
Developing a Comprehensive GENI Cyber Security Program

Adam Slagell (slagell@illinois.edu), GEC 7, Duke & RENCI, March 17, 2010


Presentation Transcript


  1. Developing a Comprehensive GENI Cyber Security Program
     Adam Slagell (slagell@illinois.edu)
     GEC 7, Duke & RENCI
     March 17, 2010

  2. What is a “comprehensive security program”?
     • About operational security & incident response
     • Not GENI software stack, authN/Z mechanisms, etc
     • Not writing code, but developing processes & policies
     • Describes mechanisms for prevention & detection of security incidents
     • Including roles for different parties
     • Focuses on collaborative, cross-organizational efforts
     • Has plans to react to incidents
     • What do all the stakeholders do?
     • Many roles, with different responsibilities.
     • Materials and processes to disseminate plans

  3. How do we develop our security program?
     • Understand assets, threats & risks
     • Perform risk analysis
     • Develop security policy architecture
     • Includes high-level policies, standards, guidelines, procedures and agreements
     • More about social processes than technology specific
     • Develop security architectures
     • Monitoring tools for incident response
     • Configuration guidelines and standards
     • Especially for centrally located or shared assets
     • Education, Training, & Compliance
     • Not clear this early what that means for GENI
     • Need to understand roles and responsibilities first

  4. Performing a risk assessment
     • Identify assets and their value
     • Very qualitative
     • Identify threats & vulnerabilities
     • Determine probability and impact of threats
     • Select countermeasures
     • Limited options here: policies, hardening guidelines, collaborative monitoring tools

  5. Developing security policies
     • Many types of policies
     • Agreements: with researchers, aggregates, universities, partners, etc
     • Policies about monitoring, processes for IR, organizational roles and responsibilities
     • Best practices for researchers, aggregate security, updates
     • We can’t wait for risk assessment first! Spiral 3 coming!
     • Need interim policies; Vic discussed some of the content
     • Base off of lessons learned in OSG, PlanetLab, etc

  6. Developing security architectures
     • Most assets not owned centrally by GENI
     • System is going to evolve organically, less amenable to top-down approach
     • What can we define?
     • IDS, tools for collaboration, logging & monitoring infrastructure
     • Maybe how aggregates are connected, and how we provide isolation
     • How are centralized resources hardened (e.g., CAs, clearing houses)
     • Not clear what may be centrally controlled by GMOC
     • We can provide guidelines in any case

  7. Where are we now?
     • NCSA started work after GEC 6
     • Caveat: 1/3 FTE total
     • We created incident response use cases
     • Long list of potential things a GENI IR team may encounter
     • E.g., Request from LE, experiment used for attack, etc
     • Welcome feedback, go to our wiki page
     • Stakeholder and asset identification
     • Qualitative values of assets
     • Tangible and intangible
     • First, first draft; needs feedback!

  8. We need you!
     • We cannot evaluate criticality of assets in isolation
     • Need input on the methodology
     • Need input from all stakeholders on actual asset values
     • Are we complete?
     • Some assets may be obsolete as they will no longer exist
     • May be new things since we read docs
     • May just not be creative enough
     • Feedback is vital before we start evaluating impact of threats.

  9. Timeline for feedback
     • Asset Valuation and Risk Assessment report v. 0.1
       • When: Now
       • Where: on our project wiki space
     • Asset Valuation and Risk Assessment report v. 0.2
       • Added some threats, incorporated feedback
       • When: May 1, 2010
     • Asset Valuation and Risk Assessment report v. 0.3
       • Risk analysis of partial list of threats, incorporated feedback
       • When: June, 2010
     • Interim Operational Security Plan 0.1
       • When: during the month after & during GEC 8

  10. A modest proposal
     • Observations
       • There are a LOT of GENI documents
       • There are lots of versions of each
       • They are spread out everywhere
       • Some people don’t even upload them to the GENI wiki
       • Security and operations need to think holistically
       • I spend an inordinate amount of time searching for new docs
       • People in OMIS likely interested in similar docs
     • Proposal
       • Utilize the email list more.
       • Send a note with link and summary when you create a new doc (or make major revisions)
