OSG VO Security Policies and Requirements Mine Altunay OSG Security Team July 2007.

Presentation transcript:

OSG VO Security Policies and Requirements Mine Altunay OSG Security Team July 2007

Who am I?
– Recently joined the OSG Security Team
– Ramping up to be full-time on OSG Security
– Working through the OSG Security Plan
– Helping develop any new items for the Security Plan in Year 2

[Diagram: grid job, VO, VO Infra. & Services, Site, Storage, WN; VO-accessible Site Resources]
– Three separate security domains: Univ., VO and Site
– Two trust relationships:
  – VO trusts Researcher (Researcher A from University X, which is a member of the VO)
  – Site trusts VO
– Researcher accesses the Site’s resources due to the trust between the VO and the Site: the Site allows access by the Researcher.

– Site grants access to the VO.
– VO delegates the access privilege to its trusted members.
– VO manages its members’ access rights:
  – different access rights to different VO members
  – e.g. grouping of users based on tasks, or roles played in an experiment
– VO policy may define “groups” and “roles”.

[Diagram: Researcher A from University X (Group: Univ. X, Role: Researcher) and Researcher B from University Y (Group: Univ. Y, Role: Researcher); Job 1’s Data and Job 2’s Data; VOMRS holds the VO mappings, GUMS retrieves them]
– VOMRS manages member-role mappings (see Tanya’s talk)
– GUMS retrieves membership info from the VO and enforces VO-assigned privileges at the Site

Enforced Security Policy
[Diagram: VO Policy and Site Policy combine into the Enforced Policy, applied to the Site’s data storage and WN]
– VO Policy determines each VO member’s privileges
– Site Policy determines that the VO has access to the storage, and can still blacklist particular VO members if desired

[Diagram: Researcher A from University X submits grid job 1 through the VO (VO Infra. & Services) to the Site’s WN; Researcher B from University Y; Job 1’s Data and Job 2’s Data; an unauthorized access, the scenario for the incident-response slides that follow]

What if something goes wrong? Incident Response
– Researcher A launches an attack against the Site
– Site discovers the attack
– Site analyzes the attack and temporarily blacklists Researcher A (if it can trace it)
– Site can call the GOC at [number missing from transcript], or submit a trouble ticket, or
  – inform the VO security contact
– Site trusts the VO, not individual members
– VO finds which member has the privilege (logs and mapping repository, VOMRS)
– VO determines culpability and takes measures over Researcher A’s privileges
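To make the VO policy / Site policy split and the trace-back step concrete, here is a small Python model of a site that maps VO group/role assignments onto local accounts, honours its own blacklist, and keeps a mapping log so an incident can be traced back to a VO member. This is an added example, not code from the talk, from VOMRS or from GUMS; the DNs, group names, local accounts and the table layout are constructed assumptions, and GUMS’s real configuration format is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class SiteAuthz:
    vo_membership: dict   # dn -> set of (group, role) the VO grants (VOMRS view)
    site_mapping: dict    # (group, role) -> local account (GUMS-like table)
    blacklist: set = field(default_factory=set)   # members the site refuses regardless of VO policy
    log: list = field(default_factory=list)       # (dn, group, role, account) kept for tracing

    def authorize(self, dn, group, role):
        """Return the local account for this request, or None if access is denied."""
        if dn in self.blacklist:
            return None  # Site policy: the site may blacklist a member the VO still trusts
        if (group, role) not in self.vo_membership.get(dn, set()):
            return None  # VO policy: the member does not hold this group/role
        account = self.site_mapping.get((group, role))
        if account is None:
            return None  # Site policy: this group/role is not hosted at the site
        self.log.append((dn, group, role, account))
        return account

    def trace(self, account):
        """Incident response: which VO members were ever mapped onto this local account."""
        return sorted({dn for dn, _g, _r, acct in self.log if acct == account})


# Constructed sample data: DNs, group names and accounts are assumptions for the demo.
RESEARCHER_A = "/DC=example/OU=People/CN=Researcher A"
RESEARCHER_B = "/DC=example/OU=People/CN=Researcher B"

def build_demo_site():
    """A site hosting two VO groups, each mapped to a shared group account."""
    return SiteAuthz(
        vo_membership={
            RESEARCHER_A: {("/vo/univx", "Researcher")},
            RESEARCHER_B: {("/vo/univy", "Researcher")},
        },
        site_mapping={
            ("/vo/univx", "Researcher"): "vo_univx",
            ("/vo/univy", "Researcher"): "vo_univy",
        },
    )

if __name__ == "__main__":
    site = build_demo_site()
    print(site.authorize(RESEARCHER_A, "/vo/univx", "Researcher"))  # vo_univx
    print(site.authorize(RESEARCHER_A, "/vo/univy", "Researcher"))  # None: VO never granted it
    site.blacklist.add(RESEARCHER_A)  # the site reacts to the incident
    print(site.authorize(RESEARCHER_A, "/vo/univx", "Researcher"))  # None: site blacklist
    print(site.trace("vo_univx"))  # [RESEARCHER_A]: the VO can identify the culprit
```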

VO Policy
VO must:
– List a Security Contact and an Administrative Contact, for incident handling and for reporting VO-service problems
– Comply with Grid Security Policies: archival, accounting and audit (logs and changes)
– Maintain a membership service to generate authentication and authorization data for accessing resources
– Treat the membership and logged information confidentially and exercise due diligence
– Ensure availability of VO services and comply with grid operational policies
– Respond promptly to members’ queries and inform them of any status changes