Grid Security Policy. GridPP18, Glasgow. David Kelsey, 21st March 2007.


1 Grid Security Policy
GridPP18, Glasgow
David Kelsey
21st March 2007

2 Joint Security Policy Group
Kelsey, Security Policy 2 21-Mar-07
Joint initially was EGEE and LCG
  – Strong participation by USA Open Science Grid
Now Joint = EGEE/OSG/WLCG/NDGF + …
Strong links to other security groups
  – Middleware Security Group
  – Operational Security Coordination Team
  – Grid Security Vulnerability Group
  – EU Grid PMA/IGTF

3 JSPG membership
Application representatives/VO managers
Site Security Officers
Site/Resource Managers/Security Contacts
Security middleware experts/developers
CERN Deployment team
Now expanded to include other EU Grid projects
Other EU Infrastructure projects (may) use our policies
  – BalticGrid, EELA, EUMedGrid, EUChinaGrid, …

4 Interoperable Policies
Aim to allow applications (VOs) to easily use resources in multiple Grids
The simplest approach
  – Common Policies
    User AUP
    Site AUP
    VO AUP
  – If not common then at least not conflicting!
EU eInfrastructure Reflection Group (eIRG)
  – EGEE inputs policy for consideration

5 Grid Security Policy
Site & VO Policies
Certification Authorities
Audit Requirements
Incident Response
User Registration & VO Management
Application Development & Network Admin Guide
Grid & VO AUPs

6 Grid Security Policy
New, revised document
  – Replaces very old LCG Security and Availability Policy
  – Simpler and more general
  – Useful to multiple Grids, not LCG-specific
V5.4 (December 06) – EGEE milestone MSA1.7
Current draft (V5.5) from last week's JSPG meeting
  – Will be distributed for wider comment soon
V5.4 already approved by OSG
A major simplification will be tackled during 2007

7 Grid Site Operations Policy
Has to be signed by Sites during registration
EGEE-II milestone MSA1.3 – Lots of useful feedback received
  – Including CERN legal department
Close to final
  – V1.3 agreed at last week's JSPG meeting
Signing will await approval of new top-level policy document
  – Covering document per Grid also required

8 Issues for GridPP
Security policy in new GridPP Tier 2 MoU
Sites say they cannot accept policy that allows others to change this without their approval
  – Existing GridPP Tier 2 MoU handled this
    Took snapshot of EGEE policies
  – Change requires approval of Tier 2 Board
But the Grid has to be able to change policies!
For EGEE, policy approval process involves full consultation and feedback with Sites
  – But once approved new policy applies to all

9 Accounting & Monitoring Data Policy
VOs/Grid Ops require access to user-level logs
  – EU directives and national laws on processing personal data and privacy apply here
Dave Kant presented the approach for Accounting yesterday
Draft policy document available soon
  – Will cover accounting and monitoring data
Data classification agreed last week (JSPG)

10 Informed User consent
Grid AUP says… (accepted during registration with VO)
"Logged information, including information provided by you for registration purposes, shall be used for administrative, operational, accounting, monitoring and security purposes only. This information may be disclosed to other organizations anywhere in the world for these purposes. Although efforts are made to maintain confidentiality, no guarantees are given"
So the User has given informed consent
Together with a policy document on personal data management, should be enough to convince sites to allow access to the appropriate logs

11 Logged data classification
Private
  – Contains sensitive personal data
  – Grid Operations does not create, store or handle such data
Personal
  – Name, Institute, address, X.509 DN
Non-public
  – To be kept confidential within site and/or VO
    Security considerations, confidentiality
Public
  – World readable – no stipulations
Grid needs to have policy for two in red
  – VOs and applications are responsible for their own data handling

12 EGEE security operations
Operational Security Coordination Team
  – Romain Wartel (CERN) – Security Officer
  – Weekly operational rota
  – Security Service Challenges
  – New GridPP Security Officer
Grid Security Vulnerability Group
  – Linda Cornwall (RAL)
  – Risk Assessment Team handles issues
  – Full responsible public disclosure now approved

13 IGTF
International Grid Trust Federation
  – 3 regional PMAs, including EU Grid PMA
Number of classic CAs continues to grow
  – Africa now starting to join EU PMA
New Authentication profiles
  – Short-Lived Cert Service (SLCS)
    SWITCH Shibboleth CA now approved
  – Member Integrated Cert Service (MICS)
    Close to agreement

14 JSPG future plans
Approval of current draft documents
New draft of Audit Policy
VO Operations Policy
  – Signed by VO during registration
Grid Service Operations Policy
  – Obligations of anyone running a Grid service, e.g. VObox
In EGEE-III
  – Move towards EGI with national Grids
  – Scaling problems of one VO and many Grids
  – Work with NGIs, e.g. NGS and Grid Ireland

15 JSPG Meetings, Web etc
Meetings - Agenda, presentations, minutes etc
JSPG Web site
Policy documents at
