24-May-01, D.P.Kelsey, GridPP WG E: Security (presentation transcript)

Slide 1: GridPP Work Group E
Security Development
David Kelsey
CLRC/RAL, UK
email@example.com

Slide 2: Introduction - Security
Essential low-level component for any GRID
  – also need to inter-operate with other GRIDs
General Requirements
  – Authentication (and single sign-on)
  – Authorisation
  – Auditing
  – Incident discovery and tracking (hacking!)
Accounting and Quotas - related, but not this WG
WG E is Security Development
  – not Operations (that comes under WG G)

Slide 3: Authentication
Based on X.509 certificates and Globus GSI
Implementation by DataGrid WP6 CA sub-group
  – 10 national Certificate Authorities in action
Andrew S. et al run the UK Testbed CA at RAL
Moving away from use of Globus certs
  – By M9 only EDG
Putting effort into CP and CPS
  – We must be able to trust each other!
  – GGF working on this topic
Yet to include US CA(s)

Slide 4: Authorisation
The big problem!
Requirements
  – Groups, Roles, Privileges … Used in resource allocation and quotas
  – Link Global and Local security policies
  – But give Local managers full control
Solution for EDG M9/Testbed 1
  – Use Globus GRID mapfile
  – Authorisation all LOCAL, i.e. UNIX gid, uid based
  – Tool from Andrew McNab to map to generic leased accounts
  – Tool from INFN to extract group structures from LDAP directories

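The local mapping step on the Authorisation slide, as an added example (not code from the presentation, Globus, or either tool named on the slide): an authenticated certificate subject DN is looked up in a grid mapfile and resolved either to a fixed UNIX account or to a leased generic account. The DNs, account names, the leading "." pool marker and the in-memory lease table are assumptions made for this sketch.

```python
import shlex

# Constructed sample: quoted certificate subject DN, then a local account.
# A leading "." marks a pool of generic accounts (assumed convention here).
SAMPLE_MAPFILE = '''
# constructed entries, not real users
"/C=UK/O=Example Grid/OU=RAL/CN=Alice Example" alice
"/C=UK/O=Example Grid/OU=Oxford/CN=Bob Example" .hepuser
"/C=IT/O=Example Grid/OU=INFN/CN=Carla Example" .hepuser
'''

def parse_mapfile(text):
    """Return {subject DN: target}; raise ValueError on a malformed line."""
    mapping = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # unbalanced quotes raise ValueError
        if len(parts) != 2 or not parts[0].startswith("/"):
            raise ValueError(f"line {n}: expected \"<DN>\" <account>")
        dn, target = parts
        if dn in mapping:
            raise ValueError(f"line {n}: duplicate DN {dn!r}")
        mapping[dn] = target
    return mapping

class PoolLeases:
    """In-memory lease table: each generic account serves one DN only."""
    def __init__(self, pools):
        self.free = {name: list(accounts) for name, accounts in pools.items()}
        self.leased = {}  # subject DN -> leased account

    def authorise(self, mapping, dn):
        """Map an authenticated DN to a local account, or None to deny."""
        target = mapping.get(dn)
        if target is None:
            return None                  # DN not listed: default deny
        if not target.startswith("."):
            return target                # static personal account
        if dn in self.leased:
            return self.leased[dn]       # same lease keeps audit logs attributable
        free = self.free.get(target[1:], [])
        if not free:
            return None                  # pool exhausted: deny rather than share
        self.leased[dn] = free.pop(0)
        return self.leased[dn]

if __name__ == "__main__":
    leases = PoolLeases({"hepuser": ["hepuser001", "hepuser002"]})
    for dn in parse_mapfile(SAMPLE_MAPFILE):
        print(dn, "->", leases.authorise(parse_mapfile(SAMPLE_MAPFILE), dn))
```
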
Slide 5: Future directions
Globus Community Authorisation Server (CAS)
  – User authenticates against CAS using X.509 cert
  – CAS gives back a community certificate
  – User presents the community cert to end server
  – This is mapped onto local security domain
Activity in IETF, GGF, … on PMI
  – Privilege Management Infrastructure
Capability vs Access Control
We need to investigate
  – Local access to Global security (a new service)
  – How to specify policy

Slide 6: Deliverables/Resources

Slide 7: Task 1
General comment
  – Still early days - deliverables rather general!
Task 1: Gather Requirements (0.2 FTE)
  – Document initial requirements (year 1) middleware & applications
  – ongoing requirements through tasks 4 & 8
Deliverables
  – Year 1 - Produce a document

Slide 8: Task 2
Survey and Track Technology (0.5 FTE)
  – survey/track developments in GGF, IETF, Globus and elsewhere and make recommendations
Deliverables
  – Year 1: Recommend useful standards and implementations
  – Years 2/3: Track and make recommendations

Slide 9: Task 3
Design, implement and test (1.6 FTE)
  – short-term and long-term solutions for authentication, authorisation, auditing and other security services
Deliverables
  – Year 1: Implement and test short-term solutions
  – Years 2/3: Long-term solutions
  – Years 2/3: work with other projects and GGF to define common policies and practices

Slide 10: Task 4
Integrate with Other WG/Grids (0.7 FTE)
  – work with other work groups and projects to ensure common solutions
Deliverables
  – Year 1: Define and establish links
  – Year 1: Use these links to share info, tools etc
  – Years 2/3: Continue as before with new links as required

Slide 11: Task 5
Architecture (0.25 FTE)
  – work with other WGs and projects to define the architecture of the security services and their relation to other Grid components
Deliverables
  – Year 1: Define an initial architecture
  – Years 2/3: Review and refine

Slide 12: Task 6
Security Development (0.75 FTE)
  – develop tools and services as required, both short and long term
Deliverables
  – Year 1: Provide tools and services for early prototype
  – Years 2/3: Refine and develop new tools and services as required

Slide 13: Task 7
Management of WG E (0.25 FTE)
  – project planning and management
  – includes WG meetings, documentation etc.
Deliverables
  – Year 1: Management
  – Years 2/3: More management!

Slide 14: Task 8
DataGrid Security (0.5 FTE)
  – participation and leadership of EDG Security Coordination
  – not specified in EU contract
Deliverables
  – Year 1: Leadership of DataGrid security group(s)
  – Years 2/3: Ongoing leadership

Slide 15: Task 9
DataGrid Security Development (0.75 FTE)
  – to complement Task 6
  – development of tools and services for EDG
  – these will also be useful for GridPP and others
Deliverables
  – Year 1: development work for EDG
  – Years 2/3: ongoing development

Slide 16: Task 10
Production phase (1.0 FTE)
  – additional effort to complement other tasks during years 2 and 3
Deliverables
  – Years 2/3: work in areas to be defined by end of Year 1

Slide 17: Summary of effort (FTE)

                                  01/02  02/03  03/04  TOT
Design, Develop, Test              0.6    1.9    1.9   4.4
Manage, Survey, Link to others     0.5    0.8    0.8   2.1
TOTALS                             1.1    2.7    2.7   6.5

Slide 18: Links to other Grid projects
Security must interoperate!
GridPP - WG K CERN
  – WG K also bidding for effort to work on PKI, PMI and security monitoring
DataGrid
GGF, GriPhyN, PPDG...
CLRC e-Science Centre
Others...

Slide 19: Future plans
DataGrid Security is my top priority right now
  – Security into architecture (ATF)
  – operational issues via WP6
  – Kick start a Security Task Force to coordinate activities in other WPs
      meet at CERN on 6th June
We need GridPP effort asap!
Start to define more detailed Year 1 plans
  – and identify a security team
  – Defence (work together): Network + Security