentials Our infrastructure itself may be ‘secure enough’ – The challenge now to protect our people As we move to more standard software & interfaces attack surface is also more standard – Much of the effort that used to go into making our bespoke software more secure will be needed protecting ‘standard’ software & interfaces Most incidents are discovered through external reports – Must improve our ability to exchange intelligence with other communities (industry, law enforcement, etc.) 6 Changing threat landscape 1st February 2016, Security Challenges for WLCG

7 Treat VMs/containers as processes – Shift focus to externally observable behaviour Logs from inside VMs not as trustworthy – Better logging of network flows – often neglected – may have implications for network hardware choices and costs ‘Big data’ tools for storing, aggregating, searching larger volumes of data – Security Operations Centre – Significant effort to deploy – Can we develop an ‘appliance’ for this (similar to what Perfsonar does for network monitoring) Can we then ‘forget’ about glexec? 7 Ways forward I 1st February 2016, Security Challenges for WLCG

8 Bring VOs more fully into incident response process Improve the capability for collaboration traceability? – Better intrumenting VO frameworks to (centrally?) log data – Can we take advantage of VOs being based at CERN to ingest appropriate traceability data directly into the SoC as it develops? More emphasis on protecting people in order to protect our infrastructure – Phishing, sharing threat & incident intelligence Put effort in to supporting & exploiting federated identity management – not forgetting impacts on traceability and incident response 8 Ways forward II 1st February 2016, Security Challenges for WLCG

9 Separation via VMs/containers – drop glexec Invest in deploying ‘big data’ tools for managing traceability data Invest in better intelligence/trust links with other communities Embrace global & federated identity management 9 Summary 1st February 2016, Security Challenges for WLCG

10 Over to the others 10

Download ppt "Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon."

Similar presentations

Tier-1 Evolution and Futures GridPP 29, Oxford Ian Collier September 27 th 2012.

Tier-1 Evolution and Futures GridPP 29, Oxford Ian Collier September 27 th 2012.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
Building the Ultimate IT Portfolio from Scratch Peter Grant Advisor, IBRS 0417 005 500.

Building the Ultimate IT Portfolio from Scratch Peter Grant Advisor, IBRS
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
Open Cloud Sunil Kumar Balaganchi Thammaiah Internet and Web Systems 2, Spring 2012 Department of Computer Science University of Massachusetts Lowell.

Open Cloud Sunil Kumar Balaganchi Thammaiah Internet and Web Systems 2, Spring 2012 Department of Computer Science University of Massachusetts Lowell.
Constellation Technologies Providing a support service to commercial users of gLite Nick Trigg.

Constellation Technologies Providing a support service to commercial users of gLite Nick Trigg.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Operational Security OSCT JSPG March 2006 Ian Neilson, CERN.

INFSO-RI Enabling Grids for E-sciencE Operational Security OSCT JSPG March 2006 Ian Neilson, CERN.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Strategic Information Systems Planning

Strategic Information Systems Planning
WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.

WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ WHEN TITLE IS NOT A QUESTION N O ‘WE CAN’ Identity and Privacy: the.
David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.

David Groep Nikhef Amsterdam PDP & Grid Traceability in the face of Clouds EGI-GEANT Symposium – cloud security track With grateful thanks for the input.
Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.

Climate Sciences: Use Case and Vision Summary Philip Kershaw CEDA, RAL Space, STFC.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Alert Logic Security and Compliance Solutions for vCloud Air High-level Overview.

Alert Logic Security and Compliance Solutions for vCloud Air High-level Overview.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager

Responsibilities of ROC and CIC in EGEE infrastructure A.Kryukov, SINP MSU, CIC Manager Yu.Lazin, IHEP, ROC Manager
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

Similar presentations

Ads by Google