
LCG Security Status and Issues

Ian Neilson, Grid Deployment Group, CERN. Overview of the talk: Security Policy (Joint Security Policy Group); Authentication & Authorization Infrastructure (International Grid Trust Federation, LHC Experiment Virtual Organisations).


Presentation Transcript


  1. LCG Security Status and Issues
     Ian Neilson, Grid Deployment Group, CERN
     LHCC, 15 November 2005

  2. LCG Security Status and Issues: Overview
     • Security Policy
       • Joint Security Policy Group
     • Authentication & Authorization Infrastructure
       • International Grid Trust Federation
       • LHC Experiment Virtual Organisations
     • Operational Security
       • Operational Security Coordination Team
       • Incident Response Planning
       • Security Monitoring Tools
       • Security Service Challenges
     • plus some related activities

  3. Security Policy
     • Joint Security Policy Group
       • LCG & EGEE with strong input from OSG
     • Policy Set (diagram on the slide; the top-level policy is listed first)
       • Security & Availability Policy
       • Incident Response
       • Certification Authorities
       • Audit Requirements
       • Usage Rules
       • VO Security
       • Application Development & Network Admin Guide
       • User Registration & VO Management

  4. Security Policy
     • Policy Revision In Progress/Completed
       • Grid Acceptable Use
         • https://edms.cern.ch/document/428036/
         • common, general and simple AUP
         • for all VO members using many Grid infrastructures
           • EGEE, OSG, SEE-GRID, DEISA, national Grids…
       • VO Security
         • https://edms.cern.ch/document/573348/
         • responsibilities for VO managers and members
         • VO AUP to tie members to Grid AUP accepted at registration
       • Incident Handling and Response
         • https://edms.cern.ch/document/428035/
         • defines basic communications paths
         • defines requirements (MUSTs) for IR
           • reporting
           • response
           • protection of data
           • analysis
         • not to replace or interfere with local response plans

  5. Security Policy
     • Issues
       • Can generic ‘simple’ policies be binding?
         • can they protect across legislative domains?
       • Release of accounting data
         • some site policies restrict release of per-user data
         • legal implications of EU directives on privacy
         • needed to properly manage and account to VOs
       • More policy updates needed but revision process is slow
         • top-level security and availability policy
         • new policy for Data Handling/Protection needed
       • Depth of policy review and discussion varies
       • Risk Analysis should be repeated
         • http://cern.ch/proj-lcg-security/RiskAnalysis/risk.html

  6. Authentication Infrastructure
     • IGTF – International Grid Trust Federation
       • LCG currently accepts certificates from EUGridPMA CAs
         • plus FNAL Kerberized CA
       • IGTF officially formed at GGF15
         • 3 regional PMAs: Europe, Asia Pacific, Americas
         • addresses scalability issues felt by EUGridPMA
       • separate the management of authentication profiles
         • EUGridPMA: ‘classic’ CA
         • TAGPMA: Short-lived Credential Generation Services
           • brings FNAL KCA under an IGTF profile
           • in future for myproxy and Shibboleth based services
     • For LCG – “relying parties”
       • what service is expected beyond credential issuing?
         • revocation processing
       • CA world is still “settling down”, will it stabilize?
         • move from grid sites to NRENs

  7. Authorization Infrastructure
     • LHC Experiment Virtual Organisations
       • VO Management service now deployed in beta at CERN
         • VOMRS registration interface – good collaboration with FNAL
         • Managed CERN Oracle service DB
         • All 4 LHC experiments
       • Back-end tied to CERN HR database view (ORGDB)
         • allows use of existing experiment registration
         • relies on membership lifecycle maintenance!
         • but VO manager retains control
       • e.g. https://lcg-voms.cern.ch:8443/vo/atlas/vomrs

  8. Authorization Infrastructure
     • VOMS+VOMRS gives managed VO group+role flexibility
       • BUT grid service authorization now based on simple group/role only
       • authorization workshop discussed near-term requirements – SC4
         • http://agenda.cern.ch/fullAgenda.php?ida=a054503
     • VO Management and Authorization Services
       • Critical service but has been hard to deploy
         • HR interface
         • Oracle support
         • gLite packaging
       • Limited experience in real operation
         • Debug
         • Performance
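The slide's point that grid service authorization is "based on simple group/role only" can be made concrete with a small decision function over VOMS attributes. The following is an added example, not code from the talk, from VOMS, or from LCG: the FQAN syntax (/vo/group/Role=.../Capability=...) is the real VOMS attribute format, but the policy table, the action names and the sample credentials are constructed for illustration, and the exact-match rule on (group, role) is a design choice of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# VOMS fully qualified attribute name, e.g. "/atlas/Role=production/Capability=NULL".
FQAN_RE = re.compile(
    r"^((?:/[^/=]+)+)"            # VO group path: /atlas or /atlas/higgs
    r"(?:/Role=([^/]*))?"         # optional role
    r"(?:/Capability=([^/]*))?$"  # optional capability (NULL in practice)
)


@dataclass(frozen=True)
class Fqan:
    group: str
    role: Optional[str]


def parse_fqan(text: str) -> Fqan:
    """Split an FQAN into its group path and role; reject anything malformed."""
    m = FQAN_RE.match(text)
    if m is None:
        raise ValueError(f"malformed FQAN: {text!r}")
    group, role, _capability = m.groups()
    # VOMS writes Role=NULL when no role was requested; treat that as "no role".
    return Fqan(group, None if role in (None, "", "NULL") else role)


# Constructed policy for a hypothetical grid service (not a real LCG config):
# the only attributes the service can consult are the group path and the role.
Policy = Dict[Tuple[str, Optional[str]], Set[str]]
SERVICE_POLICY: Policy = {
    ("/atlas", None): {"submit-job"},
    ("/atlas", "production"): {"submit-job", "write-storage"},
    ("/atlas/higgs", None): {"submit-job", "read-storage"},
}


def authorize(fqans: Iterable[str], action: str, policy: Policy = SERVICE_POLICY) -> bool:
    """Grant the action if any presented FQAN exactly matches a permitting rule.

    Matching is deliberately exact on (group, role): a rule for /atlas does not
    cover /atlas/higgs, and a role granted in a subgroup does not inherit the
    parent group's role rules.  Anything unparseable is ignored, never trusted.
    """
    for text in fqans:
        try:
            f = parse_fqan(text)
        except ValueError:
            continue  # skip garbage rather than fail open
        if action in policy.get((f.group, f.role), set()):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample credentials, one list of FQANs per proxy.
    samples = {
        "plain member": ["/atlas/Role=NULL/Capability=NULL"],
        "production manager": ["/atlas/Role=production/Capability=NULL",
                               "/atlas/Role=NULL/Capability=NULL"],
        "higgs subgroup": ["/atlas/higgs/Role=NULL/Capability=NULL"],
        "other VO": ["/cms/Role=NULL/Capability=NULL"],
    }
    for who, fqans in samples.items():
        for action in ("submit-job", "read-storage", "write-storage"):
            print(f"{who:20s} {action:14s} -> {'allow' if authorize(fqans, action) else 'deny'}")
```

The check shows both what group/role authorization buys (a production role unlocks storage writes without any per-user configuration) and what it cannot express: nothing finer than group and role reaches the service, so any additional distinction has to be encoded as yet another group or role in VOMS.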

  9. Operational Security Coordination Team
     • OSCT membership = EGEE ROC security contacts
     • What it is not:
       • Not focused on middleware security architecture
       • Not focused on vulnerabilities
         • Vulnerabilities Group formed and operational
     • Focus on Incident Response Coordination
       • Assume it’s broken, how do we respond?
       • Planning and Tracking
     • Focus on ‘Best Practice’
       • Advice
       • Monitoring
       • Analysis
     • Coordinators for each EGEE ROC
       • plus OSG LCG Tier 1 + Taipei

  10. [Diagram: Operational Security Coordination Team, founded on Policy, with three strands: Monitoring Tools, Incident Response and Security Service Challenge. Labels shown on the diagram: Infrastructure, Procedures, Agents, Resources, Handbook, Playbook, Reference Deployment, SSC1 - Job Trace, SSC2 - Storage Audit.]

  11. Operational Security Coordination Team
     • Incident Response issues
       • Contact management
         • Use of site registration process and GOCDB
         • Shift from site-based to regional/grid coordination
       • Operational role for OSCT
         • Live incident
       • Lack of real incident experience
         • incidents WILL happen and they WILL be disruptive
         • OSCT can plan BUT cannot anticipate all eventualities
       • Lack of dedicated resources
         • Should be provided by EGEE-II
       • NREN CSIRTs – overlap of IR activities
         • understanding how/when/if to use
     • Security Service Challenges
       • Lessons from SSC1
       • Plan for SSC2 (storage) and beyond

  12. LCG Security Status and Issues
     • Related activities
       • Optical Private Network Security
         • Working group formed by GDB
       • Disaster Recovery Planning
         • Recent presentations at HEPiX and EGEE-4
       • ISSeG
         • Proposed EU-funded project on Integrated Site Security for Grids
         • CERN/Openlab lead

  13. Thank You
