1. www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Questionnaires to Cloud technology providers and sites Linda Cornwall, STFC, OMB 27 th February 2014 6/18/2016 1

2. www.egi.eu EGI-InSPIRE RI-261323 Purpose Grid based technology and deployment is mature from a security point of view Cloud based technology and deployment is much newer, we need to ensure it is as secure as possible and that any problems are addressed to make it secure Use and adapt experiences of the security team to the changing technology Much not technology specific, required for secure sharing of resources 6/18/2016 2

3. www.egi.eu EGI-InSPIRE RI-261323 I’ve heard it said Security doesn’t matter in the Cloud If something is running in a VM then no- one is interested in what I am doing, it doesn’t affect anyone else. I can do it easily on Amazon, why not here?

4. www.egi.eu EGI-InSPIRE RI-261323 No one interested in what I do on VM Those paying for resources will not want something done outside policy E.g. bitcoin mining Something may affect our reputation Something may be done which affects us Attempts at RSA cracking 6/18/2016 4

5. www.egi.eu EGI-InSPIRE RI-261323 Non-Repudiation With discussions on the possibility of billing a user, this becomes more important. High impact on traceability, secure logging, etc. 6/18/2016 EGI Federated Cloud F2F, January 13-14 2014. Linda Cornwall 5

6. www.egi.eu EGI-InSPIRE RI-261323 To start 2 Questionnaires 1 for cloud technology providers E.g. OpenStack, OpenNebula Primarily for providers from collaborating projects 1 for Sites/Resource Providers Which are part of the EGI Federated cloud

7. www.egi.eu EGI-InSPIRE RI-261323 Questionnaire to Technology Providers We want to have some confidence we are deploying secure technology Secure by design Is able to comply with policies such as AAI, User/Identity management, ID suspension, logging, traceability Secure implementation Any security problems/vulnerabilities found will be addressed This is not a complete detailed vulnerability assessment, just some questions to give some confidence that the product is able to meet our basic security requirements

8. www.egi.eu EGI-InSPIRE RI-261323 Description of Product 10 questions Short answers where possible Already existing documentation may be referred to Basically about credential handling, traceability, logging, blocking a user Based on questionnaire for pilot jobs framework Re-used from WLCG exercise in 2008

9. www.egi.eu EGI-InSPIRE RI-261323 Description of Product questions Provide any existing documentation Describe components of system Describe how user proxies are handled Non X509 Authentication – if present Identity management Sandboxing

10. www.egi.eu EGI-InSPIRE RI-261323 Description of product questions (2) Logging of user actions Describe how user task is spawned How a user or identity may be blocked How connections to another site may be blocked

11. www.egi.eu EGI-InSPIRE RI-261323 5 Questions on Code Has any sort of assessment been made by security experts? No is acceptable, but we would like to know if it has Is all input validated? Check file permissions Is the code maintainable? Is the code open source?

12. www.egi.eu EGI-InSPIRE RI-261323 5 Contact details and maintenance Confirm this software is under security support How long will it remain under security support? Contact details Confirm you agree to EGI Software Vulnerability handling You are invited to join SVG

13. www.egi.eu EGI-InSPIRE RI-261323 Contact and maintenance For Grid Middleware (EMI/IGE) SLA between EGI and project, vulnerability handling by EGI SVG – OK, fine For Linux (e.g. RedHat), carry out their own handling, and EGI just has to decide risk in our environment. – OK, fine For some software deployed, difficult to get response/fix from company when security problems found **NOT OK**

14. www.egi.eu EGI-InSPIRE RI-261323 Questionnaire to Sites Introduction states that EGI security policies apply in the Cloud Changing technology does not mean that sites and users can suddenly ignore everything that has gone before Caveat that this is the first version, subject to revision. May evolve as a result of experience CRPs? Cloud Resource Providers?

15. www.egi.eu EGI-InSPIRE RI-261323 Checklist for Certification of CRPs 4 sections About the Cloud Resource Provider infrastructure About the Cloud Service itself About the Virtual Machines instantiated in the Cloud About EGI and non-EGI co-tenancy Only applicable for cloud providers who provide services to non EGI customers

16. www.egi.eu EGI-InSPIRE RI-261323 About the Cloud Resource Provider's Infrastructure Check Site-security-contact and CSIRT mail in GOCDB State Cloud technology used What is the process for keeping services and OS patched? Provider network separation Document network separation of management and service traffic Policies Does CRP agree to be bound by Security policies? What processes exist to maintain audit logs E.g. for use during an incident?

17. www.egi.eu EGI-InSPIRE RI-261323 About the Cloud Service itself Who is allowed to access the machine(s) on which the service(s) run, and how to they obtain access? State whether identity providers other than EGI approved are enabled. What mechanisms are in place to suspend a user or group

18. www.egi.eu EGI-InSPIRE RI-261323 About the Virtual Machines instantiated in the Cloud Does CRP follow exclusively EGI Federated cloud model of running ‘endorsed’ VM from a trusted EGI market place? What mechanism is in place to ensure only endorsed VMs are executed on the infrastructure? Can your cloud management framework separate VM operators from users?

19. www.egi.eu EGI-InSPIRE RI-261323 About VMs instantiated in cloud (2) Describe how network monitoring is implemented for customer VMs Describe your ability to participate in incident response and investigation Are any non-standard configurations in place?

20. www.egi.eu EGI-InSPIRE RI-261323 About EGI and non-EGI co-tenancy (Only relevant if non EGI FedCloud VMs used) Customer identification How are non EGI customers identified? Can these users be authenticated and positively distinguished from EGI users? What mechanisms are in place to ensure actions are not inadvertently associated with identified EGI users? Policies Including do you have an AUP? VM execution

21. www.egi.eu EGI-InSPIRE RI-261323 About EGI and non-EGI co-tenancy (2) What is the process of keeping the services and OS patched and up to date? What mechanisms are in place to suspend customers or customer groups? How long are identity and audit records for customers retained?

22. www.egi.eu EGI-InSPIRE RI-261323 VM endorsement questionnaire We have also identified a need for a VM endorsement questionnaire Not really started on yet

23. www.egi.eu EGI-InSPIRE RI-261323 Acknowledgements CSIRT and SVG members have provided input to both documents David Groep did most of the work on the Site/CRP document Members of SPG have provided input/comments/discussion too. Special thanks in particular to Maarten Litmaath, Sven Gabriel, Oxana Smirnova, Stephen Burke for work and useful discussions

24. www.egi.eu EGI-InSPIRE RI-261323 Questions?