Presentation is loading. Please wait.

Presentation is loading. Please wait.

9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK

Published byLaurence Dalton Modified over 8 years ago

Similar presentations

Presentation on theme: "9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK"— Presentation transcript:

1 9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk

2 9-Oct-03D.P.Kelsey, LCG-GDB-Security2 Overview Just one topic LCG Security and Availability Policy –Draft 3 presented at 9 th Sep 03 GDB –Aiming for approval at this meeting This draft (V4b) produced on 30 th Sep Security Group meetings (also working on risk analysis) –10 th September 2003 –24 th September 2003 http://agenda.cern.ch/displayLevel.php?fid=68

3 9-Oct-03D.P.Kelsey, LCG-GDB-Security3 Changes since last GDB “LCG Security and Availability Policy” –Trevor Daniels (GOC task force) is main author –In collaboration with Security Group Incorporated comments made last month by GDB –Ownership –Role of home employing institute –No personnel screening Lots of minor changes –To make document clearer –Changed document template to LCG SEC format Also distributed V4b to Site Security contacts –but no feedback to date

4 9-Oct-03D.P.Kelsey, LCG-GDB-Security4 Section 1: Objectives and Scope Objectives –Agreed set of statements –Attitude of the project towards security and availability –Authority for defined actions –Responsibilities on individuals and bodies Promote the LHC science mission Control of resources and protection from abuse Minimise disruption to science Obligations to other network (inter- and intra- nets) users Broad scope: not just hacking Maximise availability and integrity of services and data Resources, Users, Administrators, Developers (systems and applications), and VOs Does NOT override local policies Procedures, rules, guides etc contained in separate documents

5 9-Oct-03D.P.Kelsey, LCG-GDB-Security5 Section 1: Ownership, maintenance and review The Policy is –Prepared and maintained by Security Group and GOC –Approved by GDB –Formally owned and adopted as policy by SC2 Technical docs implementing or expounding policy –Procedures, guides, rules, … –Owned by the Security Group and GOC timely and competent changes GDB approval for initial docs and significant revisions –Must address the objectives of the policy Review the top-level policy at least every 2 years –Ratification by SC2 via GDB if major changes required

6 9-Oct-03D.P.Kelsey, LCG-GDB-Security6 Section 2: LCG services and resources Definition of … Resources –Equipment, software, data Services –Defined by GOC web-site –example list defined

7 9-Oct-03D.P.Kelsey, LCG-GDB-Security7 Section 3: Roles and Responsibilities LCG Organisation VOs –Acts with LCG Organisation, sites and home institutes of users Sites Resource Administrators Users Developers GOC Some examples here. Details in associated documents

8 9-Oct-03D.P.Kelsey, LCG-GDB-Security8 Section 4: Physical security Expected to be covered by site local policy and practices –Should aim to reduce the risks Should be consistent with the SLA defined by the resource administrator

9 9-Oct-03D.P.Kelsey, LCG-GDB-Security9 Section 5: Network security Covered by local site policy –Should aim to reduce risks Again consistent with SLA LCG policy to reduce the risk exposed by applications which need to communicate across the Internet, BUT Firewalls required to allow transit of inbound and outbound packets to/from some port numbers

10 9-Oct-03D.P.Kelsey, LCG-GDB-Security10 Section 6: Access Control Global components of the common grid security infrastructure must be deployed by all sites and resources Additional local components allowed Resource providers and Users must comply with all relevant associated documents

11 9-Oct-03D.P.Kelsey, LCG-GDB-Security11 Section 7: Compliance Require Site self-audit at least every 2 years –Check policy (and associated procedures and practices) is being followed Independent audit (by or for GOC) allowed if –Self audit not performed –Not following policy –At random Audit summaries to be published (by GOC) Emergency exceptions allowed –Time-limited, authorised and GOC informed

12 9-Oct-03D.P.Kelsey, LCG-GDB-Security12 Section 8: Sanctions Sanctions defined for failure to comply Sites or admins –remove services Users, Admins, Developers –remove right of access –May have activities reported to home institute or to law enforcement agencies –Appropriate body will decide course of action Responsibility of the VO to define the body VOs –Remove right of access for them and all their users

13 9-Oct-03D.P.Kelsey, LCG-GDB-Security13 Section 9: Associated documents User Registration and VO Management (exists) Rules for use of LCG-1 (exists) Procedures for Resource Administrators Approval of LCG CA’s (exists) Guide for network administrators Procedures for site self-audit SLA Guide Incident Response (exists) Audit Requirements (exists)

14 9-Oct-03D.P.Kelsey, LCG-GDB-Security14 Issues since 30 th Sep We use the term GOC in the singular –Means the GOC “service” i.e. several GOC’s Assumes that sites join LCG –How can we cope with other Grids offering resources, but not part of LCG? We need to require they agree to our policy

Download ppt "9-Oct-03D.P.Kelsey, LCG-GDB-Security1 LCG/GDB Security (Report from the LCG Security Group) FNAL 9 October 2003 David Kelsey CCLRC/RAL, UK"

Similar presentations

Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk.

Grid Security Policy David Kelsey (RAL) 1 July 2009 UK HEP SYSMAN Security workshop david.kelsey at stfc.ac.uk.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Contractor Safety Management

Contractor Safety Management
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
B O N N E V I L L E P O W E R A D M I N I S T R A T I O N 1 Network Operating Committee (NOC) June 12 th, 2014.

B O N N E V I L L E P O W E R A D M I N I S T R A T I O N 1 Network Operating Committee (NOC) June 12 th, 2014.
RomeWorkshop on eInfrastructures 9 December 2003 - 1 LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.

RomeWorkshop on eInfrastructures 9 December LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.
Postgraduate Educational Course in radiation protection and the Safety of Radiation sources PGEC Part IV The International System of Radiation Protection.

Postgraduate Educational Course in radiation protection and the Safety of Radiation sources PGEC Part IV The International System of Radiation Protection.
WHO COURSE FOR THE CARs MONITORING AND AUDITING OF FOOD LAW COMPLIANCE AND ENFORCEMENT.

WHO COURSE FOR THE CARs MONITORING AND AUDITING OF FOOD LAW COMPLIANCE AND ENFORCEMENT.
1 Updates to Texas Administrative Code 1TAC 206 Jeff Kline, Statewide Accessibility Coordinator Texas Department of Information Resources February 8, 2012.

1 Updates to Texas Administrative Code 1TAC 206 Jeff Kline, Statewide Accessibility Coordinator Texas Department of Information Resources February 8, 2012.
Implementing the New Reliability Standards Status of Draft Cyber Security Standards CIP-002-1 through CIP-009-1 Larry Bugh ECAR Standard Drafting Team.

Implementing the New Reliability Standards Status of Draft Cyber Security Standards CIP through CIP Larry Bugh ECAR Standard Drafting Team.
Federal Aviation Administration Federal Aviation Administration 1 Presentation to: Name: Date: Federal Aviation Administration AMHS Security Security Sub-Group.

Federal Aviation Administration Federal Aviation Administration 1 Presentation to: Name: Date: Federal Aviation Administration AMHS Security Security Sub-Group.
Project Management Methodology Project Closing. Project closing stage Must be performed for all projects, successfully completed or shut off by management.

Project Management Methodology Project Closing. Project closing stage Must be performed for all projects, successfully completed or shut off by management.
Oilpalm.wildasia.org RSPO SCC Standard Group Certification (Part 3) RSPO LEAD AUDITOR SERIES SCCS M2c May 2013.

Oilpalm.wildasia.org RSPO SCC Standard Group Certification (Part 3) RSPO LEAD AUDITOR SERIES SCCS M2c May 2013.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE ARM-2 – 5 Oct 2004 - 1 LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.

EGEE ARM-2 – 5 Oct LCG Security Coordination Ian Neilson LCG Security Officer Grid Deployment Group CERN.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

Similar presentations

Ads by Google