Grid Security Policy: EGEE to EGI David Kelsey (RAL) 16 Sep 2009 JSPG meeting, DFN Berlin david.kelsey at stfc.ac.uk.


Overview
Joint Security Policy Group
– The mandate
– Interoperability of policies
Overview of current JSPG policies
New policy framework for EGI era
– Feedback very welcome
EGI Security Policy Group
– Proposed operation

Joint Security Policy Group
This started as a WLCG activity in 2003
– LHC Grid (CERN)
– To advise GDB and Deployment Manager on all matters related to security
In 2004, EGEE started
– JSPG remit expanded to cover both projects
– Strong participation by OSG, NDGF, …
Revised mandate (2008)
– prepares and maintains security policies for its primary stakeholders (EGEE and WLCG)
– also able to provide policy advice on any security matter
Policies approved and adopted by Grid management

Policy Interoperability
Wherever possible, JSPG aims to
– prepare simple and general policies
– applicable to the primary stakeholders, but
– also of use to other Grid infrastructures (NGIs etc.)
The adoption of common policies by multiple Grids eases the problems of interoperability (and scaling)
Users, VOs and Sites all accept the same policies during their (single) registration (with Grid or VO)
Other participants then know that their actions are already bound by the policies
– No need for additional negotiation, registration or agreement

Interoperability (2)
User registers (once) with his/her VO
– Must accept Grid AUP
Sites are willing to delegate registration to the VO, knowing that VO procedures must follow the same VO policy
– And that the User will have accepted the AUP
The use of common policies
– Allows VOs to easily use resources in multiple Grids, for example as they move to EGI in Europe
Other Grids are welcome to use our policies
– With appropriate acknowledgements!

Overview of current JSPG Policies

Grid Security Policy
The main policy document
To fulfil its mission, it is necessary for the Grid to protect its resources. This document presents the policy regulating those activities of Grid participants related to the security of Grid services and Grid resources.

Grid Security Policy (2)
Objectives
– This policy gives authority for actions which may be carried out by certain individuals and bodies and places responsibilities on all participants.
Scope
– This policy applies to all participants. Every site participating in the Grid autonomously owns and follows their own local security policies with respect to the system administration and networking of all the resources they own, including resources which are part of the Grid. This policy augments local policies by setting out additional Grid-specific requirements.

Grid Security Policy (3)
Additional Policy documents
– Appendix 1 defines additional policy documents which must exist for a proper implementation of this policy. These documents are referred to in section 2.
Roles and Responsibilities: Participants
– Grid Management
– Grid Security Officer & Grid Security Operations
– Virtual Organisation Management
– Users
– Site Management
– Resource Administrators

Grid Security Policy (4)
Limits to Compliance
– Wherever possible, Grid policies and procedures are designed so that they may be applied uniformly across all sites and VOs. If this is not possible, for example due to legal or contractual obligations, exceptions may be made. Such exceptions must be justified in a document submitted to the Grid Security Officer for authorisation and, if required, approval at the appropriate level of management.
– In exceptional circumstances it may be necessary for participants to take emergency action in response to some unforeseen situation which may violate some aspect of this policy for the greater good of pursuing or preserving legitimate Grid objectives. If such a policy violation is necessary, the exception should be minimised, documented, time-limited and authorised at the highest level of management commensurate with taking the emergency action promptly, and the details notified to the Grid Security Officer at the earliest opportunity.

Grid Security Policy (5)
Sanctions, Liability, Disputes and Intellectual Property Rights
– Sites or resource administrators who fail to comply with this policy in respect of a service they are operating may lose the right to have that service instance recognised by the Grid until compliance has been satisfactorily demonstrated again.
– Users who fail to comply with this policy may lose their right of access to and/or collaboration with the Grid, and may have their activities reported to their home institute or, if those activities are thought to be illegal, to appropriate law enforcement agencies.
– VOs which fail to comply with this policy, together with all the users whose rights with respect to the Grid derive from that VO, may lose their right of access to and/or collaboration with the Grid.
– The issues of liability, dispute resolution and intellectual property rights, all of which may be Grid-specific, should be addressed in the additional policy documents.

JSPG Security Policies
Security Policy
Site & VO Policies
Certification Authorities
Traceability and Logging
Security Incident Response
Accounting Data Privacy
Pilot Jobs and VO Portals
Grid & VO AUPs

Site Operations Policy
Accepted and signed by an authorised person during registration of the Site with the Grid

VO Operations Policy
Accepted and signed by an authorised person during registration of the VO with the Grid

Grid AUP (Acceptable Use Policy)
Accepted by the User during registration with the VO

Recent JSPG work
Five recently approved and adopted policies:
– Virtual Organisation Registration Security Policy
– Virtual Organisation Membership Management Policy
– Grid Policy on the Handling of User-Level Job Accounting Data
– VO Portal Policy
– Security Incident Response Policy

Ongoing revisions
Site Registration Security Policy
– One remaining policy to be revised
Grid AUP
– Some Grids use it but have modified our text
– Some find it does not meet their needs
– Explore why and standardise where possible: DEISA, TeraGrid, EU infrastructures, national Grids, …

From EGEE to EGI

New policy framework for EGI
A framework to enable interoperation of collaborating Grids
Identify policy components necessary to create trust between collaborating Grids
Not imposing a single policy for all
We started from the current set of JSPG policies
– Not re-writing these
– Taking a high-level view to identify those components which are necessary
Other components of current JSPG policies which are either too EGEE-specific or are operational rather than related to security are not part of this framework
Each Grid will have security policies consisting of the framework components and their own Grid-specific components

Framework (2)
Specifies the issues that need to be addressed in a Grid's security policy
At this stage does not define minimum standards or requirements
– Standards will (hopefully) come later
This is aimed at Grids preparing or revising security policies, not at end users, sites, application communities etc.
As an aside... we found it very useful to have been through the whole JSPG "experience" to identify those issues which need to be addressed!

Security Policy Framework
Operational Security
User Responsibilities (includes VOs & application communities)
Site Responsibilities (includes Resource providers & Service providers)
Data Protection
Incident Response
We have considered and deliberately excluded: IPR, liability, software licensing, copyright.

Policy Framework (2)
Some early ideas of policy components
Operational Security: Vulnerabilities; Patching; Security officer
User Responsibilities: AUP; Traceability; VO management
Site Responsibilities: Traceability; Collaboration with Grid Ops; Controlling access
Data Protection: Confidential information handling; Personal data protection
Incident Response: Inform others; Collaborate; Timely handling

Policy Framework (3)
JSPG today: mixing general components and EGEE issues
Operational Security: Vulnerabilities; Patching; Security officer
User Responsibilities: AUP; Traceability; VO management
Site Responsibilities: Traceability; Collaboration with Grid Ops; Controlling access
Data Protection: Confidential information handling; Personal data protection
Incident Response: Inform others; Collaborate; Timely handling
EGEE-specific components

Now to the details…

Framework – Next steps
Create a template of generic wording for the policy components
– This will necessarily involve setting minimum standards and therefore reaching agreement will take time
There is also a need for people with different roles (Site/resource managers, users, etc.) to easily identify the policy components that apply to them

Policy in EGI
EGI Proposal V1 includes a Security Policy Group (SPG)
– Development and maintenance of security policies
– Advice on any security policy issue
– Primary stakeholders: NGIs, Sites, Application communities – but include other infrastructures
– Build on JSPG work
– Continue to aim for common, simple policies for interoperation

EGI SPG (2)
Membership: NGI reps, Sites, VOs, middleware, security ops
Participate in EUGridPMA, IGTF, OGF, TERENA federations, etc.
Small editorial team to prepare policies
– Meet face to face
Full consultation by Annual face to face meeting?
Coordination with other security activities and informing everyone are important

JSPG Meetings, Web etc.
Meetings: agenda, presentations, minutes etc.
JSPG Web sites and Membership of the JSPG mail list is closed, BUT
– Volunteers to work with us are always welcome!
Policy documents are available on the JSPG web sites (documents URL on the next slide)

Where are JSPG security policies?
http://proj-lcg-security.web.cern.ch/proj-lcg-security/documents.html

Discussion

Discussion topics
General approach?
Merge Operational Security and Incident Response?
Do we need a Security Officer?
Does Operational Security include "banning users"?
What should we say about AuthN and AuthZ?