OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.

Slides:

Advertisements

Similar presentations

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Advertisements

OSG PKI RA Training Mine Altunay, Jim Basney OSG PKI Team October 1, 2012.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/02/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 05/15/2013.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

Jan 2010 Current OSG Efforts and Status, Grid Deployment Board, Jan 12 th 2010 OSG has weekly Operations and Production Meetings including US ATLAS and.

WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

Key Accomplishments and Work Plans OSG Security Team July 11, 2012.

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 SAN Certificate in Unity Connection Presenter Name: Bhawna Goel.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

Key Project Drivers - FY11 Ruth Pordes, June 15th 2010.

OSG PKI Grid Admin (GA) Training Mine Altunay, Jim Basney OSG PKI Team October 8, 2012.

CILogon OSG CA Mine Altunay Jim Basney TAGPMA Meeting Pittsburgh May 27, 2015.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Security Review Mine Altunay June 19, June 19, Security Overview Current Initiatives  Incident response procedure – top priority (WBS.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 12/21/2011.

OSG Security Program Review OSG Security Team M. Altunay, FNAL, OSG Security Officer, D. Olson LBNL, Ron Cudzewicz FNAL J. Basney NCSA, Anand Padmanabhan.

OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

Security Update WLCG GDB CERN, 12 June 2013 David Kelsey STFC/RAL.

OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

Blueprint Meeting Notes Feb 20, Feb 17, 2009 Authentication Infrastrusture Federation = {Institutes} U {CA} where both entities can be empty TODO1:

G RID M IDDLEWARE AND S ECURITY Suchandra Thapa Computation Institute University of Chicago.

Mine Altunay OSG Security Officer Open Science Grid: Security Gateway Security Summit January 28-30, 2008 San Diego Supercomputer Center.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 04/3/2013.

Discussion Topics DOE Program Managers and OSG Executive Team 2 nd June 2011 Associate Executive Director Currently planning for FY12 XD XSEDE Starting.

Evolution of the Open Science Grid Authentication Model Kevin Hill Fermilab OSG Security Team.

OSG Security Review Mine Altunay December 4, 2008.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.

Rob Quick OSG Operations Area Coordinator Manager High Throughput Computing Indiana University Integrating OSG Operational Services Rob Quick OSG Operations.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 8/15/2012.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp - SWITCH EGI TF Prague.

OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch OSG Council August 23, 2012.

OSG PKI Contingency and Recovery Plans Mine Altunay, Von Welch October 16, 2012.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 11/02/2011.

Mine Altunay July 30, 2007 Security and Privacy in OSG.

Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 6/6/2012.

Meeting Minutes and TODOs TG has no distributed monitoring. During incident response, use a manual twiki page to distribute information TG monitors the.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

EMI INFSO-RI Argus Policies in Action Valery Tschopp (SWITCH) on behalf of the Argus PT.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

OSG Site Admin Workshop - Mar 2008Using gLExec to improve security1 OSG Site Administrators Workshop Using gLExec to improve security of Grid jobs by Alain.

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 4/11/2012.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 02/13/2012.

Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay, James Basney,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI CSIRT Procedure for Compromised Certificates and Central Security Emergency.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.

OSG PKI Transition Impact on CMS. Impact on End User After March , DOEGrids CA will stop issuing or renewing certificates. If a user is entitled.

OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.

OSG PKI Transition Mine Altunay OSG Security Officer

Trusted Virtual Machine Images the HEPiX Point of View Tony Cass October 21 st 2011.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 8/15/2012.

CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.

OSG VO Security Policies and Requirements Mine Altunay OSG Security Team July 2007.

Certificate Security For Users Obtaining and Using Your Personal Certificate using the OSG PKI Kyle Gross – OSG Operations Support Lead Elizabeth Prout.

EGI-InSPIRE RI EGI (IGTF Liaison Function) EGI-InSPIRE RI IGTF & EUGridPMA status update SHA-2 – and more (David Groep,

News from EUGridPMA EGI OMB, 22 Jan 2013 David Kelsey (STFC) Using notes from David Groep 22/01/20131EUGridPMA News.

Why you should care about glexec OSG Site Administrator’s Meeting Written by Igor Sfiligoi Presented by Alain Roy Hint: It’s about security.

New OSG Virtual Organization Security Training OSG Security Team.

Bringing Federated Identity to Grid Computing Dave Dykstra CISRC16 April 6, 2016.

OSG Security Kevin Hill.

Presentation transcript:

OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014

Key Initiatives CILogon Basic CA is now IGTF accredited – Under the new IGTF profile – Included in the new IGTF release. – Included in our standard IGTF distribution as an accredited CA

Key Initiative: OSG IdM Roadmap Two questions from Lothar triggered our work. Presented the roadmap in detail on 4/2/2014 meeting. – What would happen to OSG stakeholders if we stop to provide certificates? – Can we get certificates somewhere other than DigiCert? – We created a short-term roadmap, OSG-doc- 1185, answering these questions in detail. Please read the document for details.

IDM Roadmap Can we get certificates somewhere else? Yes: – CILogon Net HSM service – Commercial Retail CAs – InCommon Certificate Service – Operating our own Backend CA – Operating our intermediate CA

IDM Roadmap CILogon Net HSM is the best option. We note the concern about future funding commitments. – Same set of services we get from DigiCert with minimal changes to Frontend – Started a prototype. Instantiating a new HSM service instance for OSG. Will use the same OIM invocation methods. No changes to the command line clients. If CILogon NET HSM option does not work, then we want to try to set up our own HSM service. If our own HSM does not work out, we should continue with DigiCert CA.

IDM Roadmap We completed a working prototype. Demonstrated that it works and changes are easily manageable. API changes at OIM-side Wrote a MOU between XSEDE and OSG and waiting to hear back form seniro mgmt. When we receive the approval, we will proceed.

Key initiatives OSG IdP that can onboard OSG members to OSG Connect seamlessly is completed. – Transitioning the service to GOC – IdP authenticates OSG users with their certificates, then sends a notification to OSGConnect. The OSG user does not have authenticate twice. – We stopped our plans on building an IdP that authenticates users with their uname/psswd. Objected at the staff retreat.

Change Management Process with DigiCert Had a few operational problems with PKI – Unprocessed Revocations. Found out revocation requests have not processed because a final step in approval was not performed. Learned that we should have tested CRLs once the revocations performed. – CRL download problem. Caused by trying to remediate the unprocessed revocations. GOC wanted to distribute CRLs faster but requested to change configuration variables that does not impact the distribution speed. Caused a OSG-wide CRL download problem. – Service names inclusion in renewed certificates. Discovered a minor problem with service prefix not included in certificate DN for renewals. – Testing infrastructure. Learned that DigiCert applies some changes to its production CA; we have no way of testing end-end before they move to rpoduction

These issues demonstrate that – We still have not fully understood DigiCert’s operational details – Have not nailed down a change management process – Seemingly innocent change requests can cause trouble. PKI is complex and fragile at the same time. Operations and Security teams got together and created a change management request process. – Always seek approval from security and operations teams before making a change request. – Consider consequences of a change from many angles. – Keep track in a ticketing system. Document the request and the steps taken. – Define a process for emergencies. Do our best to minimize the number of emergency releases. Since they will not be tested thoroughly. – We will test the process with the upcoming SHA-2 change

Operational security Busy 3 months Heartbleed, bitcoin mining, dcache vulnerability Dcache vulnerability, sent announcement to sites. Heartbleed. – More challenging. – Private keys, passwords, confidential material may become exposed if an attacker finds a vulnerable server – We asked all sites to patch ASAP. – We decided not to renew worker node certificates immediately. – No username/passwords to renew – For gatekeepers, we suggested renewing when is not burdensome for the site admin.

Operational Security Bitcoin Mining – Had some publicized incidents on CIOMagazine, bitcoin miners on NSF supercomputer, harvard university, and in EGI. – Sent out an announcement to VO admins. First line of defense is to educate the VO managers and ask them to spread the message. – Do not view bitcoin mining as a “malicious” activity, does not threat our security. But waste of computer resources. – More worried about increasing incident causing a hysteria in DOE leading to widespread bans in distributed computing environment.

Operational Security Bitcoin Mining– Actions to take – Will follow up with VO managers one-one. This is the most important action item for us. – Working with XSEDE security team. Will participate into closed-doors security meeting at XSEDE – Distribute information for sites who has IDS systems – OSG VO implemented warning messages when users first log in. – OSGConnect plans on having the same warning messages.

Operational Security Central banning tool – WLCG has been asking about an automated banning server that can push banned user list to sites automatically – Brian has implemented an additional feature in GUMS that it can retrieve ban list form Argus server. – OSG security decided not to run a central banning service because Most of our sites do not require end user certificates therefore they cannot ban a user based on the user’s dn Many of our users (non-LHC) do not use a certificate to submit Having a central banning tool has ony marginal value for a few OSG sites, CMS mainly

Operational security We considered whether having the banning feature at the VO-side is more meaningful. – Ban the user automatically at glideinwms submit node. – Decided this is not useful either. – During an incident, it is the VO who tracks the malicious user and identifies his/her identity. So the banning happens at the VO’s speed. – Sharing the malicious user name across the Vos may be useful but few users have multiple VO memberships and furthermore users name may be different from VO to VO. So we cannot automatically find and ban a user in a different VO. We no longer have a grid-wide unique identifier for each user. – So the banning service is no longer very useful for OSG

Future work Security controls. Started already. Scott has already completed GOC’s assessment. Thanks. Document the new risk model for OSG with the certificate-free jobs. – Ssh access to submit nodes, as opposed to certificate-based access to resources. – Weakest link is the submit node now.