Published by Sandra Allison. Modified over 9 years ago.
1
Security
EGEE/SA1 ROC Managers ARM-3 meeting
Lyon, 17 March 2005
David Kelsey
CCLRC/RAL, UK
d.p.kelsey@rl.ac.uk
2
17-Mar-05 David Kelsey, Security, ARM-3

Aims
Status report on JSPG activities
  – and work with Open Science Grid (OSG)
Security Service Challenges
JRA3 deliverables
Authentication: CA PMAs
Security Best Practice/Guides
US HEP Cybersecurity workshop
GridPP work on Vulnerability analysis
Hopefully time for discussion!
3
Who does what?
EGEE JRA3
  – Responsible for EGEE Security
EGEE Middleware Security Group
  – JRA3, JRA1, SA1, NA4, Other projects
  – See JRA3 agenda page
LCG/EGEE Joint Security Policy Group (JSPG)
  – Reports to LCG GDB and EGEE ROC Managers
  – Cross participation with USA OSG
EGEE Operational Security Coord Team (OSCT)
  – Led by Ian Neilson (CERN) – Security Officer
  – All ROCs have a representative
  – Mail list exists (and used sometimes)
  – But not yet met
4
JSPG Policy/Procedures
Site Registration
Acceptable Use Policy (AUP)
  – For Users
  – For Sites (not today)
VO Security Policy
LHC Experiment User Registration (not today)
Security Incident Response
Have removed the 3 obsolete GOC “guides”
  – SLA, Self Audit, Resource Managers
Future work
5
Site Registration
Site Registration document (Maria Dimou)
  – Approved by GDB (yesterday)
  – https://edms.cern.ch/document/503198/
Discussed with ROC Managers many times
  – Many thanks for valuable input/comments
Final change was to remove all references to
  – Dispute escalation/resolution
  – Removal of sites (suspend or de-register)
6
AUP (Users)
Similar policy to OpenScienceGrid (these are their words)
  – Keep it short and simple (users may read)
(1) You may only perform work and store data consistent with the charters of the organizations of which you are a member, and only on resources authorized for use by those organizations.
(2) You will not attempt to circumvent administrative and security controls on the use of resources. If you are informed that some aspect of your grid usage is creating a problem, you will adjust your usage and investigate ways to resolve the complaint. You will immediately report any suspected compromise of your grid credentials (security@opensciencegrid.org) or suspected misuse of grid resources (abuse@opensciencegrid.org).
(3) Resource providers have the right to regulate access as they deem necessary for either operational or security-related reasons.
7
VO Security Policy
Draft document distributed this week (Ian N)
https://edms.cern.ch/document/573348/
VO Registration Requirements
  – Information that must be captured/maintained
VO Membership Policy
  – Clearly states the goals of the VO
  – Requires all members to act within constraints
  – Allows sites to decide whether to accept the VO
VO Community Responsibilities
  – Users and VO managers
VO membership rights
  – Use of resources
  – Privacy
8
Security Incident Response
Current policy/procedures
  – https://edms.cern.ch/document/428035/
Near future
  – Aim for common approach with OSG
  – With minimal changes
This was presented in EGEE-2 (Den Haag)
The OSG document is at http://computing.fnal.gov/cgi-bin/docdb/osg_public/ShowDocument?docid=19&version=2
9
JSPG future work
Complete VO Security Policy document
New top-level Policy document
  – More general
  – To apply to EGEE and LCG (and others?)
Revise all other sub-documents
  – Again more general
  – Bring up to date
Then seek approval by EGEE and LCG management
Revise/Update the Security Risk Analysis
  – And work on risk management/mitigation
Continue to lobby for better security
10
Security Service Challenges
OSG recently tested their communication channels
  – Emergency reporting list
  – Discuss list
  – Highlighted several problems – but it worked!
EGEE
  – OSCT will organise and do first test
  – Test audit trails
      Logs exist, contain enough info, can be analysed
      All in timely manner
  – Planning to have first try in March/April
  – Before the EGEE-3 meeting (Athens)
11
JRA3 deliverables
MJRA3.6 - Security Operational Procedures (first revision)
  – https://edms.cern.ch/document/566174/
  – Author: Yuri Demchenko
3 sections
  – Operational Procedure Documents
  – Vulnerability Analysis & Incident Definition
  – IODEF for incident reporting
MJRA3.7 – EUGridPMA Accreditation Procedure
  – https://edms.cern.ch/document/565290/
  – Author: David Groep
Comments to authors please
12
CA PMAs
EU Grid PMA: http://www.eugridpma.org
  – Met in Marseille at end of Jan 2005
  – Next meeting in Estonia – end of May
  – Several new CAs discussed/approved
The Americas PMA (TAGPMA): http://www.tagpma.org/
  – Now exists
  – Working on requirements for online CAs
This week in GGF (Seoul)
  – International Grid Federation (IGF) meets http://www.gridpma.org/
  – Asia/Pacific, TAG and EU PMAs
OSG has formally requested the PMAs to accredit CAs for use in OSG (and specified some requirements)
EGEE should do same?
  – And revise our own CA Acceptance policy document
13
Security Best Practice
Work started by some members of OSCT
  – Following Nov 2004 Operations Workshop
  – Alessandra Forti (Manchester, UK)
  – Romain Wartel (UK/I ROC)
  – Miguel Cardenas Montes (Ciemat, ES)
  – Ian Neilson (CERN)
Contents:
  – Forensic analysis
Some early draft web pages (mainly structure) exist
  – for now on GridPP deployment web
  – http://www.gridpp.ac.uk/deployment/security/index.html
  – But also aimed at EGEE/LCG
14
US Cybersecurity workshop
LBNL (Oakland), 9-10 March 2005
http://hpcrd.lbl.gov/HEPCybersecurity/
~30 participants
  – Denise Heagerty and DPK represented CERN/EU/LCG
Goal: to produce a work-plan for Grid Deployment to ensure US LHC Computing will be as secure as possible in 2007
No time to report here in detail
Important issues
  – Risk Analysis, Management and Mitigation
  – Big concerns about use of LCG for external DOS attacks
  – Must have good monitoring, auditing, incident response
  – Must be able to regain control quickly after an incident
Proposal/Work Plan now being developed
15
Vulnerability Analysis
GridPP work (Linda Cornwall/RAL)
Was also a report in the US workshop
  – Vulnerability analysis of Condor being done
      Design and code reviews
Draft GridPP document exists (Linda)
  – “Vulnerability – detection and reduction”
  – See recent EGEE MWSG meeting
  – http://agenda.cern.ch/fullAgenda.php?ida=a051137
3 activities
  – Checklists (deployment and middleware)
  – Vulnerability logging and tracking
  – Anti-use cases
16
Vulnerability (2)
Aim to review gLite (V1) and LCG (v2.4)
  – Goal is to improve middleware and deployment
How/where to report problems?
JSPG encourages reporting of security holes
  – UK sites keen to go “public”
  – But problems of public/archived mail lists
      We have a responsibility to our colleagues/projects
JSPG investigating secure area in GGUS
  – But unlikely to be available this year
  – Create our own database?
In the meantime please report to Linda Cornwall
  – Linda.Cornwall@rl.ac.uk
  – She is starting to gather info
17
Discussion?