
LCG Security


Presentation Transcript


  1. LCG Security
     Ian Neilson, LCG Security Officer, Grid Deployment Group, CERN
     DTI Mission – 29 June 2004 - 1

  2. LCG Security environment
     • The players, and what each brings into the security picture:
       • Users: personal data, roles, usage patterns, …
       • VOs: experiment data, access patterns, membership, …
       • Sites: resources, availability, accountability, …
       • The Grid

  3. The Risks
     • Top risks from the Security Risk Analysis, each paired with the property of the LCG environment that gives rise to it:
       http://proj-lcg-security.web.cern.ch/proj-lcg-security/RiskAnalysis/risk.html
     • Launch attacks on other sites
       • large distributed farms of machines
     • Illegal or inappropriate distribution or sharing of data
       • massive distributed storage capacity
     • Disruption by exploit of security holes
       • complex, heterogeneous and dynamic environment
     • Damage caused by viruses, worms etc.
       • highly connected and novel infrastructure

  4. Policy – the LCG Security Group
     • Security & Availability Policy, with the documents around it:
       • Usage Rules
       • User Registration
       • Certification Authorities
       • Audit Requirements
       • Incident Response
       • GOC Guides
       • Application Development & Network Admin Guide
     • http://cern.ch/proj-lcg-security/documents.html

  5. Authentication Infrastructure
     • Users and services own long-lived (1 yr) credentials
       • Digital certificates (X.509 PKI)
       • European Grid Policy Management Authority: “… is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. …”
       • www.eugridpma.org covers EU (+ USA + Asia)
     • Jobs submitted with Grid Proxy Certificates
       • Short-lived (<24 hr) credential which “travels” with the job
       • Delegation allows a service to act on behalf of the user
       • Proxy renewal service for long-running & queued jobs
     • Some issues…
       • Do trust mechanisms scale up?
       • “On-line” certification authorities & certificate stores
         • Kerberized CA
         • Virtual SmartCard
       • Limited delegation

  6. User Registration (2003-4)
     Parties in the diagram: the User (holding a GRID certificate issued by a CA, wanting to submit a job), lcg-registrar.cern.ch (holding the Usage Rules), the XYZ VO Manager, and the Site with its Resource and authorization (Authz) data; “CA Certificates ?” is attached to the site's Authz side.
     1. User to lcg-registrar.cern.ch: “I agree to the Usage Rules, please register me, my VO is XYZ”
     2. Confirm email
     3. User details to the XYZ VO Manager
     4. Register
     5. Notify
     6. User details to the Site (Authz)

  7. User Registration (? 2004 - )
     Diagram labels: Certificate, Roles ?, XYZ VO Manager
     • Some issues
       • Static user mappings will not scale up
       • Multiple VO membership
       • Complex authorization & policy handling
       • VO manager needs to validate user data – how?
     • Solutions
       • VO Management Service – attribute proxy certificates
         • Groups and roles – not just static user mapping
         • Attributes bound to the proxy cert., signed by the VO Service
       • Credential mapping and authorization
         • Flexible policy intersection and mapping tools
       • Integrate with organizational databases, but …
         • What about exceptions? (the 2-week summer student)
         • What about other VO models: lightweight, deployment, testing
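The credential chain of slides 5 and 7, as an added worked example that is not part of the presentation and not code from the LCG or VOMS projects: a Go program using only the standard library that issues a 1-year user certificate from a CA, derives a short-lived proxy for a fresh key pair signed with the user's own long-lived key (delegation), binds a VO-signed group/role attribute to that proxy, and then performs the site-side checks before mapping the role to a local account. The extension OID, distinguished names, FQAN strings, the attribute encoding and the account map are all constructed for this example and are assumptions; the real VOMS extension has its own format and registered OID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for the VO attribute extension (constructed for this
// example; the real VOMS extension has its own registered OID).
var oidVOAttribute = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

const MaxProxyLifetime = 24 * time.Hour // slide: proxies are short-lived (<24 hr)

// VOAttribute is what the VO Management Service signs: one group/role (FQAN)
// bound to one holder DN; the proxy carries it as a non-critical extension.
type VOAttribute struct {
	HolderDN, FQAN string
	Sig            []byte // VO service signature over attrDigest(HolderDN, FQAN)
}
var serial int64

func attrDigest(dn, fqan string) []byte { h := sha256.Sum256([]byte(dn + "\n" + fqan)); return h[:] } // constructed encoding
func must(err error)                   { if err != nil { panic(err) } }
func newKey() *ecdsa.PrivateKey       { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err); return k }
func inWindow(c *x509.Certificate, now time.Time) bool { return !now.Before(c.NotBefore) && !now.After(c.NotAfter) }

// issue signs tmpl for pub with signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil { parent = tmpl } // self-signed (the CA)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer); must(err)
	cert, err := x509.ParseCertificate(der); must(err)
	return cert
}

// BuildScenario returns what a site sees: the trusted CA, the user's 1-year certificate, a proxy
// of the given lifetime (fresh key, signed with the user's long-lived key = delegation) carrying
// fqan signed by the VO service for holderDN ("" = the user's own DN), and the VO public key.
func BuildScenario(proxyLifetime time.Duration, fqan, holderDN string) (ca, user, proxy *x509.Certificate, voPub *ecdsa.PublicKey) {
	start := time.Now().Add(-time.Minute)
	caKey, userKey, voKey, proxyKey := newKey(), newKey(), newKey(), newKey()
	ca = issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Grid CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: start, NotAfter: start.Add(5 * 365 * 24 * time.Hour)}, nil, &caKey.PublicKey, caKey)
	user = issue(&x509.Certificate{Subject: pkix.Name{Organization: []string{"XYZ"}, CommonName: "grid user 01"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: start, NotAfter: start.Add(365 * 24 * time.Hour)}, ca, &userKey.PublicKey, caKey)
	if holderDN == "" {
		holderDN = user.Subject.String()
	}
	sig, err := ecdsa.SignASN1(rand.Reader, voKey, attrDigest(holderDN, fqan)); must(err)
	attrDER, err := asn1.Marshal(VOAttribute{HolderDN: holderDN, FQAN: fqan, Sig: sig}); must(err)
	proxy = issue(&x509.Certificate{Subject: pkix.Name{Organization: []string{"XYZ"}, CommonName: "grid user 01 proxy"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: start, NotAfter: start.Add(proxyLifetime),
		ExtraExtensions: []pkix.Extension{{Id: oidVOAttribute, Value: attrDER}}}, user, &proxyKey.PublicKey, userKey)
	return ca, user, proxy, &voKey.PublicKey
}

// Authorize is the site-side check: chain proxy -> user -> CA, validity windows and proxy
// lifetime, VO attribute signature and binding to the holder, then FQAN -> local account.
func Authorize(ca, user, proxy *x509.Certificate, voPub *ecdsa.PublicKey, policy map[string]string, now time.Time) (string, error) {
	if err := user.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("user certificate not issued by the trusted CA: %w", err)
	}
	// The proxy is signed by the user's end-entity key, not by a CA, so verify the signature directly.
	if err := user.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return "", fmt.Errorf("proxy not signed by the user's key: %w", err)
	}
	if !inWindow(user, now) || !inWindow(proxy, now) || proxy.NotAfter.Sub(proxy.NotBefore) >= MaxProxyLifetime {
		return "", fmt.Errorf("credential outside its validity window, or proxy lifetime not under %s", MaxProxyLifetime)
	}
	var attr VOAttribute
	for _, ext := range proxy.Extensions {
		if ext.Id.Equal(oidVOAttribute) {
			if _, err := asn1.Unmarshal(ext.Value, &attr); err != nil {
				return "", fmt.Errorf("malformed VO attribute: %w", err)
			}
		}
	}
	// Must verify under the VO key and be bound to this user, so an attribute lifted from another proxy is useless.
	if attr.Sig == nil || attr.HolderDN != user.Subject.String() || !ecdsa.VerifyASN1(voPub, attrDigest(attr.HolderDN, attr.FQAN), attr.Sig) {
		return "", fmt.Errorf("VO attribute missing, not bound to %s, or badly signed", user.Subject)
	}
	if account, ok := policy[attr.FQAN]; ok { // group/role -> local account, not a static per-user map
		return account, nil
	}
	return "", fmt.Errorf("no local mapping for %s", attr.FQAN)
}

func main() {
	ca, user, proxy, voPub := BuildScenario(12*time.Hour, "/XYZ/Role=production", "")
	fmt.Println(Authorize(ca, user, proxy, voPub, map[string]string{"/XYZ/Role=production": "xyzprod"}, time.Now()))
}
```

Two design points worth noticing. The proxy is verified with `CheckSignature` against the user's public key rather than `CheckSignatureFrom`, because the latter enforces RFC 5280 and refuses any signer that is not a CA, which an end-entity user certificate is not; the site must therefore add its own rules for proxies (here the lifetime cap and the issuer check). And the VO attribute is checked both for the VO signature and for the holder DN, so that the group/role mapping replaces the static per-user map only for the identity the VO actually asserted it for.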

  8. Audit & Incident Response
     • Audit Requirements
       • Mandates retention of logs by sites
     • Incident Response
       • Security contact data gathered when a site registers
       • Establish communication channels
         • Mail lists maintained by the Deployment Team
         • List of CSIRT lists
       • Channel for reporting
         • Security contacts at the site
       • Channel for discussion & resolution
       • Escalation path
     • 2004 Security Service Challenges
       • Check the data is there and complete, and that communications are open

  9. Security Collaboration
     • Projects share resources & have close links
     • Need for inter-grid global security collaboration
       • ? Common accepted Usage Rules
       • ? Common authentication and authorization requirements
       • ? Common incident response channels
       • LCG – EGEE – OSG – ?
     • LCG Security Group is now the Joint Security Group
       • JSG for LCG & EGEE
       • Provides requirements for middleware development
       • Some members from OSG already in the JSG

  10. LCG Security
     Thank you.
