OSG VO Security Policies and Requirements Mine Altunay OSG Security Team July 2007.


1 OSG VO Security Policies and Requirements Mine Altunay OSG Security Team July 2007

2 Who am I?
– Recently joined OSG Security Team
– Ramping up to be full time OSG Security
– Working through the OSG Security Plan
– Helping develop any new items for the Security Plan in Year 2

3 [Diagram labels: grid job; VO; VO Infra. & Services; Site; Storage; WN; VO-accessible Site Resources; Researcher A from University X, which is a member of the VO]
Three separate security domains:
– Univ., VO and Site
Two trust relationships
VO trusts Researcher
Site trusts VO
Site allows access by Researcher
Researcher accesses Site’s resources due to the trust between the VO and the Site.

4 Site grants access to the VO.
VO delegates the access privilege to its trusted members.
VO manages its members’ access rights:
– different access rights to different VO members
– e.g. grouping of users based on tasks, or roles played in an experiment
VO policy may define “groups” and “roles”.

5 [Diagram labels: Researcher A from University X; Researcher B from University Y; Job 1’s Data; Job 2’s Data; VOMRS; GUMS; VO mappings; Retrieve VO mappings]
VO mappings:
– Group: Univ. X, Role: Researcher
– Group: Univ. Y, Role: Researcher
VOMRS manages member-role mappings
– Tanya’s talk
GUMS retrieves membership info from VO, enforces VO assigned privileges at the Site

6 Enforced Security Policy
[Diagram labels: VO Policy; Site Policy; Enforced Policy; Site’s data storage; WN]
VO Policy determines:
– each VO member’s privileges
Site Policy determines:
– VO has access to the storage
– can still blacklist particular VO members, if desired
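The enforced policy on slide 6 can be modelled as a default-deny decision in which the Site's grant and blacklist are checked before the VO's per-member privileges. The sketch below is an added illustration, not GUMS or VOMRS code and not part of the original slides; the VO name, DNs, resource names, the `enforce` function and the order of checks are assumptions made for the example.

```python
# Added illustration: a toy model of slide 6, not GUMS or VOMRS code.
# All DNs, VO names, groups and resource names below are constructed.

DN_A = "/DC=org/DC=example/CN=Researcher A"
DN_B = "/DC=org/DC=example/CN=Researcher B"

# VO side: member -> (group, role), as a membership service would record it.
VO_MAPPINGS = {
    "exampleVO": {DN_A: ("Univ. X", "Researcher"),
                  DN_B: ("Univ. Y", "Researcher")},
}

# VO policy: what each (group, role) may do on each data set.
VO_POLICY = {
    "exampleVO": {
        ("Univ. X", "Researcher"): {"job1-data": {"read", "write"}},
        ("Univ. Y", "Researcher"): {"job2-data": {"read", "write"}},
    },
}

# Site policy: resources each trusted VO may reach, plus a member blacklist.
SITE_POLICY = {
    "trusted_vos": {"exampleVO": {"job1-data", "job2-data"}},
    "blacklist": set(),
}


def enforce(dn, vo, resource, action, site=SITE_POLICY):
    """Return (allowed, reason); the reason string is what a site would log."""
    # 1. Site policy: does the site grant this VO access to the resource?
    if resource not in site["trusted_vos"].get(vo, set()):
        return False, "site does not grant this VO access to the resource"
    # 2. Site policy: the site can still blacklist a particular VO member.
    if dn in site["blacklist"]:
        return False, "member blacklisted by site"
    # 3. VO policy: the member's group/role decides the privilege.
    mapping = VO_MAPPINGS.get(vo, {}).get(dn)
    if mapping is None:
        return False, "not a member of the VO"
    group, role = mapping
    allowed = VO_POLICY.get(vo, {}).get(mapping, {}).get(resource, set())
    if action not in allowed:
        return False, f"VO policy gives {group}/{role} no {action!r} on {resource}"
    return True, f"allowed as {group}/{role}"


if __name__ == "__main__":
    print(enforce(DN_A, "exampleVO", "job1-data", "read"))
    print(enforce(DN_A, "exampleVO", "job2-data", "read"))
```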

7 [Diagram labels: Researcher A from University X; Researcher B from University Y; grid job 1; VO; VO Infra. & Services; Site; WN; Job 1’s Data; Job 2’s Data; Unauthorized access]

8 What if something goes wrong? Incident Response
– Researcher A launches attack against the Site
– Site discovers the attack
– Site analyzes the attack, temporarily blacklists Researcher A (if it can trace it)
– Site can call GOC at 1 317-278-9699, or submit a trouble ticket, email GOC@opensciencegrid.org, or email security-discuss-L@opensciencegrid.org

9
– Inform VO security contact
– Site trusts the VO, not individual members
– VO finds which member has the privilege
  – Logs and mapping repository (VOMRS)
– Determines culpability and takes measures over Researcher A’s privileges

10 VO Policy
VO must:
– List Security Contact and Administrative Contact
  – For incident handling, reporting VO-service problems
– Comply with Grid Security Policies: archival, accounting and audit (logs and changes)
– Maintain a membership service to generate authentication and authorization data for accessing resources
– Treat the membership and logged information confidentially and exercise due diligence
– Ensure availability of VO services, comply with grid operational policies
– Respond promptly to member’s queries, inform any status changes

