
1 EGI Federated Cloud Security - what is needed
Linda Cornwall (STFC) and the EGI CSIRT team
20th January 2015
www.egi.eu, EGI-InSPIRE RI-261323

2 EGI Federated Cloud Model
- IaaS provided by distributed RPs
- Brokerage on top of this
- Endorsed VMs only allowed (provided in AppDB)
- ‘User’ is in charge – which is what the policy group has called ‘VM Operator’
- This has led to some confusion in the past
- See Security Policy for the Endorsement and Operation of Virtual Machine Images: https://documents.egi.eu/public/ShowDocument?docid=771

3 Three main players
- RP = Resource Provider – provides IaaS
- VM Operator – person instantiating VMs
  - On behalf of the VO
  - Would usually have ‘root’ access to VM
  - Has appropriate high level of skills
- End User – user (e.g. scientist) who connects to VMs to carry out their work
  - Less skilled

4 Lower level of skill VM Operator?
- Do we envisage a lower skilled person instantiating VMs, e.g. specialized ones for certain applications?
- Probably NOT with User having root?
- Possibly with specific S/W installed?
- Would this be appropriate for small VOs?

5 Responsibility
- Fed Cloud view?
- RP agrees to support a VO.
- VM Operator instantiates VMs on behalf of a VO.
- AUP signed by VO
- VM Operator is then wholly responsible for the VM
- RP does NOT get to look at image
- Takes no action unless AUP or law broken
- Not updating for critical vulnerabilities does not trigger action
- Probably this is where security team disagrees with Fed Cloud people’s view
- Anyway, how does RP know if AUP broken if it can’t look at an image?

6 RP scanning VMs
- Commercial providers, e.g. Amazon, DO scan VMs
- Customers DO have to agree that Amazon has a right to scan VMs
- Probably necessary from a ‘due diligence’ legal point of view
- AUP should be modified so that VOs/VM Operators agree RPs have a right to scan VMs.

7 Highly confidential Data
- Is data to be stored or processed on the Fed Cloud which is highly confidential and hence RP scanning not acceptable?
- Heard called the ‘embassy cloud’ where RP has no access to data.
- General thought is that private data, e.g. biomed, should be on private data server
- Is there any requirement to host e.g. private biomed in the cloud?
- Is RP scanning acceptable?

8 What can VM operator do?
- Fed Cloud wishes to define that the VM Operator can do anything they wish
- No restrictions as commercial operators do not have restrictions
- But commercial operators have their own large security teams
- We are likely to have a ‘due diligence’ legal responsibility issue
- Need to flag to management that there are legal issues which they should investigate

9 RPs and VOs and AAI
- EGI has AUP with VO
- RPs agree to support VO
- AAI is VOMS only at present
  - DN and technology as Grid
- Need to ensure any new AAI is adequately secure
  - Both from technical and trust view
- Getting something that works is one thing. Ensuring it is free from vulnerabilities is another. Building trust with other entities is another.

10 VM Operator as service provider
- The VM Operator is effectively a service provider, providing services to the end user
- Hence policies on the service provider are applicable to the VM Operator
- What Fed Cloud has called a ‘User’ IS therefore a service provider
- The VO, and the VM Operator, is a service provider and has the same responsibilities as other service providers
- A service provider is like a site admin – can we trust them?
- Need to update policy on service operation

11 Logging and traceability
- We have policies on logging and traceability
- These effectively feed into requirements on the RPs and VM Operators to log and keep
- Essential for incident response
- Not clear what logging is in place at present
- Need to define more specific required logging and traceability
  - What is logged
  - How long logs are kept

12 ‘End User’ access
- VM Operator will need to give End Users access to resources.
- What methods does the EGI Fed Cloud use now?
- Does it depend on institute IDs?
- Institutes tend to have quite strict conditions.
- EGI Fed Cloud should provide recommended methods and criteria for End User access.
  - Both concerning technology and trust

13 Security Incident Response
- What happens when an incident occurs? And they will
- Can an incident be traced to end user?
- If it cannot, it is necessary to suspend the whole VO.
- After VO is suspended, will need to be able to investigate before it can be re-enabled
- So incident response, whether via the VM operator/VO or by EGI CSIRT, remains essential

14 2 ‘reasonable’ options
- EGI CSIRT has access to information
  - This means logging and traceability policy/requirements must be met
  - Need to trace to the end user
  - Full co-operation from the VO, VM Operator
- VO has its own CSIRT/IRTF function and investigates
  - Might be appropriate for large VO (e.g. probably Netflix has own security team)
  - Not reasonable for small/medium VOs

15 What advantages are there to using Fed Cloud rather than commercial?
- One may be that a VO does NOT need to have its own security team
- As well as help with AAI, endorsed VMs etc., EGI Fed Cloud can provide the security services

16 Problematic VMs
- There is a desire in Fed Cloud NOT to suspend VMs
- Commercial providers don’t do this
- What do we need to do?
- In case of multiple instances of a problematic VM.
- Need some way of quarantining images

17 Endorsed VM images
- Endorser is responsible for endorsed images
- This responsibility continues while image is available
- Includes ensuring they are up to date concerning vulnerabilities
- After VMs instantiated, are they updated?
- How do you ensure VMs which are in use are kept up to date?
- Or are they fairly short lived?

18 Problematic images
- If a VM has problems, do others having same VM Id get suspended?
- Only one may be problematic, due to a modification. How can it be quickly found whether it is a one-off due to a change to that image or whether it is a problem with all instances?
- How is data/work kept if images are problematic?
- I.e. how to quarantine and keep

19 VM requirements
- Requirements on endorsed images including patching
- Training/best practice needed for VM endorsers
- How do we ensure images in operation are up to date concerning security patches? (short life or updates)
- Criteria for suspending and quarantining problematic images, including keeping work

20 General
- Need to write down usage model in detail
- Need to write down security model
- Responsibility/legal model, agreed with management
- Enough people to carry out work – some as part of EGI Engage
- Security Threat Risk assessment – when more is documented and better info is available to carry this out

21 Questions and discussion

