Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE is a project funded by the European Union under contract IST-2003-508833 JRA3 Security Åke Edlund Security Head PEB All-Activity Meeting, September.

Published byAmbrose Newman Modified over 7 years ago

Similar presentations

Presentation on theme: "EGEE is a project funded by the European Union under contract IST-2003-508833 JRA3 Security Åke Edlund Security Head PEB All-Activity Meeting, September."— Presentation transcript:

1 EGEE is a project funded by the European Union under contract IST-2003-508833 JRA3 Security Åke Edlund Security Head PEB All-Activity Meeting, September 13, 2004 www.eu-egee.org

2 PEB All-Activity Meeting, September 13, 2004 - 2 Contents Summary of work accomplished since last AA meeting Relationship between JRA3 and JRA1 work and deliverables Hiring status and manpower levels State of deliverables and milestones for PM4-PM6  MJRA3.3 - OGSA SEC service initial recommendations for reengineering  DJRA3.1 - Global security architecture  MJRA3.4 - Security operational procedures and incident handling, definition of a common Grid incident format Risk analysis Issues related to other activities Highest priority steps to take between now and the 2nd project conference in Den Haag

3 PEB All-Activity Meeting, September 13, 2004 - 3 Summary of work accomplished since last AA meeting -Productive meeting, kick-off for the s/w maintenance/development at JRA3. - Global Security Architecture - Security requirements - Incident response capability PM4PM5PM6 MWSG3 August 25 JRA1 All-hands meeting June 28-30 Task 1: Security requirement doc MJRA3.1 (PM3) completed Recurrent tasks: - JRA1 design team, integration, testing - EUGridPMA, QAG - Software maintenance and development Task 5: Taxonomy document on Incident handling and Security operational procedures; definition of a common Grid incident format. (PM6+) In cooperation with JSG and OSG Task 3: Phase1 OGSA doc MJRA3.3 (PM4) completed Task 4: DJRA3.1 Security Architecture doc (PM5) delivery date: Sept. 17 TR7: Software maintenance and development PM5: SOAP over HTTPS 80% PM6: Delegation 45%, AuthZ framework 70%, Mutual AuthZ 10%, VOMS admin & parser (ongoing) PM7: Message level security 70% PM9: Resource access control 10%, Grid enhancements for OpenSSL Started PM11: Site Proxy for GRID cluster Started September 13

4 PEB All-Activity Meeting, September 13, 2004 - 4 Relationship between JRA3 and JRA1 work and deliverables Requirements on gLite: collected and prioritized by MWSG Architecture and design: Security architect and senior developers from JRA3 involved in the gLite architecture and design, from start. DJRA1.1 gLite Architecture DJRA1.2 gLite Design DJRA3.1 gLite Security Architecture Implementation: Security modules needed in gLite are developed in the Nordic (JRA3) cluster. JRA1 Release plan Cluster Nordic Cluster

5 PEB All-Activity Meeting, September 13, 2004 - 5 Relationship between JRA3 and other activites MWSG in collaboration with JSG ensures the horizontal function of JRA3 at this stage. Further developed the working channels to : JRA1: - Design Team (David Groep, and Olle Mulmo from JRA3) - EMT (Åke Edlund from JRA3) - MWSG (All in JRA3, cluster mgrs from JRA1) - Cluster-by-cluster - Integration, testing, data mgmt,... (one member per cluster from JRA3) JRA2: - QAG (Gerben Venekamp/Martijn Steenbakkers from JRA3) SA1: - MWSG (All in JRA3, members from the JSG from SA1) - JSG (Joni Hakala, Åke Edlund from JRA3) NA4: - MWSG (All in JRA3, NA4 representing application-by-application) OSG security: - MWSG (Bob Cowles, Dane Skow )

6 PEB All-Activity Meeting, September 13, 2004 - 6 Hiring Status & Manpower level

7 PEB All-Activity Meeting, September 13, 2004 - 7 State of deliverables and milestones for PM4-PM6 MJRA3.3 OGSA security reengineering recommendations DJRA3.1 Global Security Architecture MJRA3.4 Security operational procedures

8 PEB All-Activity Meeting, September 13, 2004 - 8 Scope, objectives and status of M5/M6 deliverables MJRA3.3 OGSA SEC service initial recommendations for reengineering DJRA3.1 Global security architecture MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format

9 PEB All-Activity Meeting, September 13, 2004 - 9 Scope, objectives and status of M5/M6 deliverables MJRA3.3 OGSA SEC service initial recommendations for reengineering DJRA3.1 Global security architecture MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format

10 PEB All-Activity Meeting, September 13, 2004 - 10 Scope, objectives and status of M5/M6 deliverables: MJRA3.3 - OGSA SEC service initial recommendations for reengineering (1/4) Reason for the reformulation of this task: Currently available security standards supporting the creation of security components for the Open Grid Services Architecture (OGSA) too scarce. Due to the lack of standards against which to implement, JRA3 decided to focus first (PM4) on security for ordinary web services and postpone the OGSA specific activities to a later stage (PM9). Advantages with the reformulation of the task: Implementation of modules can start at an earlier stage of the project, Early implementation allows us to join other EGEE activities’ iterative software development processes and thus eases future integration of components, The lack of OGSA security standards is no longer an immediate obstacle, and, The experience acquired from the web services security work can be fed in into future OGSA security work: e.g. when implementing and contributing to standardisation efforts etc.

11 PEB All-Activity Meeting, September 13, 2004 - 11 Scope, objectives and status of M5/M6 deliverables: MJRA3.3 - OGSA SEC service initial recommendations for reengineering (2/4) Goal of this task: Identify a set of security modules that can be implemented before the 2nd EGEE conference to address some of the most immediate EGEE security needs, namely those of JRA1. The focus is to work on security modules that serve to improve the security of existing Web Services software components of EGEE middleware. As such, this document serves as input to the overall JRA3 release plan. Longer term security objectives and modules that require more time to implement will only be identified and they serve as place holders to be elaborated on in future versions of this document.

12 PEB All-Activity Meeting, September 13, 2004 - 12 Scope, objectives and status of M5/M6 deliverables: MJRA3.3 - OGSA SEC service initial recommendations for reengineering (3/4) Phase 1 completed, see https://edms.cern.ch/document/488169/1.0 3.1.1Select and study standards relevant to OGSA security, test GTK 3.2 sec implementation 3.1.2Collect and categorize EGEE security requirements wrt first release of JRA1 modules 3.1.3Analyse requirements wrt first release of JRA1 modules 3.1.4Write first release of doc: OGSA security initial recommendations for reengineering 3.1.5Plan reengineering work based on feedback to recommendation doc from 3.1.4 (was 3.1.5) 3.1.6Start reengineering chosen modules according to set priorities (was 3.1.6) 3.3.1Collect and categorize EGEE security requirements wrt OGSA security 3.3.2Analyse requirements wrt OGSA sec & EGEE sec infra 3.3.3Write final release of doc: OGSA security initial recommendations for reengineering Phase2 (PM9) Phase1 (PM4)

13 PEB All-Activity Meeting, September 13, 2004 - 13 Scope, objectives and status of M5/M6 deliverables: MJRA3.3 - OGSA SEC service initial recommendations for reengineering (4/4) Conclusion at this stage: The main conclusion is that the standards and available tools are not mature enough to use. Currently the only viable solution to do authentication and message security is to use transport layer security. The delegation portType is the only actual WS level item chosen to be implemented. The development of message level security standards and tools has to be followed and checked for viability periodically. When the standards and tools mature the recommendations in this document will need to be updated.

14 PEB All-Activity Meeting, September 13, 2004 - 14 Scope, objectives and status of M5/M6 deliverables MJRA3.3 OGSA SEC service initial recommendations for reengineering DJRA3.1 Global security architecture MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format

15 PEB All-Activity Meeting, September 13, 2004 - 15 Scope, objectives and status of M5/M6 deliverables MJRA3.3 OGSA SEC service initial recommendations for reengineering DJRA3.1 Global security architecture MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format

16 PEB All-Activity Meeting, September 13, 2004 - 16 Scope, objectives and status of M5/M6 deliverables: DJRA3.1 - Global security architecture (1/5) Where to find the document: https://edms.cern.ch/document/487004/ Some of the requirements inputs to the document: - JRA3: Gap analysis - reviewed at the first MWSG - JRA1: gLite architecture document - JRA3: User requirements collection - NA4: Application requirements database Next step: Final release of the document: September 17. Still missing: Use cases (We define a security architecture as A set of features and services that tackles a set of security requirements and can handle a set of use cases.)

17 PEB All-Activity Meeting, September 13, 2004 - 17 Scope, objectives and status of M5/M6 deliverables: DJRA3.1 - Global security architecture (2/5) ServiceDescriptionTime frame Logging and AuditingEnsures monitoring of system activities, and accountability in case of a security event Now AuthenticationCredential storage ensures proper security of (user-held) credentials Now Proxy certificates enable single sign-on TLS, GSI, WS-Security and possibly other X.509 based transport or message-level security protocols ensure integrity, authenticity and (optionally) confidentiality Now EU GridPMA establishes a common set of trust anchor for the authentication infrastructure Now Pseudonymity services addresses anonymity and privacy concerns Mid-term Overview of the security architecture services.

18 PEB All-Activity Meeting, September 13, 2004 - 18 Scope, objectives and status of M5/M6 deliverables: DJRA3.1 - Global security architecture (3/5) ServiceDescriptionTime frame AuthorizationAttribute authorities enable VO managed access control Policy assertion services enable the consolidation and central administration of common policy Authorization framework enables for local collection, arbitration, customisation and reasoning of policies from different administrative domains, as well as integration with service containers and legacy services Now Future Now DelegationAllows for an entity (user or resource) to empower another entity (local or remote) with the necessary permissions to act on its behalf Now Overview of the security architecture services.

19 PEB All-Activity Meeting, September 13, 2004 - 19 Scope, objectives and status of M5/M6 deliverables: DJRA3.1 - Global security architecture (4/5) Overview of the security architecture services. ServiceDescriptionTime frame Data key managementEnables long-term distributed storage of data for applications with privacy or confidentiality concerns Mid-term SandboxingIsolates a resource from the local site infrastructure hosting the resource, mitigating attacks and malicious/wrongful use Mid-term Site proxyEnables applications to communicate despite heterogenous and non-transparent network access Mid-term

20 PEB All-Activity Meeting, September 13, 2004 - 20 Scope, objectives and status of M5/M6 deliverables: DJRA3.1 - Global security architecture (5/5) RequirementFulfilledSolution/Technology/ServiceTime frame Single sign-onYesProxy certificates and a global authentication infrastructure Now User PrivacyPartiallyPseudonymity servicesMid-term Data PrivacyPartiallyEncrypted data storageMid-term Audit abilityPartiallyMeaningful log informationNow AccountabilityYesAll system interactions can be traced back to a user Now VO managed access controlYesVOMSNow Support for legacy and non- WS based software components YesModular authentication and authorization software suitable for integration Now Timely revocation delaysYesGradual transition from CRL based revocation to OCSP based revocation Mid-term Non-homogenous network accessYesSite ProxyFuture High-level requirements and how the architecture address them

21 PEB All-Activity Meeting, September 13, 2004 - 21 Scope, objectives and status of M5/M6 deliverables: DJRA3.1 - Global security architecture (1/6) The user obtains Grid credentials from a credential store, and the necessary tokens that assert the user’s rights to access the resource The user and the service container authenticate identities to each other and establish a secure communication channel across the (open) network with integrity, authenticity and confidentiality protection, and over which a SOAP message payload is conveyed. The established connection event is logged. The authentication layer validates the user’s identity with the trust anchors and credential revocation information. The result of the validation is logged. The service container absorbs the payload and routes it to the correct service endpoint. In the case of message-level security, the authentication step happens here and not before. The authorization routines ensure that the user has permission to access the resource, by combining asserted attributes and the VO policy (sent with the request) with the local site policy and other sources of access control. In the case that delegated credentials are used, the user delegates rights to the delegating resource to act on the user’s behalf. Overview on how the components in the security architecture interact

22 PEB All-Activity Meeting, September 13, 2004 - 22 Scope, objectives and status of M5/M6 deliverables MJRA3.3 OGSA SEC service initial recommendations for reengineering DJRA3.1 Global security architecture MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format

23 PEB All-Activity Meeting, September 13, 2004 - 23 Scope, objectives and status of M5/M6 deliverables MJRA3.3 OGSA SEC service initial recommendations for reengineering DJRA3.1 Global security architecture MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format

24 PEB All-Activity Meeting, September 13, 2004 - 24 Scope, objectives and status of M5/M6 deliverables: MJRA3.4 Security operational procedures and incident handling, definition of a common Grid incident format. This task is completed together with JSG and OSG PM6: - Inventory of security and incident handling procedures and requirements from GOC and ROCs (internal doc) - Definition of characteristics for a common reporting format (public document) PM7, Den Haag, 2nd EGEE Conf.: - Draft of ”Joint OSG and EGEE incident policies and procedures”. Together with Bob Cowles, Ian Bird, and Dave Kelsey.

25 PEB All-Activity Meeting, September 13, 2004 - 25 Risk titleDescription Security ArchitecturePerformance vs security, E.g. Whether authentication can be turned into and run as an independent credential validation web service is subject to the performance constraint stated by JRA1 (200 ms/message). Security ArchitectureSecurity not prioritized : How this could evolve: Security requirements are not a central point in developing/solving security problems between different activities complicating the coordination of efforts. E.g. developers are not referring to Sec Reqs in developing security solutions Requirement handlingNot making the proper priorities, meeting the application needs. Esp. regarding the biomed applications’ needs. Risk analysis (incomplete)

26 PEB All-Activity Meeting, September 13, 2004 - 26 Issues related to other activities 1. Not delivering security modules fast enough to JRA1. This is JRA3’s problem to solve. Still an issue to JRA1. 2. Clarification regarding horizontal security work - responsibilities, mandates (MWSG catches most of these issues. Ongoing).

27 PEB All-Activity Meeting, September 13, 2004 - 27 Highest priority steps to take between nowand the 2nd project conference in Den Haag  To support JRA1 need of security software, re-engineering, development  Finalize task 4, and 5 (task 1, 2, 3 (phase 1) already delivered).  MWSG, to prioritize and handle requirements, next meeting October 15.  Key Management for Biomed applications. Phase 1: scope, limitations and plan - might need to be speeded up.

28 PEB All-Activity Meeting, September 13, 2004 - 28 Thank you! http://egee-jra3.web.cern.ch/egee-jra3/index.html

Download ppt "EGEE is a project funded by the European Union under contract IST-2003-508833 JRA3 Security Åke Edlund Security Head PEB All-Activity Meeting, September."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.

INFSO-RI Enabling Grids for E-sciencE Security (JRA3) Åke Edlund, JRA3 Manager, KTH David Groep, EUGridPMA chair, NIKHEF EGEE 1.
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
Emerging Research Dimensions in IT Security Dr. Salar H. Naqvi Senior Member IEEE Research Fellow, CoreGRID Network of Excellence European.

Emerging Research Dimensions in IT Security Dr. Salar H. Naqvi Senior Member IEEE Research Fellow, CoreGRID Network of Excellence European.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
EGEE is a project funded by the European Union under contract INFSO-RI-508833 NA1 F. Gagliardi EGEE Project Director All Activity Meeting, 13 th September.

EGEE is a project funded by the European Union under contract INFSO-RI NA1 F. Gagliardi EGEE Project Director All Activity Meeting, 13 th September.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks JRA2: Quality Assurance & Security Coordination.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks JRA2: Quality Assurance & Security Coordination.
EGEE is a project funded by the European Union under contract IST-2003-508833 JRA1 Testing Activity: Status and Plans Leanne Guy EGEE Middleware Testing.

EGEE is a project funded by the European Union under contract IST JRA1 Testing Activity: Status and Plans Leanne Guy EGEE Middleware Testing.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.
EGEE is a project funded by the European Union under contract INFSO-RI-508833 Summary M-E Bégin & B. Jones EGEE Technical Coordination All Activity Meeting,

EGEE is a project funded by the European Union under contract INFSO-RI Summary M-E Bégin & B. Jones EGEE Technical Coordination All Activity Meeting,
EGEE is a project funded by the European Union under contract IST-2003-508833 Common Security Components Olle Mulmo JRA3 JRA1 all-hands meeting, June 29.

EGEE is a project funded by the European Union under contract IST Common Security Components Olle Mulmo JRA3 JRA1 all-hands meeting, June 29.
EGEE is a project funded by the European Union under contract IST-2003-508833 JRA3 Security Åke Edlund Security Head PEB All-Activity Meeting, June 18,

EGEE is a project funded by the European Union under contract IST JRA3 Security Åke Edlund Security Head PEB All-Activity Meeting, June 18,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE Security Coordination Group Ake Edlund EGEE Sec Head 9th MWSG meeting, SLAC,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE Security Coordination Group Ake Edlund EGEE Sec Head 9th MWSG meeting, SLAC,
EGEE is a project funded by the European Union under contract IST-2003-508833 Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.

EGEE is a project funded by the European Union under contract IST Gap analysis draft v2 Olle Mulmo, David Groep, Joni Hahkala JRA3 Gap, 10.
EGEE is a project funded by the European Union under contract IST-2003-508833 JRA1-SA1 requirement gathering Maite Barroso JRA1 Integration and Testing.

EGEE is a project funded by the European Union under contract IST JRA1-SA1 requirement gathering Maite Barroso JRA1 Integration and Testing.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
SA1/SA2 meeting 28 November 2003 - 1 The status of EGEE project and next steps Bob Jones EGEE Technical Director EGEE is proposed as.

SA1/SA2 meeting 28 November The status of EGEE project and next steps Bob Jones EGEE Technical Director EGEE is proposed as.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.

Similar presentations

Ads by Google