LCG Security Status and Issues

Presentation transcript:

Slide 1: LCG Security Status and Issues
Ian Neilson, Grid Deployment Group, CERN
LHCC, 15 November 2005

Slide 2: Overview
- Security Policy
  - Joint Security Policy Group
- Authentication & Authorization Infrastructure
  - International Grid Trust Federation
  - LHC Experiment Virtual Organisations
- Operational Security
  - Operational Security Coordination Team
  - Incident Response Planning
  - Security Monitoring Tools
  - Security Service Challenges
- plus some related activities

Slide 3: Security Policy
- Joint Security Policy Group: LCG & EGEE, with strong input from OSG
- Policy Set:
  - Security & Availability Policy
  - Usage Rules
  - Certification Authorities
  - Audit Requirements
  - Incident Response
  - User Registration & VO Management
  - Application Development & Network Admin Guide
  - VO Security

Slide 4: Security Policy: Policy Revision In Progress/Completed
- Grid Acceptable Use (https://edms.cern.ch/document/428036/)
  - common, general and simple AUP for all VO members using many Grid infrastructures: EGEE, OSG, SEE-GRID, DEISA, national Grids…
- VO Security (https://edms.cern.ch/document/573348/)
  - responsibilities for VO managers and members
  - VO AUP to tie members to the Grid AUP, accepted at registration
- Incident Handling and Response (https://edms.cern.ch/document/428035/)
  - defines basic communications paths
  - defines requirements (MUSTs) for IR: reporting, response, protection of data, analysis
  - not intended to replace or interfere with local response plans

Slide 5: Security Policy: Issues
- Can generic ‘simple’ policies be binding? Can they protect across legislative domains?
- Release of accounting data
  - some site policies restrict release of per-user data
  - legal implications of EU directives on privacy
  - needed to properly manage and account to VOs
- More policy updates needed, but the revision process is slow
  - top-level security and availability policy
  - new policy for Data Handling/Protection needed
- Depth of policy review and discussion varies
- Risk Analysis should be repeated: http://cern.ch/proj-lcg-security/RiskAnalysis/risk.html

Slide 6: Authentication Infrastructure
- IGTF – International Grid Trust Federation
- LCG currently accepts certificates from EUGridPMA CAs plus the FNAL Kerberized CA
- IGTF officially formed at GGF15
  - 3 regional PMAs: Europe, Asia Pacific, Americas
  - addresses scalability issues felt by EUGridPMA
  - separates the management of authentication profiles
    - EUGridPMA: ‘classic’ CA
    - TAGPMA: Short-lived Credential Generation Services; brings the FNAL KCA under an IGTF profile; in future for myproxy- and Shibboleth-based services
- For LCG – the “relying parties”
  - what service is expected beyond credential issuing? revocation processing
  - the CA world is still “settling down”; will it stabilize? move from grid sites to NRENs

Slide 7: Authorization Infrastructure: LHC Experiment Virtual Organisations
- VO Management service now deployed in beta at CERN
  - VOMRS registration interface – good collaboration with FNAL
  - managed CERN Oracle service DB
  - all 4 LHC experiments
- Back-end tied to the CERN HR database view (ORGDB)
  - allows use of existing experiment registration
  - relies on membership lifecycle maintenance!
  - but the VO manager retains control
- e.g. https://lcg-voms.cern.ch:8443/vo/atlas/vomrs

Slide 8: Authorization Infrastructure
- VOMS+VOMRS gives managed VO group+role flexibility
  - BUT grid service authorization is now based on simple group/role only
  - authorization workshop discussed near-term requirements – SC4: http://agenda.cern.ch/fullAgenda.php?ida=a054503
- VO Management and Authorization Services
  - critical service, but has been hard to deploy: HR interface, Oracle support, gLite packaging
  - limited experience in real operation: debug, performance
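The slide's point that services authorize on "simple group/role only", even though VOMS can carry richer attributes, is easiest to see in code. The following is an added example written for this transcript; it is not code from the presentation, from VOMS or from gLite. It parses VOMS FQAN strings of the form /vo/subgroup/Role=r/Capability=c (with "NULL" meaning unset) and authorizes an action against a constructed group/role policy table; the Capability field is parsed but deliberately never consulted, which is exactly the limitation the slide describes. The policy rules, action names and sample FQANs are all constructed for the example.

```python
"""Authorizing a grid service request from VOMS group/role attributes.

Added example for this transcript; not code from the presentation, VOMS or
gLite. A VOMS FQAN (Fully Qualified Attribute Name) looks like
/<vo>/<subgroup>/Role=<role>/Capability=<cap>, with "NULL" meaning "not set".
The policy table, action names and sample FQANs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Fqan:
    vo: str
    group: str                 # full group path, e.g. "/atlas/production"
    role: Optional[str]        # None when the FQAN carries Role=NULL
    capability: Optional[str]  # parsed but ignored by authorize() below


def _none_if_null(value: Optional[str]) -> Optional[str]:
    return None if value in (None, "NULL") else value


def parse_fqan(text: str) -> Fqan:
    """Split an FQAN string into VO, group path, role and capability."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    group_parts: List[str] = []
    role = capability = None
    for part in text.split("/")[1:]:
        if not part:
            raise ValueError(f"empty path component in {text!r}")
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif "=" in part:
            raise ValueError(f"unknown attribute in {text!r}: {part}")
        elif role is not None or capability is not None:
            raise ValueError(f"group component after Role/Capability in {text!r}")
        else:
            group_parts.append(part)
    if not group_parts:
        raise ValueError(f"FQAN has no VO component: {text!r}")
    return Fqan(vo=group_parts[0], group="/" + "/".join(group_parts),
                role=_none_if_null(role), capability=_none_if_null(capability))


# Constructed service policy: (group, required role or None for any role, actions).
# Capability is not consulted at all: as the slide notes, services authorize
# on group/role only, so anything finer-grained in the FQAN has no effect.
Rule = Tuple[str, Optional[str], Set[str]]
POLICY: List[Rule] = [
    ("/atlas", None, {"submit-job"}),
    ("/atlas/production", "production", {"submit-job", "write-storage"}),
    ("/atlas", "lcgadmin", {"submit-job", "manage-software"}),
]


def group_matches(rule_group: str, fqan_group: str) -> bool:
    """A rule for /atlas also covers /atlas/uk, but not /atlasx."""
    return fqan_group == rule_group or fqan_group.startswith(rule_group + "/")


def authorize(fqans: List[str], action: str) -> bool:
    """True if any FQAN in the proxy satisfies a rule that grants `action`."""
    parsed = [parse_fqan(f) for f in fqans]
    for rule_group, rule_role, actions in POLICY:
        if action not in actions:
            continue
        for f in parsed:
            if group_matches(rule_group, f.group) and (rule_role is None or f.role == rule_role):
                return True
    return False


if __name__ == "__main__":
    proxy = ["/atlas/production/Role=production/Capability=NULL",
             "/atlas/Role=NULL/Capability=NULL"]
    for action in ("submit-job", "write-storage", "manage-software"):
        print(action, "->", authorize(proxy, action))
```

Two things worth noticing when running it: membership of the /atlas/production group alone does not grant write-storage, because the rule requires the production role to actually be asserted in the proxy; and a Capability value, however it is set, changes nothing, which is why the slide lists group/role-only authorization as an open issue for the SC4 requirements.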

Slide 9: Operational Security Coordination Team
- OSCT membership = EGEE ROC security contacts
- What it is not:
  - not focused on middleware security architecture
  - not focused on vulnerabilities (a Vulnerabilities Group has been formed and is operational)
- Focus on Incident Response Coordination
  - assume it’s broken: how do we respond?
  - planning and tracking
- Focus on ‘Best Practice’
  - advice, monitoring, analysis
- Coordinators for each EGEE ROC plus OSG, LCG Tier 1 + Taipei

Slide 10: Operational Security Coordination Team (diagram; labels as extracted)
- Incident Response: Policy, HANDBOOK, Procedures, Resources, Reference, Playbook
- Monitoring Tools: Infrastructure, Agents, Deployment
- Security Service Challenge: SSC1 - Job Trace, SSC2 - Storage Audit, Infrastructure

Slide 11: Operational Security Coordination Team: Incident Response issues
- Contact management
  - use of the site registration process and GOCDB
  - shift from site-based to regional/grid coordination
  - operational role for OSCT
- Live incident
  - lack of real incident experience
  - incidents WILL happen and they WILL be disruptive
  - OSCT can plan BUT cannot anticipate all eventualities
- Lack of dedicated resources: should be provided by EGEE-II
- NREN CSIRTs – overlap of IR activities; understanding how/when/if to use them
- Security Service Challenges
  - lessons from SSC1
  - plan for SSC2 (storage) and beyond
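The "SSC1 - Job Trace" challenge referred to on the last two slides tests whether a site can trace a running job back to the user who submitted it. As an added example, not code from the presentation or from any LCG/EGEE tool, the script below does the correlation a site would have to do: it joins a gatekeeper log (which records the user DN, the local account it was mapped to and the batch job id) with a batch log (which records where and when each job ran) and answers "who was running on this worker node at this time?". The challenge is assumed here to ask exactly that question; the log formats, DNs, job ids, node names and timestamps are all constructed for the example and real gatekeeper and batch logs differ.

```python
"""Tracing a grid job on a worker node back to the submitting user's DN.

Added example for the SSC1 job-trace item; not code from the presentation or
from any LCG/EGEE tool. All log lines, DNs, job ids and node names below are
constructed; real gatekeeper and batch log formats differ.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed gatekeeper log: authenticated DN, mapped local account, batch job id.
GATEKEEPER_LOG = """\
2005-11-14 09:12:03 gatekeeper: DN "/C=XX/O=Example Grid/CN=constructed user one" mapped to atlas007 jobid=lcg.12345
2005-11-14 09:15:41 gatekeeper: DN "/C=XX/O=Example Grid/CN=constructed user two" mapped to cms021 jobid=lcg.12346
2005-11-14 09:16:02 gatekeeper: authentication failed for peer 192.0.2.10
2005-11-14 10:02:17 gatekeeper: DN "/C=XX/O=Example Grid/CN=constructed user one" mapped to atlas007 jobid=lcg.12350
"""

# Constructed batch log: where and when each job ran. local.7 has no gatekeeper
# record, the kind of gap a job-trace exercise is meant to surface.
BATCH_LOG = """\
2005-11-14 09:12:10 batch: job lcg.12345 started on wn042
2005-11-14 09:15:50 batch: job lcg.12346 started on wn042
2005-11-14 09:20:00 batch: job local.7 started on wn042
2005-11-14 09:40:55 batch: job lcg.12345 finished on wn042 exit=0
2005-11-14 10:02:30 batch: job lcg.12350 started on wn017
"""

TS = "%Y-%m-%d %H:%M:%S"
GK_RE = re.compile(r'^(\S+ \S+) gatekeeper: DN "([^"]+)" mapped to (\S+) jobid=(\S+)$')
BATCH_RE = re.compile(r"^(\S+ \S+) batch: job (\S+) (started|finished) on (\S+)")


def parse_gatekeeper(log: str) -> Dict[str, Tuple[str, str]]:
    """Map job id -> (DN, local account). Lines without a mapping are skipped."""
    owners: Dict[str, Tuple[str, str]] = {}
    for line in log.splitlines():
        m = GK_RE.match(line)
        if m:
            _ts, dn, account, jobid = m.groups()
            owners[jobid] = (dn, account)
    return owners


def parse_batch(log: str) -> Dict[str, Tuple[str, datetime, Optional[datetime]]]:
    """Map job id -> (worker node, start, end); end is None while still running."""
    jobs: Dict[str, Tuple[str, datetime, Optional[datetime]]] = {}
    for line in log.splitlines():
        m = BATCH_RE.match(line)
        if not m:
            continue
        ts, jobid, event, node = m.groups()
        when = datetime.strptime(ts, TS)
        if event == "started":
            jobs[jobid] = (node, when, None)
        elif jobid in jobs:
            node0, start, _ = jobs[jobid]
            jobs[jobid] = (node0, start, when)
    return jobs


def trace(node: str, at: str, gk_log: str = GATEKEEPER_LOG,
          batch_log: str = BATCH_LOG) -> List[Tuple[str, str, str]]:
    """Return (job id, DN, local account) for every job running on `node` at `at`."""
    when = datetime.strptime(at, TS)
    owners = parse_gatekeeper(gk_log)
    hits: List[Tuple[str, str, str]] = []
    for jobid, (job_node, start, end) in sorted(parse_batch(batch_log).items()):
        if job_node != node or start > when or (end is not None and end < when):
            continue
        dn, account = owners.get(jobid, ("<no gatekeeper record>", "<unknown>"))
        hits.append((jobid, dn, account))
    return hits


if __name__ == "__main__":
    for jobid, dn, account in trace("wn042", "2005-11-14 09:30:00"):
        print(f"{jobid}: {account} <- {dn}")
```

Asking about wn042 at 09:30 returns three jobs, one of which (local.7) has no gatekeeper record and so cannot be attributed to any DN; in a real challenge that is a finding about the site's logging, not just a lookup miss. Asking about the same node at 09:45 no longer returns lcg.12345, which finished at 09:40:55, while jobs with no "finished" line are treated as still running.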

Slide 12: Related activities
- Optical Private Network Security: working group formed by the GDB
- Disaster Recovery Planning: recent presentations at HEPiX and EGEE-4
- ISSeG: proposed EU-funded project on Integrated Site Security for Grids, CERN/Openlab lead

Slide 13: Thank You