Integrated Site Security for Grids ISSeG Integrated Site Security for Grids EU-FP6 Project 026745 Brief Overview Denise Heagerty, CERN 17 April 2007 Lead partner for Work Package (WP) 4 is CCLRC. Presentation by David Jackson (d.j.b.jackson@rl.c.uk) from CCLRC. Note, from 1st April 2007, CCLRC and PPARC will merge in to a new Research Council in the UK known as STFC. This should have no effect on the ISSeG project.
Integrated Site Security Concept
The ISSeG Process WP2 WP2 WP4 builds on the work in WP1, 2 and 3.
Benefits of WP2 to ISSeG Introduces requirements of other communities Based on threat analysis Tests a methodology for site assessment Targeted for Grid sites Leading to a questionnaire for self assessment Identifies differentiating factors Leading to site security categorization Provides side benefits Defines a relationship with relevant standards Identifies security improvements due to the ISS approach
Methodology for deploying ISS
D4.1: Target audiences Who is being trained? Who wants the material? Taken from figure 1 in D4.1. This was an example of how existing documentation (enisa ‘How to Raise Information Security Awareness’) was used and adapted for use in the project.
D4.1: Site and role types Time
Draft/Example Recommendations R1 Broaden the use of centralized management Centrally manage accounts Centrally manage patches and system configurations Centrally manage Internet Services Small Medium Large When dealing with ~ 10 machines, this is not a big issue. When dealing with ~ 100 machines, this starts to become an issue. With over 100 machines, it is an issue. How do to capture the attention of the audience so that they wish to read about this? The relevance of the recommendation varies with the site type (size) and the individual that has responsibility/interest what is being recommended. Not interested Interested Users Management System administrators
D4.2: Multiple routes to recommendations
Draft Recommendations (1) R1 Broaden the use of centralized management Centrally manage accounts Centrally manage patches and system configurations Centrally manage Internet Services R2 Integrate identity and resource management Provide integrated identity management Ensure resources link to the people in charge of them Define responsibilities using roles and groups R3 Manage network connectivity Restrict Intranet access to authorised devices Restrict Internet access to authorised connections Segregate networks dedicated to sensitive devices Expand the use of application gateways
Draft Recommendations (2) R4 Use security mechanisms and tools Strengthen authentication and authorisation Increase the use of vulnerability assessment tools Adapt incident detection to meet evolving trends Strengthen and promote network monitoring tools Enhance spam filter tools and mailing security Extend policy enforcement R5 Strengthen administrative procedures and training Adapt training to requirements of users, developers and system administrators Integrate security training and best practices into organisational structures Maintain administrative procedures in step with evolving security needs Extend policy regulations Regulate the use and coexistence of legacy Operating Systems
Timelines 26 Apr Peer Review Meeting Mid May Threat list sent for feedback to OSCT and community contacts End May Security assessment questionnaire sent for feedback to OSCT and community contacts 31 May CD1: Report on Peer Review Meeting (Final) 20 Jun Joint ISSeG/OSCT Meeting, Edinburgh 29 Jun CD2: Comparative analysis of requirements based on threats (top ten per community) 31 Jul CD3: Comparative auditing report comparing security at CERN, FZK and CCLRC CD4: Questionnaire for assessing new sites 15 Oct CD5: ~50 recommendations completed